Auto commit, 1 new patch{es}.
[thirdparty/grsecurity-scrape.git] / test / grsecurity-2.2.2-2.6.39.3-201107090923.patch
1 diff -urNp linux-2.6.39.3/arch/alpha/include/asm/dma-mapping.h linux-2.6.39.3/arch/alpha/include/asm/dma-mapping.h
2 --- linux-2.6.39.3/arch/alpha/include/asm/dma-mapping.h 2011-05-19 00:06:34.000000000 -0400
3 +++ linux-2.6.39.3/arch/alpha/include/asm/dma-mapping.h 2011-05-22 19:36:30.000000000 -0400
4 @@ -3,9 +3,9 @@
5
6 #include <linux/dma-attrs.h>
7
8 -extern struct dma_map_ops *dma_ops;
9 +extern const struct dma_map_ops *dma_ops;
10
11 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
12 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
13 {
14 return dma_ops;
15 }
16 diff -urNp linux-2.6.39.3/arch/alpha/include/asm/elf.h linux-2.6.39.3/arch/alpha/include/asm/elf.h
17 --- linux-2.6.39.3/arch/alpha/include/asm/elf.h 2011-05-19 00:06:34.000000000 -0400
18 +++ linux-2.6.39.3/arch/alpha/include/asm/elf.h 2011-05-22 19:36:30.000000000 -0400
19 @@ -90,6 +90,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
20
21 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x1000000)
22
23 +#ifdef CONFIG_PAX_ASLR
24 +#define PAX_ELF_ET_DYN_BASE (current->personality & ADDR_LIMIT_32BIT ? 0x10000 : 0x120000000UL)
25 +
26 +#define PAX_DELTA_MMAP_LEN (current->personality & ADDR_LIMIT_32BIT ? 14 : 28)
27 +#define PAX_DELTA_STACK_LEN (current->personality & ADDR_LIMIT_32BIT ? 14 : 19)
28 +#endif
29 +
30 /* $0 is set by ld.so to a pointer to a function which might be
31 registered using atexit. This provides a mean for the dynamic
32 linker to call DT_FINI functions for shared libraries that have
33 diff -urNp linux-2.6.39.3/arch/alpha/include/asm/pgtable.h linux-2.6.39.3/arch/alpha/include/asm/pgtable.h
34 --- linux-2.6.39.3/arch/alpha/include/asm/pgtable.h 2011-05-19 00:06:34.000000000 -0400
35 +++ linux-2.6.39.3/arch/alpha/include/asm/pgtable.h 2011-05-22 19:36:30.000000000 -0400
36 @@ -101,6 +101,17 @@ struct vm_area_struct;
37 #define PAGE_SHARED __pgprot(_PAGE_VALID | __ACCESS_BITS)
38 #define PAGE_COPY __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW)
39 #define PAGE_READONLY __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW)
40 +
41 +#ifdef CONFIG_PAX_PAGEEXEC
42 +# define PAGE_SHARED_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOE)
43 +# define PAGE_COPY_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW | _PAGE_FOE)
44 +# define PAGE_READONLY_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW | _PAGE_FOE)
45 +#else
46 +# define PAGE_SHARED_NOEXEC PAGE_SHARED
47 +# define PAGE_COPY_NOEXEC PAGE_COPY
48 +# define PAGE_READONLY_NOEXEC PAGE_READONLY
49 +#endif
50 +
51 #define PAGE_KERNEL __pgprot(_PAGE_VALID | _PAGE_ASM | _PAGE_KRE | _PAGE_KWE)
52
53 #define _PAGE_NORMAL(x) __pgprot(_PAGE_VALID | __ACCESS_BITS | (x))
54 diff -urNp linux-2.6.39.3/arch/alpha/kernel/core_apecs.c linux-2.6.39.3/arch/alpha/kernel/core_apecs.c
55 --- linux-2.6.39.3/arch/alpha/kernel/core_apecs.c 2011-05-19 00:06:34.000000000 -0400
56 +++ linux-2.6.39.3/arch/alpha/kernel/core_apecs.c 2011-05-22 19:36:30.000000000 -0400
57 @@ -305,7 +305,7 @@ apecs_write_config(struct pci_bus *bus,
58 return PCIBIOS_SUCCESSFUL;
59 }
60
61 -struct pci_ops apecs_pci_ops =
62 +const struct pci_ops apecs_pci_ops =
63 {
64 .read = apecs_read_config,
65 .write = apecs_write_config,
66 diff -urNp linux-2.6.39.3/arch/alpha/kernel/core_cia.c linux-2.6.39.3/arch/alpha/kernel/core_cia.c
67 --- linux-2.6.39.3/arch/alpha/kernel/core_cia.c 2011-05-19 00:06:34.000000000 -0400
68 +++ linux-2.6.39.3/arch/alpha/kernel/core_cia.c 2011-05-22 19:36:30.000000000 -0400
69 @@ -239,7 +239,7 @@ cia_write_config(struct pci_bus *bus, un
70 return PCIBIOS_SUCCESSFUL;
71 }
72
73 -struct pci_ops cia_pci_ops =
74 +const struct pci_ops cia_pci_ops =
75 {
76 .read = cia_read_config,
77 .write = cia_write_config,
78 diff -urNp linux-2.6.39.3/arch/alpha/kernel/core_irongate.c linux-2.6.39.3/arch/alpha/kernel/core_irongate.c
79 --- linux-2.6.39.3/arch/alpha/kernel/core_irongate.c 2011-05-19 00:06:34.000000000 -0400
80 +++ linux-2.6.39.3/arch/alpha/kernel/core_irongate.c 2011-05-22 19:36:30.000000000 -0400
81 @@ -155,7 +155,7 @@ irongate_write_config(struct pci_bus *bu
82 return PCIBIOS_SUCCESSFUL;
83 }
84
85 -struct pci_ops irongate_pci_ops =
86 +const struct pci_ops irongate_pci_ops =
87 {
88 .read = irongate_read_config,
89 .write = irongate_write_config,
90 diff -urNp linux-2.6.39.3/arch/alpha/kernel/core_lca.c linux-2.6.39.3/arch/alpha/kernel/core_lca.c
91 --- linux-2.6.39.3/arch/alpha/kernel/core_lca.c 2011-05-19 00:06:34.000000000 -0400
92 +++ linux-2.6.39.3/arch/alpha/kernel/core_lca.c 2011-05-22 19:36:30.000000000 -0400
93 @@ -231,7 +231,7 @@ lca_write_config(struct pci_bus *bus, un
94 return PCIBIOS_SUCCESSFUL;
95 }
96
97 -struct pci_ops lca_pci_ops =
98 +const struct pci_ops lca_pci_ops =
99 {
100 .read = lca_read_config,
101 .write = lca_write_config,
102 diff -urNp linux-2.6.39.3/arch/alpha/kernel/core_marvel.c linux-2.6.39.3/arch/alpha/kernel/core_marvel.c
103 --- linux-2.6.39.3/arch/alpha/kernel/core_marvel.c 2011-05-19 00:06:34.000000000 -0400
104 +++ linux-2.6.39.3/arch/alpha/kernel/core_marvel.c 2011-05-22 19:36:30.000000000 -0400
105 @@ -588,7 +588,7 @@ marvel_write_config(struct pci_bus *bus,
106 return PCIBIOS_SUCCESSFUL;
107 }
108
109 -struct pci_ops marvel_pci_ops =
110 +const struct pci_ops marvel_pci_ops =
111 {
112 .read = marvel_read_config,
113 .write = marvel_write_config,
114 diff -urNp linux-2.6.39.3/arch/alpha/kernel/core_mcpcia.c linux-2.6.39.3/arch/alpha/kernel/core_mcpcia.c
115 --- linux-2.6.39.3/arch/alpha/kernel/core_mcpcia.c 2011-05-19 00:06:34.000000000 -0400
116 +++ linux-2.6.39.3/arch/alpha/kernel/core_mcpcia.c 2011-05-22 19:36:30.000000000 -0400
117 @@ -235,7 +235,7 @@ mcpcia_write_config(struct pci_bus *bus,
118 return PCIBIOS_SUCCESSFUL;
119 }
120
121 -struct pci_ops mcpcia_pci_ops =
122 +const struct pci_ops mcpcia_pci_ops =
123 {
124 .read = mcpcia_read_config,
125 .write = mcpcia_write_config,
126 diff -urNp linux-2.6.39.3/arch/alpha/kernel/core_polaris.c linux-2.6.39.3/arch/alpha/kernel/core_polaris.c
127 --- linux-2.6.39.3/arch/alpha/kernel/core_polaris.c 2011-05-19 00:06:34.000000000 -0400
128 +++ linux-2.6.39.3/arch/alpha/kernel/core_polaris.c 2011-05-22 19:36:30.000000000 -0400
129 @@ -136,7 +136,7 @@ polaris_write_config(struct pci_bus *bus
130 return PCIBIOS_SUCCESSFUL;
131 }
132
133 -struct pci_ops polaris_pci_ops =
134 +const struct pci_ops polaris_pci_ops =
135 {
136 .read = polaris_read_config,
137 .write = polaris_write_config,
138 diff -urNp linux-2.6.39.3/arch/alpha/kernel/core_t2.c linux-2.6.39.3/arch/alpha/kernel/core_t2.c
139 --- linux-2.6.39.3/arch/alpha/kernel/core_t2.c 2011-05-19 00:06:34.000000000 -0400
140 +++ linux-2.6.39.3/arch/alpha/kernel/core_t2.c 2011-05-22 19:36:30.000000000 -0400
141 @@ -314,7 +314,7 @@ t2_write_config(struct pci_bus *bus, uns
142 return PCIBIOS_SUCCESSFUL;
143 }
144
145 -struct pci_ops t2_pci_ops =
146 +const struct pci_ops t2_pci_ops =
147 {
148 .read = t2_read_config,
149 .write = t2_write_config,
150 diff -urNp linux-2.6.39.3/arch/alpha/kernel/core_titan.c linux-2.6.39.3/arch/alpha/kernel/core_titan.c
151 --- linux-2.6.39.3/arch/alpha/kernel/core_titan.c 2011-05-19 00:06:34.000000000 -0400
152 +++ linux-2.6.39.3/arch/alpha/kernel/core_titan.c 2011-05-22 19:36:30.000000000 -0400
153 @@ -191,7 +191,7 @@ titan_write_config(struct pci_bus *bus,
154 return PCIBIOS_SUCCESSFUL;
155 }
156
157 -struct pci_ops titan_pci_ops =
158 +const struct pci_ops titan_pci_ops =
159 {
160 .read = titan_read_config,
161 .write = titan_write_config,
162 diff -urNp linux-2.6.39.3/arch/alpha/kernel/core_tsunami.c linux-2.6.39.3/arch/alpha/kernel/core_tsunami.c
163 --- linux-2.6.39.3/arch/alpha/kernel/core_tsunami.c 2011-05-19 00:06:34.000000000 -0400
164 +++ linux-2.6.39.3/arch/alpha/kernel/core_tsunami.c 2011-05-22 19:36:30.000000000 -0400
165 @@ -166,7 +166,7 @@ tsunami_write_config(struct pci_bus *bus
166 return PCIBIOS_SUCCESSFUL;
167 }
168
169 -struct pci_ops tsunami_pci_ops =
170 +const struct pci_ops tsunami_pci_ops =
171 {
172 .read = tsunami_read_config,
173 .write = tsunami_write_config,
174 diff -urNp linux-2.6.39.3/arch/alpha/kernel/core_wildfire.c linux-2.6.39.3/arch/alpha/kernel/core_wildfire.c
175 --- linux-2.6.39.3/arch/alpha/kernel/core_wildfire.c 2011-05-19 00:06:34.000000000 -0400
176 +++ linux-2.6.39.3/arch/alpha/kernel/core_wildfire.c 2011-05-22 19:36:30.000000000 -0400
177 @@ -431,7 +431,7 @@ wildfire_write_config(struct pci_bus *bu
178 return PCIBIOS_SUCCESSFUL;
179 }
180
181 -struct pci_ops wildfire_pci_ops =
182 +const struct pci_ops wildfire_pci_ops =
183 {
184 .read = wildfire_read_config,
185 .write = wildfire_write_config,
186 diff -urNp linux-2.6.39.3/arch/alpha/kernel/module.c linux-2.6.39.3/arch/alpha/kernel/module.c
187 --- linux-2.6.39.3/arch/alpha/kernel/module.c 2011-05-19 00:06:34.000000000 -0400
188 +++ linux-2.6.39.3/arch/alpha/kernel/module.c 2011-05-22 19:36:30.000000000 -0400
189 @@ -182,7 +182,7 @@ apply_relocate_add(Elf64_Shdr *sechdrs,
190
191 /* The small sections were sorted to the end of the segment.
192 The following should definitely cover them. */
193 - gp = (u64)me->module_core + me->core_size - 0x8000;
194 + gp = (u64)me->module_core_rw + me->core_size_rw - 0x8000;
195 got = sechdrs[me->arch.gotsecindex].sh_addr;
196
197 for (i = 0; i < n; i++) {
198 diff -urNp linux-2.6.39.3/arch/alpha/kernel/osf_sys.c linux-2.6.39.3/arch/alpha/kernel/osf_sys.c
199 --- linux-2.6.39.3/arch/alpha/kernel/osf_sys.c 2011-05-19 00:06:34.000000000 -0400
200 +++ linux-2.6.39.3/arch/alpha/kernel/osf_sys.c 2011-06-13 17:19:07.000000000 -0400
201 @@ -409,7 +409,7 @@ SYSCALL_DEFINE2(osf_getdomainname, char
202 return -EFAULT;
203
204 len = namelen;
205 - if (namelen > 32)
206 + if (len > 32)
207 len = 32;
208
209 down_read(&uts_sem);
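Review bot: The clamp `if (len > 32)` only catches a negative `namelen` if `len` is an unsigned type, and its declaration is outside this hunk, so the fix cannot be confirmed from here. If `len` is unsigned, a one-line comment would keep the comparison from being "simplified" back: `/* compare the unsigned copy so a negative namelen is clamped as well */`. If it is signed, the hunk changes nothing and an explicit `if (namelen < 0) return -EINVAL;` is needed instead.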
210 @@ -594,7 +594,7 @@ SYSCALL_DEFINE3(osf_sysinfo, int, comman
211 down_read(&uts_sem);
212 res = sysinfo_table[offset];
213 len = strlen(res)+1;
214 - if (len > count)
215 + if ((unsigned long)len > (unsigned long)count)
216 len = count;
217 if (copy_to_user(buf, res, len))
218 err = -EFAULT;
219 @@ -649,7 +649,7 @@ SYSCALL_DEFINE5(osf_getsysinfo, unsigned
220 return 1;
221
222 case GSI_GET_HWRPB:
223 - if (nbytes < sizeof(*hwrpb))
224 + if (nbytes > sizeof(*hwrpb))
225 return -EINVAL;
226 if (copy_to_user(buffer, hwrpb, nbytes) != 0)
227 return -EFAULT;
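Review bot: The GSI_GET_HWRPB test now rejects only `nbytes > sizeof(*hwrpb)`, so a request shorter than the structure, which the old test refused, now succeeds with a partial copy. That looks intended, since the copy can no longer run past `hwrpb`, but it is a user-visible change and deserves a comment at the check: `/* never copy more than the HWRPB itself; shorter reads are allowed */`.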
228 @@ -1008,6 +1008,7 @@ SYSCALL_DEFINE4(osf_wait4, pid_t, pid, i
229 {
230 struct rusage r;
231 long ret, err;
232 + unsigned int status = 0;
233 mm_segment_t old_fs;
234
235 if (!ur)
236 @@ -1016,13 +1017,15 @@ SYSCALL_DEFINE4(osf_wait4, pid_t, pid, i
237 old_fs = get_fs();
238
239 set_fs (KERNEL_DS);
240 - ret = sys_wait4(pid, ustatus, options, (struct rusage __user *) &r);
241 + ret = sys_wait4(pid, (unsigned int __user *) &status, options,
242 + (struct rusage __user *) &r);
243 set_fs (old_fs);
244
245 if (!access_ok(VERIFY_WRITE, ur, sizeof(*ur)))
246 return -EFAULT;
247
248 err = 0;
249 + err |= put_user(status, ustatus);
250 err |= __put_user(r.ru_utime.tv_sec, &ur->ru_utime.tv_sec);
251 err |= __put_user(r.ru_utime.tv_usec, &ur->ru_utime.tv_usec);
252 err |= __put_user(r.ru_stime.tv_sec, &ur->ru_stime.tv_sec);
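Review bot: The added `err |= put_user(status, ustatus);` runs unconditionally, so a caller passing a NULL status pointer with a non-NULL rusage pointer would now hit a put_user fault, where the old code handed `ustatus` straight to sys_wait4. If sys_wait4 tolerates a NULL status pointer (it appears to, but that code is not in this section), guard the write: `if (ustatus) err |= put_user(status, ustatus);`. Separately, `struct rusage r` is still declared without an initializer and nothing visible in the hunk checks `ret` before the `__put_user` copies, so a failed wait may copy stale stack contents out. Zeroing `r` alongside the `status = 0` added in the previous hunk would close that. The function continues past the end of the hunk.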
253 @@ -1142,7 +1145,7 @@ arch_get_unmapped_area_1(unsigned long a
254 /* At this point: (!vma || addr < vma->vm_end). */
255 if (limit - len < addr)
256 return -ENOMEM;
257 - if (!vma || addr + len <= vma->vm_start)
258 + if (check_heap_stack_gap(vma, addr, len))
259 return addr;
260 addr = vma->vm_end;
261 vma = vma->vm_next;
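Review bot: `addr = vma->vm_end;` on the line after the new test still dereferences `vma`, and the explicit `!vma` guard that protected it is gone. This is safe only if `check_heap_stack_gap()` returns nonzero whenever `vma` is NULL; the helper is defined outside this section, so that cannot be confirmed here. A comment at the call site stating the contract, e.g. `/* check_heap_stack_gap() must return true for a NULL vma */`, would keep a later change to the helper from introducing a NULL dereference. The loop this sits in starts and ends outside the hunk.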
262 @@ -1178,6 +1181,10 @@ arch_get_unmapped_area(struct file *filp
263 merely specific addresses, but regions of memory -- perhaps
264 this feature should be incorporated into all ports? */
265
266 +#ifdef CONFIG_PAX_RANDMMAP
267 + if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))
268 +#endif
269 +
270 if (addr) {
271 addr = arch_get_unmapped_area_1 (PAGE_ALIGN(addr), len, limit);
272 if (addr != (unsigned long) -ENOMEM)
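Review bot: The `#ifdef CONFIG_PAX_RANDMMAP` block adds an `if (...)` with no body of its own, so it silently takes the following `if (addr) { ... }` as its statement, with a blank line in between. This compiles as intended, but any statement later inserted between the `#endif` and `if (addr)` would be the one guarded instead, changing behaviour only in RANDMMAP builds. Folding the condition into a local flag that is cleared under the `#ifdef`, and testing that flag in `if (addr && use_hint)`, keeps the control flow identical in both configurations. The hunk after this one reads `current->mm->mmap_base`, which assumes alpha initialises that field; the code that would do so is not in this section.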
273 @@ -1185,8 +1192,8 @@ arch_get_unmapped_area(struct file *filp
274 }
275
276 /* Next, try allocating at TASK_UNMAPPED_BASE. */
277 - addr = arch_get_unmapped_area_1 (PAGE_ALIGN(TASK_UNMAPPED_BASE),
278 - len, limit);
279 + addr = arch_get_unmapped_area_1 (PAGE_ALIGN(current->mm->mmap_base), len, limit);
280 +
281 if (addr != (unsigned long) -ENOMEM)
282 return addr;
283
284 diff -urNp linux-2.6.39.3/arch/alpha/kernel/pci_iommu.c linux-2.6.39.3/arch/alpha/kernel/pci_iommu.c
285 --- linux-2.6.39.3/arch/alpha/kernel/pci_iommu.c 2011-05-19 00:06:34.000000000 -0400
286 +++ linux-2.6.39.3/arch/alpha/kernel/pci_iommu.c 2011-05-22 19:36:30.000000000 -0400
287 @@ -950,7 +950,7 @@ static int alpha_pci_set_mask(struct dev
288 return 0;
289 }
290
291 -struct dma_map_ops alpha_pci_ops = {
292 +const struct dma_map_ops alpha_pci_ops = {
293 .alloc_coherent = alpha_pci_alloc_coherent,
294 .free_coherent = alpha_pci_free_coherent,
295 .map_page = alpha_pci_map_page,
296 @@ -962,5 +962,5 @@ struct dma_map_ops alpha_pci_ops = {
297 .set_dma_mask = alpha_pci_set_mask,
298 };
299
300 -struct dma_map_ops *dma_ops = &alpha_pci_ops;
301 +const struct dma_map_ops *dma_ops = &alpha_pci_ops;
302 EXPORT_SYMBOL(dma_ops);
303 diff -urNp linux-2.6.39.3/arch/alpha/kernel/pci-noop.c linux-2.6.39.3/arch/alpha/kernel/pci-noop.c
304 --- linux-2.6.39.3/arch/alpha/kernel/pci-noop.c 2011-05-19 00:06:34.000000000 -0400
305 +++ linux-2.6.39.3/arch/alpha/kernel/pci-noop.c 2011-05-22 19:36:30.000000000 -0400
306 @@ -173,7 +173,7 @@ static int alpha_noop_set_mask(struct de
307 return 0;
308 }
309
310 -struct dma_map_ops alpha_noop_ops = {
311 +const struct dma_map_ops alpha_noop_ops = {
312 .alloc_coherent = alpha_noop_alloc_coherent,
313 .free_coherent = alpha_noop_free_coherent,
314 .map_page = alpha_noop_map_page,
315 @@ -183,7 +183,7 @@ struct dma_map_ops alpha_noop_ops = {
316 .set_dma_mask = alpha_noop_set_mask,
317 };
318
319 -struct dma_map_ops *dma_ops = &alpha_noop_ops;
320 +const struct dma_map_ops *dma_ops = &alpha_noop_ops;
321 EXPORT_SYMBOL(dma_ops);
322
323 void __iomem *pci_iomap(struct pci_dev *dev, int bar, unsigned long maxlen)
324 diff -urNp linux-2.6.39.3/arch/alpha/kernel/proto.h linux-2.6.39.3/arch/alpha/kernel/proto.h
325 --- linux-2.6.39.3/arch/alpha/kernel/proto.h 2011-05-19 00:06:34.000000000 -0400
326 +++ linux-2.6.39.3/arch/alpha/kernel/proto.h 2011-05-22 19:36:30.000000000 -0400
327 @@ -17,14 +17,14 @@ struct pci_dev;
328 struct pci_controller;
329
330 /* core_apecs.c */
331 -extern struct pci_ops apecs_pci_ops;
332 +extern const struct pci_ops apecs_pci_ops;
333 extern void apecs_init_arch(void);
334 extern void apecs_pci_clr_err(void);
335 extern void apecs_machine_check(unsigned long vector, unsigned long la_ptr);
336 extern void apecs_pci_tbi(struct pci_controller *, dma_addr_t, dma_addr_t);
337
338 /* core_cia.c */
339 -extern struct pci_ops cia_pci_ops;
340 +extern const struct pci_ops cia_pci_ops;
341 extern void cia_init_pci(void);
342 extern void cia_init_arch(void);
343 extern void pyxis_init_arch(void);
344 @@ -33,19 +33,19 @@ extern void cia_machine_check(unsigned l
345 extern void cia_pci_tbi(struct pci_controller *, dma_addr_t, dma_addr_t);
346
347 /* core_irongate.c */
348 -extern struct pci_ops irongate_pci_ops;
349 +extern const struct pci_ops irongate_pci_ops;
350 extern int irongate_pci_clr_err(void);
351 extern void irongate_init_arch(void);
352 #define irongate_pci_tbi ((void *)0)
353
354 /* core_lca.c */
355 -extern struct pci_ops lca_pci_ops;
356 +extern const struct pci_ops lca_pci_ops;
357 extern void lca_init_arch(void);
358 extern void lca_machine_check(unsigned long vector, unsigned long la_ptr);
359 extern void lca_pci_tbi(struct pci_controller *, dma_addr_t, dma_addr_t);
360
361 /* core_marvel.c */
362 -extern struct pci_ops marvel_pci_ops;
363 +extern const struct pci_ops marvel_pci_ops;
364 extern void marvel_init_arch(void);
365 extern void marvel_kill_arch(int);
366 extern void marvel_machine_check(unsigned long, unsigned long);
367 @@ -60,14 +60,14 @@ struct io7 *marvel_next_io7(struct io7 *
368 void io7_clear_errors(struct io7 *io7);
369
370 /* core_mcpcia.c */
371 -extern struct pci_ops mcpcia_pci_ops;
372 +extern const struct pci_ops mcpcia_pci_ops;
373 extern void mcpcia_init_arch(void);
374 extern void mcpcia_init_hoses(void);
375 extern void mcpcia_machine_check(unsigned long vector, unsigned long la_ptr);
376 extern void mcpcia_pci_tbi(struct pci_controller *, dma_addr_t, dma_addr_t);
377
378 /* core_polaris.c */
379 -extern struct pci_ops polaris_pci_ops;
380 +extern const struct pci_ops polaris_pci_ops;
381 extern int polaris_read_config_dword(struct pci_dev *, int, u32 *);
382 extern int polaris_write_config_dword(struct pci_dev *, int, u32);
383 extern void polaris_init_arch(void);
384 @@ -75,14 +75,14 @@ extern void polaris_machine_check(unsign
385 #define polaris_pci_tbi ((void *)0)
386
387 /* core_t2.c */
388 -extern struct pci_ops t2_pci_ops;
389 +extern const struct pci_ops t2_pci_ops;
390 extern void t2_init_arch(void);
391 extern void t2_kill_arch(int);
392 extern void t2_machine_check(unsigned long vector, unsigned long la_ptr);
393 extern void t2_pci_tbi(struct pci_controller *, dma_addr_t, dma_addr_t);
394
395 /* core_titan.c */
396 -extern struct pci_ops titan_pci_ops;
397 +extern const struct pci_ops titan_pci_ops;
398 extern void titan_init_arch(void);
399 extern void titan_kill_arch(int);
400 extern void titan_machine_check(unsigned long, unsigned long);
401 @@ -90,14 +90,14 @@ extern void titan_pci_tbi(struct pci_con
402 extern struct _alpha_agp_info *titan_agp_info(void);
403
404 /* core_tsunami.c */
405 -extern struct pci_ops tsunami_pci_ops;
406 +extern const struct pci_ops tsunami_pci_ops;
407 extern void tsunami_init_arch(void);
408 extern void tsunami_kill_arch(int);
409 extern void tsunami_machine_check(unsigned long vector, unsigned long la_ptr);
410 extern void tsunami_pci_tbi(struct pci_controller *, dma_addr_t, dma_addr_t);
411
412 /* core_wildfire.c */
413 -extern struct pci_ops wildfire_pci_ops;
414 +extern const struct pci_ops wildfire_pci_ops;
415 extern void wildfire_init_arch(void);
416 extern void wildfire_kill_arch(int);
417 extern void wildfire_machine_check(unsigned long vector, unsigned long la_ptr);
418 diff -urNp linux-2.6.39.3/arch/alpha/mm/fault.c linux-2.6.39.3/arch/alpha/mm/fault.c
419 --- linux-2.6.39.3/arch/alpha/mm/fault.c 2011-05-19 00:06:34.000000000 -0400
420 +++ linux-2.6.39.3/arch/alpha/mm/fault.c 2011-05-22 19:36:30.000000000 -0400
421 @@ -54,6 +54,124 @@ __load_new_mm_context(struct mm_struct *
422 __reload_thread(pcb);
423 }
424
425 +#ifdef CONFIG_PAX_PAGEEXEC
426 +/*
427 + * PaX: decide what to do with offenders (regs->pc = fault address)
428 + *
429 + * returns 1 when task should be killed
430 + * 2 when patched PLT trampoline was detected
431 + * 3 when unpatched PLT trampoline was detected
432 + */
433 +static int pax_handle_fetch_fault(struct pt_regs *regs)
434 +{
435 +
436 +#ifdef CONFIG_PAX_EMUPLT
437 + int err;
438 +
439 + do { /* PaX: patched PLT emulation #1 */
440 + unsigned int ldah, ldq, jmp;
441 +
442 + err = get_user(ldah, (unsigned int *)regs->pc);
443 + err |= get_user(ldq, (unsigned int *)(regs->pc+4));
444 + err |= get_user(jmp, (unsigned int *)(regs->pc+8));
445 +
446 + if (err)
447 + break;
448 +
449 + if ((ldah & 0xFFFF0000U) == 0x277B0000U &&
450 + (ldq & 0xFFFF0000U) == 0xA77B0000U &&
451 + jmp == 0x6BFB0000U)
452 + {
453 + unsigned long r27, addr;
454 + unsigned long addrh = (ldah | 0xFFFFFFFFFFFF0000UL) << 16;
455 + unsigned long addrl = ldq | 0xFFFFFFFFFFFF0000UL;
456 +
457 + addr = regs->r27 + ((addrh ^ 0x80000000UL) + 0x80000000UL) + ((addrl ^ 0x8000UL) + 0x8000UL);
458 + err = get_user(r27, (unsigned long *)addr);
459 + if (err)
460 + break;
461 +
462 + regs->r27 = r27;
463 + regs->pc = r27;
464 + return 2;
465 + }
466 + } while (0);
467 +
468 + do { /* PaX: patched PLT emulation #2 */
469 + unsigned int ldah, lda, br;
470 +
471 + err = get_user(ldah, (unsigned int *)regs->pc);
472 + err |= get_user(lda, (unsigned int *)(regs->pc+4));
473 + err |= get_user(br, (unsigned int *)(regs->pc+8));
474 +
475 + if (err)
476 + break;
477 +
478 + if ((ldah & 0xFFFF0000U) == 0x277B0000U &&
479 + (lda & 0xFFFF0000U) == 0xA77B0000U &&
480 + (br & 0xFFE00000U) == 0xC3E00000U)
481 + {
482 + unsigned long addr = br | 0xFFFFFFFFFFE00000UL;
483 + unsigned long addrh = (ldah | 0xFFFFFFFFFFFF0000UL) << 16;
484 + unsigned long addrl = lda | 0xFFFFFFFFFFFF0000UL;
485 +
486 + regs->r27 += ((addrh ^ 0x80000000UL) + 0x80000000UL) + ((addrl ^ 0x8000UL) + 0x8000UL);
487 + regs->pc += 12 + (((addr ^ 0x00100000UL) + 0x00100000UL) << 2);
488 + return 2;
489 + }
490 + } while (0);
491 +
492 + do { /* PaX: unpatched PLT emulation */
493 + unsigned int br;
494 +
495 + err = get_user(br, (unsigned int *)regs->pc);
496 +
497 + if (!err && (br & 0xFFE00000U) == 0xC3800000U) {
498 + unsigned int br2, ldq, nop, jmp;
499 + unsigned long addr = br | 0xFFFFFFFFFFE00000UL, resolver;
500 +
501 + addr = regs->pc + 4 + (((addr ^ 0x00100000UL) + 0x00100000UL) << 2);
502 + err = get_user(br2, (unsigned int *)addr);
503 + err |= get_user(ldq, (unsigned int *)(addr+4));
504 + err |= get_user(nop, (unsigned int *)(addr+8));
505 + err |= get_user(jmp, (unsigned int *)(addr+12));
506 + err |= get_user(resolver, (unsigned long *)(addr+16));
507 +
508 + if (err)
509 + break;
510 +
511 + if (br2 == 0xC3600000U &&
512 + ldq == 0xA77B000CU &&
513 + nop == 0x47FF041FU &&
514 + jmp == 0x6B7B0000U)
515 + {
516 + regs->r28 = regs->pc+4;
517 + regs->r27 = addr+16;
518 + regs->pc = resolver;
519 + return 3;
520 + }
521 + }
522 + } while (0);
523 +#endif
524 +
525 + return 1;
526 +}
527 +
528 +void pax_report_insns(void *pc, void *sp)
529 +{
530 + unsigned long i;
531 +
532 + printk(KERN_ERR "PAX: bytes at PC: ");
533 + for (i = 0; i < 5; i++) {
534 + unsigned int c;
535 + if (get_user(c, (unsigned int *)pc+i))
536 + printk(KERN_CONT "???????? ");
537 + else
538 + printk(KERN_CONT "%08x ", c);
539 + }
540 + printk("\n");
541 +}
542 +#endif
543
544 /*
545 * This routine handles page faults. It determines the address,
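Review bot: In "patched PLT emulation #2" the second instruction is named `lda` and is emulated as an add into `regs->r27`, yet it is matched with `(lda & 0xFFFF0000U) == 0xA77B0000U`, the same pattern block #1 uses for `ldq`. Either the mask or the name looks wrong and should be checked against the Alpha opcode table, because as written block #2 applies add semantics to what block #1 treats as a load. The instruction patterns would be easier to audit as named constants with the mnemonic in a comment, e.g. `/* ldah $27, hi($27) */` beside `0x277B0000U`. The `get_user` pointer casts also drop the `__user` annotation; `(unsigned int __user *)regs->pc` would keep sparse checking intact.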
546 @@ -131,8 +249,29 @@ do_page_fault(unsigned long address, uns
547 good_area:
548 si_code = SEGV_ACCERR;
549 if (cause < 0) {
550 - if (!(vma->vm_flags & VM_EXEC))
551 + if (!(vma->vm_flags & VM_EXEC)) {
552 +
553 +#ifdef CONFIG_PAX_PAGEEXEC
554 + if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || address != regs->pc)
555 + goto bad_area;
556 +
557 + up_read(&mm->mmap_sem);
558 + switch (pax_handle_fetch_fault(regs)) {
559 +
560 +#ifdef CONFIG_PAX_EMUPLT
561 + case 2:
562 + case 3:
563 + return;
564 +#endif
565 +
566 + }
567 + pax_report_fault(regs, (void *)regs->pc, (void *)rdusp());
568 + do_group_exit(SIGKILL);
569 +#else
570 goto bad_area;
571 +#endif
572 +
573 + }
574 } else if (!cause) {
575 /* Allow reads even for write-only mappings */
576 if (!(vma->vm_flags & (VM_READ | VM_WRITE)))
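Review bot: The `switch (pax_handle_fetch_fault(regs))` contains only `#ifdef CONFIG_PAX_EMUPLT` cases, so without that option it is an empty switch, and the outcomes are the bare numbers `2` and `3` whose meaning is explained only in a comment in the previous hunk. An enum shared with pax_handle_fetch_fault would make the kill-versus-resume decision readable at this call site. `mmap_sem` is dropped before the switch, so the `return` paths are correct only because nothing after `up_read()` touches `vma`. A short comment saying so, such as `/* vma must not be used past this point */`, would protect that invariant.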
577 diff -urNp linux-2.6.39.3/arch/arm/common/it8152.c linux-2.6.39.3/arch/arm/common/it8152.c
578 --- linux-2.6.39.3/arch/arm/common/it8152.c 2011-05-19 00:06:34.000000000 -0400
579 +++ linux-2.6.39.3/arch/arm/common/it8152.c 2011-05-22 19:36:30.000000000 -0400
580 @@ -221,7 +221,7 @@ static int it8152_pci_write_config(struc
581 return PCIBIOS_SUCCESSFUL;
582 }
583
584 -static struct pci_ops it8152_ops = {
585 +static const struct pci_ops it8152_ops = {
586 .read = it8152_pci_read_config,
587 .write = it8152_pci_write_config,
588 };
589 diff -urNp linux-2.6.39.3/arch/arm/common/via82c505.c linux-2.6.39.3/arch/arm/common/via82c505.c
590 --- linux-2.6.39.3/arch/arm/common/via82c505.c 2011-05-19 00:06:34.000000000 -0400
591 +++ linux-2.6.39.3/arch/arm/common/via82c505.c 2011-05-22 19:36:30.000000000 -0400
592 @@ -52,7 +52,7 @@ via82c505_write_config(struct pci_bus *b
593 return PCIBIOS_SUCCESSFUL;
594 }
595
596 -static struct pci_ops via82c505_ops = {
597 +static const struct pci_ops via82c505_ops = {
598 .read = via82c505_read_config,
599 .write = via82c505_write_config,
600 };
601 diff -urNp linux-2.6.39.3/arch/arm/include/asm/cacheflush.h linux-2.6.39.3/arch/arm/include/asm/cacheflush.h
602 --- linux-2.6.39.3/arch/arm/include/asm/cacheflush.h 2011-05-19 00:06:34.000000000 -0400
603 +++ linux-2.6.39.3/arch/arm/include/asm/cacheflush.h 2011-05-22 19:36:30.000000000 -0400
604 @@ -115,7 +115,7 @@ struct cpu_cache_fns {
605 */
606 #ifdef MULTI_CACHE
607
608 -extern struct cpu_cache_fns cpu_cache;
609 +extern const struct cpu_cache_fns cpu_cache;
610
611 #define __cpuc_flush_icache_all cpu_cache.flush_icache_all
612 #define __cpuc_flush_kern_all cpu_cache.flush_kern_all
613 diff -urNp linux-2.6.39.3/arch/arm/include/asm/elf.h linux-2.6.39.3/arch/arm/include/asm/elf.h
614 --- linux-2.6.39.3/arch/arm/include/asm/elf.h 2011-05-19 00:06:34.000000000 -0400
615 +++ linux-2.6.39.3/arch/arm/include/asm/elf.h 2011-05-22 19:36:30.000000000 -0400
616 @@ -115,7 +115,14 @@ int dump_task_regs(struct task_struct *t
617 the loader. We need to make sure that it is out of the way of the program
618 that it will "exec", and that there is sufficient room for the brk. */
619
620 -#define ELF_ET_DYN_BASE (2 * TASK_SIZE / 3)
621 +#define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
622 +
623 +#ifdef CONFIG_PAX_ASLR
624 +#define PAX_ELF_ET_DYN_BASE 0x00008000UL
625 +
626 +#define PAX_DELTA_MMAP_LEN ((current->personality == PER_LINUX_32BIT) ? 16 : 10)
627 +#define PAX_DELTA_STACK_LEN ((current->personality == PER_LINUX_32BIT) ? 16 : 10)
628 +#endif
629
630 /* When the program starts, a1 contains a pointer to a function to be
631 registered with atexit, as per the SVR4 ABI. A value of 0 means we
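Review bot: `PAX_DELTA_MMAP_LEN` and `PAX_DELTA_STACK_LEN` compare `current->personality == PER_LINUX_32BIT` for exact equality, so any task whose personality word carries additional flag bits falls through to the 10-bit case and gets less randomisation. The alpha macros earlier in this patch test a bit instead (`current->personality & ADDR_LIMIT_32BIT`). If the intent here is also "task has a 32-bit address limit", the same bit test would be more robust. The macros also lack a comment stating that the values are numbers of random bits, which a reader has to infer from the `_LEN` suffix.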
632 @@ -125,10 +132,6 @@ int dump_task_regs(struct task_struct *t
633 extern void elf_set_personality(const struct elf32_hdr *);
634 #define SET_PERSONALITY(ex) elf_set_personality(&(ex))
635
636 -struct mm_struct;
637 -extern unsigned long arch_randomize_brk(struct mm_struct *mm);
638 -#define arch_randomize_brk arch_randomize_brk
639 -
640 extern int vectors_user_mapping(void);
641 #define arch_setup_additional_pages(bprm, uses_interp) vectors_user_mapping()
642 #define ARCH_HAS_SETUP_ADDITIONAL_PAGES
643 diff -urNp linux-2.6.39.3/arch/arm/include/asm/kmap_types.h linux-2.6.39.3/arch/arm/include/asm/kmap_types.h
644 --- linux-2.6.39.3/arch/arm/include/asm/kmap_types.h 2011-05-19 00:06:34.000000000 -0400
645 +++ linux-2.6.39.3/arch/arm/include/asm/kmap_types.h 2011-05-22 19:36:30.000000000 -0400
646 @@ -21,6 +21,7 @@ enum km_type {
647 KM_L1_CACHE,
648 KM_L2_CACHE,
649 KM_KDB,
650 + KM_CLEARPAGE,
651 KM_TYPE_NR
652 };
653
654 diff -urNp linux-2.6.39.3/arch/arm/include/asm/outercache.h linux-2.6.39.3/arch/arm/include/asm/outercache.h
655 --- linux-2.6.39.3/arch/arm/include/asm/outercache.h 2011-05-19 00:06:34.000000000 -0400
656 +++ linux-2.6.39.3/arch/arm/include/asm/outercache.h 2011-05-22 19:36:30.000000000 -0400
657 @@ -38,7 +38,7 @@ struct outer_cache_fns {
658
659 #ifdef CONFIG_OUTER_CACHE
660
661 -extern struct outer_cache_fns outer_cache;
662 +extern const struct outer_cache_fns outer_cache;
663
664 static inline void outer_inv_range(phys_addr_t start, phys_addr_t end)
665 {
666 diff -urNp linux-2.6.39.3/arch/arm/include/asm/page.h linux-2.6.39.3/arch/arm/include/asm/page.h
667 --- linux-2.6.39.3/arch/arm/include/asm/page.h 2011-05-19 00:06:34.000000000 -0400
668 +++ linux-2.6.39.3/arch/arm/include/asm/page.h 2011-05-22 19:36:30.000000000 -0400
669 @@ -126,7 +126,7 @@ struct cpu_user_fns {
670 };
671
672 #ifdef MULTI_USER
673 -extern struct cpu_user_fns cpu_user;
674 +extern const struct cpu_user_fns cpu_user;
675
676 #define __cpu_clear_user_highpage cpu_user.cpu_clear_user_highpage
677 #define __cpu_copy_user_highpage cpu_user.cpu_copy_user_highpage
678 diff -urNp linux-2.6.39.3/arch/arm/include/asm/uaccess.h linux-2.6.39.3/arch/arm/include/asm/uaccess.h
679 --- linux-2.6.39.3/arch/arm/include/asm/uaccess.h 2011-05-19 00:06:34.000000000 -0400
680 +++ linux-2.6.39.3/arch/arm/include/asm/uaccess.h 2011-06-29 21:04:12.000000000 -0400
681 @@ -22,6 +22,8 @@
682 #define VERIFY_READ 0
683 #define VERIFY_WRITE 1
684
685 +extern void check_object_size(const void *ptr, unsigned long n, bool to);
686 +
687 /*
688 * The exception table consists of pairs of addresses: the first is the
689 * address of an instruction that is allowed to fault, and the second is
690 @@ -387,8 +389,23 @@ do { \
691
692
693 #ifdef CONFIG_MMU
694 -extern unsigned long __must_check __copy_from_user(void *to, const void __user *from, unsigned long n);
695 -extern unsigned long __must_check __copy_to_user(void __user *to, const void *from, unsigned long n);
696 +extern unsigned long __must_check ___copy_from_user(void *to, const void __user *from, unsigned long n);
697 +extern unsigned long __must_check ___copy_to_user(void __user *to, const void *from, unsigned long n);
698 +
699 +static inline unsigned long __must_check __copy_from_user(void *to, const void __user *from, unsigned long n)
700 +{
701 + if (!__builtin_constant_p(n))
702 + check_object_size(to, n, false);
703 + return ___copy_from_user(to, from, n);
704 +}
705 +
706 +static inline unsigned long __must_check __copy_to_user(void __user *to, const void *from, unsigned long n)
707 +{
708 + if (!__builtin_constant_p(n))
709 + check_object_size(from, n, true);
710 + return ___copy_to_user(to, from, n);
711 +}
712 +
713 extern unsigned long __must_check __copy_to_user_std(void __user *to, const void *from, unsigned long n);
714 extern unsigned long __must_check __clear_user(void __user *addr, unsigned long n);
715 extern unsigned long __must_check __clear_user_std(void __user *addr, unsigned long n);
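Review bot: The new inline `__copy_from_user()` and `__copy_to_user()` skip `check_object_size()` whenever `n` is a compile-time constant, and nothing in the hunk says why. If the reasoning is that constant sizes are validated at build time and only run-time lengths need the object bounds check, state it above the wrappers: `/* constant-size copies are not checked at run time; only variable lengths go through check_object_size() */`. `check_object_size()` is declared unconditionally in the earlier hunk of this file, so a definition or stub must exist in every configuration; that is not visible in this section.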
716 @@ -403,6 +420,9 @@ extern unsigned long __must_check __strn
717
718 static inline unsigned long __must_check copy_from_user(void *to, const void __user *from, unsigned long n)
719 {
720 + if ((long)n < 0)
721 + return n;
722 +
723 if (access_ok(VERIFY_READ, from, n))
724 n = __copy_from_user(to, from, n);
725 else /* security hole - plug it */
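Review bot: The early `if ((long)n < 0) return n;` leaves the destination buffer untouched, unlike the existing failure branch marked "security hole - plug it", so a caller that ignores the return value goes on to use whatever `to` held before. Zeroing is not an option with a bogus length, so this should be documented rather than changed: `/* sign bit set: treat as a negative length and fail without writing to 'to' */`. The same check is added to copy_to_user() in the next hunk and deserves the matching comment. Both functions end outside their hunks.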
726 @@ -412,6 +432,9 @@ static inline unsigned long __must_check
727
728 static inline unsigned long __must_check copy_to_user(void __user *to, const void *from, unsigned long n)
729 {
730 + if ((long)n < 0)
731 + return n;
732 +
733 if (access_ok(VERIFY_WRITE, to, n))
734 n = __copy_to_user(to, from, n);
735 return n;
736 diff -urNp linux-2.6.39.3/arch/arm/kernel/armksyms.c linux-2.6.39.3/arch/arm/kernel/armksyms.c
737 --- linux-2.6.39.3/arch/arm/kernel/armksyms.c 2011-05-19 00:06:34.000000000 -0400
738 +++ linux-2.6.39.3/arch/arm/kernel/armksyms.c 2011-07-06 19:52:45.000000000 -0400
739 @@ -98,8 +98,8 @@ EXPORT_SYMBOL(__strncpy_from_user);
740 #ifdef CONFIG_MMU
741 EXPORT_SYMBOL(copy_page);
742
743 -EXPORT_SYMBOL(__copy_from_user);
744 -EXPORT_SYMBOL(__copy_to_user);
745 +EXPORT_SYMBOL(___copy_from_user);
746 +EXPORT_SYMBOL(___copy_to_user);
747 EXPORT_SYMBOL(__clear_user);
748
749 EXPORT_SYMBOL(__get_user_1);
750 diff -urNp linux-2.6.39.3/arch/arm/kernel/kgdb.c linux-2.6.39.3/arch/arm/kernel/kgdb.c
751 --- linux-2.6.39.3/arch/arm/kernel/kgdb.c 2011-05-19 00:06:34.000000000 -0400
752 +++ linux-2.6.39.3/arch/arm/kernel/kgdb.c 2011-05-22 19:36:30.000000000 -0400
753 @@ -246,7 +246,7 @@ void kgdb_arch_exit(void)
754 * and we handle the normal undef case within the do_undefinstr
755 * handler.
756 */
757 -struct kgdb_arch arch_kgdb_ops = {
758 +const struct kgdb_arch arch_kgdb_ops = {
759 #ifndef __ARMEB__
760 .gdb_bpt_instr = {0xfe, 0xde, 0xff, 0xe7}
761 #else /* ! __ARMEB__ */
762 diff -urNp linux-2.6.39.3/arch/arm/kernel/process.c linux-2.6.39.3/arch/arm/kernel/process.c
763 --- linux-2.6.39.3/arch/arm/kernel/process.c 2011-05-19 00:06:34.000000000 -0400
764 +++ linux-2.6.39.3/arch/arm/kernel/process.c 2011-05-22 19:36:30.000000000 -0400
765 @@ -28,7 +28,6 @@
766 #include <linux/tick.h>
767 #include <linux/utsname.h>
768 #include <linux/uaccess.h>
769 -#include <linux/random.h>
770 #include <linux/hw_breakpoint.h>
771
772 #include <asm/cacheflush.h>
773 @@ -479,12 +478,6 @@ unsigned long get_wchan(struct task_stru
774 return 0;
775 }
776
777 -unsigned long arch_randomize_brk(struct mm_struct *mm)
778 -{
779 - unsigned long range_end = mm->brk + 0x02000000;
780 - return randomize_range(mm->brk, range_end, 0) ? : mm->brk;
781 -}
782 -
783 #ifdef CONFIG_MMU
784 /*
785 * The vectors page is always readable from user space for the
786 diff -urNp linux-2.6.39.3/arch/arm/kernel/traps.c linux-2.6.39.3/arch/arm/kernel/traps.c
787 --- linux-2.6.39.3/arch/arm/kernel/traps.c 2011-05-19 00:06:34.000000000 -0400
788 +++ linux-2.6.39.3/arch/arm/kernel/traps.c 2011-06-13 21:30:34.000000000 -0400
789 @@ -258,6 +258,8 @@ static int __die(const char *str, int er
790
791 static DEFINE_SPINLOCK(die_lock);
792
793 +extern void gr_handle_kernel_exploit(void);
794 +
795 /*
796 * This function is protected against re-entrancy.
797 */
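Review bot: The prototype `extern void gr_handle_kernel_exploit(void);` is declared locally in traps.c instead of coming from a header, so the compiler cannot check it against the definition and a later signature change would go unnoticed here. Moving the declaration into a header that the defining file also includes would make the call added to die() in the next hunk type-checked. A one-line comment at the call site saying what the hook does to the offending task would also help, since its behaviour is not visible from this file.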
798 @@ -285,6 +287,9 @@ void die(const char *str, struct pt_regs
799 panic("Fatal exception in interrupt");
800 if (panic_on_oops)
801 panic("Fatal exception");
802 +
803 + gr_handle_kernel_exploit();
804 +
805 if (ret != NOTIFY_STOP)
806 do_exit(SIGSEGV);
807 }
808 diff -urNp linux-2.6.39.3/arch/arm/lib/copy_from_user.S linux-2.6.39.3/arch/arm/lib/copy_from_user.S
809 --- linux-2.6.39.3/arch/arm/lib/copy_from_user.S 2011-05-19 00:06:34.000000000 -0400
810 +++ linux-2.6.39.3/arch/arm/lib/copy_from_user.S 2011-06-29 20:58:18.000000000 -0400
811 @@ -16,7 +16,7 @@
812 /*
813 * Prototype:
814 *
815 - * size_t __copy_from_user(void *to, const void *from, size_t n)
816 + * size_t ___copy_from_user(void *to, const void *from, size_t n)
817 *
818 * Purpose:
819 *
820 @@ -84,11 +84,11 @@
821
822 .text
823
824 -ENTRY(__copy_from_user)
825 +ENTRY(___copy_from_user)
826
827 #include "copy_template.S"
828
829 -ENDPROC(__copy_from_user)
830 +ENDPROC(___copy_from_user)
831
832 .pushsection .fixup,"ax"
833 .align 0
834 diff -urNp linux-2.6.39.3/arch/arm/lib/copy_to_user.S linux-2.6.39.3/arch/arm/lib/copy_to_user.S
835 --- linux-2.6.39.3/arch/arm/lib/copy_to_user.S 2011-05-19 00:06:34.000000000 -0400
836 +++ linux-2.6.39.3/arch/arm/lib/copy_to_user.S 2011-06-29 20:59:20.000000000 -0400
837 @@ -16,7 +16,7 @@
838 /*
839 * Prototype:
840 *
841 - * size_t __copy_to_user(void *to, const void *from, size_t n)
842 + * size_t ___copy_to_user(void *to, const void *from, size_t n)
843 *
844 * Purpose:
845 *
846 @@ -88,11 +88,11 @@
847 .text
848
849 ENTRY(__copy_to_user_std)
850 -WEAK(__copy_to_user)
851 +WEAK(___copy_to_user)
852
853 #include "copy_template.S"
854
855 -ENDPROC(__copy_to_user)
856 +ENDPROC(___copy_to_user)
857 ENDPROC(__copy_to_user_std)
858
859 .pushsection .fixup,"ax"
860 diff -urNp linux-2.6.39.3/arch/arm/lib/uaccess.S linux-2.6.39.3/arch/arm/lib/uaccess.S
861 --- linux-2.6.39.3/arch/arm/lib/uaccess.S 2011-05-19 00:06:34.000000000 -0400
862 +++ linux-2.6.39.3/arch/arm/lib/uaccess.S 2011-06-29 20:59:01.000000000 -0400
863 @@ -20,7 +20,7 @@
864
865 #define PAGE_SHIFT 12
866
867 -/* Prototype: int __copy_to_user(void *to, const char *from, size_t n)
868 +/* Prototype: int ___copy_to_user(void *to, const char *from, size_t n)
869 * Purpose : copy a block to user memory from kernel memory
870 * Params : to - user memory
871 * : from - kernel memory
872 @@ -40,7 +40,7 @@ USER( T(strgtb) r3, [r0], #1) @ May f
873 sub r2, r2, ip
874 b .Lc2u_dest_aligned
875
876 -ENTRY(__copy_to_user)
877 +ENTRY(___copy_to_user)
878 stmfd sp!, {r2, r4 - r7, lr}
879 cmp r2, #4
880 blt .Lc2u_not_enough
881 @@ -278,14 +278,14 @@ USER( T(strgeb) r3, [r0], #1) @ May f
882 ldrgtb r3, [r1], #0
883 USER( T(strgtb) r3, [r0], #1) @ May fault
884 b .Lc2u_finished
885 -ENDPROC(__copy_to_user)
886 +ENDPROC(___copy_to_user)
887
888 .pushsection .fixup,"ax"
889 .align 0
890 9001: ldmfd sp!, {r0, r4 - r7, pc}
891 .popsection
892
893 -/* Prototype: unsigned long __copy_from_user(void *to,const void *from,unsigned long n);
894 +/* Prototype: unsigned long ___copy_from_user(void *to,const void *from,unsigned long n);
895 * Purpose : copy a block from user memory to kernel memory
896 * Params : to - kernel memory
897 * : from - user memory
898 @@ -304,7 +304,7 @@ USER( T(ldrgtb) r3, [r1], #1) @ May f
899 sub r2, r2, ip
900 b .Lcfu_dest_aligned
901
902 -ENTRY(__copy_from_user)
903 +ENTRY(___copy_from_user)
904 stmfd sp!, {r0, r2, r4 - r7, lr}
905 cmp r2, #4
906 blt .Lcfu_not_enough
907 @@ -544,7 +544,7 @@ USER( T(ldrgeb) r3, [r1], #1) @ May f
908 USER( T(ldrgtb) r3, [r1], #1) @ May fault
909 strgtb r3, [r0], #1
910 b .Lcfu_finished
911 -ENDPROC(__copy_from_user)
912 +ENDPROC(___copy_from_user)
913
914 .pushsection .fixup,"ax"
915 .align 0
916 diff -urNp linux-2.6.39.3/arch/arm/lib/uaccess_with_memcpy.c linux-2.6.39.3/arch/arm/lib/uaccess_with_memcpy.c
917 --- linux-2.6.39.3/arch/arm/lib/uaccess_with_memcpy.c 2011-05-19 00:06:34.000000000 -0400
918 +++ linux-2.6.39.3/arch/arm/lib/uaccess_with_memcpy.c 2011-06-29 20:59:55.000000000 -0400
919 @@ -103,7 +103,7 @@ out:
920 }
921
922 unsigned long
923 -__copy_to_user(void __user *to, const void *from, unsigned long n)
924 +___copy_to_user(void __user *to, const void *from, unsigned long n)
925 {
926 /*
927 * This test is stubbed out of the main function above to keep
928 diff -urNp linux-2.6.39.3/arch/arm/mach-cns3xxx/pcie.c linux-2.6.39.3/arch/arm/mach-cns3xxx/pcie.c
929 --- linux-2.6.39.3/arch/arm/mach-cns3xxx/pcie.c 2011-05-19 00:06:34.000000000 -0400
930 +++ linux-2.6.39.3/arch/arm/mach-cns3xxx/pcie.c 2011-05-22 19:36:30.000000000 -0400
931 @@ -162,7 +162,7 @@ static int cns3xxx_pci_setup(int nr, str
932 return 1;
933 }
934
935 -static struct pci_ops cns3xxx_pcie_ops = {
936 +static const struct pci_ops cns3xxx_pcie_ops = {
937 .read = cns3xxx_pci_read_config,
938 .write = cns3xxx_pci_write_config,
939 };
940 diff -urNp linux-2.6.39.3/arch/arm/mach-dove/pcie.c linux-2.6.39.3/arch/arm/mach-dove/pcie.c
941 --- linux-2.6.39.3/arch/arm/mach-dove/pcie.c 2011-05-19 00:06:34.000000000 -0400
942 +++ linux-2.6.39.3/arch/arm/mach-dove/pcie.c 2011-05-22 19:36:30.000000000 -0400
943 @@ -155,7 +155,7 @@ static int pcie_wr_conf(struct pci_bus *
944 return ret;
945 }
946
947 -static struct pci_ops pcie_ops = {
948 +static const struct pci_ops pcie_ops = {
949 .read = pcie_rd_conf,
950 .write = pcie_wr_conf,
951 };
952 diff -urNp linux-2.6.39.3/arch/arm/mach-footbridge/dc21285.c linux-2.6.39.3/arch/arm/mach-footbridge/dc21285.c
953 --- linux-2.6.39.3/arch/arm/mach-footbridge/dc21285.c 2011-05-19 00:06:34.000000000 -0400
954 +++ linux-2.6.39.3/arch/arm/mach-footbridge/dc21285.c 2011-05-22 19:36:30.000000000 -0400
955 @@ -129,7 +129,7 @@ dc21285_write_config(struct pci_bus *bus
956 return PCIBIOS_SUCCESSFUL;
957 }
958
959 -static struct pci_ops dc21285_ops = {
960 +static const struct pci_ops dc21285_ops = {
961 .read = dc21285_read_config,
962 .write = dc21285_write_config,
963 };
964 diff -urNp linux-2.6.39.3/arch/arm/mach-integrator/pci_v3.c linux-2.6.39.3/arch/arm/mach-integrator/pci_v3.c
965 --- linux-2.6.39.3/arch/arm/mach-integrator/pci_v3.c 2011-05-19 00:06:34.000000000 -0400
966 +++ linux-2.6.39.3/arch/arm/mach-integrator/pci_v3.c 2011-05-22 19:36:30.000000000 -0400
967 @@ -340,7 +340,7 @@ static int v3_write_config(struct pci_bu
968 return PCIBIOS_SUCCESSFUL;
969 }
970
971 -static struct pci_ops pci_v3_ops = {
972 +static const struct pci_ops pci_v3_ops = {
973 .read = v3_read_config,
974 .write = v3_write_config,
975 };
976 diff -urNp linux-2.6.39.3/arch/arm/mach-iop13xx/pci.c linux-2.6.39.3/arch/arm/mach-iop13xx/pci.c
977 --- linux-2.6.39.3/arch/arm/mach-iop13xx/pci.c 2011-05-19 00:06:34.000000000 -0400
978 +++ linux-2.6.39.3/arch/arm/mach-iop13xx/pci.c 2011-05-22 19:36:30.000000000 -0400
979 @@ -324,7 +324,7 @@ iop13xx_atux_write_config(struct pci_bus
980 return PCIBIOS_SUCCESSFUL;
981 }
982
983 -static struct pci_ops iop13xx_atux_ops = {
984 +static const struct pci_ops iop13xx_atux_ops = {
985 .read = iop13xx_atux_read_config,
986 .write = iop13xx_atux_write_config,
987 };
988 @@ -471,7 +471,7 @@ iop13xx_atue_write_config(struct pci_bus
989 return PCIBIOS_SUCCESSFUL;
990 }
991
992 -static struct pci_ops iop13xx_atue_ops = {
993 +static const struct pci_ops iop13xx_atue_ops = {
994 .read = iop13xx_atue_read_config,
995 .write = iop13xx_atue_write_config,
996 };
997 diff -urNp linux-2.6.39.3/arch/arm/mach-ixp2000/enp2611.c linux-2.6.39.3/arch/arm/mach-ixp2000/enp2611.c
998 --- linux-2.6.39.3/arch/arm/mach-ixp2000/enp2611.c 2011-05-19 00:06:34.000000000 -0400
999 +++ linux-2.6.39.3/arch/arm/mach-ixp2000/enp2611.c 2011-05-22 19:36:30.000000000 -0400
1000 @@ -137,7 +137,7 @@ static int enp2611_pci_write_config(stru
1001 return PCIBIOS_DEVICE_NOT_FOUND;
1002 }
1003
1004 -static struct pci_ops enp2611_pci_ops = {
1005 +static const struct pci_ops enp2611_pci_ops = {
1006 .read = enp2611_pci_read_config,
1007 .write = enp2611_pci_write_config
1008 };
1009 diff -urNp linux-2.6.39.3/arch/arm/mach-ixp2000/pci.c linux-2.6.39.3/arch/arm/mach-ixp2000/pci.c
1010 --- linux-2.6.39.3/arch/arm/mach-ixp2000/pci.c 2011-05-19 00:06:34.000000000 -0400
1011 +++ linux-2.6.39.3/arch/arm/mach-ixp2000/pci.c 2011-05-22 19:36:30.000000000 -0400
1012 @@ -125,7 +125,7 @@ int ixp2000_pci_write_config(struct pci_
1013 }
1014
1015
1016 -static struct pci_ops ixp2000_pci_ops = {
1017 +static const struct pci_ops ixp2000_pci_ops = {
1018 .read = ixp2000_pci_read_config,
1019 .write = ixp2000_pci_write_config
1020 };
1021 diff -urNp linux-2.6.39.3/arch/arm/mach-ixp23xx/pci.c linux-2.6.39.3/arch/arm/mach-ixp23xx/pci.c
1022 --- linux-2.6.39.3/arch/arm/mach-ixp23xx/pci.c 2011-05-19 00:06:34.000000000 -0400
1023 +++ linux-2.6.39.3/arch/arm/mach-ixp23xx/pci.c 2011-05-22 19:36:30.000000000 -0400
1024 @@ -136,7 +136,7 @@ static int ixp23xx_pci_write_config(stru
1025 return PCIBIOS_SUCCESSFUL;
1026 }
1027
1028 -struct pci_ops ixp23xx_pci_ops = {
1029 +const struct pci_ops ixp23xx_pci_ops = {
1030 .read = ixp23xx_pci_read_config,
1031 .write = ixp23xx_pci_write_config,
1032 };
1033 diff -urNp linux-2.6.39.3/arch/arm/mach-ixp4xx/common-pci.c linux-2.6.39.3/arch/arm/mach-ixp4xx/common-pci.c
1034 --- linux-2.6.39.3/arch/arm/mach-ixp4xx/common-pci.c 2011-05-19 00:06:34.000000000 -0400
1035 +++ linux-2.6.39.3/arch/arm/mach-ixp4xx/common-pci.c 2011-05-22 19:36:30.000000000 -0400
1036 @@ -283,7 +283,7 @@ static int ixp4xx_pci_write_config(struc
1037 return PCIBIOS_SUCCESSFUL;
1038 }
1039
1040 -struct pci_ops ixp4xx_ops = {
1041 +const struct pci_ops ixp4xx_ops = {
1042 .read = ixp4xx_pci_read_config,
1043 .write = ixp4xx_pci_write_config,
1044 };
1045 diff -urNp linux-2.6.39.3/arch/arm/mach-kirkwood/pcie.c linux-2.6.39.3/arch/arm/mach-kirkwood/pcie.c
1046 --- linux-2.6.39.3/arch/arm/mach-kirkwood/pcie.c 2011-05-19 00:06:34.000000000 -0400
1047 +++ linux-2.6.39.3/arch/arm/mach-kirkwood/pcie.c 2011-05-22 19:36:30.000000000 -0400
1048 @@ -111,7 +111,7 @@ static int pcie_wr_conf(struct pci_bus *
1049 return ret;
1050 }
1051
1052 -static struct pci_ops pcie_ops = {
1053 +static const struct pci_ops pcie_ops = {
1054 .read = pcie_rd_conf,
1055 .write = pcie_wr_conf,
1056 };
1057 diff -urNp linux-2.6.39.3/arch/arm/mach-ks8695/pci.c linux-2.6.39.3/arch/arm/mach-ks8695/pci.c
1058 --- linux-2.6.39.3/arch/arm/mach-ks8695/pci.c 2011-05-19 00:06:34.000000000 -0400
1059 +++ linux-2.6.39.3/arch/arm/mach-ks8695/pci.c 2011-05-22 19:36:30.000000000 -0400
1060 @@ -136,7 +136,7 @@ static void ks8695_local_writeconfig(int
1061 __raw_writel(value, KS8695_PCI_VA + KS8695_PBCD);
1062 }
1063
1064 -static struct pci_ops ks8695_pci_ops = {
1065 +static const struct pci_ops ks8695_pci_ops = {
1066 .read = ks8695_pci_readconfig,
1067 .write = ks8695_pci_writeconfig,
1068 };
1069 diff -urNp linux-2.6.39.3/arch/arm/mach-mmp/clock.c linux-2.6.39.3/arch/arm/mach-mmp/clock.c
1070 --- linux-2.6.39.3/arch/arm/mach-mmp/clock.c 2011-05-19 00:06:34.000000000 -0400
1071 +++ linux-2.6.39.3/arch/arm/mach-mmp/clock.c 2011-05-22 19:36:30.000000000 -0400
1072 @@ -29,7 +29,7 @@ static void apbc_clk_disable(struct clk
1073 __raw_writel(0, clk->clk_rst);
1074 }
1075
1076 -struct clkops apbc_clk_ops = {
1077 +const struct clkops apbc_clk_ops = {
1078 .enable = apbc_clk_enable,
1079 .disable = apbc_clk_disable,
1080 };
1081 @@ -44,7 +44,7 @@ static void apmu_clk_disable(struct clk
1082 __raw_writel(0, clk->clk_rst);
1083 }
1084
1085 -struct clkops apmu_clk_ops = {
1086 +const struct clkops apmu_clk_ops = {
1087 .enable = apmu_clk_enable,
1088 .disable = apmu_clk_disable,
1089 };
1090 diff -urNp linux-2.6.39.3/arch/arm/mach-msm/iommu.c linux-2.6.39.3/arch/arm/mach-msm/iommu.c
1091 --- linux-2.6.39.3/arch/arm/mach-msm/iommu.c 2011-05-19 00:06:34.000000000 -0400
1092 +++ linux-2.6.39.3/arch/arm/mach-msm/iommu.c 2011-05-22 19:36:30.000000000 -0400
1093 @@ -669,7 +669,7 @@ fail:
1094 return 0;
1095 }
1096
1097 -static struct iommu_ops msm_iommu_ops = {
1098 +static const struct iommu_ops msm_iommu_ops = {
1099 .domain_init = msm_iommu_domain_init,
1100 .domain_destroy = msm_iommu_domain_destroy,
1101 .attach_dev = msm_iommu_attach_dev,
1102 diff -urNp linux-2.6.39.3/arch/arm/mach-msm/last_radio_log.c linux-2.6.39.3/arch/arm/mach-msm/last_radio_log.c
1103 --- linux-2.6.39.3/arch/arm/mach-msm/last_radio_log.c 2011-05-19 00:06:34.000000000 -0400
1104 +++ linux-2.6.39.3/arch/arm/mach-msm/last_radio_log.c 2011-05-22 19:36:30.000000000 -0400
1105 @@ -48,6 +48,7 @@ static ssize_t last_radio_log_read(struc
1106 }
1107
1108 static struct file_operations last_radio_log_fops = {
1109 + /* cannot be const, see msm_init_last_radio_log */
1110 .read = last_radio_log_read,
1111 .llseek = default_llseek,
1112 };
1113 diff -urNp linux-2.6.39.3/arch/arm/mach-mv78xx0/pcie.c linux-2.6.39.3/arch/arm/mach-mv78xx0/pcie.c
1114 --- linux-2.6.39.3/arch/arm/mach-mv78xx0/pcie.c 2011-05-19 00:06:34.000000000 -0400
1115 +++ linux-2.6.39.3/arch/arm/mach-mv78xx0/pcie.c 2011-05-22 19:36:30.000000000 -0400
1116 @@ -222,7 +222,7 @@ static int pcie_wr_conf(struct pci_bus *
1117 return ret;
1118 }
1119
1120 -static struct pci_ops pcie_ops = {
1121 +static const struct pci_ops pcie_ops = {
1122 .read = pcie_rd_conf,
1123 .write = pcie_wr_conf,
1124 };
1125 diff -urNp linux-2.6.39.3/arch/arm/mach-orion5x/pci.c linux-2.6.39.3/arch/arm/mach-orion5x/pci.c
1126 --- linux-2.6.39.3/arch/arm/mach-orion5x/pci.c 2011-05-19 00:06:34.000000000 -0400
1127 +++ linux-2.6.39.3/arch/arm/mach-orion5x/pci.c 2011-05-22 19:36:30.000000000 -0400
1128 @@ -130,7 +130,7 @@ static int pcie_wr_conf(struct pci_bus *
1129 return ret;
1130 }
1131
1132 -static struct pci_ops pcie_ops = {
1133 +static const struct pci_ops pcie_ops = {
1134 .read = pcie_rd_conf,
1135 .write = pcie_wr_conf,
1136 };
1137 @@ -368,7 +368,7 @@ static int orion5x_pci_wr_conf(struct pc
1138 PCI_FUNC(devfn), where, size, val);
1139 }
1140
1141 -static struct pci_ops pci_ops = {
1142 +static const struct pci_ops pci_ops = {
1143 .read = orion5x_pci_rd_conf,
1144 .write = orion5x_pci_wr_conf,
1145 };
1146 diff -urNp linux-2.6.39.3/arch/arm/mach-sa1100/pci-nanoengine.c linux-2.6.39.3/arch/arm/mach-sa1100/pci-nanoengine.c
1147 --- linux-2.6.39.3/arch/arm/mach-sa1100/pci-nanoengine.c 2011-05-19 00:06:34.000000000 -0400
1148 +++ linux-2.6.39.3/arch/arm/mach-sa1100/pci-nanoengine.c 2011-05-22 19:36:30.000000000 -0400
1149 @@ -117,7 +117,7 @@ static int nanoengine_write_config(struc
1150 return PCIBIOS_SUCCESSFUL;
1151 }
1152
1153 -static struct pci_ops pci_nano_ops = {
1154 +static const struct pci_ops pci_nano_ops = {
1155 .read = nanoengine_read_config,
1156 .write = nanoengine_write_config,
1157 };
1158 diff -urNp linux-2.6.39.3/arch/arm/mach-tegra/pcie.c linux-2.6.39.3/arch/arm/mach-tegra/pcie.c
1159 --- linux-2.6.39.3/arch/arm/mach-tegra/pcie.c 2011-05-19 00:06:34.000000000 -0400
1160 +++ linux-2.6.39.3/arch/arm/mach-tegra/pcie.c 2011-05-22 19:36:30.000000000 -0400
1161 @@ -336,7 +336,7 @@ static int tegra_pcie_write_conf(struct
1162 return PCIBIOS_SUCCESSFUL;
1163 }
1164
1165 -static struct pci_ops tegra_pcie_ops = {
1166 +static const struct pci_ops tegra_pcie_ops = {
1167 .read = tegra_pcie_read_conf,
1168 .write = tegra_pcie_write_conf,
1169 };
1170 diff -urNp linux-2.6.39.3/arch/arm/mach-ux500/mbox-db5500.c linux-2.6.39.3/arch/arm/mach-ux500/mbox-db5500.c
1171 --- linux-2.6.39.3/arch/arm/mach-ux500/mbox-db5500.c 2011-05-19 00:06:34.000000000 -0400
1172 +++ linux-2.6.39.3/arch/arm/mach-ux500/mbox-db5500.c 2011-05-22 19:41:32.000000000 -0400
1173 @@ -168,7 +168,7 @@ static ssize_t mbox_read_fifo(struct dev
1174 return sprintf(buf, "0x%X\n", mbox_value);
1175 }
1176
1177 -static DEVICE_ATTR(fifo, S_IWUGO | S_IRUGO, mbox_read_fifo, mbox_write_fifo);
1178 +static DEVICE_ATTR(fifo, S_IWUSR | S_IRUGO, mbox_read_fifo, mbox_write_fifo);
1179
1180 static int mbox_show(struct seq_file *s, void *data)
1181 {
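Review bot: The `fifo` attribute stays world-readable after this change: `S_IWUSR | S_IRUGO` removes write access for group and others, but any user can still trigger `mbox_read_fifo`, which formats `mbox_value` into the sysfs buffer. Whether the mailbox contents are sensitive cannot be determined from this hunk; if unprivileged reads are not needed, `S_IWUSR | S_IRUSR` would be the tighter mode. A short comment next to the `DEVICE_ATTR` stating why read access is left open would settle the question for the next reader.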
1182 diff -urNp linux-2.6.39.3/arch/arm/mach-versatile/pci.c linux-2.6.39.3/arch/arm/mach-versatile/pci.c
1183 --- linux-2.6.39.3/arch/arm/mach-versatile/pci.c 2011-05-19 00:06:34.000000000 -0400
1184 +++ linux-2.6.39.3/arch/arm/mach-versatile/pci.c 2011-05-22 19:36:30.000000000 -0400
1185 @@ -165,7 +165,7 @@ static int versatile_write_config(struct
1186 return PCIBIOS_SUCCESSFUL;
1187 }
1188
1189 -static struct pci_ops pci_versatile_ops = {
1190 +static const struct pci_ops pci_versatile_ops = {
1191 .read = versatile_read_config,
1192 .write = versatile_write_config,
1193 };
1194 diff -urNp linux-2.6.39.3/arch/arm/mm/fault.c linux-2.6.39.3/arch/arm/mm/fault.c
1195 --- linux-2.6.39.3/arch/arm/mm/fault.c 2011-05-19 00:06:34.000000000 -0400
1196 +++ linux-2.6.39.3/arch/arm/mm/fault.c 2011-05-22 19:36:30.000000000 -0400
1197 @@ -182,6 +182,13 @@ __do_user_fault(struct task_struct *tsk,
1198 }
1199 #endif
1200
1201 +#ifdef CONFIG_PAX_PAGEEXEC
1202 + if (fsr & FSR_LNX_PF) {
1203 + pax_report_fault(regs, (void *)regs->ARM_pc, (void *)regs->ARM_sp);
1204 + do_group_exit(SIGKILL);
1205 + }
1206 +#endif
1207 +
1208 tsk->thread.address = addr;
1209 tsk->thread.error_code = fsr;
1210 tsk->thread.trap_no = 14;
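Review bot: The new CONFIG_PAX_PAGEEXEC block in __do_user_fault kills the thread group on any fault with `FSR_LNX_PF` set without testing the task's PaX flags, whereas the avr32 fault handler later in this patch guards the same action with `if (mm->pax_flags & MF_PAX_PAGEEXEC)`. If the per-task flag is meant to be honoured on ARM as well, the condition would read `if ((fsr & FSR_LNX_PF) && (tsk->mm->pax_flags & MF_PAX_PAGEEXEC)) {`, assuming `tsk->mm` is the faulting task's mm at this point. If the difference is intentional, a comment saying so belongs above the block. The function starts and ends outside the hunk.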
1211 @@ -379,6 +386,33 @@ do_page_fault(unsigned long addr, unsign
1212 }
1213 #endif /* CONFIG_MMU */
1214
1215 +#ifdef CONFIG_PAX_PAGEEXEC
1216 +void pax_report_insns(void *pc, void *sp)
1217 +{
1218 + long i;
1219 +
1220 + printk(KERN_ERR "PAX: bytes at PC: ");
1221 + for (i = 0; i < 20; i++) {
1222 + unsigned char c;
1223 + if (get_user(c, (__force unsigned char __user *)pc+i))
1224 + printk(KERN_CONT "?? ");
1225 + else
1226 + printk(KERN_CONT "%02x ", c);
1227 + }
1228 + printk("\n");
1229 +
1230 + printk(KERN_ERR "PAX: bytes at SP-4: ");
1231 + for (i = -1; i < 20; i++) {
1232 + unsigned long c;
1233 + if (get_user(c, (__force unsigned long __user *)sp+i))
1234 + printk(KERN_CONT "???????? ");
1235 + else
1236 + printk(KERN_CONT "%08lx ", c);
1237 + }
1238 + printk("\n");
1239 +}
1240 +#endif
1241 +
1242 /*
1243 * First Level Translation Fault Handler
1244 *
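Review bot: The two line-terminating calls in the ARM pax_report_insns use a bare `printk("\n")` while every other continuation in the function is tagged `KERN_CONT`; for consistency they should be `printk(KERN_CONT "\n");`. The function also has no header comment, and the loop bounds are bare literals. Something like `/* log 20 bytes at the faulting PC and 21 words starting one word below SP */` above the definition would state what the two loops print.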
1245 diff -urNp linux-2.6.39.3/arch/arm/mm/mmap.c linux-2.6.39.3/arch/arm/mm/mmap.c
1246 --- linux-2.6.39.3/arch/arm/mm/mmap.c 2011-05-19 00:06:34.000000000 -0400
1247 +++ linux-2.6.39.3/arch/arm/mm/mmap.c 2011-05-22 19:36:30.000000000 -0400
1248 @@ -65,6 +65,10 @@ arch_get_unmapped_area(struct file *filp
1249 if (len > TASK_SIZE)
1250 return -ENOMEM;
1251
1252 +#ifdef CONFIG_PAX_RANDMMAP
1253 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
1254 +#endif
1255 +
1256 if (addr) {
1257 if (do_align)
1258 addr = COLOUR_ALIGN(addr, pgoff);
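Review bot: The `if (!(mm->pax_flags & MF_PAX_RANDMMAP))` added under `#ifdef CONFIG_PAX_RANDMMAP` has no body of its own: it takes the following `if (addr) {` block as its statement, and the blank line inserted after `#endif` makes that easy to miss. A later edit that puts a statement between the two would silently change what the guard controls. I would drop the blank line and add `/* with RANDMMAP enabled for this mm the caller's address hint is ignored: the guard skips the whole if (addr) block */` above the `#ifdef`. arch_get_unmapped_area starts and ends outside the hunk.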
1259 @@ -72,15 +76,14 @@ arch_get_unmapped_area(struct file *filp
1260 addr = PAGE_ALIGN(addr);
1261
1262 vma = find_vma(mm, addr);
1263 - if (TASK_SIZE - len >= addr &&
1264 - (!vma || addr + len <= vma->vm_start))
1265 + if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
1266 return addr;
1267 }
1268 if (len > mm->cached_hole_size) {
1269 - start_addr = addr = mm->free_area_cache;
1270 + start_addr = addr = mm->free_area_cache;
1271 } else {
1272 - start_addr = addr = TASK_UNMAPPED_BASE;
1273 - mm->cached_hole_size = 0;
1274 + start_addr = addr = mm->mmap_base;
1275 + mm->cached_hole_size = 0;
1276 }
1277 /* 8 bits of randomness in 20 address space bits */
1278 if ((current->flags & PF_RANDOMIZE) &&
1279 @@ -100,14 +103,14 @@ full_search:
1280 * Start a new search - just in case we missed
1281 * some holes.
1282 */
1283 - if (start_addr != TASK_UNMAPPED_BASE) {
1284 - start_addr = addr = TASK_UNMAPPED_BASE;
1285 + if (start_addr != mm->mmap_base) {
1286 + start_addr = addr = mm->mmap_base;
1287 mm->cached_hole_size = 0;
1288 goto full_search;
1289 }
1290 return -ENOMEM;
1291 }
1292 - if (!vma || addr + len <= vma->vm_start) {
1293 + if (check_heap_stack_gap(vma, addr, len)) {
1294 /*
1295 * Remember the place where we stopped the search:
1296 */
1297 diff -urNp linux-2.6.39.3/arch/arm/plat-iop/pci.c linux-2.6.39.3/arch/arm/plat-iop/pci.c
1298 --- linux-2.6.39.3/arch/arm/plat-iop/pci.c 2011-05-19 00:06:34.000000000 -0400
1299 +++ linux-2.6.39.3/arch/arm/plat-iop/pci.c 2011-05-22 19:36:30.000000000 -0400
1300 @@ -161,7 +161,7 @@ iop3xx_write_config(struct pci_bus *bus,
1301 return PCIBIOS_SUCCESSFUL;
1302 }
1303
1304 -static struct pci_ops iop3xx_ops = {
1305 +static const struct pci_ops iop3xx_ops = {
1306 .read = iop3xx_read_config,
1307 .write = iop3xx_write_config,
1308 };
1309 diff -urNp linux-2.6.39.3/arch/avr32/include/asm/elf.h linux-2.6.39.3/arch/avr32/include/asm/elf.h
1310 --- linux-2.6.39.3/arch/avr32/include/asm/elf.h 2011-05-19 00:06:34.000000000 -0400
1311 +++ linux-2.6.39.3/arch/avr32/include/asm/elf.h 2011-05-22 19:36:30.000000000 -0400
1312 @@ -84,8 +84,14 @@ typedef struct user_fpu_struct elf_fpreg
1313 the loader. We need to make sure that it is out of the way of the program
1314 that it will "exec", and that there is sufficient room for the brk. */
1315
1316 -#define ELF_ET_DYN_BASE (2 * TASK_SIZE / 3)
1317 +#define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
1318
1319 +#ifdef CONFIG_PAX_ASLR
1320 +#define PAX_ELF_ET_DYN_BASE 0x00001000UL
1321 +
1322 +#define PAX_DELTA_MMAP_LEN 15
1323 +#define PAX_DELTA_STACK_LEN 15
1324 +#endif
1325
1326 /* This yields a mask that user programs can use to figure out what
1327 instruction set this CPU supports. This could be done in user space,
1328 diff -urNp linux-2.6.39.3/arch/avr32/include/asm/kmap_types.h linux-2.6.39.3/arch/avr32/include/asm/kmap_types.h
1329 --- linux-2.6.39.3/arch/avr32/include/asm/kmap_types.h 2011-05-19 00:06:34.000000000 -0400
1330 +++ linux-2.6.39.3/arch/avr32/include/asm/kmap_types.h 2011-05-22 19:36:30.000000000 -0400
1331 @@ -22,7 +22,8 @@ D(10) KM_IRQ0,
1332 D(11) KM_IRQ1,
1333 D(12) KM_SOFTIRQ0,
1334 D(13) KM_SOFTIRQ1,
1335 -D(14) KM_TYPE_NR
1336 +D(14) KM_CLEARPAGE,
1337 +D(15) KM_TYPE_NR
1338 };
1339
1340 #undef D
1341 diff -urNp linux-2.6.39.3/arch/avr32/mm/fault.c linux-2.6.39.3/arch/avr32/mm/fault.c
1342 --- linux-2.6.39.3/arch/avr32/mm/fault.c 2011-05-19 00:06:34.000000000 -0400
1343 +++ linux-2.6.39.3/arch/avr32/mm/fault.c 2011-05-22 19:36:30.000000000 -0400
1344 @@ -41,6 +41,23 @@ static inline int notify_page_fault(stru
1345
1346 int exception_trace = 1;
1347
1348 +#ifdef CONFIG_PAX_PAGEEXEC
1349 +void pax_report_insns(void *pc, void *sp)
1350 +{
1351 + unsigned long i;
1352 +
1353 + printk(KERN_ERR "PAX: bytes at PC: ");
1354 + for (i = 0; i < 20; i++) {
1355 + unsigned char c;
1356 + if (get_user(c, (unsigned char *)pc+i))
1357 + printk(KERN_CONT "???????? ");
1358 + else
1359 + printk(KERN_CONT "%02x ", c);
1360 + }
1361 + printk("\n");
1362 +}
1363 +#endif
1364 +
1365 /*
1366 * This routine handles page faults. It determines the address and the
1367 * problem, and then passes it off to one of the appropriate routines.
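Review bot: In the avr32 pax_report_insns the failure branch prints `"???????? "` for a single unreadable byte while the success branch prints `"%02x "`, so a failed read takes nine columns instead of three and the dump no longer lines up; the ARM version of this function in the same patch uses `"?? "`. The cast `(unsigned char *)pc+i` also lacks the `__force ... __user` annotation that the ARM version passes to get_user(), which sparse would presumably flag. I would change the two lines to `if (get_user(c, (__force unsigned char __user *)pc+i))` and `printk(KERN_CONT "?? ");`.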
1368 @@ -156,6 +173,16 @@ bad_area:
1369 up_read(&mm->mmap_sem);
1370
1371 if (user_mode(regs)) {
1372 +
1373 +#ifdef CONFIG_PAX_PAGEEXEC
1374 + if (mm->pax_flags & MF_PAX_PAGEEXEC) {
1375 + if (ecr == ECR_PROTECTION_X || ecr == ECR_TLB_MISS_X) {
1376 + pax_report_fault(regs, (void *)regs->pc, (void *)regs->sp);
1377 + do_group_exit(SIGKILL);
1378 + }
1379 + }
1380 +#endif
1381 +
1382 if (exception_trace && printk_ratelimit())
1383 printk("%s%s[%d]: segfault at %08lx pc %08lx "
1384 "sp %08lx ecr %lu\n",
1385 diff -urNp linux-2.6.39.3/arch/blackfin/kernel/kgdb.c linux-2.6.39.3/arch/blackfin/kernel/kgdb.c
1386 --- linux-2.6.39.3/arch/blackfin/kernel/kgdb.c 2011-05-19 00:06:34.000000000 -0400
1387 +++ linux-2.6.39.3/arch/blackfin/kernel/kgdb.c 2011-05-22 19:36:30.000000000 -0400
1388 @@ -420,7 +420,7 @@ int kgdb_arch_handle_exception(int vecto
1389 return -1; /* this means that we do not want to exit from the handler */
1390 }
1391
1392 -struct kgdb_arch arch_kgdb_ops = {
1393 +const struct kgdb_arch arch_kgdb_ops = {
1394 .gdb_bpt_instr = {0xa1},
1395 .flags = KGDB_HW_BREAKPOINT,
1396 .set_hw_breakpoint = bfin_set_hw_break,
1397 diff -urNp linux-2.6.39.3/arch/blackfin/mm/maccess.c linux-2.6.39.3/arch/blackfin/mm/maccess.c
1398 --- linux-2.6.39.3/arch/blackfin/mm/maccess.c 2011-05-19 00:06:34.000000000 -0400
1399 +++ linux-2.6.39.3/arch/blackfin/mm/maccess.c 2011-05-22 19:36:30.000000000 -0400
1400 @@ -16,7 +16,7 @@ static int validate_memory_access_addres
1401 return bfin_mem_access_type(addr, size);
1402 }
1403
1404 -long probe_kernel_read(void *dst, void *src, size_t size)
1405 +long probe_kernel_read(void *dst, const void *src, size_t size)
1406 {
1407 unsigned long lsrc = (unsigned long)src;
1408 int mem_type;
1409 @@ -55,7 +55,7 @@ long probe_kernel_read(void *dst, void *
1410 return -EFAULT;
1411 }
1412
1413 -long probe_kernel_write(void *dst, void *src, size_t size)
1414 +long probe_kernel_write(void *dst, const void *src, size_t size)
1415 {
1416 unsigned long ldst = (unsigned long)dst;
1417 int mem_type;
1418 diff -urNp linux-2.6.39.3/arch/frv/include/asm/kmap_types.h linux-2.6.39.3/arch/frv/include/asm/kmap_types.h
1419 --- linux-2.6.39.3/arch/frv/include/asm/kmap_types.h 2011-05-19 00:06:34.000000000 -0400
1420 +++ linux-2.6.39.3/arch/frv/include/asm/kmap_types.h 2011-05-22 19:36:30.000000000 -0400
1421 @@ -23,6 +23,7 @@ enum km_type {
1422 KM_IRQ1,
1423 KM_SOFTIRQ0,
1424 KM_SOFTIRQ1,
1425 + KM_CLEARPAGE,
1426 KM_TYPE_NR
1427 };
1428
1429 diff -urNp linux-2.6.39.3/arch/frv/mb93090-mb00/pci-frv.h linux-2.6.39.3/arch/frv/mb93090-mb00/pci-frv.h
1430 --- linux-2.6.39.3/arch/frv/mb93090-mb00/pci-frv.h 2011-05-19 00:06:34.000000000 -0400
1431 +++ linux-2.6.39.3/arch/frv/mb93090-mb00/pci-frv.h 2011-05-22 19:36:30.000000000 -0400
1432 @@ -34,7 +34,7 @@ void pcibios_resource_survey(void);
1433
1434 extern int __nongpreldata pcibios_last_bus;
1435 extern struct pci_bus *__nongpreldata pci_root_bus;
1436 -extern struct pci_ops *__nongpreldata pci_root_ops;
1437 +extern const struct pci_ops *__nongpreldata pci_root_ops;
1438
1439 /* pci-irq.c */
1440 extern unsigned int pcibios_irq_mask;
1441 diff -urNp linux-2.6.39.3/arch/frv/mb93090-mb00/pci-vdk.c linux-2.6.39.3/arch/frv/mb93090-mb00/pci-vdk.c
1442 --- linux-2.6.39.3/arch/frv/mb93090-mb00/pci-vdk.c 2011-05-19 00:06:34.000000000 -0400
1443 +++ linux-2.6.39.3/arch/frv/mb93090-mb00/pci-vdk.c 2011-05-22 19:36:30.000000000 -0400
1444 @@ -27,7 +27,7 @@ unsigned int __nongpreldata pci_probe =
1445
1446 int __nongpreldata pcibios_last_bus = -1;
1447 struct pci_bus *__nongpreldata pci_root_bus;
1448 -struct pci_ops *__nongpreldata pci_root_ops;
1449 +const struct pci_ops *__nongpreldata pci_root_ops;
1450
1451 /*
1452 * The accessible PCI window does not cover the entire CPU address space, but
1453 @@ -169,7 +169,7 @@ static int pci_frv_write_config(struct p
1454 return PCIBIOS_SUCCESSFUL;
1455 }
1456
1457 -static struct pci_ops pci_direct_frv = {
1458 +static const struct pci_ops pci_direct_frv = {
1459 pci_frv_read_config,
1460 pci_frv_write_config,
1461 };
1462 @@ -356,7 +356,7 @@ void __init pcibios_fixup_bus(struct pci
1463
1464 int __init pcibios_init(void)
1465 {
1466 - struct pci_ops *dir = NULL;
1467 + const struct pci_ops *dir = NULL;
1468
1469 if (!mb93090_mb00_detected)
1470 return -ENXIO;
1471 diff -urNp linux-2.6.39.3/arch/frv/mm/elf-fdpic.c linux-2.6.39.3/arch/frv/mm/elf-fdpic.c
1472 --- linux-2.6.39.3/arch/frv/mm/elf-fdpic.c 2011-05-19 00:06:34.000000000 -0400
1473 +++ linux-2.6.39.3/arch/frv/mm/elf-fdpic.c 2011-05-22 19:36:30.000000000 -0400
1474 @@ -73,8 +73,7 @@ unsigned long arch_get_unmapped_area(str
1475 if (addr) {
1476 addr = PAGE_ALIGN(addr);
1477 vma = find_vma(current->mm, addr);
1478 - if (TASK_SIZE - len >= addr &&
1479 - (!vma || addr + len <= vma->vm_start))
1480 + if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
1481 goto success;
1482 }
1483
1484 @@ -89,7 +88,7 @@ unsigned long arch_get_unmapped_area(str
1485 for (; vma; vma = vma->vm_next) {
1486 if (addr > limit)
1487 break;
1488 - if (addr + len <= vma->vm_start)
1489 + if (check_heap_stack_gap(vma, addr, len))
1490 goto success;
1491 addr = vma->vm_end;
1492 }
1493 @@ -104,7 +103,7 @@ unsigned long arch_get_unmapped_area(str
1494 for (; vma; vma = vma->vm_next) {
1495 if (addr > limit)
1496 break;
1497 - if (addr + len <= vma->vm_start)
1498 + if (check_heap_stack_gap(vma, addr, len))
1499 goto success;
1500 addr = vma->vm_end;
1501 }
1502 diff -urNp linux-2.6.39.3/arch/ia64/hp/common/hwsw_iommu.c linux-2.6.39.3/arch/ia64/hp/common/hwsw_iommu.c
1503 --- linux-2.6.39.3/arch/ia64/hp/common/hwsw_iommu.c 2011-05-19 00:06:34.000000000 -0400
1504 +++ linux-2.6.39.3/arch/ia64/hp/common/hwsw_iommu.c 2011-05-22 19:36:30.000000000 -0400
1505 @@ -17,7 +17,7 @@
1506 #include <linux/swiotlb.h>
1507 #include <asm/machvec.h>
1508
1509 -extern struct dma_map_ops sba_dma_ops, swiotlb_dma_ops;
1510 +extern const struct dma_map_ops sba_dma_ops, swiotlb_dma_ops;
1511
1512 /* swiotlb declarations & definitions: */
1513 extern int swiotlb_late_init_with_default_size (size_t size);
1514 @@ -33,7 +33,7 @@ static inline int use_swiotlb(struct dev
1515 !sba_dma_ops.dma_supported(dev, *dev->dma_mask);
1516 }
1517
1518 -struct dma_map_ops *hwsw_dma_get_ops(struct device *dev)
1519 +const struct dma_map_ops *hwsw_dma_get_ops(struct device *dev)
1520 {
1521 if (use_swiotlb(dev))
1522 return &swiotlb_dma_ops;
1523 diff -urNp linux-2.6.39.3/arch/ia64/hp/common/sba_iommu.c linux-2.6.39.3/arch/ia64/hp/common/sba_iommu.c
1524 --- linux-2.6.39.3/arch/ia64/hp/common/sba_iommu.c 2011-05-19 00:06:34.000000000 -0400
1525 +++ linux-2.6.39.3/arch/ia64/hp/common/sba_iommu.c 2011-05-22 19:36:30.000000000 -0400
1526 @@ -2097,7 +2097,7 @@ static struct acpi_driver acpi_sba_ioc_d
1527 },
1528 };
1529
1530 -extern struct dma_map_ops swiotlb_dma_ops;
1531 +extern const struct dma_map_ops swiotlb_dma_ops;
1532
1533 static int __init
1534 sba_init(void)
1535 @@ -2211,7 +2211,7 @@ sba_page_override(char *str)
1536
1537 __setup("sbapagesize=",sba_page_override);
1538
1539 -struct dma_map_ops sba_dma_ops = {
1540 +const struct dma_map_ops sba_dma_ops = {
1541 .alloc_coherent = sba_alloc_coherent,
1542 .free_coherent = sba_free_coherent,
1543 .map_page = sba_map_page,
1544 diff -urNp linux-2.6.39.3/arch/ia64/include/asm/dma-mapping.h linux-2.6.39.3/arch/ia64/include/asm/dma-mapping.h
1545 --- linux-2.6.39.3/arch/ia64/include/asm/dma-mapping.h 2011-05-19 00:06:34.000000000 -0400
1546 +++ linux-2.6.39.3/arch/ia64/include/asm/dma-mapping.h 2011-05-22 19:36:30.000000000 -0400
1547 @@ -14,7 +14,7 @@
1548
1549 #define DMA_ERROR_CODE 0
1550
1551 -extern struct dma_map_ops *dma_ops;
1552 +extern const struct dma_map_ops *dma_ops;
1553 extern struct ia64_machine_vector ia64_mv;
1554 extern void set_iommu_machvec(void);
1555
1556 @@ -26,7 +26,7 @@ extern void machvec_dma_sync_sg(struct d
1557 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
1558 dma_addr_t *daddr, gfp_t gfp)
1559 {
1560 - struct dma_map_ops *ops = platform_dma_get_ops(dev);
1561 + const struct dma_map_ops *ops = platform_dma_get_ops(dev);
1562 void *caddr;
1563
1564 caddr = ops->alloc_coherent(dev, size, daddr, gfp);
1565 @@ -37,7 +37,7 @@ static inline void *dma_alloc_coherent(s
1566 static inline void dma_free_coherent(struct device *dev, size_t size,
1567 void *caddr, dma_addr_t daddr)
1568 {
1569 - struct dma_map_ops *ops = platform_dma_get_ops(dev);
1570 + const struct dma_map_ops *ops = platform_dma_get_ops(dev);
1571 debug_dma_free_coherent(dev, size, caddr, daddr);
1572 ops->free_coherent(dev, size, caddr, daddr);
1573 }
1574 @@ -51,13 +51,13 @@ static inline void dma_free_coherent(str
1575
1576 static inline int dma_mapping_error(struct device *dev, dma_addr_t daddr)
1577 {
1578 - struct dma_map_ops *ops = platform_dma_get_ops(dev);
1579 + const struct dma_map_ops *ops = platform_dma_get_ops(dev);
1580 return ops->mapping_error(dev, daddr);
1581 }
1582
1583 static inline int dma_supported(struct device *dev, u64 mask)
1584 {
1585 - struct dma_map_ops *ops = platform_dma_get_ops(dev);
1586 + const struct dma_map_ops *ops = platform_dma_get_ops(dev);
1587 return ops->dma_supported(dev, mask);
1588 }
1589
1590 diff -urNp linux-2.6.39.3/arch/ia64/include/asm/elf.h linux-2.6.39.3/arch/ia64/include/asm/elf.h
1591 --- linux-2.6.39.3/arch/ia64/include/asm/elf.h 2011-05-19 00:06:34.000000000 -0400
1592 +++ linux-2.6.39.3/arch/ia64/include/asm/elf.h 2011-05-22 19:36:30.000000000 -0400
1593 @@ -42,6 +42,13 @@
1594 */
1595 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x800000000UL)
1596
1597 +#ifdef CONFIG_PAX_ASLR
1598 +#define PAX_ELF_ET_DYN_BASE (current->personality == PER_LINUX32 ? 0x08048000UL : 0x4000000000000000UL)
1599 +
1600 +#define PAX_DELTA_MMAP_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
1601 +#define PAX_DELTA_STACK_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
1602 +#endif
1603 +
1604 #define PT_IA_64_UNWIND 0x70000001
1605
1606 /* IA-64 relocations: */
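Review bot: The three added macros test `current->personality == PER_LINUX32` with exact equality, so a 32-bit task whose personality word also carries flag bits would take the 64-bit arm and get the 64-bit base and delta lengths. If flag bits can be set alongside PER_LINUX32 on this architecture (not visible in this hunk), masking first, as in `personality(current->personality) == PER_LINUX32`, would be safer. A one-line comment stating what unit the `_LEN` values are in and how `3*PAGE_SHIFT - 13` was derived would also help the next reader.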
1607 diff -urNp linux-2.6.39.3/arch/ia64/include/asm/machvec.h linux-2.6.39.3/arch/ia64/include/asm/machvec.h
1608 --- linux-2.6.39.3/arch/ia64/include/asm/machvec.h 2011-05-19 00:06:34.000000000 -0400
1609 +++ linux-2.6.39.3/arch/ia64/include/asm/machvec.h 2011-05-22 19:36:30.000000000 -0400
1610 @@ -45,7 +45,7 @@ typedef void ia64_mv_kernel_launch_event
1611 /* DMA-mapping interface: */
1612 typedef void ia64_mv_dma_init (void);
1613 typedef u64 ia64_mv_dma_get_required_mask (struct device *);
1614 -typedef struct dma_map_ops *ia64_mv_dma_get_ops(struct device *);
1615 +typedef const struct dma_map_ops *ia64_mv_dma_get_ops(struct device *);
1616
1617 /*
1618 * WARNING: The legacy I/O space is _architected_. Platforms are
1619 @@ -251,7 +251,7 @@ extern void machvec_init_from_cmdline(co
1620 # endif /* CONFIG_IA64_GENERIC */
1621
1622 extern void swiotlb_dma_init(void);
1623 -extern struct dma_map_ops *dma_get_ops(struct device *);
1624 +extern const struct dma_map_ops *dma_get_ops(struct device *);
1625
1626 /*
1627 * Define default versions so we can extend machvec for new platforms without having
1628 diff -urNp linux-2.6.39.3/arch/ia64/include/asm/pgtable.h linux-2.6.39.3/arch/ia64/include/asm/pgtable.h
1629 --- linux-2.6.39.3/arch/ia64/include/asm/pgtable.h 2011-05-19 00:06:34.000000000 -0400
1630 +++ linux-2.6.39.3/arch/ia64/include/asm/pgtable.h 2011-05-22 19:36:30.000000000 -0400
1631 @@ -12,7 +12,7 @@
1632 * David Mosberger-Tang <davidm@hpl.hp.com>
1633 */
1634
1635 -
1636 +#include <linux/const.h>
1637 #include <asm/mman.h>
1638 #include <asm/page.h>
1639 #include <asm/processor.h>
1640 @@ -143,6 +143,17 @@
1641 #define PAGE_READONLY __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
1642 #define PAGE_COPY __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
1643 #define PAGE_COPY_EXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_RX)
1644 +
1645 +#ifdef CONFIG_PAX_PAGEEXEC
1646 +# define PAGE_SHARED_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_RW)
1647 +# define PAGE_READONLY_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
1648 +# define PAGE_COPY_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
1649 +#else
1650 +# define PAGE_SHARED_NOEXEC PAGE_SHARED
1651 +# define PAGE_READONLY_NOEXEC PAGE_READONLY
1652 +# define PAGE_COPY_NOEXEC PAGE_COPY
1653 +#endif
1654 +
1655 #define PAGE_GATE __pgprot(__ACCESS_BITS | _PAGE_PL_0 | _PAGE_AR_X_RX)
1656 #define PAGE_KERNEL __pgprot(__DIRTY_BITS | _PAGE_PL_0 | _PAGE_AR_RWX)
1657 #define PAGE_KERNELRX __pgprot(__ACCESS_BITS | _PAGE_PL_0 | _PAGE_AR_RX)
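Review bot: In the CONFIG_PAX_PAGEEXEC branch, `PAGE_READONLY_NOEXEC` and `PAGE_COPY_NOEXEC` are spelled out with exactly the bits that `PAGE_READONLY` and `PAGE_COPY` have a few lines above, so for those two the `#ifdef` and `#else` branches expand to the same value. If that is intentional because these access rights already exclude execute, a short comment such as `/* _PAGE_AR_R and _PAGE_AR_RW grant no execute right, so the NOEXEC variants equal the plain ones */` would keep a reader from looking for a missing bit. `PAGE_SHARED` is defined outside the hunk, so the same cannot be confirmed for `PAGE_SHARED_NOEXEC` from here.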
1658 diff -urNp linux-2.6.39.3/arch/ia64/include/asm/spinlock.h linux-2.6.39.3/arch/ia64/include/asm/spinlock.h
1659 --- linux-2.6.39.3/arch/ia64/include/asm/spinlock.h 2011-05-19 00:06:34.000000000 -0400
1660 +++ linux-2.6.39.3/arch/ia64/include/asm/spinlock.h 2011-05-22 19:36:30.000000000 -0400
1661 @@ -72,7 +72,7 @@ static __always_inline void __ticket_spi
1662 unsigned short *p = (unsigned short *)&lock->lock + 1, tmp;
1663
1664 asm volatile ("ld2.bias %0=[%1]" : "=r"(tmp) : "r"(p));
1665 - ACCESS_ONCE(*p) = (tmp + 2) & ~1;
1666 + ACCESS_ONCE_RW(*p) = (tmp + 2) & ~1;
1667 }
1668
1669 static __always_inline void __ticket_spin_unlock_wait(arch_spinlock_t *lock)
1670 diff -urNp linux-2.6.39.3/arch/ia64/include/asm/uaccess.h linux-2.6.39.3/arch/ia64/include/asm/uaccess.h
1671 --- linux-2.6.39.3/arch/ia64/include/asm/uaccess.h 2011-05-19 00:06:34.000000000 -0400
1672 +++ linux-2.6.39.3/arch/ia64/include/asm/uaccess.h 2011-05-22 19:36:30.000000000 -0400
1673 @@ -257,7 +257,7 @@ __copy_from_user (void *to, const void _
1674 const void *__cu_from = (from); \
1675 long __cu_len = (n); \
1676 \
1677 - if (__access_ok(__cu_to, __cu_len, get_fs())) \
1678 + if (__cu_len > 0 && __cu_len <= INT_MAX && __access_ok(__cu_to, __cu_len, get_fs())) \
1679 __cu_len = __copy_user(__cu_to, (__force void __user *) __cu_from, __cu_len); \
1680 __cu_len; \
1681 })
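Review bot: When the new `__cu_len > 0 && __cu_len <= INT_MAX` guard rejects a length, the macro evaluates to the unmodified `__cu_len`, so a negative `n` comes back as a negative `long` rather than as a count of bytes left uncopied; the same applies to the `__cu_from` variant in the next hunk. Callers that only test the result for non-zero are fine, but one that subtracts it from the requested size would miscount, so the contract deserves a comment above each macro, for example `/* lengths <= 0 or > INT_MAX are refused without touching either buffer; the original length is returned */`. Both macro bodies start outside their hunks.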
1682 @@ -269,7 +269,7 @@ __copy_from_user (void *to, const void _
1683 long __cu_len = (n); \
1684 \
1685 __chk_user_ptr(__cu_from); \
1686 - if (__access_ok(__cu_from, __cu_len, get_fs())) \
1687 + if (__cu_len > 0 && __cu_len <= INT_MAX && __access_ok(__cu_from, __cu_len, get_fs())) \
1688 __cu_len = __copy_user((__force void __user *) __cu_to, __cu_from, __cu_len); \
1689 __cu_len; \
1690 })
1691 diff -urNp linux-2.6.39.3/arch/ia64/kernel/dma-mapping.c linux-2.6.39.3/arch/ia64/kernel/dma-mapping.c
1692 --- linux-2.6.39.3/arch/ia64/kernel/dma-mapping.c 2011-05-19 00:06:34.000000000 -0400
1693 +++ linux-2.6.39.3/arch/ia64/kernel/dma-mapping.c 2011-05-22 19:36:30.000000000 -0400
1694 @@ -3,7 +3,7 @@
1695 /* Set this to 1 if there is a HW IOMMU in the system */
1696 int iommu_detected __read_mostly;
1697
1698 -struct dma_map_ops *dma_ops;
1699 +const struct dma_map_ops *dma_ops;
1700 EXPORT_SYMBOL(dma_ops);
1701
1702 #define PREALLOC_DMA_DEBUG_ENTRIES (1 << 16)
1703 @@ -16,7 +16,7 @@ static int __init dma_init(void)
1704 }
1705 fs_initcall(dma_init);
1706
1707 -struct dma_map_ops *dma_get_ops(struct device *dev)
1708 +const struct dma_map_ops *dma_get_ops(struct device *dev)
1709 {
1710 return dma_ops;
1711 }
1712 diff -urNp linux-2.6.39.3/arch/ia64/kernel/module.c linux-2.6.39.3/arch/ia64/kernel/module.c
1713 --- linux-2.6.39.3/arch/ia64/kernel/module.c 2011-05-19 00:06:34.000000000 -0400
1714 +++ linux-2.6.39.3/arch/ia64/kernel/module.c 2011-05-22 19:36:30.000000000 -0400
1715 @@ -315,8 +315,7 @@ module_alloc (unsigned long size)
1716 void
1717 module_free (struct module *mod, void *module_region)
1718 {
1719 - if (mod && mod->arch.init_unw_table &&
1720 - module_region == mod->module_init) {
1721 + if (mod && mod->arch.init_unw_table && module_region == mod->module_init_rx) {
1722 unw_remove_unwind_table(mod->arch.init_unw_table);
1723 mod->arch.init_unw_table = NULL;
1724 }
1725 @@ -502,15 +501,39 @@ module_frob_arch_sections (Elf_Ehdr *ehd
1726 }
1727
1728 static inline int
1729 +in_init_rx (const struct module *mod, uint64_t addr)
1730 +{
1731 + return addr - (uint64_t) mod->module_init_rx < mod->init_size_rx;
1732 +}
1733 +
1734 +static inline int
1735 +in_init_rw (const struct module *mod, uint64_t addr)
1736 +{
1737 + return addr - (uint64_t) mod->module_init_rw < mod->init_size_rw;
1738 +}
1739 +
1740 +static inline int
1741 in_init (const struct module *mod, uint64_t addr)
1742 {
1743 - return addr - (uint64_t) mod->module_init < mod->init_size;
1744 + return in_init_rx(mod, addr) || in_init_rw(mod, addr);
1745 +}
1746 +
1747 +static inline int
1748 +in_core_rx (const struct module *mod, uint64_t addr)
1749 +{
1750 + return addr - (uint64_t) mod->module_core_rx < mod->core_size_rx;
1751 +}
1752 +
1753 +static inline int
1754 +in_core_rw (const struct module *mod, uint64_t addr)
1755 +{
1756 + return addr - (uint64_t) mod->module_core_rw < mod->core_size_rw;
1757 }
1758
1759 static inline int
1760 in_core (const struct module *mod, uint64_t addr)
1761 {
1762 - return addr - (uint64_t) mod->module_core < mod->core_size;
1763 + return in_core_rx(mod, addr) || in_core_rw(mod, addr);
1764 }
1765
1766 static inline int
1767 @@ -693,7 +716,14 @@ do_reloc (struct module *mod, uint8_t r_
1768 break;
1769
1770 case RV_BDREL:
1771 - val -= (uint64_t) (in_init(mod, val) ? mod->module_init : mod->module_core);
1772 + if (in_init_rx(mod, val))
1773 + val -= (uint64_t) mod->module_init_rx;
1774 + else if (in_init_rw(mod, val))
1775 + val -= (uint64_t) mod->module_init_rw;
1776 + else if (in_core_rx(mod, val))
1777 + val -= (uint64_t) mod->module_core_rx;
1778 + else if (in_core_rw(mod, val))
1779 + val -= (uint64_t) mod->module_core_rw;
1780 break;
1781
1782 case RV_LTV:
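Review bot: The new `if`/`else if` chain for `RV_BDREL` has no final `else`, so a `val` that lies in none of the four regions is now passed on unchanged, whereas the removed line always subtracted a base (falling back to `mod->module_core`). If that case is impossible it should be stated in a comment, and if it is not, it should fail loudly instead of applying the relocation against an unadjusted address; a closing `else { printk(KERN_ERR "%s: BDREL target outside module\n", mod->name); return -ENOEXEC; }` would do, assuming do_reloc's error convention allows it. do_reloc begins and ends outside the hunk, so that convention is not visible here.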
1783 @@ -828,15 +858,15 @@ apply_relocate_add (Elf64_Shdr *sechdrs,
1784 * addresses have been selected...
1785 */
1786 uint64_t gp;
1787 - if (mod->core_size > MAX_LTOFF)
1788 + if (mod->core_size_rx + mod->core_size_rw > MAX_LTOFF)
1789 /*
1790 * This takes advantage of fact that SHF_ARCH_SMALL gets allocated
1791 * at the end of the module.
1792 */
1793 - gp = mod->core_size - MAX_LTOFF / 2;
1794 + gp = mod->core_size_rx + mod->core_size_rw - MAX_LTOFF / 2;
1795 else
1796 - gp = mod->core_size / 2;
1797 - gp = (uint64_t) mod->module_core + ((gp + 7) & -8);
1798 + gp = (mod->core_size_rx + mod->core_size_rw) / 2;
1799 + gp = (uint64_t) mod->module_core_rx + ((gp + 7) & -8);
1800 mod->arch.gp = gp;
1801 DEBUGP("%s: placing gp at 0x%lx\n", __func__, gp);
1802 }
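Review bot: The `gp` calculation now sums `core_size_rx` and `core_size_rw` but still offsets from `mod->module_core_rx` alone, which is only correct if the rw region sits directly after the rx region in memory. Nothing in this hunk shows that the two regions are allocated contiguously; if they are separate allocations, `gp` can land outside both, and the existing comment about SHF_ARCH_SMALL being allocated "at the end of the module" no longer describes the layout. Either document the contiguity assumption next to the calculation or base `gp` on the region that actually holds the small-data sections. The enclosing function continues outside the hunk.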
1803 diff -urNp linux-2.6.39.3/arch/ia64/kernel/pci-dma.c linux-2.6.39.3/arch/ia64/kernel/pci-dma.c
1804 --- linux-2.6.39.3/arch/ia64/kernel/pci-dma.c 2011-05-19 00:06:34.000000000 -0400
1805 +++ linux-2.6.39.3/arch/ia64/kernel/pci-dma.c 2011-05-22 19:36:30.000000000 -0400
1806 @@ -43,7 +43,7 @@ struct device fallback_dev = {
1807 .dma_mask = &fallback_dev.coherent_dma_mask,
1808 };
1809
1810 -extern struct dma_map_ops intel_dma_ops;
1811 +extern const struct dma_map_ops intel_dma_ops;
1812
1813 static int __init pci_iommu_init(void)
1814 {
1815 diff -urNp linux-2.6.39.3/arch/ia64/kernel/pci-swiotlb.c linux-2.6.39.3/arch/ia64/kernel/pci-swiotlb.c
1816 --- linux-2.6.39.3/arch/ia64/kernel/pci-swiotlb.c 2011-05-19 00:06:34.000000000 -0400
1817 +++ linux-2.6.39.3/arch/ia64/kernel/pci-swiotlb.c 2011-05-22 19:36:30.000000000 -0400
1818 @@ -22,7 +22,7 @@ static void *ia64_swiotlb_alloc_coherent
1819 return swiotlb_alloc_coherent(dev, size, dma_handle, gfp);
1820 }
1821
1822 -struct dma_map_ops swiotlb_dma_ops = {
1823 +const struct dma_map_ops swiotlb_dma_ops = {
1824 .alloc_coherent = ia64_swiotlb_alloc_coherent,
1825 .free_coherent = swiotlb_free_coherent,
1826 .map_page = swiotlb_map_page,
1827 diff -urNp linux-2.6.39.3/arch/ia64/kernel/sys_ia64.c linux-2.6.39.3/arch/ia64/kernel/sys_ia64.c
1828 --- linux-2.6.39.3/arch/ia64/kernel/sys_ia64.c 2011-05-19 00:06:34.000000000 -0400
1829 +++ linux-2.6.39.3/arch/ia64/kernel/sys_ia64.c 2011-05-22 19:36:30.000000000 -0400
1830 @@ -43,6 +43,13 @@ arch_get_unmapped_area (struct file *fil
1831 if (REGION_NUMBER(addr) == RGN_HPAGE)
1832 addr = 0;
1833 #endif
1834 +
1835 +#ifdef CONFIG_PAX_RANDMMAP
1836 + if (mm->pax_flags & MF_PAX_RANDMMAP)
1837 + addr = mm->free_area_cache;
1838 + else
1839 +#endif
1840 +
1841 if (!addr)
1842 addr = mm->free_area_cache;
1843
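Review bot: The added `else` sits immediately before `#endif` and is separated by a blank line from the `if (!addr)` it governs, so the control flow depends on which preprocessor branch is active and is easy to break with a later edit. With CONFIG_PAX_RANDMMAP enabled and the flag set, the incoming `addr` hint is also overwritten without a comment saying so. A single condition reads more safely, for example a local `randmmap` that is 0 when the option is off followed by `if (randmmap || !addr) addr = mm->free_area_cache;`, with a comment that hints are ignored under RANDMMAP. arch_get_unmapped_area starts and ends outside the hunk.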
1844 @@ -61,14 +68,14 @@ arch_get_unmapped_area (struct file *fil
1845 for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
1846 /* At this point: (!vma || addr < vma->vm_end). */
1847 if (TASK_SIZE - len < addr || RGN_MAP_LIMIT - len < REGION_OFFSET(addr)) {
1848 - if (start_addr != TASK_UNMAPPED_BASE) {
1849 + if (start_addr != mm->mmap_base) {
1850 /* Start a new search --- just in case we missed some holes. */
1851 - addr = TASK_UNMAPPED_BASE;
1852 + addr = mm->mmap_base;
1853 goto full_search;
1854 }
1855 return -ENOMEM;
1856 }
1857 - if (!vma || addr + len <= vma->vm_start) {
1858 + if (check_heap_stack_gap(vma, addr, len)) {
1859 /* Remember the address where we stopped this search: */
1860 mm->free_area_cache = addr + len;
1861 return addr;
1862 diff -urNp linux-2.6.39.3/arch/ia64/kernel/vmlinux.lds.S linux-2.6.39.3/arch/ia64/kernel/vmlinux.lds.S
1863 --- linux-2.6.39.3/arch/ia64/kernel/vmlinux.lds.S 2011-05-19 00:06:34.000000000 -0400
1864 +++ linux-2.6.39.3/arch/ia64/kernel/vmlinux.lds.S 2011-05-22 19:36:30.000000000 -0400
1865 @@ -199,7 +199,7 @@ SECTIONS {
1866 /* Per-cpu data: */
1867 . = ALIGN(PERCPU_PAGE_SIZE);
1868 PERCPU_VADDR(SMP_CACHE_BYTES, PERCPU_ADDR, :percpu)
1869 - __phys_per_cpu_start = __per_cpu_load;
1870 + __phys_per_cpu_start = per_cpu_load;
1871 /*
1872 * ensure percpu data fits
1873 * into percpu page size
1874 diff -urNp linux-2.6.39.3/arch/ia64/mm/fault.c linux-2.6.39.3/arch/ia64/mm/fault.c
1875 --- linux-2.6.39.3/arch/ia64/mm/fault.c 2011-05-19 00:06:34.000000000 -0400
1876 +++ linux-2.6.39.3/arch/ia64/mm/fault.c 2011-05-22 19:36:30.000000000 -0400
1877 @@ -72,6 +72,23 @@ mapped_kernel_page_is_present (unsigned
1878 return pte_present(pte);
1879 }
1880
1881 +#ifdef CONFIG_PAX_PAGEEXEC
1882 +void pax_report_insns(void *pc, void *sp)
1883 +{
1884 + unsigned long i;
1885 +
1886 + printk(KERN_ERR "PAX: bytes at PC: ");
1887 + for (i = 0; i < 8; i++) {
1888 + unsigned int c;
1889 + if (get_user(c, (unsigned int *)pc+i))
1890 + printk(KERN_CONT "???????? ");
1891 + else
1892 + printk(KERN_CONT "%08x ", c);
1893 + }
1894 + printk("\n");
1895 +}
1896 +#endif
1897 +
1898 void __kprobes
1899 ia64_do_page_fault (unsigned long address, unsigned long isr, struct pt_regs *regs)
1900 {
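Review bot: `pax_report_insns` reads user memory through `(unsigned int *)pc+i`, a plain pointer cast, so sparse will flag the `get_user` call and the user-space nature of `pc` is invisible to readers; `(unsigned int __user *)pc + i` states it. The closing `printk("\n")` also lacks the `KERN_CONT` that the other continuation calls use, and the `sp` parameter is never used in the body. A one-line comment saying the function dumps eight 32-bit words starting at `pc`, printing `????????` for unreadable ones, would complete it.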
1901 @@ -145,9 +162,23 @@ ia64_do_page_fault (unsigned long addres
1902 mask = ( (((isr >> IA64_ISR_X_BIT) & 1UL) << VM_EXEC_BIT)
1903 | (((isr >> IA64_ISR_W_BIT) & 1UL) << VM_WRITE_BIT));
1904
1905 - if ((vma->vm_flags & mask) != mask)
1906 + if ((vma->vm_flags & mask) != mask) {
1907 +
1908 +#ifdef CONFIG_PAX_PAGEEXEC
1909 + if (!(vma->vm_flags & VM_EXEC) && (mask & VM_EXEC)) {
1910 + if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || address != regs->cr_iip)
1911 + goto bad_area;
1912 +
1913 + up_read(&mm->mmap_sem);
1914 + pax_report_fault(regs, (void *)regs->cr_iip, (void *)regs->r12);
1915 + do_group_exit(SIGKILL);
1916 + }
1917 +#endif
1918 +
1919 goto bad_area;
1920
1921 + }
1922 +
1923 /*
1924 * If for any reason at all we couldn't handle the fault, make
1925 * sure we exit gracefully rather than endlessly redo the
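Review bot: Inside the new PAGEEXEC block, `up_read(&mm->mmap_sem)` is followed by `do_group_exit(SIGKILL)` and the code then falls out of the `if` to `goto bad_area`; that is only safe because `do_group_exit` does not return, which the code does not say. If it ever did return, `bad_area` would run with the semaphore already released (assuming that label releases it, which is outside the hunk). A comment such as `/* do_group_exit() does not return */` after the call makes the intent explicit. ia64_do_page_fault begins and ends outside the hunk.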
1926 diff -urNp linux-2.6.39.3/arch/ia64/mm/hugetlbpage.c linux-2.6.39.3/arch/ia64/mm/hugetlbpage.c
1927 --- linux-2.6.39.3/arch/ia64/mm/hugetlbpage.c 2011-05-19 00:06:34.000000000 -0400
1928 +++ linux-2.6.39.3/arch/ia64/mm/hugetlbpage.c 2011-05-22 19:36:30.000000000 -0400
1929 @@ -171,7 +171,7 @@ unsigned long hugetlb_get_unmapped_area(
1930 /* At this point: (!vmm || addr < vmm->vm_end). */
1931 if (REGION_OFFSET(addr) + len > RGN_MAP_LIMIT)
1932 return -ENOMEM;
1933 - if (!vmm || (addr + len) <= vmm->vm_start)
1934 + if (check_heap_stack_gap(vmm, addr, len))
1935 return addr;
1936 addr = ALIGN(vmm->vm_end, HPAGE_SIZE);
1937 }
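Review bot: The following line, `addr = ALIGN(vmm->vm_end, HPAGE_SIZE);`, dereferences `vmm` and was previously protected by the explicit `!vmm` test that this change removes. It is now safe only if `check_heap_stack_gap` returns true whenever its first argument is NULL; that helper is defined outside this hunk, so the contract cannot be confirmed here. Either add a comment at the call, e.g. `/* check_heap_stack_gap() treats a NULL vma as a free gap */`, or keep the NULL test visible as `if (!vmm || check_heap_stack_gap(vmm, addr, len))`. The same replacement is made in the arch_get_unmapped_area hunk of arch/ia64/kernel/sys_ia64.c.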
1938 diff -urNp linux-2.6.39.3/arch/ia64/mm/init.c linux-2.6.39.3/arch/ia64/mm/init.c
1939 --- linux-2.6.39.3/arch/ia64/mm/init.c 2011-05-19 00:06:34.000000000 -0400
1940 +++ linux-2.6.39.3/arch/ia64/mm/init.c 2011-05-22 19:36:30.000000000 -0400
1941 @@ -122,6 +122,19 @@ ia64_init_addr_space (void)
1942 vma->vm_start = current->thread.rbs_bot & PAGE_MASK;
1943 vma->vm_end = vma->vm_start + PAGE_SIZE;
1944 vma->vm_flags = VM_DATA_DEFAULT_FLAGS|VM_GROWSUP|VM_ACCOUNT;
1945 +
1946 +#ifdef CONFIG_PAX_PAGEEXEC
1947 + if (current->mm->pax_flags & MF_PAX_PAGEEXEC) {
1948 + vma->vm_flags &= ~VM_EXEC;
1949 +
1950 +#ifdef CONFIG_PAX_MPROTECT
1951 + if (current->mm->pax_flags & MF_PAX_MPROTECT)
1952 + vma->vm_flags &= ~VM_MAYEXEC;
1953 +#endif
1954 +
1955 + }
1956 +#endif
1957 +
1958 vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
1959 down_write(&current->mm->mmap_sem);
1960 if (insert_vm_struct(current->mm, vma)) {
1961 diff -urNp linux-2.6.39.3/arch/ia64/pci/pci.c linux-2.6.39.3/arch/ia64/pci/pci.c
1962 --- linux-2.6.39.3/arch/ia64/pci/pci.c 2011-05-19 00:06:34.000000000 -0400
1963 +++ linux-2.6.39.3/arch/ia64/pci/pci.c 2011-05-22 19:36:30.000000000 -0400
1964 @@ -109,7 +109,7 @@ static int pci_write(struct pci_bus *bus
1965 devfn, where, size, value);
1966 }
1967
1968 -struct pci_ops pci_root_ops = {
1969 +const struct pci_ops pci_root_ops = {
1970 .read = pci_read,
1971 .write = pci_write,
1972 };
1973 diff -urNp linux-2.6.39.3/arch/ia64/sn/pci/pci_dma.c linux-2.6.39.3/arch/ia64/sn/pci/pci_dma.c
1974 --- linux-2.6.39.3/arch/ia64/sn/pci/pci_dma.c 2011-05-19 00:06:34.000000000 -0400
1975 +++ linux-2.6.39.3/arch/ia64/sn/pci/pci_dma.c 2011-05-22 19:36:30.000000000 -0400
1976 @@ -465,7 +465,7 @@ int sn_pci_legacy_write(struct pci_bus *
1977 return ret;
1978 }
1979
1980 -static struct dma_map_ops sn_dma_ops = {
1981 +static const struct dma_map_ops sn_dma_ops = {
1982 .alloc_coherent = sn_dma_alloc_coherent,
1983 .free_coherent = sn_dma_free_coherent,
1984 .map_page = sn_dma_map_page,
1985 diff -urNp linux-2.6.39.3/arch/m32r/lib/usercopy.c linux-2.6.39.3/arch/m32r/lib/usercopy.c
1986 --- linux-2.6.39.3/arch/m32r/lib/usercopy.c 2011-05-19 00:06:34.000000000 -0400
1987 +++ linux-2.6.39.3/arch/m32r/lib/usercopy.c 2011-05-22 19:36:30.000000000 -0400
1988 @@ -14,6 +14,9 @@
1989 unsigned long
1990 __generic_copy_to_user(void __user *to, const void *from, unsigned long n)
1991 {
1992 + if ((long)n < 0)
1993 + return n;
1994 +
1995 prefetch(from);
1996 if (access_ok(VERIFY_WRITE, to, n))
1997 __copy_user(to,from,n);
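Review bot: The new `if ((long)n < 0) return n;` guard has no comment, here or in the identical guard added to `__generic_copy_from_user` in the next hunk. It returns before `access_ok` and before any copy, reporting the whole length as uncopied; a line such as `/* reject lengths with the sign bit set: most likely a negative size converted to unsigned */` would record why. In the from-user variant the early return also bypasses whatever the failure path after `access_ok` does with the destination buffer, which lies outside the hunk, so that difference should be checked and noted. Both function bodies continue past their hunks.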
1998 @@ -23,6 +26,9 @@ __generic_copy_to_user(void __user *to,
1999 unsigned long
2000 __generic_copy_from_user(void *to, const void __user *from, unsigned long n)
2001 {
2002 + if ((long)n < 0)
2003 + return n;
2004 +
2005 prefetchw(to);
2006 if (access_ok(VERIFY_READ, from, n))
2007 __copy_user_zeroing(to,from,n);
2008 diff -urNp linux-2.6.39.3/arch/microblaze/include/asm/device.h linux-2.6.39.3/arch/microblaze/include/asm/device.h
2009 --- linux-2.6.39.3/arch/microblaze/include/asm/device.h 2011-05-19 00:06:34.000000000 -0400
2010 +++ linux-2.6.39.3/arch/microblaze/include/asm/device.h 2011-05-22 19:36:30.000000000 -0400
2011 @@ -13,7 +13,7 @@ struct device_node;
2012
2013 struct dev_archdata {
2014 /* DMA operations on that device */
2015 - struct dma_map_ops *dma_ops;
2016 + const struct dma_map_ops *dma_ops;
2017 void *dma_data;
2018 };
2019
2020 diff -urNp linux-2.6.39.3/arch/microblaze/include/asm/dma-mapping.h linux-2.6.39.3/arch/microblaze/include/asm/dma-mapping.h
2021 --- linux-2.6.39.3/arch/microblaze/include/asm/dma-mapping.h 2011-05-19 00:06:34.000000000 -0400
2022 +++ linux-2.6.39.3/arch/microblaze/include/asm/dma-mapping.h 2011-05-22 19:36:30.000000000 -0400
2023 @@ -43,14 +43,14 @@ static inline unsigned long device_to_ma
2024 return 0xfffffffful;
2025 }
2026
2027 -extern struct dma_map_ops *dma_ops;
2028 +extern const struct dma_map_ops *dma_ops;
2029
2030 /*
2031 * Available generic sets of operations
2032 */
2033 -extern struct dma_map_ops dma_direct_ops;
2034 +extern const struct dma_map_ops dma_direct_ops;
2035
2036 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
2037 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
2038 {
2039 /* We don't handle the NULL dev case for ISA for now. We could
2040 * do it via an out of line call but it is not needed for now. The
2041 @@ -63,14 +63,14 @@ static inline struct dma_map_ops *get_dm
2042 return dev->archdata.dma_ops;
2043 }
2044
2045 -static inline void set_dma_ops(struct device *dev, struct dma_map_ops *ops)
2046 +static inline void set_dma_ops(struct device *dev, const struct dma_map_ops *ops)
2047 {
2048 dev->archdata.dma_ops = ops;
2049 }
2050
2051 static inline int dma_supported(struct device *dev, u64 mask)
2052 {
2053 - struct dma_map_ops *ops = get_dma_ops(dev);
2054 + const struct dma_map_ops *ops = get_dma_ops(dev);
2055
2056 if (unlikely(!ops))
2057 return 0;
2058 @@ -81,7 +81,7 @@ static inline int dma_supported(struct d
2059
2060 static inline int dma_set_mask(struct device *dev, u64 dma_mask)
2061 {
2062 - struct dma_map_ops *ops = get_dma_ops(dev);
2063 + const struct dma_map_ops *ops = get_dma_ops(dev);
2064
2065 if (unlikely(ops == NULL))
2066 return -EIO;
2067 @@ -97,7 +97,7 @@ static inline int dma_set_mask(struct de
2068
2069 static inline int dma_mapping_error(struct device *dev, dma_addr_t dma_addr)
2070 {
2071 - struct dma_map_ops *ops = get_dma_ops(dev);
2072 + const struct dma_map_ops *ops = get_dma_ops(dev);
2073 if (ops->mapping_error)
2074 return ops->mapping_error(dev, dma_addr);
2075
2076 @@ -110,7 +110,7 @@ static inline int dma_mapping_error(stru
2077 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
2078 dma_addr_t *dma_handle, gfp_t flag)
2079 {
2080 - struct dma_map_ops *ops = get_dma_ops(dev);
2081 + const struct dma_map_ops *ops = get_dma_ops(dev);
2082 void *memory;
2083
2084 BUG_ON(!ops);
2085 @@ -124,7 +124,7 @@ static inline void *dma_alloc_coherent(s
2086 static inline void dma_free_coherent(struct device *dev, size_t size,
2087 void *cpu_addr, dma_addr_t dma_handle)
2088 {
2089 - struct dma_map_ops *ops = get_dma_ops(dev);
2090 + const struct dma_map_ops *ops = get_dma_ops(dev);
2091
2092 BUG_ON(!ops);
2093 debug_dma_free_coherent(dev, size, cpu_addr, dma_handle);
2094 diff -urNp linux-2.6.39.3/arch/microblaze/include/asm/pci.h linux-2.6.39.3/arch/microblaze/include/asm/pci.h
2095 --- linux-2.6.39.3/arch/microblaze/include/asm/pci.h 2011-05-19 00:06:34.000000000 -0400
2096 +++ linux-2.6.39.3/arch/microblaze/include/asm/pci.h 2011-05-22 19:36:30.000000000 -0400
2097 @@ -54,8 +54,8 @@ static inline void pcibios_penalize_isa_
2098 }
2099
2100 #ifdef CONFIG_PCI
2101 -extern void set_pci_dma_ops(struct dma_map_ops *dma_ops);
2102 -extern struct dma_map_ops *get_pci_dma_ops(void);
2103 +extern void set_pci_dma_ops(const struct dma_map_ops *dma_ops);
2104 +extern const struct dma_map_ops *get_pci_dma_ops(void);
2105 #else /* CONFIG_PCI */
2106 #define set_pci_dma_ops(d)
2107 #define get_pci_dma_ops() NULL
2108 diff -urNp linux-2.6.39.3/arch/microblaze/kernel/dma.c linux-2.6.39.3/arch/microblaze/kernel/dma.c
2109 --- linux-2.6.39.3/arch/microblaze/kernel/dma.c 2011-05-19 00:06:34.000000000 -0400
2110 +++ linux-2.6.39.3/arch/microblaze/kernel/dma.c 2011-05-22 19:36:30.000000000 -0400
2111 @@ -134,7 +134,7 @@ static inline void dma_direct_unmap_page
2112 __dma_sync_page(dma_address, 0 , size, direction);
2113 }
2114
2115 -struct dma_map_ops dma_direct_ops = {
2116 +const struct dma_map_ops dma_direct_ops = {
2117 .alloc_coherent = dma_direct_alloc_coherent,
2118 .free_coherent = dma_direct_free_coherent,
2119 .map_sg = dma_direct_map_sg,
2120 diff -urNp linux-2.6.39.3/arch/microblaze/kernel/kgdb.c linux-2.6.39.3/arch/microblaze/kernel/kgdb.c
2121 --- linux-2.6.39.3/arch/microblaze/kernel/kgdb.c 2011-05-19 00:06:34.000000000 -0400
2122 +++ linux-2.6.39.3/arch/microblaze/kernel/kgdb.c 2011-05-22 19:36:30.000000000 -0400
2123 @@ -141,7 +141,7 @@ void kgdb_arch_exit(void)
2124 /*
2125 * Global data
2126 */
2127 -struct kgdb_arch arch_kgdb_ops = {
2128 +const struct kgdb_arch arch_kgdb_ops = {
2129 #ifdef __MICROBLAZEEL__
2130 .gdb_bpt_instr = {0x18, 0x00, 0x0c, 0xba}, /* brki r16, 0x18 */
2131 #else
2132 diff -urNp linux-2.6.39.3/arch/microblaze/pci/indirect_pci.c linux-2.6.39.3/arch/microblaze/pci/indirect_pci.c
2133 --- linux-2.6.39.3/arch/microblaze/pci/indirect_pci.c 2011-05-19 00:06:34.000000000 -0400
2134 +++ linux-2.6.39.3/arch/microblaze/pci/indirect_pci.c 2011-05-22 19:36:30.000000000 -0400
2135 @@ -140,7 +140,7 @@ indirect_write_config(struct pci_bus *bu
2136 return PCIBIOS_SUCCESSFUL;
2137 }
2138
2139 -static struct pci_ops indirect_pci_ops = {
2140 +static const struct pci_ops indirect_pci_ops = {
2141 .read = indirect_read_config,
2142 .write = indirect_write_config,
2143 };
2144 diff -urNp linux-2.6.39.3/arch/microblaze/pci/pci-common.c linux-2.6.39.3/arch/microblaze/pci/pci-common.c
2145 --- linux-2.6.39.3/arch/microblaze/pci/pci-common.c 2011-05-19 00:06:34.000000000 -0400
2146 +++ linux-2.6.39.3/arch/microblaze/pci/pci-common.c 2011-05-22 19:36:30.000000000 -0400
2147 @@ -48,14 +48,14 @@ resource_size_t isa_mem_base;
2148 /* Default PCI flags is 0 on ppc32, modified at boot on ppc64 */
2149 unsigned int pci_flags;
2150
2151 -static struct dma_map_ops *pci_dma_ops = &dma_direct_ops;
2152 +static const struct dma_map_ops *pci_dma_ops = &dma_direct_ops;
2153
2154 -void set_pci_dma_ops(struct dma_map_ops *dma_ops)
2155 +void set_pci_dma_ops(const struct dma_map_ops *dma_ops)
2156 {
2157 pci_dma_ops = dma_ops;
2158 }
2159
2160 -struct dma_map_ops *get_pci_dma_ops(void)
2161 +const struct dma_map_ops *get_pci_dma_ops(void)
2162 {
2163 return pci_dma_ops;
2164 }
2165 @@ -1583,7 +1583,7 @@ null_write_config(struct pci_bus *bus, u
2166 return PCIBIOS_DEVICE_NOT_FOUND;
2167 }
2168
2169 -static struct pci_ops null_pci_ops = {
2170 +static const struct pci_ops null_pci_ops = {
2171 .read = null_read_config,
2172 .write = null_write_config,
2173 };
2174 diff -urNp linux-2.6.39.3/arch/mips/alchemy/common/pci.c linux-2.6.39.3/arch/mips/alchemy/common/pci.c
2175 --- linux-2.6.39.3/arch/mips/alchemy/common/pci.c 2011-05-19 00:06:34.000000000 -0400
2176 +++ linux-2.6.39.3/arch/mips/alchemy/common/pci.c 2011-05-22 19:36:30.000000000 -0400
2177 @@ -51,7 +51,7 @@ static struct resource pci_mem_resource
2178 .flags = IORESOURCE_MEM
2179 };
2180
2181 -extern struct pci_ops au1x_pci_ops;
2182 +extern const struct pci_ops au1x_pci_ops;
2183
2184 static struct pci_controller au1x_controller = {
2185 .pci_ops = &au1x_pci_ops,
2186 diff -urNp linux-2.6.39.3/arch/mips/cavium-octeon/dma-octeon.c linux-2.6.39.3/arch/mips/cavium-octeon/dma-octeon.c
2187 --- linux-2.6.39.3/arch/mips/cavium-octeon/dma-octeon.c 2011-05-19 00:06:34.000000000 -0400
2188 +++ linux-2.6.39.3/arch/mips/cavium-octeon/dma-octeon.c 2011-05-22 19:36:30.000000000 -0400
2189 @@ -202,7 +202,7 @@ static phys_addr_t octeon_unity_dma_to_p
2190 }
2191
2192 struct octeon_dma_map_ops {
2193 - struct dma_map_ops dma_map_ops;
2194 + const struct dma_map_ops dma_map_ops;
2195 dma_addr_t (*phys_to_dma)(struct device *dev, phys_addr_t paddr);
2196 phys_addr_t (*dma_to_phys)(struct device *dev, dma_addr_t daddr);
2197 };
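Review bot: Qualifying only the embedded member, `const struct dma_map_ops dma_map_ops;`, makes the compiler reject direct writes to it but does not make the storage read-only, because the enclosing `struct octeon_dma_map_ops` objects are still non-const; the next hunk's context line shows one declared as `static struct octeon_dma_map_ops`. If the aim is the same read-only placement the other ops tables get in this patch, the instances would need `const` themselves, provided nothing assigns to their other members at run time (not visible here). A const member also makes whole-struct assignment ill-formed, which is worth a comment on the struct.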
2198 @@ -324,7 +324,7 @@ static struct octeon_dma_map_ops _octeon
2199 },
2200 };
2201
2202 -struct dma_map_ops *octeon_pci_dma_map_ops;
2203 +const struct dma_map_ops *octeon_pci_dma_map_ops;
2204
2205 void __init octeon_pci_dma_init(void)
2206 {
2207 diff -urNp linux-2.6.39.3/arch/mips/cobalt/pci.c linux-2.6.39.3/arch/mips/cobalt/pci.c
2208 --- linux-2.6.39.3/arch/mips/cobalt/pci.c 2011-05-19 00:06:34.000000000 -0400
2209 +++ linux-2.6.39.3/arch/mips/cobalt/pci.c 2011-05-22 19:36:30.000000000 -0400
2210 @@ -14,7 +14,7 @@
2211
2212 #include <asm/gt64120.h>
2213
2214 -extern struct pci_ops gt64xxx_pci0_ops;
2215 +extern const struct pci_ops gt64xxx_pci0_ops;
2216
2217 static struct resource cobalt_mem_resource = {
2218 .start = GT_DEF_PCI0_MEM0_BASE,
2219 diff -urNp linux-2.6.39.3/arch/mips/include/asm/device.h linux-2.6.39.3/arch/mips/include/asm/device.h
2220 --- linux-2.6.39.3/arch/mips/include/asm/device.h 2011-05-19 00:06:34.000000000 -0400
2221 +++ linux-2.6.39.3/arch/mips/include/asm/device.h 2011-05-22 19:36:30.000000000 -0400
2222 @@ -10,7 +10,7 @@ struct dma_map_ops;
2223
2224 struct dev_archdata {
2225 /* DMA operations on that device */
2226 - struct dma_map_ops *dma_ops;
2227 + const struct dma_map_ops *dma_ops;
2228 };
2229
2230 struct pdev_archdata {
2231 diff -urNp linux-2.6.39.3/arch/mips/include/asm/dma-mapping.h linux-2.6.39.3/arch/mips/include/asm/dma-mapping.h
2232 --- linux-2.6.39.3/arch/mips/include/asm/dma-mapping.h 2011-05-19 00:06:34.000000000 -0400
2233 +++ linux-2.6.39.3/arch/mips/include/asm/dma-mapping.h 2011-05-22 19:36:30.000000000 -0400
2234 @@ -9,9 +9,9 @@
2235 #include <dma-coherence.h>
2236 #endif
2237
2238 -extern struct dma_map_ops *mips_dma_map_ops;
2239 +extern const struct dma_map_ops *mips_dma_map_ops;
2240
2241 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
2242 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
2243 {
2244 if (dev && dev->archdata.dma_ops)
2245 return dev->archdata.dma_ops;
2246 @@ -33,13 +33,13 @@ static inline void dma_mark_clean(void *
2247
2248 static inline int dma_supported(struct device *dev, u64 mask)
2249 {
2250 - struct dma_map_ops *ops = get_dma_ops(dev);
2251 + const struct dma_map_ops *ops = get_dma_ops(dev);
2252 return ops->dma_supported(dev, mask);
2253 }
2254
2255 static inline int dma_mapping_error(struct device *dev, u64 mask)
2256 {
2257 - struct dma_map_ops *ops = get_dma_ops(dev);
2258 + const struct dma_map_ops *ops = get_dma_ops(dev);
2259 return ops->mapping_error(dev, mask);
2260 }
2261
2262 @@ -61,7 +61,7 @@ static inline void *dma_alloc_coherent(s
2263 dma_addr_t *dma_handle, gfp_t gfp)
2264 {
2265 void *ret;
2266 - struct dma_map_ops *ops = get_dma_ops(dev);
2267 + const struct dma_map_ops *ops = get_dma_ops(dev);
2268
2269 ret = ops->alloc_coherent(dev, size, dma_handle, gfp);
2270
2271 @@ -73,7 +73,7 @@ static inline void *dma_alloc_coherent(s
2272 static inline void dma_free_coherent(struct device *dev, size_t size,
2273 void *vaddr, dma_addr_t dma_handle)
2274 {
2275 - struct dma_map_ops *ops = get_dma_ops(dev);
2276 + const struct dma_map_ops *ops = get_dma_ops(dev);
2277
2278 ops->free_coherent(dev, size, vaddr, dma_handle);
2279
2280 diff -urNp linux-2.6.39.3/arch/mips/include/asm/elf.h linux-2.6.39.3/arch/mips/include/asm/elf.h
2281 --- linux-2.6.39.3/arch/mips/include/asm/elf.h 2011-05-19 00:06:34.000000000 -0400
2282 +++ linux-2.6.39.3/arch/mips/include/asm/elf.h 2011-05-22 19:36:30.000000000 -0400
2283 @@ -372,13 +372,16 @@ extern const char *__elf_platform;
2284 #define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
2285 #endif
2286
2287 +#ifdef CONFIG_PAX_ASLR
2288 +#define PAX_ELF_ET_DYN_BASE (TASK_IS_32BIT_ADDR ? 0x00400000UL : 0x00400000UL)
2289 +
2290 +#define PAX_DELTA_MMAP_LEN (TASK_IS_32BIT_ADDR ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
2291 +#define PAX_DELTA_STACK_LEN (TASK_IS_32BIT_ADDR ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
2292 +#endif
2293 +
2294 #define ARCH_HAS_SETUP_ADDITIONAL_PAGES 1
2295 struct linux_binprm;
2296 extern int arch_setup_additional_pages(struct linux_binprm *bprm,
2297 int uses_interp);
2298
2299 -struct mm_struct;
2300 -extern unsigned long arch_randomize_brk(struct mm_struct *mm);
2301 -#define arch_randomize_brk arch_randomize_brk
2302 -
2303 #endif /* _ASM_ELF_H */
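Review bot: `PAX_ELF_ET_DYN_BASE` is written as `(TASK_IS_32BIT_ADDR ? 0x00400000UL : 0x00400000UL)`, a conditional whose two arms are identical. Either the 64-bit arm was meant to differ or the macro can simply be `0x00400000UL`; as written a reader cannot tell which. The hunk also drops the `arch_randomize_brk` declaration and its `#define`, so any definition or caller remaining elsewhere in arch/mips (outside this hunk) has to be removed or guarded in the same patch. A comment on what unit the two `_LEN` values are in would help as well.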
2304 diff -urNp linux-2.6.39.3/arch/mips/include/asm/mach-cavium-octeon/dma-coherence.h linux-2.6.39.3/arch/mips/include/asm/mach-cavium-octeon/dma-coherence.h
2305 --- linux-2.6.39.3/arch/mips/include/asm/mach-cavium-octeon/dma-coherence.h 2011-05-19 00:06:34.000000000 -0400
2306 +++ linux-2.6.39.3/arch/mips/include/asm/mach-cavium-octeon/dma-coherence.h 2011-05-22 19:36:30.000000000 -0400
2307 @@ -66,7 +66,7 @@ dma_addr_t phys_to_dma(struct device *de
2308 phys_addr_t dma_to_phys(struct device *dev, dma_addr_t daddr);
2309
2310 struct dma_map_ops;
2311 -extern struct dma_map_ops *octeon_pci_dma_map_ops;
2312 +extern const struct dma_map_ops *octeon_pci_dma_map_ops;
2313 extern char *octeon_swiotlb;
2314
2315 #endif /* __ASM_MACH_CAVIUM_OCTEON_DMA_COHERENCE_H */
2316 diff -urNp linux-2.6.39.3/arch/mips/include/asm/page.h linux-2.6.39.3/arch/mips/include/asm/page.h
2317 --- linux-2.6.39.3/arch/mips/include/asm/page.h 2011-05-19 00:06:34.000000000 -0400
2318 +++ linux-2.6.39.3/arch/mips/include/asm/page.h 2011-05-22 19:36:30.000000000 -0400
2319 @@ -93,7 +93,7 @@ extern void copy_user_highpage(struct pa
2320 #ifdef CONFIG_CPU_MIPS32
2321 typedef struct { unsigned long pte_low, pte_high; } pte_t;
2322 #define pte_val(x) ((x).pte_low | ((unsigned long long)(x).pte_high << 32))
2323 - #define __pte(x) ({ pte_t __pte = {(x), ((unsigned long long)(x)) >> 32}; __pte; })
2324 + #define __pte(x) ({ pte_t __pte = {(x), (x) >> 32}; __pte; })
2325 #else
2326 typedef struct { unsigned long long pte; } pte_t;
2327 #define pte_val(x) ((x).pte)
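Review bot: With the `(unsigned long long)` cast removed, `(x) >> 32` in the new `__pte` is undefined whenever the argument's type is 32 bits wide, and on this `CONFIG_CPU_MIPS32` branch `unsigned long` is such a type. The callers are not visible here, so this is only safe if every one of them passes a 64-bit expression. Either keep the widening, `#define __pte(x) ({ pte_t __pte = {(x), ((unsigned long long)(x)) >> 32}; __pte; })`, or state the requirement next to the macro, e.g. `/* x must be a 64-bit value; a 32-bit argument makes the shift undefined */`.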
2328 diff -urNp linux-2.6.39.3/arch/mips/include/asm/pci/bridge.h linux-2.6.39.3/arch/mips/include/asm/pci/bridge.h
2329 --- linux-2.6.39.3/arch/mips/include/asm/pci/bridge.h 2011-05-19 00:06:34.000000000 -0400
2330 +++ linux-2.6.39.3/arch/mips/include/asm/pci/bridge.h 2011-05-22 19:36:30.000000000 -0400
2331 @@ -849,6 +849,6 @@ struct bridge_controller {
2332 extern void register_bridge_irq(unsigned int irq);
2333 extern int request_bridge_irq(struct bridge_controller *bc);
2334
2335 -extern struct pci_ops bridge_pci_ops;
2336 +extern const struct pci_ops bridge_pci_ops;
2337
2338 #endif /* _ASM_PCI_BRIDGE_H */
2339 diff -urNp linux-2.6.39.3/arch/mips/include/asm/system.h linux-2.6.39.3/arch/mips/include/asm/system.h
2340 --- linux-2.6.39.3/arch/mips/include/asm/system.h 2011-05-19 00:06:34.000000000 -0400
2341 +++ linux-2.6.39.3/arch/mips/include/asm/system.h 2011-05-22 19:36:30.000000000 -0400
2342 @@ -230,6 +230,6 @@ extern void per_cpu_trap_init(void);
2343 */
2344 #define __ARCH_WANT_UNLOCKED_CTXSW
2345
2346 -extern unsigned long arch_align_stack(unsigned long sp);
2347 +#define arch_align_stack(x) ((x) & ~0xfUL)
2348
2349 #endif /* _ASM_SYSTEM_H */
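Review bot: The new `arch_align_stack` macro only aligns, and the function it replaces (removed in the process.c hunk) also subtracted `get_random_int() & ~PAGE_MASK` from the stack pointer. That removal is not guarded by any PaX option, so a kernel built from this tree without the PaX randomisation features would presumably lose the sub-page stack offset on MIPS. If that is intended, a comment such as `/* stack randomisation is handled by PaX; only enforce 16-byte alignment here */` would record it. The literal `~0xfUL` also replaces the named `ALMASK`, and a `static inline unsigned long arch_align_stack(unsigned long sp)` would keep the argument type check that the macro drops.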
2350 diff -urNp linux-2.6.39.3/arch/mips/kernel/binfmt_elfn32.c linux-2.6.39.3/arch/mips/kernel/binfmt_elfn32.c
2351 --- linux-2.6.39.3/arch/mips/kernel/binfmt_elfn32.c 2011-05-19 00:06:34.000000000 -0400
2352 +++ linux-2.6.39.3/arch/mips/kernel/binfmt_elfn32.c 2011-05-22 19:36:30.000000000 -0400
2353 @@ -50,6 +50,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
2354 #undef ELF_ET_DYN_BASE
2355 #define ELF_ET_DYN_BASE (TASK32_SIZE / 3 * 2)
2356
2357 +#ifdef CONFIG_PAX_ASLR
2358 +#define PAX_ELF_ET_DYN_BASE (TASK_IS_32BIT_ADDR ? 0x00400000UL : 0x00400000UL)
2359 +
2360 +#define PAX_DELTA_MMAP_LEN (TASK_IS_32BIT_ADDR ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
2361 +#define PAX_DELTA_STACK_LEN (TASK_IS_32BIT_ADDR ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
2362 +#endif
2363 +
2364 #include <asm/processor.h>
2365 #include <linux/module.h>
2366 #include <linux/elfcore.h>
2367 diff -urNp linux-2.6.39.3/arch/mips/kernel/binfmt_elfo32.c linux-2.6.39.3/arch/mips/kernel/binfmt_elfo32.c
2368 --- linux-2.6.39.3/arch/mips/kernel/binfmt_elfo32.c 2011-05-19 00:06:34.000000000 -0400
2369 +++ linux-2.6.39.3/arch/mips/kernel/binfmt_elfo32.c 2011-05-22 19:36:30.000000000 -0400
2370 @@ -52,6 +52,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
2371 #undef ELF_ET_DYN_BASE
2372 #define ELF_ET_DYN_BASE (TASK32_SIZE / 3 * 2)
2373
2374 +#ifdef CONFIG_PAX_ASLR
2375 +#define PAX_ELF_ET_DYN_BASE (TASK_IS_32BIT_ADDR ? 0x00400000UL : 0x00400000UL)
2376 +
2377 +#define PAX_DELTA_MMAP_LEN (TASK_IS_32BIT_ADDR ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
2378 +#define PAX_DELTA_STACK_LEN (TASK_IS_32BIT_ADDR ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
2379 +#endif
2380 +
2381 #include <asm/processor.h>
2382
2383 /*
2384 diff -urNp linux-2.6.39.3/arch/mips/kernel/kgdb.c linux-2.6.39.3/arch/mips/kernel/kgdb.c
2385 --- linux-2.6.39.3/arch/mips/kernel/kgdb.c 2011-05-19 00:06:34.000000000 -0400
2386 +++ linux-2.6.39.3/arch/mips/kernel/kgdb.c 2011-05-22 19:36:30.000000000 -0400
2387 @@ -351,7 +351,7 @@ int kgdb_arch_handle_exception(int vecto
2388 return -1;
2389 }
2390
2391 -struct kgdb_arch arch_kgdb_ops;
2392 +struct kgdb_arch arch_kgdb_ops; /* cannot be const, see kgdb_arch_init */
2393
2394 /*
2395 * We use kgdb_early_setup so that functions we need to call now don't
2396 diff -urNp linux-2.6.39.3/arch/mips/kernel/process.c linux-2.6.39.3/arch/mips/kernel/process.c
2397 --- linux-2.6.39.3/arch/mips/kernel/process.c 2011-05-19 00:06:34.000000000 -0400
2398 +++ linux-2.6.39.3/arch/mips/kernel/process.c 2011-05-22 19:36:30.000000000 -0400
2399 @@ -473,15 +473,3 @@ unsigned long get_wchan(struct task_stru
2400 out:
2401 return pc;
2402 }
2403 -
2404 -/*
2405 - * Don't forget that the stack pointer must be aligned on a 8 bytes
2406 - * boundary for 32-bits ABI and 16 bytes for 64-bits ABI.
2407 - */
2408 -unsigned long arch_align_stack(unsigned long sp)
2409 -{
2410 - if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
2411 - sp -= get_random_int() & ~PAGE_MASK;
2412 -
2413 - return sp & ALMASK;
2414 -}
2415 diff -urNp linux-2.6.39.3/arch/mips/kernel/syscall.c linux-2.6.39.3/arch/mips/kernel/syscall.c
2416 --- linux-2.6.39.3/arch/mips/kernel/syscall.c 2011-05-19 00:06:34.000000000 -0400
2417 +++ linux-2.6.39.3/arch/mips/kernel/syscall.c 2011-05-22 19:36:30.000000000 -0400
2418 @@ -108,14 +108,18 @@ unsigned long arch_get_unmapped_area(str
2419 do_color_align = 0;
2420 if (filp || (flags & MAP_SHARED))
2421 do_color_align = 1;
2422 +
2423 +#ifdef CONFIG_PAX_RANDMMAP
2424 + if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))
2425 +#endif
2426 +
2427 if (addr) {
2428 if (do_color_align)
2429 addr = COLOUR_ALIGN(addr, pgoff);
2430 else
2431 addr = PAGE_ALIGN(addr);
2432 vmm = find_vma(current->mm, addr);
2433 - if (task_size - len >= addr &&
2434 - (!vmm || addr + len <= vmm->vm_start))
2435 + if (task_size - len >= addr && check_heap_stack_gap(vmm, addr, len))
2436 return addr;
2437 }
2438 addr = current->mm->mmap_base;
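Review bot: The added `if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))` has no body of its own and takes the following `if (addr) { ... }` as its statement, across an `#endif` and a blank line. That is easy to break later: any statement inserted between the two lines silently becomes the guarded body when `CONFIG_PAX_RANDMMAP` is set. Dropping the blank line and adding `/* with RANDMMAP the caller's address hint is ignored; this guards the whole if (addr) block */` would make the coupling explicit. `check_heap_stack_gap` is defined outside this hunk, so it should be confirmed that it still accepts a NULL `vmm`, which the replaced `!vmm ||` test handled. The body of `arch_get_unmapped_area` continues outside the hunk.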
2439 @@ -128,7 +132,7 @@ unsigned long arch_get_unmapped_area(str
2440 /* At this point: (!vmm || addr < vmm->vm_end). */
2441 if (task_size - len < addr)
2442 return -ENOMEM;
2443 - if (!vmm || addr + len <= vmm->vm_start)
2444 + if (check_heap_stack_gap(vmm, addr, len))
2445 return addr;
2446 addr = vmm->vm_end;
2447 if (do_color_align)
2448 @@ -154,33 +158,6 @@ void arch_pick_mmap_layout(struct mm_str
2449 mm->unmap_area = arch_unmap_area;
2450 }
2451
2452 -static inline unsigned long brk_rnd(void)
2453 -{
2454 - unsigned long rnd = get_random_int();
2455 -
2456 - rnd = rnd << PAGE_SHIFT;
2457 - /* 8MB for 32bit, 256MB for 64bit */
2458 - if (TASK_IS_32BIT_ADDR)
2459 - rnd = rnd & 0x7ffffful;
2460 - else
2461 - rnd = rnd & 0xffffffful;
2462 -
2463 - return rnd;
2464 -}
2465 -
2466 -unsigned long arch_randomize_brk(struct mm_struct *mm)
2467 -{
2468 - unsigned long base = mm->brk;
2469 - unsigned long ret;
2470 -
2471 - ret = PAGE_ALIGN(base + brk_rnd());
2472 -
2473 - if (ret < mm->brk)
2474 - return mm->brk;
2475 -
2476 - return ret;
2477 -}
2478 -
2479 SYSCALL_DEFINE6(mips_mmap, unsigned long, addr, unsigned long, len,
2480 unsigned long, prot, unsigned long, flags, unsigned long,
2481 fd, off_t, offset)
2482 diff -urNp linux-2.6.39.3/arch/mips/mm/dma-default.c linux-2.6.39.3/arch/mips/mm/dma-default.c
2483 --- linux-2.6.39.3/arch/mips/mm/dma-default.c 2011-05-19 00:06:34.000000000 -0400
2484 +++ linux-2.6.39.3/arch/mips/mm/dma-default.c 2011-05-22 19:36:30.000000000 -0400
2485 @@ -300,7 +300,7 @@ void dma_cache_sync(struct device *dev,
2486
2487 EXPORT_SYMBOL(dma_cache_sync);
2488
2489 -static struct dma_map_ops mips_default_dma_map_ops = {
2490 +static const struct dma_map_ops mips_default_dma_map_ops = {
2491 .alloc_coherent = mips_dma_alloc_coherent,
2492 .free_coherent = mips_dma_free_coherent,
2493 .map_page = mips_dma_map_page,
2494 @@ -315,7 +315,7 @@ static struct dma_map_ops mips_default_d
2495 .dma_supported = mips_dma_supported
2496 };
2497
2498 -struct dma_map_ops *mips_dma_map_ops = &mips_default_dma_map_ops;
2499 +const struct dma_map_ops *mips_dma_map_ops = &mips_default_dma_map_ops;
2500 EXPORT_SYMBOL(mips_dma_map_ops);
2501
2502 #define PREALLOC_DMA_DEBUG_ENTRIES (1 << 16)
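Review bot: Making `mips_default_dma_map_ops` const protects the table of function pointers, but the exported `mips_dma_map_ops` is declared `const struct dma_map_ops *`, so the pointer itself stays writable and can still be redirected to another table. Whether it is reassigned after initialisation is not visible in this hunk. If it is set only during boot, a read-only-after-init placement for the pointer would close the remaining gap; otherwise a comment such as `/* pointer is reassigned by platform setup code, so only the pointee is const */` would explain the limit. The same applies to `octeon_pci_dma_map_ops` in dma-coherence.h and `pci_root_ops` in the mn10300 pci.c hunk.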
2503 diff -urNp linux-2.6.39.3/arch/mips/mm/fault.c linux-2.6.39.3/arch/mips/mm/fault.c
2504 --- linux-2.6.39.3/arch/mips/mm/fault.c 2011-05-19 00:06:34.000000000 -0400
2505 +++ linux-2.6.39.3/arch/mips/mm/fault.c 2011-05-22 19:36:30.000000000 -0400
2506 @@ -28,6 +28,23 @@
2507 #include <asm/highmem.h> /* For VMALLOC_END */
2508 #include <linux/kdebug.h>
2509
2510 +#ifdef CONFIG_PAX_PAGEEXEC
2511 +void pax_report_insns(void *pc, void *sp)
2512 +{
2513 + unsigned long i;
2514 +
2515 + printk(KERN_ERR "PAX: bytes at PC: ");
2516 + for (i = 0; i < 5; i++) {
2517 + unsigned int c;
2518 + if (get_user(c, (unsigned int *)pc+i))
2519 + printk(KERN_CONT "???????? ");
2520 + else
2521 + printk(KERN_CONT "%08x ", c);
2522 + }
2523 + printk("\n");
2524 +}
2525 +#endif
2526 +
2527 /*
2528 * This routine handles page faults. It determines the address,
2529 * and the problem, and then passes it off to one of the appropriate
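Review bot: The closing `printk("\n")` in `pax_report_insns` carries no `KERN_CONT`, unlike the continuation calls in the loop above it, so it may be logged as a separate record at the default level instead of ending the `KERN_ERR` line; `printk(KERN_CONT "\n");` keeps the report in one piece. The pointer handed to `get_user` is cast as `(unsigned int *)pc+i` without the `__user` annotation, and `(unsigned int __user *)pc + i` would let sparse check the access. The `sp` parameter is unused in this body and the word count `5` is a bare literal; a short comment noting that `sp` is kept to match the prototype used by other architectures (if that is the reason) and naming the count would help.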
2530 diff -urNp linux-2.6.39.3/arch/mips/mti-malta/malta-pci.c linux-2.6.39.3/arch/mips/mti-malta/malta-pci.c
2531 --- linux-2.6.39.3/arch/mips/mti-malta/malta-pci.c 2011-05-19 00:06:34.000000000 -0400
2532 +++ linux-2.6.39.3/arch/mips/mti-malta/malta-pci.c 2011-05-22 19:36:30.000000000 -0400
2533 @@ -64,9 +64,9 @@ static struct resource msc_io_resource =
2534 .flags = IORESOURCE_IO,
2535 };
2536
2537 -extern struct pci_ops bonito64_pci_ops;
2538 -extern struct pci_ops gt64xxx_pci0_ops;
2539 -extern struct pci_ops msc_pci_ops;
2540 +extern const struct pci_ops bonito64_pci_ops;
2541 +extern const struct pci_ops gt64xxx_pci0_ops;
2542 +extern const struct pci_ops msc_pci_ops;
2543
2544 static struct pci_controller bonito64_controller = {
2545 .pci_ops = &bonito64_pci_ops,
2546 diff -urNp linux-2.6.39.3/arch/mips/nxp/pnx8550/common/pci.c linux-2.6.39.3/arch/mips/nxp/pnx8550/common/pci.c
2547 --- linux-2.6.39.3/arch/mips/nxp/pnx8550/common/pci.c 2011-05-19 00:06:34.000000000 -0400
2548 +++ linux-2.6.39.3/arch/mips/nxp/pnx8550/common/pci.c 2011-05-22 19:36:30.000000000 -0400
2549 @@ -40,7 +40,7 @@ static struct resource pci_mem_resource
2550 .flags = IORESOURCE_MEM
2551 };
2552
2553 -extern struct pci_ops pnx8550_pci_ops;
2554 +extern const struct pci_ops pnx8550_pci_ops;
2555
2556 static struct pci_controller pnx8550_controller = {
2557 .pci_ops = &pnx8550_pci_ops,
2558 diff -urNp linux-2.6.39.3/arch/mips/pci/ops-au1000.c linux-2.6.39.3/arch/mips/pci/ops-au1000.c
2559 --- linux-2.6.39.3/arch/mips/pci/ops-au1000.c 2011-05-19 00:06:34.000000000 -0400
2560 +++ linux-2.6.39.3/arch/mips/pci/ops-au1000.c 2011-05-22 19:36:30.000000000 -0400
2561 @@ -302,7 +302,7 @@ static int config_write(struct pci_bus *
2562 }
2563 }
2564
2565 -struct pci_ops au1x_pci_ops = {
2566 +const struct pci_ops au1x_pci_ops = {
2567 config_read,
2568 config_write
2569 };
2570 diff -urNp linux-2.6.39.3/arch/mips/pci/ops-bcm63xx.c linux-2.6.39.3/arch/mips/pci/ops-bcm63xx.c
2571 --- linux-2.6.39.3/arch/mips/pci/ops-bcm63xx.c 2011-05-19 00:06:34.000000000 -0400
2572 +++ linux-2.6.39.3/arch/mips/pci/ops-bcm63xx.c 2011-05-22 19:36:30.000000000 -0400
2573 @@ -173,7 +173,7 @@ static int bcm63xx_pci_write(struct pci_
2574 where, size, val);
2575 }
2576
2577 -struct pci_ops bcm63xx_pci_ops = {
2578 +const struct pci_ops bcm63xx_pci_ops = {
2579 .read = bcm63xx_pci_read,
2580 .write = bcm63xx_pci_write
2581 };
2582 @@ -402,7 +402,7 @@ static int bcm63xx_cb_write(struct pci_b
2583 return PCIBIOS_DEVICE_NOT_FOUND;
2584 }
2585
2586 -struct pci_ops bcm63xx_cb_ops = {
2587 +const struct pci_ops bcm63xx_cb_ops = {
2588 .read = bcm63xx_cb_read,
2589 .write = bcm63xx_cb_write,
2590 };
2591 diff -urNp linux-2.6.39.3/arch/mips/pci/ops-bonito64.c linux-2.6.39.3/arch/mips/pci/ops-bonito64.c
2592 --- linux-2.6.39.3/arch/mips/pci/ops-bonito64.c 2011-05-19 00:06:34.000000000 -0400
2593 +++ linux-2.6.39.3/arch/mips/pci/ops-bonito64.c 2011-05-22 19:36:30.000000000 -0400
2594 @@ -155,7 +155,7 @@ static int bonito64_pcibios_write(struct
2595 return PCIBIOS_SUCCESSFUL;
2596 }
2597
2598 -struct pci_ops bonito64_pci_ops = {
2599 +const struct pci_ops bonito64_pci_ops = {
2600 .read = bonito64_pcibios_read,
2601 .write = bonito64_pcibios_write
2602 };
2603 diff -urNp linux-2.6.39.3/arch/mips/pci/ops-bridge.c linux-2.6.39.3/arch/mips/pci/ops-bridge.c
2604 --- linux-2.6.39.3/arch/mips/pci/ops-bridge.c 2011-05-19 00:06:34.000000000 -0400
2605 +++ linux-2.6.39.3/arch/mips/pci/ops-bridge.c 2011-05-22 19:36:30.000000000 -0400
2606 @@ -316,7 +316,7 @@ static int pci_write_config(struct pci_b
2607 return pci_conf0_write_config(bus, devfn, where, size, value);
2608 }
2609
2610 -struct pci_ops bridge_pci_ops = {
2611 +const struct pci_ops bridge_pci_ops = {
2612 .read = pci_read_config,
2613 .write = pci_write_config,
2614 };
2615 diff -urNp linux-2.6.39.3/arch/mips/pci/ops-emma2rh.c linux-2.6.39.3/arch/mips/pci/ops-emma2rh.c
2616 --- linux-2.6.39.3/arch/mips/pci/ops-emma2rh.c 2011-05-19 00:06:34.000000000 -0400
2617 +++ linux-2.6.39.3/arch/mips/pci/ops-emma2rh.c 2011-05-22 19:36:30.000000000 -0400
2618 @@ -176,7 +176,7 @@ static int pci_config_write(struct pci_b
2619 return PCIBIOS_SUCCESSFUL;
2620 }
2621
2622 -struct pci_ops emma2rh_pci_ops = {
2623 +const struct pci_ops emma2rh_pci_ops = {
2624 .read = pci_config_read,
2625 .write = pci_config_write,
2626 };
2627 diff -urNp linux-2.6.39.3/arch/mips/pci/ops-gt64xxx_pci0.c linux-2.6.39.3/arch/mips/pci/ops-gt64xxx_pci0.c
2628 --- linux-2.6.39.3/arch/mips/pci/ops-gt64xxx_pci0.c 2011-05-19 00:06:34.000000000 -0400
2629 +++ linux-2.6.39.3/arch/mips/pci/ops-gt64xxx_pci0.c 2011-05-22 19:36:30.000000000 -0400
2630 @@ -146,7 +146,7 @@ static int gt64xxx_pci0_pcibios_write(st
2631 return PCIBIOS_SUCCESSFUL;
2632 }
2633
2634 -struct pci_ops gt64xxx_pci0_ops = {
2635 +const struct pci_ops gt64xxx_pci0_ops = {
2636 .read = gt64xxx_pci0_pcibios_read,
2637 .write = gt64xxx_pci0_pcibios_write
2638 };
2639 diff -urNp linux-2.6.39.3/arch/mips/pci/ops-loongson2.c linux-2.6.39.3/arch/mips/pci/ops-loongson2.c
2640 --- linux-2.6.39.3/arch/mips/pci/ops-loongson2.c 2011-05-19 00:06:34.000000000 -0400
2641 +++ linux-2.6.39.3/arch/mips/pci/ops-loongson2.c 2011-05-22 19:36:30.000000000 -0400
2642 @@ -174,7 +174,7 @@ static int loongson_pcibios_write(struct
2643 return PCIBIOS_SUCCESSFUL;
2644 }
2645
2646 -struct pci_ops loongson_pci_ops = {
2647 +const struct pci_ops loongson_pci_ops = {
2648 .read = loongson_pcibios_read,
2649 .write = loongson_pcibios_write
2650 };
2651 diff -urNp linux-2.6.39.3/arch/mips/pci/ops-mace.c linux-2.6.39.3/arch/mips/pci/ops-mace.c
2652 --- linux-2.6.39.3/arch/mips/pci/ops-mace.c 2011-05-19 00:06:34.000000000 -0400
2653 +++ linux-2.6.39.3/arch/mips/pci/ops-mace.c 2011-05-22 19:36:30.000000000 -0400
2654 @@ -96,7 +96,7 @@ mace_pci_write_config(struct pci_bus *bu
2655 return PCIBIOS_SUCCESSFUL;
2656 }
2657
2658 -struct pci_ops mace_pci_ops = {
2659 +const struct pci_ops mace_pci_ops = {
2660 .read = mace_pci_read_config,
2661 .write = mace_pci_write_config,
2662 };
2663 diff -urNp linux-2.6.39.3/arch/mips/pci/ops-msc.c linux-2.6.39.3/arch/mips/pci/ops-msc.c
2664 --- linux-2.6.39.3/arch/mips/pci/ops-msc.c 2011-05-19 00:06:34.000000000 -0400
2665 +++ linux-2.6.39.3/arch/mips/pci/ops-msc.c 2011-05-22 19:36:30.000000000 -0400
2666 @@ -142,7 +142,7 @@ static int msc_pcibios_write(struct pci_
2667 return PCIBIOS_SUCCESSFUL;
2668 }
2669
2670 -struct pci_ops msc_pci_ops = {
2671 +const struct pci_ops msc_pci_ops = {
2672 .read = msc_pcibios_read,
2673 .write = msc_pcibios_write
2674 };
2675 diff -urNp linux-2.6.39.3/arch/mips/pci/ops-nile4.c linux-2.6.39.3/arch/mips/pci/ops-nile4.c
2676 --- linux-2.6.39.3/arch/mips/pci/ops-nile4.c 2011-05-19 00:06:34.000000000 -0400
2677 +++ linux-2.6.39.3/arch/mips/pci/ops-nile4.c 2011-05-22 19:36:30.000000000 -0400
2678 @@ -141,7 +141,7 @@ static int nile4_pcibios_write(struct pc
2679 return PCIBIOS_SUCCESSFUL;
2680 }
2681
2682 -struct pci_ops nile4_pci_ops = {
2683 +const struct pci_ops nile4_pci_ops = {
2684 .read = nile4_pcibios_read,
2685 .write = nile4_pcibios_write,
2686 };
2687 diff -urNp linux-2.6.39.3/arch/mips/pci/ops-pmcmsp.c linux-2.6.39.3/arch/mips/pci/ops-pmcmsp.c
2688 --- linux-2.6.39.3/arch/mips/pci/ops-pmcmsp.c 2011-05-19 00:06:34.000000000 -0400
2689 +++ linux-2.6.39.3/arch/mips/pci/ops-pmcmsp.c 2011-05-22 19:36:30.000000000 -0400
2690 @@ -904,7 +904,7 @@ msp_pcibios_write_config(struct pci_bus
2691 * write - function for Linux to generate PCI Configuration writes.
2692 *
2693 ****************************************************************************/
2694 -struct pci_ops msp_pci_ops = {
2695 +const struct pci_ops msp_pci_ops = {
2696 .read = msp_pcibios_read_config,
2697 .write = msp_pcibios_write_config
2698 };
2699 diff -urNp linux-2.6.39.3/arch/mips/pci/ops-pnx8550.c linux-2.6.39.3/arch/mips/pci/ops-pnx8550.c
2700 --- linux-2.6.39.3/arch/mips/pci/ops-pnx8550.c 2011-05-19 00:06:34.000000000 -0400
2701 +++ linux-2.6.39.3/arch/mips/pci/ops-pnx8550.c 2011-05-22 19:36:30.000000000 -0400
2702 @@ -276,7 +276,7 @@ static int config_write(struct pci_bus *
2703 }
2704 }
2705
2706 -struct pci_ops pnx8550_pci_ops = {
2707 +const struct pci_ops pnx8550_pci_ops = {
2708 config_read,
2709 config_write
2710 };
2711 diff -urNp linux-2.6.39.3/arch/mips/pci/ops-rc32434.c linux-2.6.39.3/arch/mips/pci/ops-rc32434.c
2712 --- linux-2.6.39.3/arch/mips/pci/ops-rc32434.c 2011-05-19 00:06:34.000000000 -0400
2713 +++ linux-2.6.39.3/arch/mips/pci/ops-rc32434.c 2011-05-22 19:36:30.000000000 -0400
2714 @@ -201,7 +201,7 @@ static int pci_config_write(struct pci_b
2715 }
2716 }
2717
2718 -struct pci_ops rc32434_pci_ops = {
2719 +const struct pci_ops rc32434_pci_ops = {
2720 .read = pci_config_read,
2721 .write = pci_config_write,
2722 };
2723 diff -urNp linux-2.6.39.3/arch/mips/pci/ops-sni.c linux-2.6.39.3/arch/mips/pci/ops-sni.c
2724 --- linux-2.6.39.3/arch/mips/pci/ops-sni.c 2011-05-19 00:06:34.000000000 -0400
2725 +++ linux-2.6.39.3/arch/mips/pci/ops-sni.c 2011-05-22 19:36:30.000000000 -0400
2726 @@ -83,7 +83,7 @@ static int pcimt_write(struct pci_bus *b
2727 return 0;
2728 }
2729
2730 -struct pci_ops sni_pcimt_ops = {
2731 +const struct pci_ops sni_pcimt_ops = {
2732 .read = pcimt_read,
2733 .write = pcimt_write,
2734 };
2735 @@ -158,7 +158,7 @@ static int pcit_write(struct pci_bus *bu
2736 }
2737
2738
2739 -struct pci_ops sni_pcit_ops = {
2740 +const struct pci_ops sni_pcit_ops = {
2741 .read = pcit_read,
2742 .write = pcit_write,
2743 };
2744 diff -urNp linux-2.6.39.3/arch/mips/pci/ops-titan.c linux-2.6.39.3/arch/mips/pci/ops-titan.c
2745 --- linux-2.6.39.3/arch/mips/pci/ops-titan.c 2011-05-19 00:06:34.000000000 -0400
2746 +++ linux-2.6.39.3/arch/mips/pci/ops-titan.c 2011-05-22 19:36:30.000000000 -0400
2747 @@ -105,7 +105,7 @@ static int titan_write_config(struct pci
2748 /*
2749 * Titan PCI structure
2750 */
2751 -struct pci_ops titan_pci_ops = {
2752 +const struct pci_ops titan_pci_ops = {
2753 titan_read_config,
2754 titan_write_config,
2755 };
2756 diff -urNp linux-2.6.39.3/arch/mips/pci/ops-titan-ht.c linux-2.6.39.3/arch/mips/pci/ops-titan-ht.c
2757 --- linux-2.6.39.3/arch/mips/pci/ops-titan-ht.c 2011-05-19 00:06:34.000000000 -0400
2758 +++ linux-2.6.39.3/arch/mips/pci/ops-titan-ht.c 2011-05-22 19:36:30.000000000 -0400
2759 @@ -118,7 +118,7 @@ static int titan_ht_config_write(struct
2760 return PCIBIOS_SUCCESSFUL;
2761 }
2762
2763 -struct pci_ops titan_ht_pci_ops = {
2764 +const struct pci_ops titan_ht_pci_ops = {
2765 .read = titan_ht_config_read,
2766 .write = titan_ht_config_write,
2767 };
2768 diff -urNp linux-2.6.39.3/arch/mips/pci/ops-tx3927.c linux-2.6.39.3/arch/mips/pci/ops-tx3927.c
2769 --- linux-2.6.39.3/arch/mips/pci/ops-tx3927.c 2011-05-19 00:06:34.000000000 -0400
2770 +++ linux-2.6.39.3/arch/mips/pci/ops-tx3927.c 2011-05-22 19:36:30.000000000 -0400
2771 @@ -121,7 +121,7 @@ static int tx3927_pci_write_config(struc
2772 return check_abort();
2773 }
2774
2775 -static struct pci_ops tx3927_pci_ops = {
2776 +static const struct pci_ops tx3927_pci_ops = {
2777 .read = tx3927_pci_read_config,
2778 .write = tx3927_pci_write_config,
2779 };
2780 diff -urNp linux-2.6.39.3/arch/mips/pci/ops-vr41xx.c linux-2.6.39.3/arch/mips/pci/ops-vr41xx.c
2781 --- linux-2.6.39.3/arch/mips/pci/ops-vr41xx.c 2011-05-19 00:06:34.000000000 -0400
2782 +++ linux-2.6.39.3/arch/mips/pci/ops-vr41xx.c 2011-05-22 19:36:30.000000000 -0400
2783 @@ -120,7 +120,7 @@ static int pci_config_write(struct pci_b
2784 return PCIBIOS_SUCCESSFUL;
2785 }
2786
2787 -struct pci_ops vr41xx_pci_ops = {
2788 +const struct pci_ops vr41xx_pci_ops = {
2789 .read = pci_config_read,
2790 .write = pci_config_write,
2791 };
2792 diff -urNp linux-2.6.39.3/arch/mips/pci/pci-bcm1480.c linux-2.6.39.3/arch/mips/pci/pci-bcm1480.c
2793 --- linux-2.6.39.3/arch/mips/pci/pci-bcm1480.c 2011-05-19 00:06:34.000000000 -0400
2794 +++ linux-2.6.39.3/arch/mips/pci/pci-bcm1480.c 2011-05-22 19:36:30.000000000 -0400
2795 @@ -171,7 +171,7 @@ static int bcm1480_pcibios_write(struct
2796 return PCIBIOS_SUCCESSFUL;
2797 }
2798
2799 -struct pci_ops bcm1480_pci_ops = {
2800 +const struct pci_ops bcm1480_pci_ops = {
2801 bcm1480_pcibios_read,
2802 bcm1480_pcibios_write,
2803 };
2804 diff -urNp linux-2.6.39.3/arch/mips/pci/pci-bcm1480ht.c linux-2.6.39.3/arch/mips/pci/pci-bcm1480ht.c
2805 --- linux-2.6.39.3/arch/mips/pci/pci-bcm1480ht.c 2011-05-19 00:06:34.000000000 -0400
2806 +++ linux-2.6.39.3/arch/mips/pci/pci-bcm1480ht.c 2011-05-22 19:36:30.000000000 -0400
2807 @@ -166,7 +166,7 @@ static int bcm1480ht_pcibios_get_busno(v
2808 return 0;
2809 }
2810
2811 -struct pci_ops bcm1480ht_pci_ops = {
2812 +const struct pci_ops bcm1480ht_pci_ops = {
2813 .read = bcm1480ht_pcibios_read,
2814 .write = bcm1480ht_pcibios_write,
2815 };
2816 diff -urNp linux-2.6.39.3/arch/mips/pci/pci-bcm63xx.h linux-2.6.39.3/arch/mips/pci/pci-bcm63xx.h
2817 --- linux-2.6.39.3/arch/mips/pci/pci-bcm63xx.h 2011-05-19 00:06:34.000000000 -0400
2818 +++ linux-2.6.39.3/arch/mips/pci/pci-bcm63xx.h 2011-05-22 19:36:30.000000000 -0400
2819 @@ -16,8 +16,8 @@
2820 /*
2821 * defined in ops-bcm63xx.c
2822 */
2823 -extern struct pci_ops bcm63xx_pci_ops;
2824 -extern struct pci_ops bcm63xx_cb_ops;
2825 +extern const struct pci_ops bcm63xx_pci_ops;
2826 +extern const struct pci_ops bcm63xx_cb_ops;
2827
2828 /*
2829 * defined in pci-bcm63xx.c
2830 diff -urNp linux-2.6.39.3/arch/mips/pci/pci-emma2rh.c linux-2.6.39.3/arch/mips/pci/pci-emma2rh.c
2831 --- linux-2.6.39.3/arch/mips/pci/pci-emma2rh.c 2011-05-19 00:06:34.000000000 -0400
2832 +++ linux-2.6.39.3/arch/mips/pci/pci-emma2rh.c 2011-05-22 19:36:30.000000000 -0400
2833 @@ -43,7 +43,7 @@ static struct resource pci_mem_resource
2834 .flags = IORESOURCE_MEM,
2835 };
2836
2837 -extern struct pci_ops emma2rh_pci_ops;
2838 +extern const struct pci_ops emma2rh_pci_ops;
2839
2840 static struct pci_controller emma2rh_pci_controller = {
2841 .pci_ops = &emma2rh_pci_ops,
2842 diff -urNp linux-2.6.39.3/arch/mips/pci/pcie-octeon.c linux-2.6.39.3/arch/mips/pci/pcie-octeon.c
2843 --- linux-2.6.39.3/arch/mips/pci/pcie-octeon.c 2011-05-19 00:06:34.000000000 -0400
2844 +++ linux-2.6.39.3/arch/mips/pci/pcie-octeon.c 2011-05-22 19:36:30.000000000 -0400
2845 @@ -1237,7 +1237,7 @@ static int octeon_pcie1_write_config(str
2846 return octeon_pcie_write_config(1, bus, devfn, reg, size, val);
2847 }
2848
2849 -static struct pci_ops octeon_pcie0_ops = {
2850 +static const struct pci_ops octeon_pcie0_ops = {
2851 octeon_pcie0_read_config,
2852 octeon_pcie0_write_config,
2853 };
2854 @@ -1258,7 +1258,7 @@ static struct pci_controller octeon_pcie
2855 .io_resource = &octeon_pcie0_io_resource,
2856 };
2857
2858 -static struct pci_ops octeon_pcie1_ops = {
2859 +static const struct pci_ops octeon_pcie1_ops = {
2860 octeon_pcie1_read_config,
2861 octeon_pcie1_write_config,
2862 };
2863 diff -urNp linux-2.6.39.3/arch/mips/pci/pci-ip27.c linux-2.6.39.3/arch/mips/pci/pci-ip27.c
2864 --- linux-2.6.39.3/arch/mips/pci/pci-ip27.c 2011-05-19 00:06:34.000000000 -0400
2865 +++ linux-2.6.39.3/arch/mips/pci/pci-ip27.c 2011-05-22 19:36:30.000000000 -0400
2866 @@ -39,7 +39,7 @@ static struct bridge_controller bridges[
2867 struct bridge_controller *irq_to_bridge[MAX_PCI_BUSSES * MAX_DEVICES_PER_PCIBUS];
2868 int irq_to_slot[MAX_PCI_BUSSES * MAX_DEVICES_PER_PCIBUS];
2869
2870 -extern struct pci_ops bridge_pci_ops;
2871 +extern const struct pci_ops bridge_pci_ops;
2872
2873 int __cpuinit bridge_probe(nasid_t nasid, int widget_id, int masterwid)
2874 {
2875 diff -urNp linux-2.6.39.3/arch/mips/pci/pci-ip32.c linux-2.6.39.3/arch/mips/pci/pci-ip32.c
2876 --- linux-2.6.39.3/arch/mips/pci/pci-ip32.c 2011-05-19 00:06:34.000000000 -0400
2877 +++ linux-2.6.39.3/arch/mips/pci/pci-ip32.c 2011-05-22 19:36:30.000000000 -0400
2878 @@ -82,7 +82,7 @@ static irqreturn_t macepci_error(int irq
2879 }
2880
2881
2882 -extern struct pci_ops mace_pci_ops;
2883 +extern const struct pci_ops mace_pci_ops;
2884 #ifdef CONFIG_64BIT
2885 static struct resource mace_pci_mem_resource = {
2886 .name = "SGI O2 PCI MEM",
2887 diff -urNp linux-2.6.39.3/arch/mips/pci/pci-lasat.c linux-2.6.39.3/arch/mips/pci/pci-lasat.c
2888 --- linux-2.6.39.3/arch/mips/pci/pci-lasat.c 2011-05-19 00:06:34.000000000 -0400
2889 +++ linux-2.6.39.3/arch/mips/pci/pci-lasat.c 2011-05-22 19:36:30.000000000 -0400
2890 @@ -14,8 +14,8 @@
2891
2892 #include <irq.h>
2893
2894 -extern struct pci_ops nile4_pci_ops;
2895 -extern struct pci_ops gt64xxx_pci0_ops;
2896 +extern const struct pci_ops nile4_pci_ops;
2897 +extern const struct pci_ops gt64xxx_pci0_ops;
2898 static struct resource lasat_pci_mem_resource = {
2899 .name = "LASAT PCI MEM",
2900 .start = 0x18000000,
2901 diff -urNp linux-2.6.39.3/arch/mips/pci/pci-octeon.c linux-2.6.39.3/arch/mips/pci/pci-octeon.c
2902 --- linux-2.6.39.3/arch/mips/pci/pci-octeon.c 2011-05-19 00:06:34.000000000 -0400
2903 +++ linux-2.6.39.3/arch/mips/pci/pci-octeon.c 2011-05-22 19:36:30.000000000 -0400
2904 @@ -334,7 +334,7 @@ static int octeon_write_config(struct pc
2905 }
2906
2907
2908 -static struct pci_ops octeon_pci_ops = {
2909 +static const struct pci_ops octeon_pci_ops = {
2910 octeon_read_config,
2911 octeon_write_config,
2912 };
2913 diff -urNp linux-2.6.39.3/arch/mips/pci/pci-rc32434.c linux-2.6.39.3/arch/mips/pci/pci-rc32434.c
2914 --- linux-2.6.39.3/arch/mips/pci/pci-rc32434.c 2011-05-19 00:06:34.000000000 -0400
2915 +++ linux-2.6.39.3/arch/mips/pci/pci-rc32434.c 2011-05-22 19:36:30.000000000 -0400
2916 @@ -75,7 +75,7 @@ static struct resource rc32434_res_pci_i
2917 .flags = IORESOURCE_IO,
2918 };
2919
2920 -extern struct pci_ops rc32434_pci_ops;
2921 +extern const struct pci_ops rc32434_pci_ops;
2922
2923 #define PCI_MEM1_START PCI_ADDR_START
2924 #define PCI_MEM1_END (PCI_ADDR_START + CPUTOPCI_MEM_WIN - 1)
2925 diff -urNp linux-2.6.39.3/arch/mips/pci/pci-sb1250.c linux-2.6.39.3/arch/mips/pci/pci-sb1250.c
2926 --- linux-2.6.39.3/arch/mips/pci/pci-sb1250.c 2011-05-19 00:06:34.000000000 -0400
2927 +++ linux-2.6.39.3/arch/mips/pci/pci-sb1250.c 2011-05-22 19:36:30.000000000 -0400
2928 @@ -181,7 +181,7 @@ static int sb1250_pcibios_write(struct p
2929 return PCIBIOS_SUCCESSFUL;
2930 }
2931
2932 -struct pci_ops sb1250_pci_ops = {
2933 +const struct pci_ops sb1250_pci_ops = {
2934 .read = sb1250_pcibios_read,
2935 .write = sb1250_pcibios_write,
2936 };
2937 diff -urNp linux-2.6.39.3/arch/mips/pci/pci-vr41xx.c linux-2.6.39.3/arch/mips/pci/pci-vr41xx.c
2938 --- linux-2.6.39.3/arch/mips/pci/pci-vr41xx.c 2011-05-19 00:06:34.000000000 -0400
2939 +++ linux-2.6.39.3/arch/mips/pci/pci-vr41xx.c 2011-05-22 19:36:30.000000000 -0400
2940 @@ -36,7 +36,7 @@
2941
2942 #include "pci-vr41xx.h"
2943
2944 -extern struct pci_ops vr41xx_pci_ops;
2945 +extern const struct pci_ops vr41xx_pci_ops;
2946
2947 static void __iomem *pciu_base;
2948
2949 diff -urNp linux-2.6.39.3/arch/mips/pci/pci-yosemite.c linux-2.6.39.3/arch/mips/pci/pci-yosemite.c
2950 --- linux-2.6.39.3/arch/mips/pci/pci-yosemite.c 2011-05-19 00:06:34.000000000 -0400
2951 +++ linux-2.6.39.3/arch/mips/pci/pci-yosemite.c 2011-05-22 19:36:30.000000000 -0400
2952 @@ -11,7 +11,7 @@
2953 #include <linux/pci.h>
2954 #include <asm/titan_dep.h>
2955
2956 -extern struct pci_ops titan_pci_ops;
2957 +extern const struct pci_ops titan_pci_ops;
2958
2959 static struct resource py_mem_resource = {
2960 .start = 0xe0000000UL,
2961 diff -urNp linux-2.6.39.3/arch/mips/pmc-sierra/yosemite/ht.c linux-2.6.39.3/arch/mips/pmc-sierra/yosemite/ht.c
2962 --- linux-2.6.39.3/arch/mips/pmc-sierra/yosemite/ht.c 2011-05-19 00:06:34.000000000 -0400
2963 +++ linux-2.6.39.3/arch/mips/pmc-sierra/yosemite/ht.c 2011-05-22 19:36:30.000000000 -0400
2964 @@ -366,7 +366,7 @@ resource_size_t pcibios_align_resource(v
2965 return start;
2966 }
2967
2968 -struct pci_ops titan_pci_ops = {
2969 +const struct pci_ops titan_pci_ops = {
2970 titan_ht_config_read_byte,
2971 titan_ht_config_read_word,
2972 titan_ht_config_read_dword,
2973 diff -urNp linux-2.6.39.3/arch/mips/pnx8550/common/pci.c linux-2.6.39.3/arch/mips/pnx8550/common/pci.c
2974 --- linux-2.6.39.3/arch/mips/pnx8550/common/pci.c 2011-05-19 00:06:34.000000000 -0400
2975 +++ linux-2.6.39.3/arch/mips/pnx8550/common/pci.c 2011-05-22 19:36:30.000000000 -0400
2976 @@ -40,7 +40,7 @@ static struct resource pci_mem_resource
2977 .flags = IORESOURCE_MEM
2978 };
2979
2980 -extern struct pci_ops pnx8550_pci_ops;
2981 +extern const struct pci_ops pnx8550_pci_ops;
2982
2983 static struct pci_controller pnx8550_controller = {
2984 .pci_ops = &pnx8550_pci_ops,
2985 diff -urNp linux-2.6.39.3/arch/mips/sni/pcimt.c linux-2.6.39.3/arch/mips/sni/pcimt.c
2986 --- linux-2.6.39.3/arch/mips/sni/pcimt.c 2011-05-19 00:06:34.000000000 -0400
2987 +++ linux-2.6.39.3/arch/mips/sni/pcimt.c 2011-05-22 19:36:30.000000000 -0400
2988 @@ -183,7 +183,7 @@ static void __init sni_pcimt_resource_in
2989 request_resource(&sni_mem_resource, pcimt_mem_resources + i);
2990 }
2991
2992 -extern struct pci_ops sni_pcimt_ops;
2993 +extern const struct pci_ops sni_pcimt_ops;
2994
2995 static struct pci_controller sni_controller = {
2996 .pci_ops = &sni_pcimt_ops,
2997 diff -urNp linux-2.6.39.3/arch/mips/sni/pcit.c linux-2.6.39.3/arch/mips/sni/pcit.c
2998 --- linux-2.6.39.3/arch/mips/sni/pcit.c 2011-05-19 00:06:34.000000000 -0400
2999 +++ linux-2.6.39.3/arch/mips/sni/pcit.c 2011-05-22 19:36:30.000000000 -0400
3000 @@ -145,7 +145,7 @@ static void __init sni_pcit_resource_ini
3001 }
3002
3003
3004 -extern struct pci_ops sni_pcit_ops;
3005 +extern const struct pci_ops sni_pcit_ops;
3006
3007 static struct pci_controller sni_pcit_controller = {
3008 .pci_ops = &sni_pcit_ops,
3009 diff -urNp linux-2.6.39.3/arch/mips/wrppmc/pci.c linux-2.6.39.3/arch/mips/wrppmc/pci.c
3010 --- linux-2.6.39.3/arch/mips/wrppmc/pci.c 2011-05-19 00:06:34.000000000 -0400
3011 +++ linux-2.6.39.3/arch/mips/wrppmc/pci.c 2011-05-22 19:36:30.000000000 -0400
3012 @@ -14,7 +14,7 @@
3013
3014 #include <asm/gt64120.h>
3015
3016 -extern struct pci_ops gt64xxx_pci0_ops;
3017 +extern const struct pci_ops gt64xxx_pci0_ops;
3018
3019 static struct resource pci0_io_resource = {
3020 .name = "pci_0 io",
3021 diff -urNp linux-2.6.39.3/arch/mn10300/unit-asb2305/pci-asb2305.h linux-2.6.39.3/arch/mn10300/unit-asb2305/pci-asb2305.h
3022 --- linux-2.6.39.3/arch/mn10300/unit-asb2305/pci-asb2305.h 2011-05-19 00:06:34.000000000 -0400
3023 +++ linux-2.6.39.3/arch/mn10300/unit-asb2305/pci-asb2305.h 2011-05-22 19:36:30.000000000 -0400
3024 @@ -39,7 +39,7 @@ extern void pcibios_resource_survey(void
3025
3026 extern int pcibios_last_bus;
3027 extern struct pci_bus *pci_root_bus;
3028 -extern struct pci_ops *pci_root_ops;
3029 +extern const struct pci_ops *pci_root_ops;
3030
3031 extern struct irq_routing_table *pcibios_get_irq_routing_table(void);
3032 extern int pcibios_set_irq_routing(struct pci_dev *dev, int pin, int irq);
3033 diff -urNp linux-2.6.39.3/arch/mn10300/unit-asb2305/pci.c linux-2.6.39.3/arch/mn10300/unit-asb2305/pci.c
3034 --- linux-2.6.39.3/arch/mn10300/unit-asb2305/pci.c 2011-05-19 00:06:34.000000000 -0400
3035 +++ linux-2.6.39.3/arch/mn10300/unit-asb2305/pci.c 2011-05-22 19:36:30.000000000 -0400
3036 @@ -24,7 +24,7 @@ unsigned int pci_probe = 1;
3037
3038 int pcibios_last_bus = -1;
3039 struct pci_bus *pci_root_bus;
3040 -struct pci_ops *pci_root_ops;
3041 +const struct pci_ops *pci_root_ops;
3042
3043 /*
3044 * The accessible PCI window does not cover the entire CPU address space, but
3045 @@ -274,7 +274,7 @@ static int pci_ampci_write_config(struct
3046 }
3047 }
3048
3049 -static struct pci_ops pci_direct_ampci = {
3050 +static const struct pci_ops pci_direct_ampci = {
3051 pci_ampci_read_config,
3052 pci_ampci_write_config,
3053 };
3054 @@ -289,7 +289,7 @@ static struct pci_ops pci_direct_ampci =
3055 * This should be close to trivial, but it isn't, because there are buggy
3056 * chipsets (yes, you guessed it, by Intel and Compaq) that have no class ID.
3057 */
3058 -static int __init pci_sanity_check(struct pci_ops *o)
3059 +static int __init pci_sanity_check(const struct pci_ops *o)
3060 {
3061 struct pci_bus bus; /* Fake bus and device */
3062 u32 x;
3063 diff -urNp linux-2.6.39.3/arch/parisc/include/asm/elf.h linux-2.6.39.3/arch/parisc/include/asm/elf.h
3064 --- linux-2.6.39.3/arch/parisc/include/asm/elf.h 2011-05-19 00:06:34.000000000 -0400
3065 +++ linux-2.6.39.3/arch/parisc/include/asm/elf.h 2011-05-22 19:36:30.000000000 -0400
3066 @@ -342,6 +342,13 @@ struct pt_regs; /* forward declaration..
3067
3068 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x01000000)
3069
3070 +#ifdef CONFIG_PAX_ASLR
3071 +#define PAX_ELF_ET_DYN_BASE 0x10000UL
3072 +
3073 +#define PAX_DELTA_MMAP_LEN 16
3074 +#define PAX_DELTA_STACK_LEN 16
3075 +#endif
3076 +
3077 /* This yields a mask that user programs can use to figure out what
3078 instruction set this CPU supports. This could be done in user space,
3079 but it's not easy, and we've already done it here. */
3080 diff -urNp linux-2.6.39.3/arch/parisc/include/asm/pgtable.h linux-2.6.39.3/arch/parisc/include/asm/pgtable.h
3081 --- linux-2.6.39.3/arch/parisc/include/asm/pgtable.h 2011-05-19 00:06:34.000000000 -0400
3082 +++ linux-2.6.39.3/arch/parisc/include/asm/pgtable.h 2011-05-22 19:36:30.000000000 -0400
3083 @@ -207,6 +207,17 @@ struct vm_area_struct;
3084 #define PAGE_EXECREAD __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_EXEC |_PAGE_ACCESSED)
3085 #define PAGE_COPY PAGE_EXECREAD
3086 #define PAGE_RWX __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_WRITE | _PAGE_EXEC |_PAGE_ACCESSED)
3087 +
3088 +#ifdef CONFIG_PAX_PAGEEXEC
3089 +# define PAGE_SHARED_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_WRITE | _PAGE_ACCESSED)
3090 +# define PAGE_COPY_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_ACCESSED)
3091 +# define PAGE_READONLY_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_ACCESSED)
3092 +#else
3093 +# define PAGE_SHARED_NOEXEC PAGE_SHARED
3094 +# define PAGE_COPY_NOEXEC PAGE_COPY
3095 +# define PAGE_READONLY_NOEXEC PAGE_READONLY
3096 +#endif
3097 +
3098 #define PAGE_KERNEL __pgprot(_PAGE_KERNEL)
3099 #define PAGE_KERNEL_RO __pgprot(_PAGE_KERNEL & ~_PAGE_WRITE)
3100 #define PAGE_KERNEL_UNC __pgprot(_PAGE_KERNEL | _PAGE_NO_CACHE)
3101 diff -urNp linux-2.6.39.3/arch/parisc/kernel/module.c linux-2.6.39.3/arch/parisc/kernel/module.c
3102 --- linux-2.6.39.3/arch/parisc/kernel/module.c 2011-05-19 00:06:34.000000000 -0400
3103 +++ linux-2.6.39.3/arch/parisc/kernel/module.c 2011-05-22 19:36:30.000000000 -0400
3104 @@ -96,16 +96,38 @@
3105
3106 /* three functions to determine where in the module core
3107 * or init pieces the location is */
3108 +static inline int in_init_rx(struct module *me, void *loc)
3109 +{
3110 + return (loc >= me->module_init_rx &&
3111 + loc < (me->module_init_rx + me->init_size_rx));
3112 +}
3113 +
3114 +static inline int in_init_rw(struct module *me, void *loc)
3115 +{
3116 + return (loc >= me->module_init_rw &&
3117 + loc < (me->module_init_rw + me->init_size_rw));
3118 +}
3119 +
3120 static inline int in_init(struct module *me, void *loc)
3121 {
3122 - return (loc >= me->module_init &&
3123 - loc <= (me->module_init + me->init_size));
3124 + return in_init_rx(me, loc) || in_init_rw(me, loc);
3125 +}
3126 +
3127 +static inline int in_core_rx(struct module *me, void *loc)
3128 +{
3129 + return (loc >= me->module_core_rx &&
3130 + loc < (me->module_core_rx + me->core_size_rx));
3131 +}
3132 +
3133 +static inline int in_core_rw(struct module *me, void *loc)
3134 +{
3135 + return (loc >= me->module_core_rw &&
3136 + loc < (me->module_core_rw + me->core_size_rw));
3137 }
3138
3139 static inline int in_core(struct module *me, void *loc)
3140 {
3141 - return (loc >= me->module_core &&
3142 - loc <= (me->module_core + me->core_size));
3143 + return in_core_rx(me, loc) || in_core_rw(me, loc);
3144 }
3145
3146 static inline int in_local(struct module *me, void *loc)
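Review bot: The context comment at the top of this hunk still says "three functions", but the hunk now has seven range helpers (`in_init_rx`, `in_init_rw`, `in_core_rx`, `in_core_rw` plus the original three), so it should be reworded, e.g. `/* helpers to determine which module region (init/core, rx/rw) holds the location */`. The new helpers also change the upper bound from `<=` to `<`. That looks like the correct half-open range, but it is a silent behaviour change for an address exactly at the end of a region and deserves a mention in that comment. in_local's body continues outside the hunk.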
3147 @@ -365,13 +387,13 @@ int module_frob_arch_sections(CONST Elf_
3148 }
3149
3150 /* align things a bit */
3151 - me->core_size = ALIGN(me->core_size, 16);
3152 - me->arch.got_offset = me->core_size;
3153 - me->core_size += gots * sizeof(struct got_entry);
3154 -
3155 - me->core_size = ALIGN(me->core_size, 16);
3156 - me->arch.fdesc_offset = me->core_size;
3157 - me->core_size += fdescs * sizeof(Elf_Fdesc);
3158 + me->core_size_rw = ALIGN(me->core_size_rw, 16);
3159 + me->arch.got_offset = me->core_size_rw;
3160 + me->core_size_rw += gots * sizeof(struct got_entry);
3161 +
3162 + me->core_size_rw = ALIGN(me->core_size_rw, 16);
3163 + me->arch.fdesc_offset = me->core_size_rw;
3164 + me->core_size_rw += fdescs * sizeof(Elf_Fdesc);
3165
3166 me->arch.got_max = gots;
3167 me->arch.fdesc_max = fdescs;
3168 @@ -389,7 +411,7 @@ static Elf64_Word get_got(struct module
3169
3170 BUG_ON(value == 0);
3171
3172 - got = me->module_core + me->arch.got_offset;
3173 + got = me->module_core_rw + me->arch.got_offset;
3174 for (i = 0; got[i].addr; i++)
3175 if (got[i].addr == value)
3176 goto out;
3177 @@ -407,7 +429,7 @@ static Elf64_Word get_got(struct module
3178 #ifdef CONFIG_64BIT
3179 static Elf_Addr get_fdesc(struct module *me, unsigned long value)
3180 {
3181 - Elf_Fdesc *fdesc = me->module_core + me->arch.fdesc_offset;
3182 + Elf_Fdesc *fdesc = me->module_core_rw + me->arch.fdesc_offset;
3183
3184 if (!value) {
3185 printk(KERN_ERR "%s: zero OPD requested!\n", me->name);
3186 @@ -425,7 +447,7 @@ static Elf_Addr get_fdesc(struct module
3187
3188 /* Create new one */
3189 fdesc->addr = value;
3190 - fdesc->gp = (Elf_Addr)me->module_core + me->arch.got_offset;
3191 + fdesc->gp = (Elf_Addr)me->module_core_rw + me->arch.got_offset;
3192 return (Elf_Addr)fdesc;
3193 }
3194 #endif /* CONFIG_64BIT */
3195 @@ -849,7 +871,7 @@ register_unwind_table(struct module *me,
3196
3197 table = (unsigned char *)sechdrs[me->arch.unwind_section].sh_addr;
3198 end = table + sechdrs[me->arch.unwind_section].sh_size;
3199 - gp = (Elf_Addr)me->module_core + me->arch.got_offset;
3200 + gp = (Elf_Addr)me->module_core_rw + me->arch.got_offset;
3201
3202 DEBUGP("register_unwind_table(), sect = %d at 0x%p - 0x%p (gp=0x%lx)\n",
3203 me->arch.unwind_section, table, end, gp);
3204 diff -urNp linux-2.6.39.3/arch/parisc/kernel/sys_parisc.c linux-2.6.39.3/arch/parisc/kernel/sys_parisc.c
3205 --- linux-2.6.39.3/arch/parisc/kernel/sys_parisc.c 2011-05-19 00:06:34.000000000 -0400
3206 +++ linux-2.6.39.3/arch/parisc/kernel/sys_parisc.c 2011-05-22 19:36:30.000000000 -0400
3207 @@ -43,7 +43,7 @@ static unsigned long get_unshared_area(u
3208 /* At this point: (!vma || addr < vma->vm_end). */
3209 if (TASK_SIZE - len < addr)
3210 return -ENOMEM;
3211 - if (!vma || addr + len <= vma->vm_start)
3212 + if (check_heap_stack_gap(vma, addr, len))
3213 return addr;
3214 addr = vma->vm_end;
3215 }
3216 @@ -79,7 +79,7 @@ static unsigned long get_shared_area(str
3217 /* At this point: (!vma || addr < vma->vm_end). */
3218 if (TASK_SIZE - len < addr)
3219 return -ENOMEM;
3220 - if (!vma || addr + len <= vma->vm_start)
3221 + if (check_heap_stack_gap(vma, addr, len))
3222 return addr;
3223 addr = DCACHE_ALIGN(vma->vm_end - offset) + offset;
3224 if (addr < vma->vm_end) /* handle wraparound */
3225 @@ -98,7 +98,7 @@ unsigned long arch_get_unmapped_area(str
3226 if (flags & MAP_FIXED)
3227 return addr;
3228 if (!addr)
3229 - addr = TASK_UNMAPPED_BASE;
3230 + addr = current->mm->mmap_base;
3231
3232 if (filp) {
3233 addr = get_shared_area(filp->f_mapping, addr, len, pgoff);
3234 diff -urNp linux-2.6.39.3/arch/parisc/kernel/traps.c linux-2.6.39.3/arch/parisc/kernel/traps.c
3235 --- linux-2.6.39.3/arch/parisc/kernel/traps.c 2011-05-19 00:06:34.000000000 -0400
3236 +++ linux-2.6.39.3/arch/parisc/kernel/traps.c 2011-05-22 19:36:30.000000000 -0400
3237 @@ -733,9 +733,7 @@ void notrace handle_interruption(int cod
3238
3239 down_read(&current->mm->mmap_sem);
3240 vma = find_vma(current->mm,regs->iaoq[0]);
3241 - if (vma && (regs->iaoq[0] >= vma->vm_start)
3242 - && (vma->vm_flags & VM_EXEC)) {
3243 -
3244 + if (vma && (regs->iaoq[0] >= vma->vm_start)) {
3245 fault_address = regs->iaoq[0];
3246 fault_space = regs->iasq[0];
3247
3248 diff -urNp linux-2.6.39.3/arch/parisc/mm/fault.c linux-2.6.39.3/arch/parisc/mm/fault.c
3249 --- linux-2.6.39.3/arch/parisc/mm/fault.c 2011-05-19 00:06:34.000000000 -0400
3250 +++ linux-2.6.39.3/arch/parisc/mm/fault.c 2011-05-22 19:36:30.000000000 -0400
3251 @@ -15,6 +15,7 @@
3252 #include <linux/sched.h>
3253 #include <linux/interrupt.h>
3254 #include <linux/module.h>
3255 +#include <linux/unistd.h>
3256
3257 #include <asm/uaccess.h>
3258 #include <asm/traps.h>
3259 @@ -52,7 +53,7 @@ DEFINE_PER_CPU(struct exception_data, ex
3260 static unsigned long
3261 parisc_acctyp(unsigned long code, unsigned int inst)
3262 {
3263 - if (code == 6 || code == 16)
3264 + if (code == 6 || code == 7 || code == 16)
3265 return VM_EXEC;
3266
3267 switch (inst & 0xf0000000) {
3268 @@ -138,6 +139,116 @@ parisc_acctyp(unsigned long code, unsign
3269 }
3270 #endif
3271
3272 +#ifdef CONFIG_PAX_PAGEEXEC
3273 +/*
3274 + * PaX: decide what to do with offenders (instruction_pointer(regs) = fault address)
3275 + *
3276 + * returns 1 when task should be killed
3277 + * 2 when rt_sigreturn trampoline was detected
3278 + * 3 when unpatched PLT trampoline was detected
3279 + */
3280 +static int pax_handle_fetch_fault(struct pt_regs *regs)
3281 +{
3282 +
3283 +#ifdef CONFIG_PAX_EMUPLT
3284 + int err;
3285 +
3286 + do { /* PaX: unpatched PLT emulation */
3287 + unsigned int bl, depwi;
3288 +
3289 + err = get_user(bl, (unsigned int *)instruction_pointer(regs));
3290 + err |= get_user(depwi, (unsigned int *)(instruction_pointer(regs)+4));
3291 +
3292 + if (err)
3293 + break;
3294 +
3295 + if (bl == 0xEA9F1FDDU && depwi == 0xD6801C1EU) {
3296 + unsigned int ldw, bv, ldw2, addr = instruction_pointer(regs)-12;
3297 +
3298 + err = get_user(ldw, (unsigned int *)addr);
3299 + err |= get_user(bv, (unsigned int *)(addr+4));
3300 + err |= get_user(ldw2, (unsigned int *)(addr+8));
3301 +
3302 + if (err)
3303 + break;
3304 +
3305 + if (ldw == 0x0E801096U &&
3306 + bv == 0xEAC0C000U &&
3307 + ldw2 == 0x0E881095U)
3308 + {
3309 + unsigned int resolver, map;
3310 +
3311 + err = get_user(resolver, (unsigned int *)(instruction_pointer(regs)+8));
3312 + err |= get_user(map, (unsigned int *)(instruction_pointer(regs)+12));
3313 + if (err)
3314 + break;
3315 +
3316 + regs->gr[20] = instruction_pointer(regs)+8;
3317 + regs->gr[21] = map;
3318 + regs->gr[22] = resolver;
3319 + regs->iaoq[0] = resolver | 3UL;
3320 + regs->iaoq[1] = regs->iaoq[0] + 4;
3321 + return 3;
3322 + }
3323 + }
3324 + } while (0);
3325 +#endif
3326 +
3327 +#ifdef CONFIG_PAX_EMUTRAMP
3328 +
3329 +#ifndef CONFIG_PAX_EMUSIGRT
3330 + if (!(current->mm->pax_flags & MF_PAX_EMUTRAMP))
3331 + return 1;
3332 +#endif
3333 +
3334 + do { /* PaX: rt_sigreturn emulation */
3335 + unsigned int ldi1, ldi2, bel, nop;
3336 +
3337 + err = get_user(ldi1, (unsigned int *)instruction_pointer(regs));
3338 + err |= get_user(ldi2, (unsigned int *)(instruction_pointer(regs)+4));
3339 + err |= get_user(bel, (unsigned int *)(instruction_pointer(regs)+8));
3340 + err |= get_user(nop, (unsigned int *)(instruction_pointer(regs)+12));
3341 +
3342 + if (err)
3343 + break;
3344 +
3345 + if ((ldi1 == 0x34190000U || ldi1 == 0x34190002U) &&
3346 + ldi2 == 0x3414015AU &&
3347 + bel == 0xE4008200U &&
3348 + nop == 0x08000240U)
3349 + {
3350 + regs->gr[25] = (ldi1 & 2) >> 1;
3351 + regs->gr[20] = __NR_rt_sigreturn;
3352 + regs->gr[31] = regs->iaoq[1] + 16;
3353 + regs->sr[0] = regs->iasq[1];
3354 + regs->iaoq[0] = 0x100UL;
3355 + regs->iaoq[1] = regs->iaoq[0] + 4;
3356 + regs->iasq[0] = regs->sr[2];
3357 + regs->iasq[1] = regs->sr[2];
3358 + return 2;
3359 + }
3360 + } while (0);
3361 +#endif
3362 +
3363 + return 1;
3364 +}
3365 +
3366 +void pax_report_insns(void *pc, void *sp)
3367 +{
3368 + unsigned long i;
3369 +
3370 + printk(KERN_ERR "PAX: bytes at PC: ");
3371 + for (i = 0; i < 5; i++) {
3372 + unsigned int c;
3373 + if (get_user(c, (unsigned int *)pc+i))
3374 + printk(KERN_CONT "???????? ");
3375 + else
3376 + printk(KERN_CONT "%08x ", c);
3377 + }
3378 + printk("\n");
3379 +}
3380 +#endif
3381 +
3382 int fixup_exception(struct pt_regs *regs)
3383 {
3384 const struct exception_table_entry *fix;
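Review bot: `err` is declared only inside the `#ifdef CONFIG_PAX_EMUPLT` block at the top of pax_handle_fetch_fault, yet the `CONFIG_PAX_EMUTRAMP` block below assigns to it. A build with EMUTRAMP enabled and EMUPLT disabled would therefore fail to compile, unless Kconfig (not visible here) forbids that combination. Declaring it under `#if defined(CONFIG_PAX_EMUPLT) || defined(CONFIG_PAX_EMUTRAMP)` removes the dependency. In pax_report_insns the closing `printk("\n")` has no `KERN_CONT`, unlike the other continuation prints, so it may be logged as a separate line; `printk(KERN_CONT "\n");` matches the rest. fixup_exception's body continues outside the hunk.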
3385 @@ -192,8 +303,33 @@ good_area:
3386
3387 acc_type = parisc_acctyp(code,regs->iir);
3388
3389 - if ((vma->vm_flags & acc_type) != acc_type)
3390 + if ((vma->vm_flags & acc_type) != acc_type) {
3391 +
3392 +#ifdef CONFIG_PAX_PAGEEXEC
3393 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && (acc_type & VM_EXEC) &&
3394 + (address & ~3UL) == instruction_pointer(regs))
3395 + {
3396 + up_read(&mm->mmap_sem);
3397 + switch (pax_handle_fetch_fault(regs)) {
3398 +
3399 +#ifdef CONFIG_PAX_EMUPLT
3400 + case 3:
3401 + return;
3402 +#endif
3403 +
3404 +#ifdef CONFIG_PAX_EMUTRAMP
3405 + case 2:
3406 + return;
3407 +#endif
3408 +
3409 + }
3410 + pax_report_fault(regs, (void *)instruction_pointer(regs), (void *)regs->gr[30]);
3411 + do_group_exit(SIGKILL);
3412 + }
3413 +#endif
3414 +
3415 goto bad_area;
3416 + }
3417
3418 /*
3419 * If for any reason at all we couldn't handle the fault, make
3420 diff -urNp linux-2.6.39.3/arch/powerpc/include/asm/device.h linux-2.6.39.3/arch/powerpc/include/asm/device.h
3421 --- linux-2.6.39.3/arch/powerpc/include/asm/device.h 2011-05-19 00:06:34.000000000 -0400
3422 +++ linux-2.6.39.3/arch/powerpc/include/asm/device.h 2011-05-22 19:36:30.000000000 -0400
3423 @@ -17,7 +17,7 @@ struct device_node;
3424 */
3425 struct dev_archdata {
3426 /* DMA operations on that device */
3427 - struct dma_map_ops *dma_ops;
3428 + const struct dma_map_ops *dma_ops;
3429
3430 /*
3431 * When an iommu is in use, dma_data is used as a ptr to the base of the
3432 diff -urNp linux-2.6.39.3/arch/powerpc/include/asm/dma-mapping.h linux-2.6.39.3/arch/powerpc/include/asm/dma-mapping.h
3433 --- linux-2.6.39.3/arch/powerpc/include/asm/dma-mapping.h 2011-05-19 00:06:34.000000000 -0400
3434 +++ linux-2.6.39.3/arch/powerpc/include/asm/dma-mapping.h 2011-05-22 19:36:30.000000000 -0400
3435 @@ -67,12 +67,13 @@ static inline unsigned long device_to_ma
3436 /*
3437 * Available generic sets of operations
3438 */
3439 +/* cannot be const */
3440 #ifdef CONFIG_PPC64
3441 -extern struct dma_map_ops dma_iommu_ops;
3442 +extern const struct dma_map_ops dma_iommu_ops;
3443 #endif
3444 -extern struct dma_map_ops dma_direct_ops;
3445 +extern const struct dma_map_ops dma_direct_ops;
3446
3447 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
3448 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
3449 {
3450 /* We don't handle the NULL dev case for ISA for now. We could
3451 * do it via an out of line call but it is not needed for now. The
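Review bot: The added comment `/* cannot be const */` sits directly above `dma_iommu_ops` and `dma_direct_ops`, both of which this same hunk declares `const`, so the comment contradicts the code it annotates. If it is a leftover from an earlier revision it should be dropped. If it refers to something else, such as an ops table that platform code modifies at runtime, it should name that object and say why. get_dma_ops's body continues outside the hunk.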
3452 @@ -85,7 +86,7 @@ static inline struct dma_map_ops *get_dm
3453 return dev->archdata.dma_ops;
3454 }
3455
3456 -static inline void set_dma_ops(struct device *dev, struct dma_map_ops *ops)
3457 +static inline void set_dma_ops(struct device *dev, const struct dma_map_ops *ops)
3458 {
3459 dev->archdata.dma_ops = ops;
3460 }
3461 @@ -119,7 +120,7 @@ static inline void set_dma_offset(struct
3462
3463 static inline int dma_supported(struct device *dev, u64 mask)
3464 {
3465 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
3466 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
3467
3468 if (unlikely(dma_ops == NULL))
3469 return 0;
3470 @@ -133,7 +134,7 @@ extern int dma_set_mask(struct device *d
3471 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
3472 dma_addr_t *dma_handle, gfp_t flag)
3473 {
3474 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
3475 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
3476 void *cpu_addr;
3477
3478 BUG_ON(!dma_ops);
3479 @@ -148,7 +149,7 @@ static inline void *dma_alloc_coherent(s
3480 static inline void dma_free_coherent(struct device *dev, size_t size,
3481 void *cpu_addr, dma_addr_t dma_handle)
3482 {
3483 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
3484 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
3485
3486 BUG_ON(!dma_ops);
3487
3488 @@ -159,7 +160,7 @@ static inline void dma_free_coherent(str
3489
3490 static inline int dma_mapping_error(struct device *dev, dma_addr_t dma_addr)
3491 {
3492 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
3493 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
3494
3495 if (dma_ops->mapping_error)
3496 return dma_ops->mapping_error(dev, dma_addr);
3497 diff -urNp linux-2.6.39.3/arch/powerpc/include/asm/elf.h linux-2.6.39.3/arch/powerpc/include/asm/elf.h
3498 --- linux-2.6.39.3/arch/powerpc/include/asm/elf.h 2011-05-19 00:06:34.000000000 -0400
3499 +++ linux-2.6.39.3/arch/powerpc/include/asm/elf.h 2011-05-22 19:36:30.000000000 -0400
3500 @@ -178,8 +178,19 @@ typedef elf_fpreg_t elf_vsrreghalf_t32[E
3501 the loader. We need to make sure that it is out of the way of the program
3502 that it will "exec", and that there is sufficient room for the brk. */
3503
3504 -extern unsigned long randomize_et_dyn(unsigned long base);
3505 -#define ELF_ET_DYN_BASE (randomize_et_dyn(0x20000000))
3506 +#define ELF_ET_DYN_BASE (0x20000000)
3507 +
3508 +#ifdef CONFIG_PAX_ASLR
3509 +#define PAX_ELF_ET_DYN_BASE (0x10000000UL)
3510 +
3511 +#ifdef __powerpc64__
3512 +#define PAX_DELTA_MMAP_LEN (is_32bit_task() ? 16 : 28)
3513 +#define PAX_DELTA_STACK_LEN (is_32bit_task() ? 16 : 28)
3514 +#else
3515 +#define PAX_DELTA_MMAP_LEN 15
3516 +#define PAX_DELTA_STACK_LEN 15
3517 +#endif
3518 +#endif
3519
3520 /*
3521 * Our registers are always unsigned longs, whether we're a 32 bit
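Review bot: With `CONFIG_PAX_ASLR` unset, `ELF_ET_DYN_BASE` becomes the fixed value `0x20000000`, because the `randomize_et_dyn()` call is removed and the PaX constants are compiled out. The next hunk in this file likewise removes the `arch_randomize_brk` hook, and the system.h hunk reduces `arch_align_stack` to a plain alignment mask. As far as these hunks show, a kernel built from this tree without PaX ASLR loses the stock ET_DYN, brk and stack randomization with no replacement. If that is intended, a comment above the define should say so, e.g. `/* base randomization is provided by CONFIG_PAX_ASLR (PAX_ELF_ET_DYN_BASE) only */`; otherwise the stock definitions could be kept under `#ifndef CONFIG_PAX_ASLR`.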
3522 @@ -274,9 +285,6 @@ extern int arch_setup_additional_pages(s
3523 (0x7ff >> (PAGE_SHIFT - 12)) : \
3524 (0x3ffff >> (PAGE_SHIFT - 12)))
3525
3526 -extern unsigned long arch_randomize_brk(struct mm_struct *mm);
3527 -#define arch_randomize_brk arch_randomize_brk
3528 -
3529 #endif /* __KERNEL__ */
3530
3531 /*
3532 diff -urNp linux-2.6.39.3/arch/powerpc/include/asm/iommu.h linux-2.6.39.3/arch/powerpc/include/asm/iommu.h
3533 --- linux-2.6.39.3/arch/powerpc/include/asm/iommu.h 2011-05-19 00:06:34.000000000 -0400
3534 +++ linux-2.6.39.3/arch/powerpc/include/asm/iommu.h 2011-05-22 19:36:30.000000000 -0400
3535 @@ -116,6 +116,9 @@ extern void iommu_init_early_iSeries(voi
3536 extern void iommu_init_early_dart(void);
3537 extern void iommu_init_early_pasemi(void);
3538
3539 +/* dma-iommu.c */
3540 +extern int dma_iommu_dma_supported(struct device *dev, u64 mask);
3541 +
3542 #ifdef CONFIG_PCI
3543 extern void pci_iommu_init(void);
3544 extern void pci_direct_iommu_init(void);
3545 diff -urNp linux-2.6.39.3/arch/powerpc/include/asm/kmap_types.h linux-2.6.39.3/arch/powerpc/include/asm/kmap_types.h
3546 --- linux-2.6.39.3/arch/powerpc/include/asm/kmap_types.h 2011-05-19 00:06:34.000000000 -0400
3547 +++ linux-2.6.39.3/arch/powerpc/include/asm/kmap_types.h 2011-05-22 19:36:30.000000000 -0400
3548 @@ -27,6 +27,7 @@ enum km_type {
3549 KM_PPC_SYNC_PAGE,
3550 KM_PPC_SYNC_ICACHE,
3551 KM_KDB,
3552 + KM_CLEARPAGE,
3553 KM_TYPE_NR
3554 };
3555
3556 diff -urNp linux-2.6.39.3/arch/powerpc/include/asm/page_64.h linux-2.6.39.3/arch/powerpc/include/asm/page_64.h
3557 --- linux-2.6.39.3/arch/powerpc/include/asm/page_64.h 2011-05-19 00:06:34.000000000 -0400
3558 +++ linux-2.6.39.3/arch/powerpc/include/asm/page_64.h 2011-05-22 19:36:30.000000000 -0400
3559 @@ -172,15 +172,18 @@ do { \
3560 * stack by default, so in the absence of a PT_GNU_STACK program header
3561 * we turn execute permission off.
3562 */
3563 -#define VM_STACK_DEFAULT_FLAGS32 (VM_READ | VM_WRITE | VM_EXEC | \
3564 - VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
3565 +#define VM_STACK_DEFAULT_FLAGS32 \
3566 + (((current->personality & READ_IMPLIES_EXEC) ? VM_EXEC : 0) | \
3567 + VM_READ | VM_WRITE | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
3568
3569 #define VM_STACK_DEFAULT_FLAGS64 (VM_READ | VM_WRITE | \
3570 VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
3571
3572 +#ifndef CONFIG_PAX_PAGEEXEC
3573 #define VM_STACK_DEFAULT_FLAGS \
3574 (is_32bit_task() ? \
3575 VM_STACK_DEFAULT_FLAGS32 : VM_STACK_DEFAULT_FLAGS64)
3576 +#endif
3577
3578 #include <asm-generic/getorder.h>
3579
3580 diff -urNp linux-2.6.39.3/arch/powerpc/include/asm/page.h linux-2.6.39.3/arch/powerpc/include/asm/page.h
3581 --- linux-2.6.39.3/arch/powerpc/include/asm/page.h 2011-05-19 00:06:34.000000000 -0400
3582 +++ linux-2.6.39.3/arch/powerpc/include/asm/page.h 2011-05-22 19:36:30.000000000 -0400
3583 @@ -129,8 +129,9 @@ extern phys_addr_t kernstart_addr;
3584 * and needs to be executable. This means the whole heap ends
3585 * up being executable.
3586 */
3587 -#define VM_DATA_DEFAULT_FLAGS32 (VM_READ | VM_WRITE | VM_EXEC | \
3588 - VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
3589 +#define VM_DATA_DEFAULT_FLAGS32 \
3590 + (((current->personality & READ_IMPLIES_EXEC) ? VM_EXEC : 0) | \
3591 + VM_READ | VM_WRITE | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
3592
3593 #define VM_DATA_DEFAULT_FLAGS64 (VM_READ | VM_WRITE | \
3594 VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
3595 @@ -158,6 +159,9 @@ extern phys_addr_t kernstart_addr;
3596 #define is_kernel_addr(x) ((x) >= PAGE_OFFSET)
3597 #endif
3598
3599 +#define ktla_ktva(addr) (addr)
3600 +#define ktva_ktla(addr) (addr)
3601 +
3602 #ifndef __ASSEMBLY__
3603
3604 #undef STRICT_MM_TYPECHECKS
3605 diff -urNp linux-2.6.39.3/arch/powerpc/include/asm/pci.h linux-2.6.39.3/arch/powerpc/include/asm/pci.h
3606 --- linux-2.6.39.3/arch/powerpc/include/asm/pci.h 2011-05-19 00:06:34.000000000 -0400
3607 +++ linux-2.6.39.3/arch/powerpc/include/asm/pci.h 2011-05-22 19:36:30.000000000 -0400
3608 @@ -65,8 +65,8 @@ static inline int pci_get_legacy_ide_irq
3609 }
3610
3611 #ifdef CONFIG_PCI
3612 -extern void set_pci_dma_ops(struct dma_map_ops *dma_ops);
3613 -extern struct dma_map_ops *get_pci_dma_ops(void);
3614 +extern void set_pci_dma_ops(const struct dma_map_ops *dma_ops);
3615 +extern const struct dma_map_ops *get_pci_dma_ops(void);
3616 #else /* CONFIG_PCI */
3617 #define set_pci_dma_ops(d)
3618 #define get_pci_dma_ops() NULL
3619 diff -urNp linux-2.6.39.3/arch/powerpc/include/asm/pgtable.h linux-2.6.39.3/arch/powerpc/include/asm/pgtable.h
3620 --- linux-2.6.39.3/arch/powerpc/include/asm/pgtable.h 2011-05-19 00:06:34.000000000 -0400
3621 +++ linux-2.6.39.3/arch/powerpc/include/asm/pgtable.h 2011-05-22 19:36:30.000000000 -0400
3622 @@ -2,6 +2,7 @@
3623 #define _ASM_POWERPC_PGTABLE_H
3624 #ifdef __KERNEL__
3625
3626 +#include <linux/const.h>
3627 #ifndef __ASSEMBLY__
3628 #include <asm/processor.h> /* For TASK_SIZE */
3629 #include <asm/mmu.h>
3630 diff -urNp linux-2.6.39.3/arch/powerpc/include/asm/pte-hash32.h linux-2.6.39.3/arch/powerpc/include/asm/pte-hash32.h
3631 --- linux-2.6.39.3/arch/powerpc/include/asm/pte-hash32.h 2011-05-19 00:06:34.000000000 -0400
3632 +++ linux-2.6.39.3/arch/powerpc/include/asm/pte-hash32.h 2011-05-22 19:36:30.000000000 -0400
3633 @@ -21,6 +21,7 @@
3634 #define _PAGE_FILE 0x004 /* when !present: nonlinear file mapping */
3635 #define _PAGE_USER 0x004 /* usermode access allowed */
3636 #define _PAGE_GUARDED 0x008 /* G: prohibit speculative access */
3637 +#define _PAGE_EXEC _PAGE_GUARDED
3638 #define _PAGE_COHERENT 0x010 /* M: enforce memory coherence (SMP systems) */
3639 #define _PAGE_NO_CACHE 0x020 /* I: cache inhibit */
3640 #define _PAGE_WRITETHRU 0x040 /* W: cache write-through */
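Review bot: `_PAGE_EXEC` is introduced as an alias of `_PAGE_GUARDED` with no comment, so this header does not say whether setting the bit grants or denies instruction fetch. The `DSISR_GUARDED` comment added in reg.h ("fetch from guarded storage") suggests the G bit blocks fetches, which would make the name read inverted. Any existing code that sets `_PAGE_GUARDED` for its original purpose now also changes the exec meaning. A one-line comment on the define should state the polarity and the sharing, e.g. `/* PaX: reuses the G bit for exec control on hash32; see DSISR_GUARDED in reg.h */`.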
3641 diff -urNp linux-2.6.39.3/arch/powerpc/include/asm/reg.h linux-2.6.39.3/arch/powerpc/include/asm/reg.h
3642 --- linux-2.6.39.3/arch/powerpc/include/asm/reg.h 2011-05-19 00:06:34.000000000 -0400
3643 +++ linux-2.6.39.3/arch/powerpc/include/asm/reg.h 2011-05-22 19:36:30.000000000 -0400
3644 @@ -201,6 +201,7 @@
3645 #define SPRN_DBCR 0x136 /* e300 Data Breakpoint Control Reg */
3646 #define SPRN_DSISR 0x012 /* Data Storage Interrupt Status Register */
3647 #define DSISR_NOHPTE 0x40000000 /* no translation found */
3648 +#define DSISR_GUARDED 0x10000000 /* fetch from guarded storage */
3649 #define DSISR_PROTFAULT 0x08000000 /* protection fault */
3650 #define DSISR_ISSTORE 0x02000000 /* access was a store */
3651 #define DSISR_DABRMATCH 0x00400000 /* hit data breakpoint */
3652 diff -urNp linux-2.6.39.3/arch/powerpc/include/asm/swiotlb.h linux-2.6.39.3/arch/powerpc/include/asm/swiotlb.h
3653 --- linux-2.6.39.3/arch/powerpc/include/asm/swiotlb.h 2011-05-19 00:06:34.000000000 -0400
3654 +++ linux-2.6.39.3/arch/powerpc/include/asm/swiotlb.h 2011-05-22 19:36:30.000000000 -0400
3655 @@ -13,7 +13,7 @@
3656
3657 #include <linux/swiotlb.h>
3658
3659 -extern struct dma_map_ops swiotlb_dma_ops;
3660 +extern const struct dma_map_ops swiotlb_dma_ops;
3661
3662 static inline void dma_mark_clean(void *addr, size_t size) {}
3663
3664 diff -urNp linux-2.6.39.3/arch/powerpc/include/asm/system.h linux-2.6.39.3/arch/powerpc/include/asm/system.h
3665 --- linux-2.6.39.3/arch/powerpc/include/asm/system.h 2011-05-19 00:06:34.000000000 -0400
3666 +++ linux-2.6.39.3/arch/powerpc/include/asm/system.h 2011-05-22 19:36:30.000000000 -0400
3667 @@ -533,7 +533,7 @@ __cmpxchg_local(volatile void *ptr, unsi
3668 #define cmpxchg64_local(ptr, o, n) __cmpxchg64_local_generic((ptr), (o), (n))
3669 #endif
3670
3671 -extern unsigned long arch_align_stack(unsigned long sp);
3672 +#define arch_align_stack(x) ((x) & ~0xfUL)
3673
3674 /* Used in very early kernel initialization. */
3675 extern unsigned long reloc_offset(void);
3676 diff -urNp linux-2.6.39.3/arch/powerpc/include/asm/uaccess.h linux-2.6.39.3/arch/powerpc/include/asm/uaccess.h
3677 --- linux-2.6.39.3/arch/powerpc/include/asm/uaccess.h 2011-05-19 00:06:34.000000000 -0400
3678 +++ linux-2.6.39.3/arch/powerpc/include/asm/uaccess.h 2011-05-22 19:36:30.000000000 -0400
3679 @@ -13,6 +13,8 @@
3680 #define VERIFY_READ 0
3681 #define VERIFY_WRITE 1
3682
3683 +extern void check_object_size(const void *ptr, unsigned long n, bool to);
3684 +
3685 /*
3686 * The fs value determines whether argument validity checking should be
3687 * performed or not. If get_fs() == USER_DS, checking is performed, with
3688 @@ -327,52 +329,6 @@ do { \
3689 extern unsigned long __copy_tofrom_user(void __user *to,
3690 const void __user *from, unsigned long size);
3691
3692 -#ifndef __powerpc64__
3693 -
3694 -static inline unsigned long copy_from_user(void *to,
3695 - const void __user *from, unsigned long n)
3696 -{
3697 - unsigned long over;
3698 -
3699 - if (access_ok(VERIFY_READ, from, n))
3700 - return __copy_tofrom_user((__force void __user *)to, from, n);
3701 - if ((unsigned long)from < TASK_SIZE) {
3702 - over = (unsigned long)from + n - TASK_SIZE;
3703 - return __copy_tofrom_user((__force void __user *)to, from,
3704 - n - over) + over;
3705 - }
3706 - return n;
3707 -}
3708 -
3709 -static inline unsigned long copy_to_user(void __user *to,
3710 - const void *from, unsigned long n)
3711 -{
3712 - unsigned long over;
3713 -
3714 - if (access_ok(VERIFY_WRITE, to, n))
3715 - return __copy_tofrom_user(to, (__force void __user *)from, n);
3716 - if ((unsigned long)to < TASK_SIZE) {
3717 - over = (unsigned long)to + n - TASK_SIZE;
3718 - return __copy_tofrom_user(to, (__force void __user *)from,
3719 - n - over) + over;
3720 - }
3721 - return n;
3722 -}
3723 -
3724 -#else /* __powerpc64__ */
3725 -
3726 -#define __copy_in_user(to, from, size) \
3727 - __copy_tofrom_user((to), (from), (size))
3728 -
3729 -extern unsigned long copy_from_user(void *to, const void __user *from,
3730 - unsigned long n);
3731 -extern unsigned long copy_to_user(void __user *to, const void *from,
3732 - unsigned long n);
3733 -extern unsigned long copy_in_user(void __user *to, const void __user *from,
3734 - unsigned long n);
3735 -
3736 -#endif /* __powerpc64__ */
3737 -
3738 static inline unsigned long __copy_from_user_inatomic(void *to,
3739 const void __user *from, unsigned long n)
3740 {
3741 @@ -396,6 +352,10 @@ static inline unsigned long __copy_from_
3742 if (ret == 0)
3743 return 0;
3744 }
3745 +
3746 + if (!__builtin_constant_p(n))
3747 + check_object_size(to, n, false);
3748 +
3749 return __copy_tofrom_user((__force void __user *)to, from, n);
3750 }
3751
3752 @@ -422,6 +382,10 @@ static inline unsigned long __copy_to_us
3753 if (ret == 0)
3754 return 0;
3755 }
3756 +
3757 + if (!__builtin_constant_p(n))
3758 + check_object_size(from, n, true);
3759 +
3760 return __copy_tofrom_user(to, (__force const void __user *)from, n);
3761 }
3762
3763 @@ -439,6 +403,92 @@ static inline unsigned long __copy_to_us
3764 return __copy_to_user_inatomic(to, from, size);
3765 }
3766
3767 +#ifndef __powerpc64__
3768 +
3769 +static inline unsigned long __must_check copy_from_user(void *to,
3770 + const void __user *from, unsigned long n)
3771 +{
3772 + unsigned long over;
3773 +
3774 + if ((long)n < 0)
3775 + return n;
3776 +
3777 + if (access_ok(VERIFY_READ, from, n)) {
3778 + if (!__builtin_constant_p(n))
3779 + check_object_size(to, n, false);
3780 + return __copy_tofrom_user((__force void __user *)to, from, n);
3781 + }
3782 + if ((unsigned long)from < TASK_SIZE) {
3783 + over = (unsigned long)from + n - TASK_SIZE;
3784 + if (!__builtin_constant_p(n - over))
3785 + check_object_size(to, n - over, false);
3786 + return __copy_tofrom_user((__force void __user *)to, from,
3787 + n - over) + over;
3788 + }
3789 + return n;
3790 +}
3791 +
3792 +static inline unsigned long __must_check copy_to_user(void __user *to,
3793 + const void *from, unsigned long n)
3794 +{
3795 + unsigned long over;
3796 +
3797 + if ((long)n < 0)
3798 + return n;
3799 +
3800 + if (access_ok(VERIFY_WRITE, to, n)) {
3801 + if (!__builtin_constant_p(n))
3802 + check_object_size(from, n, true);
3803 + return __copy_tofrom_user(to, (__force void __user *)from, n);
3804 + }
3805 + if ((unsigned long)to < TASK_SIZE) {
3806 + over = (unsigned long)to + n - TASK_SIZE;
3807 + if (!__builtin_constant_p(n))
3808 + check_object_size(from, n - over, true);
3809 + return __copy_tofrom_user(to, (__force void __user *)from,
3810 + n - over) + over;
3811 + }
3812 + return n;
3813 +}
3814 +
3815 +#else /* __powerpc64__ */
3816 +
3817 +#define __copy_in_user(to, from, size) \
3818 + __copy_tofrom_user((to), (from), (size))
3819 +
3820 +static inline unsigned long __must_check copy_from_user(void *to, const void __user *from, unsigned long n)
3821 +{
3822 + if ((long)n < 0 || n > INT_MAX)
3823 + return n;
3824 +
3825 + if (!__builtin_constant_p(n))
3826 + check_object_size(to, n, false);
3827 +
3828 + if (likely(access_ok(VERIFY_READ, from, n)))
3829 + n = __copy_from_user(to, from, n);
3830 + else
3831 + memset(to, 0, n);
3832 + return n;
3833 +}
3834 +
3835 +static inline unsigned long __must_check copy_to_user(void __user *to, const void *from, unsigned long n)
3836 +{
3837 + if ((long)n < 0 || n > INT_MAX)
3838 + return n;
3839 +
3840 + if (likely(access_ok(VERIFY_WRITE, to, n))) {
3841 + if (!__builtin_constant_p(n))
3842 + check_object_size(from, n, true);
3843 + n = __copy_to_user(to, from, n);
3844 + }
3845 + return n;
3846 +}
3847 +
3848 +extern unsigned long copy_in_user(void __user *to, const void __user *from,
3849 + unsigned long n);
3850 +
3851 +#endif /* __powerpc64__ */
3852 +
3853 extern unsigned long __clear_user(void __user *addr, unsigned long size);
3854
3855 static inline unsigned long clear_user(void __user *addr, unsigned long size)
3856 diff -urNp linux-2.6.39.3/arch/powerpc/kernel/dma.c linux-2.6.39.3/arch/powerpc/kernel/dma.c
3857 --- linux-2.6.39.3/arch/powerpc/kernel/dma.c 2011-05-19 00:06:34.000000000 -0400
3858 +++ linux-2.6.39.3/arch/powerpc/kernel/dma.c 2011-05-22 19:36:30.000000000 -0400
3859 @@ -136,7 +136,7 @@ static inline void dma_direct_sync_singl
3860 }
3861 #endif
3862
3863 -struct dma_map_ops dma_direct_ops = {
3864 +const struct dma_map_ops dma_direct_ops = {
3865 .alloc_coherent = dma_direct_alloc_coherent,
3866 .free_coherent = dma_direct_free_coherent,
3867 .map_sg = dma_direct_map_sg,
3868 @@ -157,7 +157,7 @@ EXPORT_SYMBOL(dma_direct_ops);
3869
3870 int dma_set_mask(struct device *dev, u64 dma_mask)
3871 {
3872 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
3873 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
3874
3875 if (ppc_md.dma_set_mask)
3876 return ppc_md.dma_set_mask(dev, dma_mask);
3877 diff -urNp linux-2.6.39.3/arch/powerpc/kernel/dma-iommu.c linux-2.6.39.3/arch/powerpc/kernel/dma-iommu.c
3878 --- linux-2.6.39.3/arch/powerpc/kernel/dma-iommu.c 2011-05-19 00:06:34.000000000 -0400
3879 +++ linux-2.6.39.3/arch/powerpc/kernel/dma-iommu.c 2011-05-22 19:36:30.000000000 -0400
3880 @@ -70,7 +70,7 @@ static void dma_iommu_unmap_sg(struct de
3881 }
3882
3883 /* We support DMA to/from any memory page via the iommu */
3884 -static int dma_iommu_dma_supported(struct device *dev, u64 mask)
3885 +int dma_iommu_dma_supported(struct device *dev, u64 mask)
3886 {
3887 struct iommu_table *tbl = get_iommu_table_base(dev);
3888
3889 @@ -90,7 +90,7 @@ static int dma_iommu_dma_supported(struc
3890 return 1;
3891 }
3892
3893 -struct dma_map_ops dma_iommu_ops = {
3894 +struct dma_map_ops dma_iommu_ops = { /* cannot be const, see arch/powerpc/platforms/cell/iommu.c */
3895 .alloc_coherent = dma_iommu_alloc_coherent,
3896 .free_coherent = dma_iommu_free_coherent,
3897 .map_sg = dma_iommu_map_sg,
3898 diff -urNp linux-2.6.39.3/arch/powerpc/kernel/dma-swiotlb.c linux-2.6.39.3/arch/powerpc/kernel/dma-swiotlb.c
3899 --- linux-2.6.39.3/arch/powerpc/kernel/dma-swiotlb.c 2011-05-19 00:06:34.000000000 -0400
3900 +++ linux-2.6.39.3/arch/powerpc/kernel/dma-swiotlb.c 2011-05-22 19:36:30.000000000 -0400
3901 @@ -31,7 +31,7 @@ unsigned int ppc_swiotlb_enable;
3902 * map_page, and unmap_page on highmem, use normal dma_ops
3903 * for everything else.
3904 */
3905 -struct dma_map_ops swiotlb_dma_ops = {
3906 +const struct dma_map_ops swiotlb_dma_ops = {
3907 .alloc_coherent = dma_direct_alloc_coherent,
3908 .free_coherent = dma_direct_free_coherent,
3909 .map_sg = swiotlb_map_sg_attrs,
3910 diff -urNp linux-2.6.39.3/arch/powerpc/kernel/exceptions-64e.S linux-2.6.39.3/arch/powerpc/kernel/exceptions-64e.S
3911 --- linux-2.6.39.3/arch/powerpc/kernel/exceptions-64e.S 2011-05-19 00:06:34.000000000 -0400
3912 +++ linux-2.6.39.3/arch/powerpc/kernel/exceptions-64e.S 2011-05-22 19:36:30.000000000 -0400
3913 @@ -495,6 +495,7 @@ storage_fault_common:
3914 std r14,_DAR(r1)
3915 std r15,_DSISR(r1)
3916 addi r3,r1,STACK_FRAME_OVERHEAD
3917 + bl .save_nvgprs
3918 mr r4,r14
3919 mr r5,r15
3920 ld r14,PACA_EXGEN+EX_R14(r13)
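Review bot: The added `bl .save_nvgprs` runs while r14 and r15 still hold the DAR and DSISR values stored just above, and before `ld r14,PACA_EXGEN+EX_R14(r13)` reloads the interrupted context's r14, so the saved frame would record fault metadata in place of the real non-volatile registers. The call removed at label `1:` in the next hunk ran after that reload. Moving the new call below the PACA reloads (the r15 reload is presumably just past the end of this hunk) keeps the frame accurate. If it is moved, confirm that .save_nvgprs leaves the argument registers r3 to r5 untouched, since they would then be set up before the call.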
3921 @@ -504,8 +505,7 @@ storage_fault_common:
3922 cmpdi r3,0
3923 bne- 1f
3924 b .ret_from_except_lite
3925 -1: bl .save_nvgprs
3926 - mr r5,r3
3927 +1: mr r5,r3
3928 addi r3,r1,STACK_FRAME_OVERHEAD
3929 ld r4,_DAR(r1)
3930 bl .bad_page_fault
3931 diff -urNp linux-2.6.39.3/arch/powerpc/kernel/exceptions-64s.S linux-2.6.39.3/arch/powerpc/kernel/exceptions-64s.S
3932 --- linux-2.6.39.3/arch/powerpc/kernel/exceptions-64s.S 2011-05-19 00:06:34.000000000 -0400
3933 +++ linux-2.6.39.3/arch/powerpc/kernel/exceptions-64s.S 2011-05-22 19:36:30.000000000 -0400
3934 @@ -848,10 +848,10 @@ handle_page_fault:
3935 11: ld r4,_DAR(r1)
3936 ld r5,_DSISR(r1)
3937 addi r3,r1,STACK_FRAME_OVERHEAD
3938 + bl .save_nvgprs
3939 bl .do_page_fault
3940 cmpdi r3,0
3941 beq+ 13f
3942 - bl .save_nvgprs
3943 mr r5,r3
3944 addi r3,r1,STACK_FRAME_OVERHEAD
3945 lwz r4,_DAR(r1)
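Review bot: r4, r5 and r3 are loaded as arguments immediately before the new `bl .save_nvgprs`, so the following `bl .do_page_fault` depends on .save_nvgprs leaving those registers untouched; that is not visible in this hunk and deserves a comment. The save also now runs on every page fault instead of only on the failure path, and nothing says why. A line such as `/* save non-volatile GPRs up front so fault reporting sees the full frame; preserves r3-r5 */` would record both, assuming that is the intent. The handle_page_fault body continues outside the hunk.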
3946 diff -urNp linux-2.6.39.3/arch/powerpc/kernel/ibmebus.c linux-2.6.39.3/arch/powerpc/kernel/ibmebus.c
3947 --- linux-2.6.39.3/arch/powerpc/kernel/ibmebus.c 2011-05-19 00:06:34.000000000 -0400
3948 +++ linux-2.6.39.3/arch/powerpc/kernel/ibmebus.c 2011-05-22 19:36:30.000000000 -0400
3949 @@ -128,7 +128,7 @@ static int ibmebus_dma_supported(struct
3950 return 1;
3951 }
3952
3953 -static struct dma_map_ops ibmebus_dma_ops = {
3954 +static const struct dma_map_ops ibmebus_dma_ops = {
3955 .alloc_coherent = ibmebus_alloc_coherent,
3956 .free_coherent = ibmebus_free_coherent,
3957 .map_sg = ibmebus_map_sg,
3958 diff -urNp linux-2.6.39.3/arch/powerpc/kernel/kgdb.c linux-2.6.39.3/arch/powerpc/kernel/kgdb.c
3959 --- linux-2.6.39.3/arch/powerpc/kernel/kgdb.c 2011-05-19 00:06:34.000000000 -0400
3960 +++ linux-2.6.39.3/arch/powerpc/kernel/kgdb.c 2011-05-22 19:36:30.000000000 -0400
3961 @@ -422,7 +422,7 @@ int kgdb_arch_handle_exception(int vecto
3962 /*
3963 * Global data
3964 */
3965 -struct kgdb_arch arch_kgdb_ops = {
3966 +const struct kgdb_arch arch_kgdb_ops = {
3967 .gdb_bpt_instr = {0x7d, 0x82, 0x10, 0x08},
3968 };
3969
3970 diff -urNp linux-2.6.39.3/arch/powerpc/kernel/module_32.c linux-2.6.39.3/arch/powerpc/kernel/module_32.c
3971 --- linux-2.6.39.3/arch/powerpc/kernel/module_32.c 2011-05-19 00:06:34.000000000 -0400
3972 +++ linux-2.6.39.3/arch/powerpc/kernel/module_32.c 2011-05-22 19:36:30.000000000 -0400
3973 @@ -162,7 +162,7 @@ int module_frob_arch_sections(Elf32_Ehdr
3974 me->arch.core_plt_section = i;
3975 }
3976 if (!me->arch.core_plt_section || !me->arch.init_plt_section) {
3977 - printk("Module doesn't contain .plt or .init.plt sections.\n");
3978 + printk("Module %s doesn't contain .plt or .init.plt sections.\n", me->name);
3979 return -ENOEXEC;
3980 }
3981
3982 @@ -203,11 +203,16 @@ static uint32_t do_plt_call(void *locati
3983
3984 DEBUGP("Doing plt for call to 0x%x at 0x%x\n", val, (unsigned int)location);
3985 /* Init, or core PLT? */
3986 - if (location >= mod->module_core
3987 - && location < mod->module_core + mod->core_size)
3988 + if ((location >= mod->module_core_rx && location < mod->module_core_rx + mod->core_size_rx) ||
3989 + (location >= mod->module_core_rw && location < mod->module_core_rw + mod->core_size_rw))
3990 entry = (void *)sechdrs[mod->arch.core_plt_section].sh_addr;
3991 - else
3992 + else if ((location >= mod->module_init_rx && location < mod->module_init_rx + mod->init_size_rx) ||
3993 + (location >= mod->module_init_rw && location < mod->module_init_rw + mod->init_size_rw))
3994 entry = (void *)sechdrs[mod->arch.init_plt_section].sh_addr;
3995 + else {
3996 + printk(KERN_ERR "%s: invalid R_PPC_REL24 entry found\n", mod->name);
3997 + return ~0UL;
3998 + }
3999
4000 /* Find this entry, or if that fails, the next avail. entry */
4001 while (entry->jump[0]) {
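Review bot: The new error path returns `~0UL` from a function declared `uint32_t` (per the hunk header), so the sentinel is truncated to 0xffffffff, and the caller, which is outside this hunk, has to test for it before using the value as a branch target. Without that check a module whose R_PPC_REL24 location lies in none of the four regions would still be relocated, now against a bogus address. Returning a constant of the right width, for example `return ~0U;`, and failing the relocation in the caller when it is seen would close the path. do_plt_call begins and ends outside the hunk.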
4002 diff -urNp linux-2.6.39.3/arch/powerpc/kernel/module.c linux-2.6.39.3/arch/powerpc/kernel/module.c
4003 --- linux-2.6.39.3/arch/powerpc/kernel/module.c 2011-05-19 00:06:34.000000000 -0400
4004 +++ linux-2.6.39.3/arch/powerpc/kernel/module.c 2011-05-22 19:36:30.000000000 -0400
4005 @@ -31,11 +31,24 @@
4006
4007 LIST_HEAD(module_bug_list);
4008
4009 +#ifdef CONFIG_PAX_KERNEXEC
4010 void *module_alloc(unsigned long size)
4011 {
4012 if (size == 0)
4013 return NULL;
4014
4015 + return vmalloc(size);
4016 +}
4017 +
4018 +void *module_alloc_exec(unsigned long size)
4019 +#else
4020 +void *module_alloc(unsigned long size)
4021 +#endif
4022 +
4023 +{
4024 + if (size == 0)
4025 + return NULL;
4026 +
4027 return vmalloc_exec(size);
4028 }
4029
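Review bot: Splitting one function header across `#ifdef CONFIG_PAX_KERNEXEC` / `#else` / `#endif` so that two signatures share a single body makes it hard to see which allocator returns executable memory in which configuration. A static helper holding the `size == 0` check and the `vmalloc_exec(size)` call, wrapped by plainly separate `module_alloc` and `module_alloc_exec` definitions, would read more safely. Each definition should carry a comment stating the expected protection: with KERNEXEC, `module_alloc` returns memory from `vmalloc` and `module_alloc_exec` returns memory from `vmalloc_exec`. Whether the executable region is also writable is decided outside this hunk and is worth stating there.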
4030 @@ -45,6 +58,13 @@ void module_free(struct module *mod, voi
4031 vfree(module_region);
4032 }
4033
4034 +#ifdef CONFIG_PAX_KERNEXEC
4035 +void module_free_exec(struct module *mod, void *module_region)
4036 +{
4037 + module_free(mod, module_region);
4038 +}
4039 +#endif
4040 +
4041 static const Elf_Shdr *find_section(const Elf_Ehdr *hdr,
4042 const Elf_Shdr *sechdrs,
4043 const char *name)
4044 diff -urNp linux-2.6.39.3/arch/powerpc/kernel/pci-common.c linux-2.6.39.3/arch/powerpc/kernel/pci-common.c
4045 --- linux-2.6.39.3/arch/powerpc/kernel/pci-common.c 2011-05-19 00:06:34.000000000 -0400
4046 +++ linux-2.6.39.3/arch/powerpc/kernel/pci-common.c 2011-05-22 19:36:30.000000000 -0400
4047 @@ -53,14 +53,14 @@ resource_size_t isa_mem_base;
4048 unsigned int ppc_pci_flags = 0;
4049
4050
4051 -static struct dma_map_ops *pci_dma_ops = &dma_direct_ops;
4052 +static const struct dma_map_ops *pci_dma_ops = &dma_direct_ops;
4053
4054 -void set_pci_dma_ops(struct dma_map_ops *dma_ops)
4055 +void set_pci_dma_ops(const struct dma_map_ops *dma_ops)
4056 {
4057 pci_dma_ops = dma_ops;
4058 }
4059
4060 -struct dma_map_ops *get_pci_dma_ops(void)
4061 +const struct dma_map_ops *get_pci_dma_ops(void)
4062 {
4063 return pci_dma_ops;
4064 }
4065 @@ -1639,7 +1639,7 @@ null_write_config(struct pci_bus *bus, u
4066 return PCIBIOS_DEVICE_NOT_FOUND;
4067 }
4068
4069 -static struct pci_ops null_pci_ops =
4070 +static const struct pci_ops null_pci_ops =
4071 {
4072 .read = null_read_config,
4073 .write = null_write_config,
4074 diff -urNp linux-2.6.39.3/arch/powerpc/kernel/process.c linux-2.6.39.3/arch/powerpc/kernel/process.c
4075 --- linux-2.6.39.3/arch/powerpc/kernel/process.c 2011-05-19 00:06:34.000000000 -0400
4076 +++ linux-2.6.39.3/arch/powerpc/kernel/process.c 2011-05-22 19:41:32.000000000 -0400
4077 @@ -655,8 +655,8 @@ void show_regs(struct pt_regs * regs)
4078 * Lookup NIP late so we have the best change of getting the
4079 * above info out without failing
4080 */
4081 - printk("NIP ["REG"] %pS\n", regs->nip, (void *)regs->nip);
4082 - printk("LR ["REG"] %pS\n", regs->link, (void *)regs->link);
4083 + printk("NIP ["REG"] %pA\n", regs->nip, (void *)regs->nip);
4084 + printk("LR ["REG"] %pA\n", regs->link, (void *)regs->link);
4085 #endif
4086 show_stack(current, (unsigned long *) regs->gpr[1]);
4087 if (!user_mode(regs))
4088 @@ -1146,10 +1146,10 @@ void show_stack(struct task_struct *tsk,
4089 newsp = stack[0];
4090 ip = stack[STACK_FRAME_LR_SAVE];
4091 if (!firstframe || ip != lr) {
4092 - printk("["REG"] ["REG"] %pS", sp, ip, (void *)ip);
4093 + printk("["REG"] ["REG"] %pA", sp, ip, (void *)ip);
4094 #ifdef CONFIG_FUNCTION_GRAPH_TRACER
4095 if ((ip == rth || ip == mrth) && curr_frame >= 0) {
4096 - printk(" (%pS)",
4097 + printk(" (%pA)",
4098 (void *)current->ret_stack[curr_frame].ret);
4099 curr_frame--;
4100 }
4101 @@ -1169,7 +1169,7 @@ void show_stack(struct task_struct *tsk,
4102 struct pt_regs *regs = (struct pt_regs *)
4103 (sp + STACK_FRAME_OVERHEAD);
4104 lr = regs->link;
4105 - printk("--- Exception: %lx at %pS\n LR = %pS\n",
4106 + printk("--- Exception: %lx at %pA\n LR = %pA\n",
4107 regs->trap, (void *)regs->nip, (void *)lr);
4108 firstframe = 1;
4109 }
4110 @@ -1244,58 +1244,3 @@ void thread_info_cache_init(void)
4111 }
4112
4113 #endif /* THREAD_SHIFT < PAGE_SHIFT */
4114 -
4115 -unsigned long arch_align_stack(unsigned long sp)
4116 -{
4117 - if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
4118 - sp -= get_random_int() & ~PAGE_MASK;
4119 - return sp & ~0xf;
4120 -}
4121 -
4122 -static inline unsigned long brk_rnd(void)
4123 -{
4124 - unsigned long rnd = 0;
4125 -
4126 - /* 8MB for 32bit, 1GB for 64bit */
4127 - if (is_32bit_task())
4128 - rnd = (long)(get_random_int() % (1<<(23-PAGE_SHIFT)));
4129 - else
4130 - rnd = (long)(get_random_int() % (1<<(30-PAGE_SHIFT)));
4131 -
4132 - return rnd << PAGE_SHIFT;
4133 -}
4134 -
4135 -unsigned long arch_randomize_brk(struct mm_struct *mm)
4136 -{
4137 - unsigned long base = mm->brk;
4138 - unsigned long ret;
4139 -
4140 -#ifdef CONFIG_PPC_STD_MMU_64
4141 - /*
4142 - * If we are using 1TB segments and we are allowed to randomise
4143 - * the heap, we can put it above 1TB so it is backed by a 1TB
4144 - * segment. Otherwise the heap will be in the bottom 1TB
4145 - * which always uses 256MB segments and this may result in a
4146 - * performance penalty.
4147 - */
4148 - if (!is_32bit_task() && (mmu_highuser_ssize == MMU_SEGSIZE_1T))
4149 - base = max_t(unsigned long, mm->brk, 1UL << SID_SHIFT_1T);
4150 -#endif
4151 -
4152 - ret = PAGE_ALIGN(base + brk_rnd());
4153 -
4154 - if (ret < mm->brk)
4155 - return mm->brk;
4156 -
4157 - return ret;
4158 -}
4159 -
4160 -unsigned long randomize_et_dyn(unsigned long base)
4161 -{
4162 - unsigned long ret = PAGE_ALIGN(base + brk_rnd());
4163 -
4164 - if (ret < base)
4165 - return base;
4166 -
4167 - return ret;
4168 -}
4169 diff -urNp linux-2.6.39.3/arch/powerpc/kernel/rtas_pci.c linux-2.6.39.3/arch/powerpc/kernel/rtas_pci.c
4170 --- linux-2.6.39.3/arch/powerpc/kernel/rtas_pci.c 2011-05-19 00:06:34.000000000 -0400
4171 +++ linux-2.6.39.3/arch/powerpc/kernel/rtas_pci.c 2011-05-22 19:36:30.000000000 -0400
4172 @@ -149,7 +149,7 @@ static int rtas_pci_write_config(struct
4173 return PCIBIOS_DEVICE_NOT_FOUND;
4174 }
4175
4176 -static struct pci_ops rtas_pci_ops = {
4177 +static const struct pci_ops rtas_pci_ops = {
4178 .read = rtas_pci_read_config,
4179 .write = rtas_pci_write_config,
4180 };
4181 diff -urNp linux-2.6.39.3/arch/powerpc/kernel/signal_32.c linux-2.6.39.3/arch/powerpc/kernel/signal_32.c
4182 --- linux-2.6.39.3/arch/powerpc/kernel/signal_32.c 2011-05-19 00:06:34.000000000 -0400
4183 +++ linux-2.6.39.3/arch/powerpc/kernel/signal_32.c 2011-05-22 19:36:30.000000000 -0400
4184 @@ -858,7 +858,7 @@ int handle_rt_signal32(unsigned long sig
4185 /* Save user registers on the stack */
4186 frame = &rt_sf->uc.uc_mcontext;
4187 addr = frame;
4188 - if (vdso32_rt_sigtramp && current->mm->context.vdso_base) {
4189 + if (vdso32_rt_sigtramp && current->mm->context.vdso_base != ~0UL) {
4190 if (save_user_regs(regs, frame, 0, 1))
4191 goto badframe;
4192 regs->link = current->mm->context.vdso_base + vdso32_rt_sigtramp;
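Review bot: The "no vDSO" marker is now the open-coded literal `~0UL`, here, in the matching test in signal_64.c and in the assignment in arch_setup_additional_pages() in vdso.c. Any reader of `context.vdso_base` that still tests for zero would now treat an unmapped vDSO as present and compute addresses from ~0UL, so every user outside this page needs the same conversion. A shared define next to the field's declaration, for example `#define VDSO_BASE_NONE (~0UL)` (name illustrative), with a one-line comment on why 0 is no longer the marker, would make the remaining users easy to find. handle_rt_signal32 continues outside the hunk.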
4193 diff -urNp linux-2.6.39.3/arch/powerpc/kernel/signal_64.c linux-2.6.39.3/arch/powerpc/kernel/signal_64.c
4194 --- linux-2.6.39.3/arch/powerpc/kernel/signal_64.c 2011-05-19 00:06:34.000000000 -0400
4195 +++ linux-2.6.39.3/arch/powerpc/kernel/signal_64.c 2011-05-22 19:36:30.000000000 -0400
4196 @@ -429,7 +429,7 @@ int handle_rt_signal64(int signr, struct
4197 current->thread.fpscr.val = 0;
4198
4199 /* Set up to return from userspace. */
4200 - if (vdso64_rt_sigtramp && current->mm->context.vdso_base) {
4201 + if (vdso64_rt_sigtramp && current->mm->context.vdso_base != ~0UL) {
4202 regs->link = current->mm->context.vdso_base + vdso64_rt_sigtramp;
4203 } else {
4204 err |= setup_trampoline(__NR_rt_sigreturn, &frame->tramp[0]);
4205 diff -urNp linux-2.6.39.3/arch/powerpc/kernel/traps.c linux-2.6.39.3/arch/powerpc/kernel/traps.c
4206 --- linux-2.6.39.3/arch/powerpc/kernel/traps.c 2011-05-19 00:06:34.000000000 -0400
4207 +++ linux-2.6.39.3/arch/powerpc/kernel/traps.c 2011-06-13 21:33:04.000000000 -0400
4208 @@ -96,6 +96,8 @@ static void pmac_backlight_unblank(void)
4209 static inline void pmac_backlight_unblank(void) { }
4210 #endif
4211
4212 +extern void gr_handle_kernel_exploit(void);
4213 +
4214 int die(const char *str, struct pt_regs *regs, long err)
4215 {
4216 static struct {
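Review bot: `extern void gr_handle_kernel_exploit(void);` is declared directly in traps.c, so the compiler cannot check this prototype against the function's definition. Declaring it once in a header that both the definition and every caller include keeps the signatures in step. The call added in the next hunk sits after the `panic_on_oops` check and before `oops_exit()`; a comment there saying what the hook is expected to do, and whether it can fail to return, would help anyone reading die().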
4217 @@ -170,6 +172,8 @@ int die(const char *str, struct pt_regs
4218 if (panic_on_oops)
4219 panic("Fatal exception");
4220
4221 + gr_handle_kernel_exploit();
4222 +
4223 oops_exit();
4224 do_exit(err);
4225
4226 diff -urNp linux-2.6.39.3/arch/powerpc/kernel/vdso.c linux-2.6.39.3/arch/powerpc/kernel/vdso.c
4227 --- linux-2.6.39.3/arch/powerpc/kernel/vdso.c 2011-05-19 00:06:34.000000000 -0400
4228 +++ linux-2.6.39.3/arch/powerpc/kernel/vdso.c 2011-05-22 19:36:30.000000000 -0400
4229 @@ -36,6 +36,7 @@
4230 #include <asm/firmware.h>
4231 #include <asm/vdso.h>
4232 #include <asm/vdso_datapage.h>
4233 +#include <asm/mman.h>
4234
4235 #include "setup.h"
4236
4237 @@ -220,7 +221,7 @@ int arch_setup_additional_pages(struct l
4238 vdso_base = VDSO32_MBASE;
4239 #endif
4240
4241 - current->mm->context.vdso_base = 0;
4242 + current->mm->context.vdso_base = ~0UL;
4243
4244 /* vDSO has a problem and was disabled, just don't "enable" it for the
4245 * process
4246 @@ -240,7 +241,7 @@ int arch_setup_additional_pages(struct l
4247 vdso_base = get_unmapped_area(NULL, vdso_base,
4248 (vdso_pages << PAGE_SHIFT) +
4249 ((VDSO_ALIGNMENT - 1) & PAGE_MASK),
4250 - 0, 0);
4251 + 0, MAP_PRIVATE | MAP_EXECUTABLE);
4252 if (IS_ERR_VALUE(vdso_base)) {
4253 rc = vdso_base;
4254 goto fail_mmapsem;
4255 diff -urNp linux-2.6.39.3/arch/powerpc/kernel/vio.c linux-2.6.39.3/arch/powerpc/kernel/vio.c
4256 --- linux-2.6.39.3/arch/powerpc/kernel/vio.c 2011-05-19 00:06:34.000000000 -0400
4257 +++ linux-2.6.39.3/arch/powerpc/kernel/vio.c 2011-05-22 19:36:30.000000000 -0400
4258 @@ -605,11 +605,12 @@ static int vio_dma_iommu_dma_supported(s
4259 return dma_iommu_ops.dma_supported(dev, mask);
4260 }
4261
4262 -struct dma_map_ops vio_dma_mapping_ops = {
4263 +const struct dma_map_ops vio_dma_mapping_ops = {
4264 .alloc_coherent = vio_dma_iommu_alloc_coherent,
4265 .free_coherent = vio_dma_iommu_free_coherent,
4266 .map_sg = vio_dma_iommu_map_sg,
4267 .unmap_sg = vio_dma_iommu_unmap_sg,
4268 + .dma_supported = dma_iommu_dma_supported,
4269 .map_page = vio_dma_iommu_map_page,
4270 .unmap_page = vio_dma_iommu_unmap_page,
4271 .dma_supported = vio_dma_iommu_dma_supported,
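Review bot: The added `.dma_supported = dma_iommu_dma_supported,` has no effect, because the unchanged `.dma_supported = vio_dma_iommu_dma_supported,` three lines below initialises the same member again and the later designated initialiser wins. GCC reports this kind of duplicate under -Woverride-init. Either drop the added line, or, if the intent was to replace the vio wrapper, remove the later initialiser instead. In the first case the `static` removed from dma_iommu_dma_supported in dma-iommu.c could stay as well. The initialiser's closing brace is outside the hunk.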
4272 diff -urNp linux-2.6.39.3/arch/powerpc/lib/usercopy_64.c linux-2.6.39.3/arch/powerpc/lib/usercopy_64.c
4273 --- linux-2.6.39.3/arch/powerpc/lib/usercopy_64.c 2011-05-19 00:06:34.000000000 -0400
4274 +++ linux-2.6.39.3/arch/powerpc/lib/usercopy_64.c 2011-05-22 19:36:30.000000000 -0400
4275 @@ -9,22 +9,6 @@
4276 #include <linux/module.h>
4277 #include <asm/uaccess.h>
4278
4279 -unsigned long copy_from_user(void *to, const void __user *from, unsigned long n)
4280 -{
4281 - if (likely(access_ok(VERIFY_READ, from, n)))
4282 - n = __copy_from_user(to, from, n);
4283 - else
4284 - memset(to, 0, n);
4285 - return n;
4286 -}
4287 -
4288 -unsigned long copy_to_user(void __user *to, const void *from, unsigned long n)
4289 -{
4290 - if (likely(access_ok(VERIFY_WRITE, to, n)))
4291 - n = __copy_to_user(to, from, n);
4292 - return n;
4293 -}
4294 -
4295 unsigned long copy_in_user(void __user *to, const void __user *from,
4296 unsigned long n)
4297 {
4298 @@ -35,7 +19,5 @@ unsigned long copy_in_user(void __user *
4299 return n;
4300 }
4301
4302 -EXPORT_SYMBOL(copy_from_user);
4303 -EXPORT_SYMBOL(copy_to_user);
4304 EXPORT_SYMBOL(copy_in_user);
4305
4306 diff -urNp linux-2.6.39.3/arch/powerpc/mm/fault.c linux-2.6.39.3/arch/powerpc/mm/fault.c
4307 --- linux-2.6.39.3/arch/powerpc/mm/fault.c 2011-05-19 00:06:34.000000000 -0400
4308 +++ linux-2.6.39.3/arch/powerpc/mm/fault.c 2011-05-22 19:36:30.000000000 -0400
4309 @@ -31,6 +31,10 @@
4310 #include <linux/kdebug.h>
4311 #include <linux/perf_event.h>
4312 #include <linux/magic.h>
4313 +#include <linux/slab.h>
4314 +#include <linux/pagemap.h>
4315 +#include <linux/compiler.h>
4316 +#include <linux/unistd.h>
4317
4318 #include <asm/firmware.h>
4319 #include <asm/page.h>
4320 @@ -42,6 +46,7 @@
4321 #include <asm/tlbflush.h>
4322 #include <asm/siginfo.h>
4323 #include <mm/mmu_decl.h>
4324 +#include <asm/ptrace.h>
4325
4326 #ifdef CONFIG_KPROBES
4327 static inline int notify_page_fault(struct pt_regs *regs)
4328 @@ -65,6 +70,33 @@ static inline int notify_page_fault(stru
4329 }
4330 #endif
4331
4332 +#ifdef CONFIG_PAX_PAGEEXEC
4333 +/*
4334 + * PaX: decide what to do with offenders (regs->nip = fault address)
4335 + *
4336 + * returns 1 when task should be killed
4337 + */
4338 +static int pax_handle_fetch_fault(struct pt_regs *regs)
4339 +{
4340 + return 1;
4341 +}
4342 +
4343 +void pax_report_insns(void *pc, void *sp)
4344 +{
4345 + unsigned long i;
4346 +
4347 + printk(KERN_ERR "PAX: bytes at PC: ");
4348 + for (i = 0; i < 5; i++) {
4349 + unsigned int c;
4350 + if (get_user(c, (unsigned int __user *)pc+i))
4351 + printk(KERN_CONT "???????? ");
4352 + else
4353 + printk(KERN_CONT "%08x ", c);
4354 + }
4355 + printk("\n");
4356 +}
4357 +#endif
4358 +
4359 /*
4360 * Check whether the instruction at regs->nip is a store using
4361 * an update addressing form which will update r1.
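Review bot: In pax_report_insns the closing `printk("\n");` has no `KERN_CONT` marker while the per-word prints do; `printk(KERN_CONT "\n");` keeps the continuation of the "PAX: bytes at PC" line explicit. The `sp` parameter is never read, and the comment above pax_handle_fetch_fault should say that here the function is a stub that always returns 1. The loop reads five 32-bit words through `get_user` and prints `????????` for a word that cannot be read, which is worth one line of comment too.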
4362 @@ -135,7 +167,7 @@ int __kprobes do_page_fault(struct pt_re
4363 * indicate errors in DSISR but can validly be set in SRR1.
4364 */
4365 if (trap == 0x400)
4366 - error_code &= 0x48200000;
4367 + error_code &= 0x58200000;
4368 else
4369 is_write = error_code & DSISR_ISSTORE;
4370 #else
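Review bot: The mask literal changes from 0x48200000 to 0x58200000, and the extra bit 0x10000000 is the one the next hunk in this file spells `DSISR_GUARDED`. Writing the line as `error_code &= 0x48200000 | DSISR_GUARDED;` shows which bit was added and ties it to the `DSISR_GUARDED` tests further down. The comment above the statement, which starts outside the hunk, should also mention that this bit is now kept for trap 0x400.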
4371 @@ -258,7 +290,7 @@ good_area:
4372 * "undefined". Of those that can be set, this is the only
4373 * one which seems bad.
4374 */
4375 - if (error_code & 0x10000000)
4376 + if (error_code & DSISR_GUARDED)
4377 /* Guarded storage error. */
4378 goto bad_area;
4379 #endif /* CONFIG_8xx */
4380 @@ -273,7 +305,7 @@ good_area:
4381 * processors use the same I/D cache coherency mechanism
4382 * as embedded.
4383 */
4384 - if (error_code & DSISR_PROTFAULT)
4385 + if (error_code & (DSISR_PROTFAULT | DSISR_GUARDED))
4386 goto bad_area;
4387 #endif /* CONFIG_PPC_STD_MMU */
4388
4389 @@ -342,6 +374,23 @@ bad_area:
4390 bad_area_nosemaphore:
4391 /* User mode accesses cause a SIGSEGV */
4392 if (user_mode(regs)) {
4393 +
4394 +#ifdef CONFIG_PAX_PAGEEXEC
4395 + if (mm->pax_flags & MF_PAX_PAGEEXEC) {
4396 +#ifdef CONFIG_PPC_STD_MMU
4397 + if (is_exec && (error_code & (DSISR_PROTFAULT | DSISR_GUARDED))) {
4398 +#else
4399 + if (is_exec && regs->nip == address) {
4400 +#endif
4401 + switch (pax_handle_fetch_fault(regs)) {
4402 + }
4403 +
4404 + pax_report_fault(regs, (void *)regs->nip, (void *)regs->gpr[PT_R1]);
4405 + do_group_exit(SIGKILL);
4406 + }
4407 + }
4408 +#endif
4409 +
4410 _exception(SIGSEGV, regs, code, address);
4411 return 0;
4412 }
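Review bot: `switch (pax_handle_fetch_fault(regs)) { }` has an empty body, so the return value is discarded and every matching fetch fault goes on to `pax_report_fault` and `do_group_exit(SIGKILL)`. If that is intended, a comment inside the braces such as `/* no emulation cases on powerpc: always report and kill */` would say so. The `if (is_exec ...) {` line opened separately in the `#ifdef CONFIG_PPC_STD_MMU` and `#else` arms leaves the braces balanced only after preprocessing. Computing the condition into a local flag first and opening the block once would keep it readable.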
4413 diff -urNp linux-2.6.39.3/arch/powerpc/mm/mmap_64.c linux-2.6.39.3/arch/powerpc/mm/mmap_64.c
4414 --- linux-2.6.39.3/arch/powerpc/mm/mmap_64.c 2011-05-19 00:06:34.000000000 -0400
4415 +++ linux-2.6.39.3/arch/powerpc/mm/mmap_64.c 2011-05-22 19:36:30.000000000 -0400
4416 @@ -99,10 +99,22 @@ void arch_pick_mmap_layout(struct mm_str
4417 */
4418 if (mmap_is_legacy()) {
4419 mm->mmap_base = TASK_UNMAPPED_BASE;
4420 +
4421 +#ifdef CONFIG_PAX_RANDMMAP
4422 + if (mm->pax_flags & MF_PAX_RANDMMAP)
4423 + mm->mmap_base += mm->delta_mmap;
4424 +#endif
4425 +
4426 mm->get_unmapped_area = arch_get_unmapped_area;
4427 mm->unmap_area = arch_unmap_area;
4428 } else {
4429 mm->mmap_base = mmap_base();
4430 +
4431 +#ifdef CONFIG_PAX_RANDMMAP
4432 + if (mm->pax_flags & MF_PAX_RANDMMAP)
4433 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
4434 +#endif
4435 +
4436 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
4437 mm->unmap_area = arch_unmap_area_topdown;
4438 }
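Review bot: `mm->mmap_base -= mm->delta_mmap + mm->delta_stack;` subtracts two per-process offsets from the result of `mmap_base()` with no lower bound, so whether it can wrap or fall below the legacy base depends on limits that are not visible in this hunk. A comment stating the largest possible `delta_mmap + delta_stack` against the smallest value `mmap_base()` can return, or an explicit clamp, would make the invariant checkable. The `+=` in the legacy branch deserves the same statement for the upper end. arch_pick_mmap_layout starts outside the hunk.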
4439 diff -urNp linux-2.6.39.3/arch/powerpc/mm/slice.c linux-2.6.39.3/arch/powerpc/mm/slice.c
4440 --- linux-2.6.39.3/arch/powerpc/mm/slice.c 2011-05-19 00:06:34.000000000 -0400
4441 +++ linux-2.6.39.3/arch/powerpc/mm/slice.c 2011-05-22 19:36:30.000000000 -0400
4442 @@ -98,7 +98,7 @@ static int slice_area_is_free(struct mm_
4443 if ((mm->task_size - len) < addr)
4444 return 0;
4445 vma = find_vma(mm, addr);
4446 - return (!vma || (addr + len) <= vma->vm_start);
4447 + return check_heap_stack_gap(vma, addr, len);
4448 }
4449
4450 static int slice_low_has_vma(struct mm_struct *mm, unsigned long slice)
4451 @@ -256,7 +256,7 @@ full_search:
4452 addr = _ALIGN_UP(addr + 1, 1ul << SLICE_HIGH_SHIFT);
4453 continue;
4454 }
4455 - if (!vma || addr + len <= vma->vm_start) {
4456 + if (check_heap_stack_gap(vma, addr, len)) {
4457 /*
4458 * Remember the place where we stopped the search:
4459 */
4460 @@ -313,10 +313,14 @@ static unsigned long slice_find_area_top
4461 }
4462 }
4463
4464 - addr = mm->mmap_base;
4465 - while (addr > len) {
4466 + if (mm->mmap_base < len)
4467 + addr = -ENOMEM;
4468 + else
4469 + addr = mm->mmap_base - len;
4470 +
4471 + while (!IS_ERR_VALUE(addr)) {
4472 /* Go down by chunk size */
4473 - addr = _ALIGN_DOWN(addr - len, 1ul << pshift);
4474 + addr = _ALIGN_DOWN(addr, 1ul << pshift);
4475
4476 /* Check for hit with different page size */
4477 mask = slice_range_to_mask(addr, len);
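Review bot: The step `addr - len` has moved out of the loop head: the loop now starts at `mm->mmap_base - len` and its first statement only aligns `addr` down, so an iteration that reaches `continue` without lowering `addr` would repeat with the same value once `addr` is already aligned. The rest of the loop body is outside this hunk, so each `continue` path there needs checking against the new head. Termination also now depends on `addr` becoming an `IS_ERR_VALUE`, which a later hunk leaves to `skip_heap_stack_gap(vma, len)`; a comment on the loop stating that contract would help.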
4478 @@ -336,7 +340,7 @@ static unsigned long slice_find_area_top
4479 * return with success:
4480 */
4481 vma = find_vma(mm, addr);
4482 - if (!vma || (addr + len) <= vma->vm_start) {
4483 + if (check_heap_stack_gap(vma, addr, len)) {
4484 /* remember the address as a hint for next time */
4485 if (use_cache)
4486 mm->free_area_cache = addr;
4487 @@ -348,7 +352,7 @@ static unsigned long slice_find_area_top
4488 mm->cached_hole_size = vma->vm_start - addr;
4489
4490 /* try just below the current vma->vm_start */
4491 - addr = vma->vm_start;
4492 + addr = skip_heap_stack_gap(vma, len);
4493 }
4494
4495 /*
4496 @@ -426,6 +430,11 @@ unsigned long slice_get_unmapped_area(un
4497 if (fixed && addr > (mm->task_size - len))
4498 return -EINVAL;
4499
4500 +#ifdef CONFIG_PAX_RANDMMAP
4501 + if (!fixed && (mm->pax_flags & MF_PAX_RANDMMAP))
4502 + addr = 0;
4503 +#endif
4504 +
4505 /* If hint, make sure it matches our alignment restrictions */
4506 if (!fixed && addr) {
4507 addr = _ALIGN_UP(addr, 1ul << pshift);
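Review bot: The new block silently discards a caller-supplied address hint when `MF_PAX_RANDMMAP` is set and the mapping is not fixed, which is a behaviour change for userspace and carries no comment. Something like `/* RANDMMAP: ignore non-fixed hints so placement stays randomized */` would record the intent, assuming that is the reason. slice_get_unmapped_area continues outside the hunk.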
4508 diff -urNp linux-2.6.39.3/arch/powerpc/platforms/52xx/efika.c linux-2.6.39.3/arch/powerpc/platforms/52xx/efika.c
4509 --- linux-2.6.39.3/arch/powerpc/platforms/52xx/efika.c 2011-05-19 00:06:34.000000000 -0400
4510 +++ linux-2.6.39.3/arch/powerpc/platforms/52xx/efika.c 2011-05-22 19:36:30.000000000 -0400
4511 @@ -60,7 +60,7 @@ static int rtas_write_config(struct pci_
4512 return rval ? PCIBIOS_DEVICE_NOT_FOUND : PCIBIOS_SUCCESSFUL;
4513 }
4514
4515 -static struct pci_ops rtas_pci_ops = {
4516 +static const struct pci_ops rtas_pci_ops = {
4517 .read = rtas_read_config,
4518 .write = rtas_write_config,
4519 };
4520 diff -urNp linux-2.6.39.3/arch/powerpc/platforms/cell/celleb_pci.c linux-2.6.39.3/arch/powerpc/platforms/cell/celleb_pci.c
4521 --- linux-2.6.39.3/arch/powerpc/platforms/cell/celleb_pci.c 2011-05-19 00:06:34.000000000 -0400
4522 +++ linux-2.6.39.3/arch/powerpc/platforms/cell/celleb_pci.c 2011-05-22 19:36:30.000000000 -0400
4523 @@ -234,7 +234,7 @@ static int celleb_fake_pci_write_config(
4524 return PCIBIOS_SUCCESSFUL;
4525 }
4526
4527 -static struct pci_ops celleb_fake_pci_ops = {
4528 +static const struct pci_ops celleb_fake_pci_ops = {
4529 .read = celleb_fake_pci_read_config,
4530 .write = celleb_fake_pci_write_config,
4531 };
4532 diff -urNp linux-2.6.39.3/arch/powerpc/platforms/cell/celleb_scc_epci.c linux-2.6.39.3/arch/powerpc/platforms/cell/celleb_scc_epci.c
4533 --- linux-2.6.39.3/arch/powerpc/platforms/cell/celleb_scc_epci.c 2011-05-19 00:06:34.000000000 -0400
4534 +++ linux-2.6.39.3/arch/powerpc/platforms/cell/celleb_scc_epci.c 2011-05-22 19:36:30.000000000 -0400
4535 @@ -245,7 +245,7 @@ static int celleb_epci_write_config(stru
4536 return celleb_epci_check_abort(hose, addr);
4537 }
4538
4539 -struct pci_ops celleb_epci_ops = {
4540 +const struct pci_ops celleb_epci_ops = {
4541 .read = celleb_epci_read_config,
4542 .write = celleb_epci_write_config,
4543 };
4544 diff -urNp linux-2.6.39.3/arch/powerpc/platforms/cell/celleb_scc_pciex.c linux-2.6.39.3/arch/powerpc/platforms/cell/celleb_scc_pciex.c
4545 --- linux-2.6.39.3/arch/powerpc/platforms/cell/celleb_scc_pciex.c 2011-05-19 00:06:34.000000000 -0400
4546 +++ linux-2.6.39.3/arch/powerpc/platforms/cell/celleb_scc_pciex.c 2011-05-22 19:36:30.000000000 -0400
4547 @@ -399,7 +399,7 @@ static int scc_pciex_write_config(struct
4548 return PCIBIOS_SUCCESSFUL;
4549 }
4550
4551 -static struct pci_ops scc_pciex_pci_ops = {
4552 +static const struct pci_ops scc_pciex_pci_ops = {
4553 scc_pciex_read_config,
4554 scc_pciex_write_config,
4555 };
4556 diff -urNp linux-2.6.39.3/arch/powerpc/platforms/cell/iommu.c linux-2.6.39.3/arch/powerpc/platforms/cell/iommu.c
4557 --- linux-2.6.39.3/arch/powerpc/platforms/cell/iommu.c 2011-05-19 00:06:34.000000000 -0400
4558 +++ linux-2.6.39.3/arch/powerpc/platforms/cell/iommu.c 2011-05-22 19:36:30.000000000 -0400
4559 @@ -642,7 +642,7 @@ static int dma_fixed_dma_supported(struc
4560
4561 static int dma_set_mask_and_switch(struct device *dev, u64 dma_mask);
4562
4563 -struct dma_map_ops dma_iommu_fixed_ops = {
4564 +const struct dma_map_ops dma_iommu_fixed_ops = {
4565 .alloc_coherent = dma_fixed_alloc_coherent,
4566 .free_coherent = dma_fixed_free_coherent,
4567 .map_sg = dma_fixed_map_sg,
4568 diff -urNp linux-2.6.39.3/arch/powerpc/platforms/chrp/pci.c linux-2.6.39.3/arch/powerpc/platforms/chrp/pci.c
4569 --- linux-2.6.39.3/arch/powerpc/platforms/chrp/pci.c 2011-05-19 00:06:34.000000000 -0400
4570 +++ linux-2.6.39.3/arch/powerpc/platforms/chrp/pci.c 2011-05-22 19:36:30.000000000 -0400
4571 @@ -84,7 +84,7 @@ int gg2_write_config(struct pci_bus *bus
4572 return PCIBIOS_SUCCESSFUL;
4573 }
4574
4575 -static struct pci_ops gg2_pci_ops =
4576 +static const struct pci_ops gg2_pci_ops =
4577 {
4578 .read = gg2_read_config,
4579 .write = gg2_write_config,
4580 @@ -122,7 +122,7 @@ int rtas_write_config(struct pci_bus *bu
4581 return rval? PCIBIOS_DEVICE_NOT_FOUND: PCIBIOS_SUCCESSFUL;
4582 }
4583
4584 -static struct pci_ops rtas_pci_ops =
4585 +static const struct pci_ops rtas_pci_ops =
4586 {
4587 .read = rtas_read_config,
4588 .write = rtas_write_config,
4589 diff -urNp linux-2.6.39.3/arch/powerpc/platforms/iseries/pci.c linux-2.6.39.3/arch/powerpc/platforms/iseries/pci.c
4590 --- linux-2.6.39.3/arch/powerpc/platforms/iseries/pci.c 2011-05-19 00:06:34.000000000 -0400
4591 +++ linux-2.6.39.3/arch/powerpc/platforms/iseries/pci.c 2011-05-22 19:36:30.000000000 -0400
4592 @@ -533,7 +533,7 @@ static int iSeries_pci_write_config(stru
4593 return 0;
4594 }
4595
4596 -static struct pci_ops iSeries_pci_ops = {
4597 +static const struct pci_ops iSeries_pci_ops = {
4598 .read = iSeries_pci_read_config,
4599 .write = iSeries_pci_write_config
4600 };
4601 diff -urNp linux-2.6.39.3/arch/powerpc/platforms/maple/pci.c linux-2.6.39.3/arch/powerpc/platforms/maple/pci.c
4602 --- linux-2.6.39.3/arch/powerpc/platforms/maple/pci.c 2011-05-19 00:06:34.000000000 -0400
4603 +++ linux-2.6.39.3/arch/powerpc/platforms/maple/pci.c 2011-05-22 19:36:30.000000000 -0400
4604 @@ -180,7 +180,7 @@ static int u3_agp_write_config(struct pc
4605 return PCIBIOS_SUCCESSFUL;
4606 }
4607
4608 -static struct pci_ops u3_agp_pci_ops =
4609 +static const struct pci_ops u3_agp_pci_ops =
4610 {
4611 .read = u3_agp_read_config,
4612 .write = u3_agp_write_config,
4613 @@ -276,7 +276,7 @@ static int u3_ht_write_config(struct pci
4614 return PCIBIOS_SUCCESSFUL;
4615 }
4616
4617 -static struct pci_ops u3_ht_pci_ops =
4618 +static const struct pci_ops u3_ht_pci_ops =
4619 {
4620 .read = u3_ht_read_config,
4621 .write = u3_ht_write_config,
4622 @@ -381,7 +381,7 @@ static int u4_pcie_write_config(struct p
4623 return PCIBIOS_SUCCESSFUL;
4624 }
4625
4626 -static struct pci_ops u4_pcie_pci_ops =
4627 +static const struct pci_ops u4_pcie_pci_ops =
4628 {
4629 .read = u4_pcie_read_config,
4630 .write = u4_pcie_write_config,
4631 diff -urNp linux-2.6.39.3/arch/powerpc/platforms/pasemi/pci.c linux-2.6.39.3/arch/powerpc/platforms/pasemi/pci.c
4632 --- linux-2.6.39.3/arch/powerpc/platforms/pasemi/pci.c 2011-05-19 00:06:34.000000000 -0400
4633 +++ linux-2.6.39.3/arch/powerpc/platforms/pasemi/pci.c 2011-05-22 19:36:30.000000000 -0400
4634 @@ -176,7 +176,7 @@ static int pa_pxp_write_config(struct pc
4635 return PCIBIOS_SUCCESSFUL;
4636 }
4637
4638 -static struct pci_ops pa_pxp_ops = {
4639 +static const struct pci_ops pa_pxp_ops = {
4640 .read = pa_pxp_read_config,
4641 .write = pa_pxp_write_config,
4642 };
4643 diff -urNp linux-2.6.39.3/arch/powerpc/platforms/powermac/pci.c linux-2.6.39.3/arch/powerpc/platforms/powermac/pci.c
4644 --- linux-2.6.39.3/arch/powerpc/platforms/powermac/pci.c 2011-05-19 00:06:34.000000000 -0400
4645 +++ linux-2.6.39.3/arch/powerpc/platforms/powermac/pci.c 2011-05-22 19:36:30.000000000 -0400
4646 @@ -218,7 +218,7 @@ static int macrisc_write_config(struct p
4647 return PCIBIOS_SUCCESSFUL;
4648 }
4649
4650 -static struct pci_ops macrisc_pci_ops =
4651 +static const struct pci_ops macrisc_pci_ops =
4652 {
4653 .read = macrisc_read_config,
4654 .write = macrisc_write_config,
4655 @@ -273,7 +273,7 @@ chaos_write_config(struct pci_bus *bus,
4656 return macrisc_write_config(bus, devfn, offset, len, val);
4657 }
4658
4659 -static struct pci_ops chaos_pci_ops =
4660 +static const struct pci_ops chaos_pci_ops =
4661 {
4662 .read = chaos_read_config,
4663 .write = chaos_write_config,
4664 diff -urNp linux-2.6.39.3/arch/powerpc/platforms/ps3/system-bus.c linux-2.6.39.3/arch/powerpc/platforms/ps3/system-bus.c
4665 --- linux-2.6.39.3/arch/powerpc/platforms/ps3/system-bus.c 2011-05-19 00:06:34.000000000 -0400
4666 +++ linux-2.6.39.3/arch/powerpc/platforms/ps3/system-bus.c 2011-05-22 19:36:30.000000000 -0400
4667 @@ -695,7 +695,7 @@ static int ps3_dma_supported(struct devi
4668 return mask >= DMA_BIT_MASK(32);
4669 }
4670
4671 -static struct dma_map_ops ps3_sb_dma_ops = {
4672 +static const struct dma_map_ops ps3_sb_dma_ops = {
4673 .alloc_coherent = ps3_alloc_coherent,
4674 .free_coherent = ps3_free_coherent,
4675 .map_sg = ps3_sb_map_sg,
4676 @@ -705,7 +705,7 @@ static struct dma_map_ops ps3_sb_dma_ops
4677 .unmap_page = ps3_unmap_page,
4678 };
4679
4680 -static struct dma_map_ops ps3_ioc0_dma_ops = {
4681 +static const struct dma_map_ops ps3_ioc0_dma_ops = {
4682 .alloc_coherent = ps3_alloc_coherent,
4683 .free_coherent = ps3_free_coherent,
4684 .map_sg = ps3_ioc0_map_sg,
4685 diff -urNp linux-2.6.39.3/arch/powerpc/sysdev/fsl_pci.c linux-2.6.39.3/arch/powerpc/sysdev/fsl_pci.c
4686 --- linux-2.6.39.3/arch/powerpc/sysdev/fsl_pci.c 2011-05-19 00:06:34.000000000 -0400
4687 +++ linux-2.6.39.3/arch/powerpc/sysdev/fsl_pci.c 2011-05-22 19:36:30.000000000 -0400
4688 @@ -573,7 +573,7 @@ static int mpc83xx_pcie_write_config(str
4689 return PCIBIOS_SUCCESSFUL;
4690 }
4691
4692 -static struct pci_ops mpc83xx_pcie_ops = {
4693 +static const struct pci_ops mpc83xx_pcie_ops = {
4694 .read = mpc83xx_pcie_read_config,
4695 .write = mpc83xx_pcie_write_config,
4696 };
4697 diff -urNp linux-2.6.39.3/arch/powerpc/sysdev/indirect_pci.c linux-2.6.39.3/arch/powerpc/sysdev/indirect_pci.c
4698 --- linux-2.6.39.3/arch/powerpc/sysdev/indirect_pci.c 2011-05-19 00:06:34.000000000 -0400
4699 +++ linux-2.6.39.3/arch/powerpc/sysdev/indirect_pci.c 2011-05-22 19:36:30.000000000 -0400
4700 @@ -148,7 +148,7 @@ indirect_write_config(struct pci_bus *bu
4701 return PCIBIOS_SUCCESSFUL;
4702 }
4703
4704 -static struct pci_ops indirect_pci_ops =
4705 +static const struct pci_ops indirect_pci_ops =
4706 {
4707 .read = indirect_read_config,
4708 .write = indirect_write_config,
4709 diff -urNp linux-2.6.39.3/arch/powerpc/sysdev/ppc4xx_pci.c linux-2.6.39.3/arch/powerpc/sysdev/ppc4xx_pci.c
4710 --- linux-2.6.39.3/arch/powerpc/sysdev/ppc4xx_pci.c 2011-05-19 00:06:34.000000000 -0400
4711 +++ linux-2.6.39.3/arch/powerpc/sysdev/ppc4xx_pci.c 2011-05-22 19:36:30.000000000 -0400
4712 @@ -1514,7 +1514,7 @@ static int ppc4xx_pciex_write_config(str
4713 return PCIBIOS_SUCCESSFUL;
4714 }
4715
4716 -static struct pci_ops ppc4xx_pciex_pci_ops =
4717 +static const struct pci_ops ppc4xx_pciex_pci_ops =
4718 {
4719 .read = ppc4xx_pciex_read_config,
4720 .write = ppc4xx_pciex_write_config,
4721 diff -urNp linux-2.6.39.3/arch/powerpc/sysdev/tsi108_pci.c linux-2.6.39.3/arch/powerpc/sysdev/tsi108_pci.c
4722 --- linux-2.6.39.3/arch/powerpc/sysdev/tsi108_pci.c 2011-05-19 00:06:34.000000000 -0400
4723 +++ linux-2.6.39.3/arch/powerpc/sysdev/tsi108_pci.c 2011-05-22 19:36:30.000000000 -0400
4724 @@ -190,7 +190,7 @@ void tsi108_clear_pci_cfg_error(void)
4725 tsi108_clear_pci_error(tsi108_pci_cfg_phys);
4726 }
4727
4728 -static struct pci_ops tsi108_direct_pci_ops = {
4729 +static const struct pci_ops tsi108_direct_pci_ops = {
4730 .read = tsi108_direct_read_config,
4731 .write = tsi108_direct_write_config,
4732 };
4733 diff -urNp linux-2.6.39.3/arch/s390/include/asm/elf.h linux-2.6.39.3/arch/s390/include/asm/elf.h
4734 --- linux-2.6.39.3/arch/s390/include/asm/elf.h 2011-05-19 00:06:34.000000000 -0400
4735 +++ linux-2.6.39.3/arch/s390/include/asm/elf.h 2011-05-22 19:36:30.000000000 -0400
4736 @@ -162,8 +162,14 @@ extern unsigned int vdso_enabled;
4737 the loader. We need to make sure that it is out of the way of the program
4738 that it will "exec", and that there is sufficient room for the brk. */
4739
4740 -extern unsigned long randomize_et_dyn(unsigned long base);
4741 -#define ELF_ET_DYN_BASE (randomize_et_dyn(STACK_TOP / 3 * 2))
4742 +#define ELF_ET_DYN_BASE (STACK_TOP / 3 * 2)
4743 +
4744 +#ifdef CONFIG_PAX_ASLR
4745 +#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_31BIT) ? 0x10000UL : 0x80000000UL)
4746 +
4747 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_31BIT) ? 15 : 26 )
4748 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_31BIT) ? 15 : 26 )
4749 +#endif
4750
4751 /* This yields a mask that user programs can use to figure out what
4752 instruction set this CPU supports. */
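Review bot: With CONFIG_PAX_ASLR disabled, s390 is left with no ET_DYN base randomization, because the `randomize_et_dyn()` wrapper around `ELF_ET_DYN_BASE` is removed unconditionally while the replacement `PAX_*` macros exist only inside the `#ifdef`. The same holds for the `arch_randomize_brk` removal in the next hunk and for `arch_align_stack` becoming `((x) & ~0xfUL)` in asm/system.h, which drops the random sub-page stack offset; the backing functions are deleted from kernel/process.c. If non-PaX configurations are meant to stay supported, keep the upstream definitions under an `#else`, e.g. `#define ELF_ET_DYN_BASE (randomize_et_dyn(STACK_TOP / 3 * 2))`. Otherwise add a comment here saying that address randomization on this architecture is delegated entirely to PaX. The stray space in `26 )` can also go.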
4753 @@ -222,7 +228,4 @@ struct linux_binprm;
4754 #define ARCH_HAS_SETUP_ADDITIONAL_PAGES 1
4755 int arch_setup_additional_pages(struct linux_binprm *, int);
4756
4757 -extern unsigned long arch_randomize_brk(struct mm_struct *mm);
4758 -#define arch_randomize_brk arch_randomize_brk
4759 -
4760 #endif
4761 diff -urNp linux-2.6.39.3/arch/s390/include/asm/system.h linux-2.6.39.3/arch/s390/include/asm/system.h
4762 --- linux-2.6.39.3/arch/s390/include/asm/system.h 2011-05-19 00:06:34.000000000 -0400
4763 +++ linux-2.6.39.3/arch/s390/include/asm/system.h 2011-05-22 19:36:30.000000000 -0400
4764 @@ -255,7 +255,7 @@ extern void (*_machine_restart)(char *co
4765 extern void (*_machine_halt)(void);
4766 extern void (*_machine_power_off)(void);
4767
4768 -extern unsigned long arch_align_stack(unsigned long sp);
4769 +#define arch_align_stack(x) ((x) & ~0xfUL)
4770
4771 static inline int tprot(unsigned long addr)
4772 {
4773 diff -urNp linux-2.6.39.3/arch/s390/include/asm/uaccess.h linux-2.6.39.3/arch/s390/include/asm/uaccess.h
4774 --- linux-2.6.39.3/arch/s390/include/asm/uaccess.h 2011-05-19 00:06:34.000000000 -0400
4775 +++ linux-2.6.39.3/arch/s390/include/asm/uaccess.h 2011-05-22 19:36:30.000000000 -0400
4776 @@ -234,6 +234,10 @@ static inline unsigned long __must_check
4777 copy_to_user(void __user *to, const void *from, unsigned long n)
4778 {
4779 might_fault();
4780 +
4781 + if ((long)n < 0)
4782 + return n;
4783 +
4784 if (access_ok(VERIFY_WRITE, to, n))
4785 n = __copy_to_user(to, from, n);
4786 return n;
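Review bot: The `(long)n < 0` guard is added to `copy_to_user`, `__copy_from_user` and `copy_from_user` (this hunk and the two after it), but no hunk in this file section touches `__copy_to_user`, so callers that use that variant directly would still pass a sign-bit-set length through. If `__copy_to_user` is defined in this header, as the call just below the new check suggests, it should get the same lines: `if ((long)n < 0) return n;`. A short comment at each site, such as `/* a length with the sign bit set is a negative size converted to unsigned; refuse it */`, would explain why the check exists. On this early return `copy_from_user` also leaves the destination buffer untouched instead of padding it, which is worth stating in that comment. The closing brace of copy_to_user lies outside the hunk.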
4787 @@ -259,6 +263,9 @@ copy_to_user(void __user *to, const void
4788 static inline unsigned long __must_check
4789 __copy_from_user(void *to, const void __user *from, unsigned long n)
4790 {
4791 + if ((long)n < 0)
4792 + return n;
4793 +
4794 if (__builtin_constant_p(n) && (n <= 256))
4795 return uaccess.copy_from_user_small(n, from, to);
4796 else
4797 @@ -293,6 +300,10 @@ copy_from_user(void *to, const void __us
4798 unsigned int sz = __compiletime_object_size(to);
4799
4800 might_fault();
4801 +
4802 + if ((long)n < 0)
4803 + return n;
4804 +
4805 if (unlikely(sz != -1 && sz < n)) {
4806 copy_from_user_overflow();
4807 return n;
4808 diff -urNp linux-2.6.39.3/arch/s390/Kconfig linux-2.6.39.3/arch/s390/Kconfig
4809 --- linux-2.6.39.3/arch/s390/Kconfig 2011-05-19 00:06:34.000000000 -0400
4810 +++ linux-2.6.39.3/arch/s390/Kconfig 2011-05-22 19:36:30.000000000 -0400
4811 @@ -234,11 +234,9 @@ config S390_EXEC_PROTECT
4812 prompt "Data execute protection"
4813 help
4814 This option allows to enable a buffer overflow protection for user
4815 - space programs and it also selects the addressing mode option above.
4816 - The kernel parameter noexec=on will enable this feature and also
4817 - switch the addressing modes, default is disabled. Enabling this (via
4818 - kernel parameter) on machines earlier than IBM System z9 this will
4819 - reduce system performance.
4820 + space programs.
4821 + Enabling this (via kernel parameter) on machines earlier than IBM
4822 + System z9 this will reduce system performance.
4823
4824 comment "Code generation options"
4825
4826 diff -urNp linux-2.6.39.3/arch/s390/kernel/module.c linux-2.6.39.3/arch/s390/kernel/module.c
4827 --- linux-2.6.39.3/arch/s390/kernel/module.c 2011-05-19 00:06:34.000000000 -0400
4828 +++ linux-2.6.39.3/arch/s390/kernel/module.c 2011-05-22 19:36:30.000000000 -0400
4829 @@ -168,11 +168,11 @@ module_frob_arch_sections(Elf_Ehdr *hdr,
4830
4831 /* Increase core size by size of got & plt and set start
4832 offsets for got and plt. */
4833 - me->core_size = ALIGN(me->core_size, 4);
4834 - me->arch.got_offset = me->core_size;
4835 - me->core_size += me->arch.got_size;
4836 - me->arch.plt_offset = me->core_size;
4837 - me->core_size += me->arch.plt_size;
4838 + me->core_size_rw = ALIGN(me->core_size_rw, 4);
4839 + me->arch.got_offset = me->core_size_rw;
4840 + me->core_size_rw += me->arch.got_size;
4841 + me->arch.plt_offset = me->core_size_rx;
4842 + me->core_size_rx += me->arch.plt_size;
4843 return 0;
4844 }
4845
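Review bot: `plt_offset` is now taken from `core_size_rx` without any alignment, whereas the old layout kept the PLT aligned because it followed the GOT in the `ALIGN(..., 4)`-ed `core_size`. The PLT slots are later filled through an `unsigned int *` in apply_rela, so they should start on a word boundary. Add `me->core_size_rx = ALIGN(me->core_size_rx, 4);` immediately before `me->arch.plt_offset = me->core_size_rx;`. module_frob_arch_sections begins outside this hunk.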
4846 @@ -258,7 +258,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
4847 if (info->got_initialized == 0) {
4848 Elf_Addr *gotent;
4849
4850 - gotent = me->module_core + me->arch.got_offset +
4851 + gotent = me->module_core_rw + me->arch.got_offset +
4852 info->got_offset;
4853 *gotent = val;
4854 info->got_initialized = 1;
4855 @@ -282,7 +282,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
4856 else if (r_type == R_390_GOTENT ||
4857 r_type == R_390_GOTPLTENT)
4858 *(unsigned int *) loc =
4859 - (val + (Elf_Addr) me->module_core - loc) >> 1;
4860 + (val + (Elf_Addr) me->module_core_rw - loc) >> 1;
4861 else if (r_type == R_390_GOT64 ||
4862 r_type == R_390_GOTPLT64)
4863 *(unsigned long *) loc = val;
4864 @@ -296,7 +296,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
4865 case R_390_PLTOFF64: /* 16 bit offset from GOT to PLT. */
4866 if (info->plt_initialized == 0) {
4867 unsigned int *ip;
4868 - ip = me->module_core + me->arch.plt_offset +
4869 + ip = me->module_core_rx + me->arch.plt_offset +
4870 info->plt_offset;
4871 #ifndef CONFIG_64BIT
4872 ip[0] = 0x0d105810; /* basr 1,0; l 1,6(1); br 1 */
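Review bot: The PLT stub is stored through `ip[0] = ...` into `module_core_rx`, which is presumably the region the rw/rx split is meant to keep non-writable, and nothing in this hunk makes it writable for the store. Whether the rx area is already write-protected when apply_rela runs is decided by allocation and protection code outside this hunk. A comment above the `ip = me->module_core_rx + ...` assignment should state that relocation is applied before the rx area is protected, or the stub initialisation should be wrapped in the patch's own write-enable bracket. The same question applies to relocation stores through `loc` whenever `loc` points into the rx area.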
4873 @@ -321,7 +321,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
4874 val - loc + 0xffffUL < 0x1ffffeUL) ||
4875 (r_type == R_390_PLT32DBL &&
4876 val - loc + 0xffffffffULL < 0x1fffffffeULL)))
4877 - val = (Elf_Addr) me->module_core +
4878 + val = (Elf_Addr) me->module_core_rx +
4879 me->arch.plt_offset +
4880 info->plt_offset;
4881 val += rela->r_addend - loc;
4882 @@ -343,7 +343,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
4883 case R_390_GOTOFF32: /* 32 bit offset to GOT. */
4884 case R_390_GOTOFF64: /* 64 bit offset to GOT. */
4885 val = val + rela->r_addend -
4886 - ((Elf_Addr) me->module_core + me->arch.got_offset);
4887 + ((Elf_Addr) me->module_core_rw + me->arch.got_offset);
4888 if (r_type == R_390_GOTOFF16)
4889 *(unsigned short *) loc = val;
4890 else if (r_type == R_390_GOTOFF32)
4891 @@ -353,7 +353,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
4892 break;
4893 case R_390_GOTPC: /* 32 bit PC relative offset to GOT. */
4894 case R_390_GOTPCDBL: /* 32 bit PC rel. off. to GOT shifted by 1. */
4895 - val = (Elf_Addr) me->module_core + me->arch.got_offset +
4896 + val = (Elf_Addr) me->module_core_rw + me->arch.got_offset +
4897 rela->r_addend - loc;
4898 if (r_type == R_390_GOTPC)
4899 *(unsigned int *) loc = val;
4900 diff -urNp linux-2.6.39.3/arch/s390/kernel/process.c linux-2.6.39.3/arch/s390/kernel/process.c
4901 --- linux-2.6.39.3/arch/s390/kernel/process.c 2011-05-19 00:06:34.000000000 -0400
4902 +++ linux-2.6.39.3/arch/s390/kernel/process.c 2011-05-22 19:36:30.000000000 -0400
4903 @@ -334,39 +334,3 @@ unsigned long get_wchan(struct task_stru
4904 }
4905 return 0;
4906 }
4907 -
4908 -unsigned long arch_align_stack(unsigned long sp)
4909 -{
4910 - if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
4911 - sp -= get_random_int() & ~PAGE_MASK;
4912 - return sp & ~0xf;
4913 -}
4914 -
4915 -static inline unsigned long brk_rnd(void)
4916 -{
4917 - /* 8MB for 32bit, 1GB for 64bit */
4918 - if (is_32bit_task())
4919 - return (get_random_int() & 0x7ffUL) << PAGE_SHIFT;
4920 - else
4921 - return (get_random_int() & 0x3ffffUL) << PAGE_SHIFT;
4922 -}
4923 -
4924 -unsigned long arch_randomize_brk(struct mm_struct *mm)
4925 -{
4926 - unsigned long ret = PAGE_ALIGN(mm->brk + brk_rnd());
4927 -
4928 - if (ret < mm->brk)
4929 - return mm->brk;
4930 - return ret;
4931 -}
4932 -
4933 -unsigned long randomize_et_dyn(unsigned long base)
4934 -{
4935 - unsigned long ret = PAGE_ALIGN(base + brk_rnd());
4936 -
4937 - if (!(current->flags & PF_RANDOMIZE))
4938 - return base;
4939 - if (ret < base)
4940 - return base;
4941 - return ret;
4942 -}
4943 diff -urNp linux-2.6.39.3/arch/s390/kernel/setup.c linux-2.6.39.3/arch/s390/kernel/setup.c
4944 --- linux-2.6.39.3/arch/s390/kernel/setup.c 2011-05-19 00:06:34.000000000 -0400
4945 +++ linux-2.6.39.3/arch/s390/kernel/setup.c 2011-05-22 19:36:30.000000000 -0400
4946 @@ -271,7 +271,7 @@ static int __init early_parse_mem(char *
4947 }
4948 early_param("mem", early_parse_mem);
4949
4950 -unsigned int user_mode = HOME_SPACE_MODE;
4951 +unsigned int user_mode = SECONDARY_SPACE_MODE;
4952 EXPORT_SYMBOL_GPL(user_mode);
4953
4954 static int set_amode_and_uaccess(unsigned long user_amode,
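Review bot: The default becomes `SECONDARY_SPACE_MODE` while the later hunks delete the `switch_amode` and `noexec` early parameters, so a `noexec=off` on an existing kernel command line no longer has any effect and the only override left in the visible code is `user_mode=`. The Kconfig help for S390_EXEC_PROTECT, edited in this same patch, still reads "Enabling this (via kernel parameter)", which no longer matches. Suggest a comment above the initialiser, e.g. `/* execute protection is on by default; user_mode= is the only remaining override */`, and dropping the parenthesis from the help text.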
4955 @@ -300,17 +300,6 @@ static int set_amode_and_uaccess(unsigne
4956 }
4957 }
4958
4959 -/*
4960 - * Switch kernel/user addressing modes?
4961 - */
4962 -static int __init early_parse_switch_amode(char *p)
4963 -{
4964 - if (user_mode != SECONDARY_SPACE_MODE)
4965 - user_mode = PRIMARY_SPACE_MODE;
4966 - return 0;
4967 -}
4968 -early_param("switch_amode", early_parse_switch_amode);
4969 -
4970 static int __init early_parse_user_mode(char *p)
4971 {
4972 if (p && strcmp(p, "primary") == 0)
4973 @@ -327,20 +316,6 @@ static int __init early_parse_user_mode(
4974 }
4975 early_param("user_mode", early_parse_user_mode);
4976
4977 -#ifdef CONFIG_S390_EXEC_PROTECT
4978 -/*
4979 - * Enable execute protection?
4980 - */
4981 -static int __init early_parse_noexec(char *p)
4982 -{
4983 - if (!strncmp(p, "off", 3))
4984 - return 0;
4985 - user_mode = SECONDARY_SPACE_MODE;
4986 - return 0;
4987 -}
4988 -early_param("noexec", early_parse_noexec);
4989 -#endif /* CONFIG_S390_EXEC_PROTECT */
4990 -
4991 static void setup_addressing_mode(void)
4992 {
4993 if (user_mode == SECONDARY_SPACE_MODE) {
4994 diff -urNp linux-2.6.39.3/arch/s390/mm/maccess.c linux-2.6.39.3/arch/s390/mm/maccess.c
4995 --- linux-2.6.39.3/arch/s390/mm/maccess.c 2011-05-19 00:06:34.000000000 -0400
4996 +++ linux-2.6.39.3/arch/s390/mm/maccess.c 2011-05-22 19:36:30.000000000 -0400
4997 @@ -45,7 +45,7 @@ static long probe_kernel_write_odd(void
4998 return rc ? rc : count;
4999 }
5000
5001 -long probe_kernel_write(void *dst, void *src, size_t size)
5002 +long probe_kernel_write(void *dst, const void *src, size_t size)
5003 {
5004 long copied = 0;
5005
5006 diff -urNp linux-2.6.39.3/arch/s390/mm/mmap.c linux-2.6.39.3/arch/s390/mm/mmap.c
5007 --- linux-2.6.39.3/arch/s390/mm/mmap.c 2011-05-19 00:06:34.000000000 -0400
5008 +++ linux-2.6.39.3/arch/s390/mm/mmap.c 2011-05-22 19:36:30.000000000 -0400
5009 @@ -91,10 +91,22 @@ void arch_pick_mmap_layout(struct mm_str
5010 */
5011 if (mmap_is_legacy()) {
5012 mm->mmap_base = TASK_UNMAPPED_BASE;
5013 +
5014 +#ifdef CONFIG_PAX_RANDMMAP
5015 + if (mm->pax_flags & MF_PAX_RANDMMAP)
5016 + mm->mmap_base += mm->delta_mmap;
5017 +#endif
5018 +
5019 mm->get_unmapped_area = arch_get_unmapped_area;
5020 mm->unmap_area = arch_unmap_area;
5021 } else {
5022 mm->mmap_base = mmap_base();
5023 +
5024 +#ifdef CONFIG_PAX_RANDMMAP
5025 + if (mm->pax_flags & MF_PAX_RANDMMAP)
5026 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
5027 +#endif
5028 +
5029 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
5030 mm->unmap_area = arch_unmap_area_topdown;
5031 }
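Review bot: In the top-down branch `mm->mmap_base -= mm->delta_mmap + mm->delta_stack;` is applied with no lower bound, so the result is trusted to stay inside the usable range for every combination of `mmap_base()` and the two deltas. How the deltas are scaled from `PAX_DELTA_MMAP_LEN`/`PAX_DELTA_STACK_LEN` is not visible here, so the margin for 31-bit tasks in particular cannot be checked from this hunk. A comment giving the worst-case arithmetic, or a clamp against `TASK_UNMAPPED_BASE`, would make it verifiable. The next hunk adds the identical block to the other arch_pick_mmap_layout variant, so the same applies there. A one-line comment on why the legacy branch adds only `delta_mmap` while the top-down branch subtracts both would also help.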
5032 @@ -166,10 +178,22 @@ void arch_pick_mmap_layout(struct mm_str
5033 */
5034 if (mmap_is_legacy()) {
5035 mm->mmap_base = TASK_UNMAPPED_BASE;
5036 +
5037 +#ifdef CONFIG_PAX_RANDMMAP
5038 + if (mm->pax_flags & MF_PAX_RANDMMAP)
5039 + mm->mmap_base += mm->delta_mmap;
5040 +#endif
5041 +
5042 mm->get_unmapped_area = s390_get_unmapped_area;
5043 mm->unmap_area = arch_unmap_area;
5044 } else {
5045 mm->mmap_base = mmap_base();
5046 +
5047 +#ifdef CONFIG_PAX_RANDMMAP
5048 + if (mm->pax_flags & MF_PAX_RANDMMAP)
5049 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
5050 +#endif
5051 +
5052 mm->get_unmapped_area = s390_get_unmapped_area_topdown;
5053 mm->unmap_area = arch_unmap_area_topdown;
5054 }
5055 diff -urNp linux-2.6.39.3/arch/score/include/asm/system.h linux-2.6.39.3/arch/score/include/asm/system.h
5056 --- linux-2.6.39.3/arch/score/include/asm/system.h 2011-05-19 00:06:34.000000000 -0400
5057 +++ linux-2.6.39.3/arch/score/include/asm/system.h 2011-05-22 19:36:30.000000000 -0400
5058 @@ -17,7 +17,7 @@ do { \
5059 #define finish_arch_switch(prev) do {} while (0)
5060
5061 typedef void (*vi_handler_t)(void);
5062 -extern unsigned long arch_align_stack(unsigned long sp);
5063 +#define arch_align_stack(x) (x)
5064
5065 #define mb() barrier()
5066 #define rmb() barrier()
5067 diff -urNp linux-2.6.39.3/arch/score/kernel/process.c linux-2.6.39.3/arch/score/kernel/process.c
5068 --- linux-2.6.39.3/arch/score/kernel/process.c 2011-05-19 00:06:34.000000000 -0400
5069 +++ linux-2.6.39.3/arch/score/kernel/process.c 2011-05-22 19:36:30.000000000 -0400
5070 @@ -161,8 +161,3 @@ unsigned long get_wchan(struct task_stru
5071
5072 return task_pt_regs(task)->cp0_epc;
5073 }
5074 -
5075 -unsigned long arch_align_stack(unsigned long sp)
5076 -{
5077 - return sp;
5078 -}
5079 diff -urNp linux-2.6.39.3/arch/sh/drivers/pci/ops-dreamcast.c linux-2.6.39.3/arch/sh/drivers/pci/ops-dreamcast.c
5080 --- linux-2.6.39.3/arch/sh/drivers/pci/ops-dreamcast.c 2011-05-19 00:06:34.000000000 -0400
5081 +++ linux-2.6.39.3/arch/sh/drivers/pci/ops-dreamcast.c 2011-05-22 19:36:30.000000000 -0400
5082 @@ -76,7 +76,7 @@ static int gapspci_write(struct pci_bus
5083 return PCIBIOS_SUCCESSFUL;
5084 }
5085
5086 -struct pci_ops gapspci_pci_ops = {
5087 +const struct pci_ops gapspci_pci_ops = {
5088 .read = gapspci_read,
5089 .write = gapspci_write,
5090 };
5091 diff -urNp linux-2.6.39.3/arch/sh/drivers/pci/ops-sh4.c linux-2.6.39.3/arch/sh/drivers/pci/ops-sh4.c
5092 --- linux-2.6.39.3/arch/sh/drivers/pci/ops-sh4.c 2011-05-19 00:06:34.000000000 -0400
5093 +++ linux-2.6.39.3/arch/sh/drivers/pci/ops-sh4.c 2011-05-22 19:36:30.000000000 -0400
5094 @@ -96,7 +96,7 @@ static int sh4_pci_write(struct pci_bus
5095 return PCIBIOS_SUCCESSFUL;
5096 }
5097
5098 -struct pci_ops sh4_pci_ops = {
5099 +const struct pci_ops sh4_pci_ops = {
5100 .read = sh4_pci_read,
5101 .write = sh4_pci_write,
5102 };
5103 diff -urNp linux-2.6.39.3/arch/sh/drivers/pci/ops-sh5.c linux-2.6.39.3/arch/sh/drivers/pci/ops-sh5.c
5104 --- linux-2.6.39.3/arch/sh/drivers/pci/ops-sh5.c 2011-05-19 00:06:34.000000000 -0400
5105 +++ linux-2.6.39.3/arch/sh/drivers/pci/ops-sh5.c 2011-05-22 19:36:30.000000000 -0400
5106 @@ -62,7 +62,7 @@ static int sh5pci_write(struct pci_bus *
5107 return PCIBIOS_SUCCESSFUL;
5108 }
5109
5110 -struct pci_ops sh5_pci_ops = {
5111 +const struct pci_ops sh5_pci_ops = {
5112 .read = sh5pci_read,
5113 .write = sh5pci_write,
5114 };
5115 diff -urNp linux-2.6.39.3/arch/sh/drivers/pci/ops-sh7786.c linux-2.6.39.3/arch/sh/drivers/pci/ops-sh7786.c
5116 --- linux-2.6.39.3/arch/sh/drivers/pci/ops-sh7786.c 2011-05-19 00:06:34.000000000 -0400
5117 +++ linux-2.6.39.3/arch/sh/drivers/pci/ops-sh7786.c 2011-05-22 19:36:30.000000000 -0400
5118 @@ -165,7 +165,7 @@ out:
5119 return ret;
5120 }
5121
5122 -struct pci_ops sh7786_pci_ops = {
5123 +const struct pci_ops sh7786_pci_ops = {
5124 .read = sh7786_pcie_read,
5125 .write = sh7786_pcie_write,
5126 };
5127 diff -urNp linux-2.6.39.3/arch/sh/drivers/pci/pcie-sh7786.c linux-2.6.39.3/arch/sh/drivers/pci/pcie-sh7786.c
5128 --- linux-2.6.39.3/arch/sh/drivers/pci/pcie-sh7786.c 2011-05-19 00:06:34.000000000 -0400
5129 +++ linux-2.6.39.3/arch/sh/drivers/pci/pcie-sh7786.c 2011-05-22 19:36:30.000000000 -0400
5130 @@ -109,7 +109,7 @@ static struct resource sh7786_pci2_resou
5131 },
5132 };
5133
5134 -extern struct pci_ops sh7786_pci_ops;
5135 +extern const struct pci_ops sh7786_pci_ops;
5136
5137 #define DEFINE_CONTROLLER(start, idx) \
5138 { \
5139 diff -urNp linux-2.6.39.3/arch/sh/drivers/pci/pci-sh4.h linux-2.6.39.3/arch/sh/drivers/pci/pci-sh4.h
5140 --- linux-2.6.39.3/arch/sh/drivers/pci/pci-sh4.h 2011-05-19 00:06:34.000000000 -0400
5141 +++ linux-2.6.39.3/arch/sh/drivers/pci/pci-sh4.h 2011-05-22 19:36:30.000000000 -0400
5142 @@ -161,7 +161,7 @@
5143 #define SH4_PCIPDR 0x220 /* Port IO Data Register */
5144
5145 /* arch/sh/kernel/drivers/pci/ops-sh4.c */
5146 -extern struct pci_ops sh4_pci_ops;
5147 +extern const struct pci_ops sh4_pci_ops;
5148 int pci_fixup_pcic(struct pci_channel *chan);
5149
5150 struct sh4_pci_address_space {
5151 diff -urNp linux-2.6.39.3/arch/sh/drivers/pci/pci-sh5.h linux-2.6.39.3/arch/sh/drivers/pci/pci-sh5.h
5152 --- linux-2.6.39.3/arch/sh/drivers/pci/pci-sh5.h 2011-05-19 00:06:34.000000000 -0400
5153 +++ linux-2.6.39.3/arch/sh/drivers/pci/pci-sh5.h 2011-05-22 19:36:30.000000000 -0400
5154 @@ -105,6 +105,6 @@ extern unsigned long pcicr_virt;
5155 #define PCISH5_MEM_SIZCONV(x) (((x / 0x40000) - 1) << 18)
5156 #define PCISH5_IO_SIZCONV(x) (((x / 0x40000) - 1) << 18)
5157
5158 -extern struct pci_ops sh5_pci_ops;
5159 +extern const struct pci_ops sh5_pci_ops;
5160
5161 #endif /* __PCI_SH5_H */
5162 diff -urNp linux-2.6.39.3/arch/sh/include/asm/dma-mapping.h linux-2.6.39.3/arch/sh/include/asm/dma-mapping.h
5163 --- linux-2.6.39.3/arch/sh/include/asm/dma-mapping.h 2011-05-19 00:06:34.000000000 -0400
5164 +++ linux-2.6.39.3/arch/sh/include/asm/dma-mapping.h 2011-05-22 19:36:30.000000000 -0400
5165 @@ -1,10 +1,10 @@
5166 #ifndef __ASM_SH_DMA_MAPPING_H
5167 #define __ASM_SH_DMA_MAPPING_H
5168
5169 -extern struct dma_map_ops *dma_ops;
5170 +extern const struct dma_map_ops *dma_ops;
5171 extern void no_iommu_init(void);
5172
5173 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
5174 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
5175 {
5176 return dma_ops;
5177 }
5178 @@ -14,7 +14,7 @@ static inline struct dma_map_ops *get_dm
5179
5180 static inline int dma_supported(struct device *dev, u64 mask)
5181 {
5182 - struct dma_map_ops *ops = get_dma_ops(dev);
5183 + const struct dma_map_ops *ops = get_dma_ops(dev);
5184
5185 if (ops->dma_supported)
5186 return ops->dma_supported(dev, mask);
5187 @@ -24,7 +24,7 @@ static inline int dma_supported(struct d
5188
5189 static inline int dma_set_mask(struct device *dev, u64 mask)
5190 {
5191 - struct dma_map_ops *ops = get_dma_ops(dev);
5192 + const struct dma_map_ops *ops = get_dma_ops(dev);
5193
5194 if (!dev->dma_mask || !dma_supported(dev, mask))
5195 return -EIO;
5196 @@ -44,7 +44,7 @@ void dma_cache_sync(struct device *dev,
5197
5198 static inline int dma_mapping_error(struct device *dev, dma_addr_t dma_addr)
5199 {
5200 - struct dma_map_ops *ops = get_dma_ops(dev);
5201 + const struct dma_map_ops *ops = get_dma_ops(dev);
5202
5203 if (ops->mapping_error)
5204 return ops->mapping_error(dev, dma_addr);
5205 @@ -55,7 +55,7 @@ static inline int dma_mapping_error(stru
5206 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
5207 dma_addr_t *dma_handle, gfp_t gfp)
5208 {
5209 - struct dma_map_ops *ops = get_dma_ops(dev);
5210 + const struct dma_map_ops *ops = get_dma_ops(dev);
5211 void *memory;
5212
5213 if (dma_alloc_from_coherent(dev, size, dma_handle, &memory))
5214 @@ -72,7 +72,7 @@ static inline void *dma_alloc_coherent(s
5215 static inline void dma_free_coherent(struct device *dev, size_t size,
5216 void *vaddr, dma_addr_t dma_handle)
5217 {
5218 - struct dma_map_ops *ops = get_dma_ops(dev);
5219 + const struct dma_map_ops *ops = get_dma_ops(dev);
5220
5221 if (dma_release_from_coherent(dev, get_order(size), vaddr))
5222 return;
5223 diff -urNp linux-2.6.39.3/arch/sh/kernel/dma-nommu.c linux-2.6.39.3/arch/sh/kernel/dma-nommu.c
5224 --- linux-2.6.39.3/arch/sh/kernel/dma-nommu.c 2011-05-19 00:06:34.000000000 -0400
5225 +++ linux-2.6.39.3/arch/sh/kernel/dma-nommu.c 2011-05-22 19:36:30.000000000 -0400
5226 @@ -62,7 +62,7 @@ static void nommu_sync_sg(struct device
5227 }
5228 #endif
5229
5230 -struct dma_map_ops nommu_dma_ops = {
5231 +const struct dma_map_ops nommu_dma_ops = {
5232 .alloc_coherent = dma_generic_alloc_coherent,
5233 .free_coherent = dma_generic_free_coherent,
5234 .map_page = nommu_map_page,
5235 diff -urNp linux-2.6.39.3/arch/sh/kernel/kgdb.c linux-2.6.39.3/arch/sh/kernel/kgdb.c
5236 --- linux-2.6.39.3/arch/sh/kernel/kgdb.c 2011-05-19 00:06:34.000000000 -0400
5237 +++ linux-2.6.39.3/arch/sh/kernel/kgdb.c 2011-05-22 19:36:30.000000000 -0400
5238 @@ -319,7 +319,7 @@ void kgdb_arch_exit(void)
5239 unregister_die_notifier(&kgdb_notifier);
5240 }
5241
5242 -struct kgdb_arch arch_kgdb_ops = {
5243 +const struct kgdb_arch arch_kgdb_ops = {
5244 /* Breakpoint instruction: trapa #0x3c */
5245 #ifdef CONFIG_CPU_LITTLE_ENDIAN
5246 .gdb_bpt_instr = { 0x3c, 0xc3 },
5247 diff -urNp linux-2.6.39.3/arch/sh/mm/consistent.c linux-2.6.39.3/arch/sh/mm/consistent.c
5248 --- linux-2.6.39.3/arch/sh/mm/consistent.c 2011-05-19 00:06:34.000000000 -0400
5249 +++ linux-2.6.39.3/arch/sh/mm/consistent.c 2011-05-22 19:36:30.000000000 -0400
5250 @@ -22,7 +22,7 @@
5251
5252 #define PREALLOC_DMA_DEBUG_ENTRIES 4096
5253
5254 -struct dma_map_ops *dma_ops;
5255 +const struct dma_map_ops *dma_ops;
5256 EXPORT_SYMBOL(dma_ops);
5257
5258 static int __init dma_init(void)
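Review bot: `const struct dma_map_ops *dma_ops` makes the pointed-to table read-only, but the exported pointer itself stays writable, so the indirection every `get_dma_ops()` call goes through can still be redirected by anything able to write kernel data. If `dma_ops` is only assigned during boot (dma_init starts right after this hunk and its body is not shown), marking the pointer with the patch's read-only-after-init annotation would close that gap. If it must stay mutable, a comment such as `/* pointer is reassigned at runtime; only the ops tables are const */` would record that the remaining exposure is deliberate.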
5259 diff -urNp linux-2.6.39.3/arch/sh/mm/mmap.c linux-2.6.39.3/arch/sh/mm/mmap.c
5260 --- linux-2.6.39.3/arch/sh/mm/mmap.c 2011-05-19 00:06:34.000000000 -0400
5261 +++ linux-2.6.39.3/arch/sh/mm/mmap.c 2011-05-22 19:36:30.000000000 -0400
5262 @@ -74,8 +74,7 @@ unsigned long arch_get_unmapped_area(str
5263 addr = PAGE_ALIGN(addr);
5264
5265 vma = find_vma(mm, addr);
5266 - if (TASK_SIZE - len >= addr &&
5267 - (!vma || addr + len <= vma->vm_start))
5268 + if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
5269 return addr;
5270 }
5271
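Review bot: `check_heap_stack_gap(vma, addr, len)` replaces `!vma || addr + len <= vma->vm_start`, so the helper now receives the NULL that `find_vma()` returns when nothing lies above `addr`. Its definition is not in this file section, so that it treats a NULL vma as "fits" is assumed rather than shown. The same substitution recurs in the following hunks of this file. A comment at this first call, e.g. `/* NULL vma means no neighbour above addr; the helper also applies the heap/stack gap */` (wording to be checked against the helper), would record what the callers rely on. arch_get_unmapped_area starts and ends outside the hunk.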
5272 @@ -106,7 +105,7 @@ full_search:
5273 }
5274 return -ENOMEM;
5275 }
5276 - if (likely(!vma || addr + len <= vma->vm_start)) {
5277 + if (likely(check_heap_stack_gap(vma, addr, len))) {
5278 /*
5279 * Remember the place where we stopped the search:
5280 */
5281 @@ -157,8 +156,7 @@ arch_get_unmapped_area_topdown(struct fi
5282 addr = PAGE_ALIGN(addr);
5283
5284 vma = find_vma(mm, addr);
5285 - if (TASK_SIZE - len >= addr &&
5286 - (!vma || addr + len <= vma->vm_start))
5287 + if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
5288 return addr;
5289 }
5290
5291 @@ -179,7 +177,7 @@ arch_get_unmapped_area_topdown(struct fi
5292 /* make sure it can fit in the remaining address space */
5293 if (likely(addr > len)) {
5294 vma = find_vma(mm, addr-len);
5295 - if (!vma || addr <= vma->vm_start) {
5296 + if (check_heap_stack_gap(vma, addr - len, len)) {
5297 /* remember the address as a hint for next time */
5298 return (mm->free_area_cache = addr-len);
5299 }
5300 @@ -188,18 +186,18 @@ arch_get_unmapped_area_topdown(struct fi
5301 if (unlikely(mm->mmap_base < len))
5302 goto bottomup;
5303
5304 - addr = mm->mmap_base-len;
5305 - if (do_colour_align)
5306 - addr = COLOUR_ALIGN_DOWN(addr, pgoff);
5307 + addr = mm->mmap_base - len;
5308
5309 do {
5310 + if (do_colour_align)
5311 + addr = COLOUR_ALIGN_DOWN(addr, pgoff);
5312 /*
5313 * Lookup failure means no vma is above this address,
5314 * else if new region fits below vma->vm_start,
5315 * return with success:
5316 */
5317 vma = find_vma(mm, addr);
5318 - if (likely(!vma || addr+len <= vma->vm_start)) {
5319 + if (likely(check_heap_stack_gap(vma, addr, len))) {
5320 /* remember the address as a hint for next time */
5321 return (mm->free_area_cache = addr);
5322 }
5323 @@ -209,10 +207,8 @@ arch_get_unmapped_area_topdown(struct fi
5324 mm->cached_hole_size = vma->vm_start - addr;
5325
5326 /* try just below the current vma->vm_start */
5327 - addr = vma->vm_start-len;
5328 - if (do_colour_align)
5329 - addr = COLOUR_ALIGN_DOWN(addr, pgoff);
5330 - } while (likely(len < vma->vm_start));
5331 + addr = skip_heap_stack_gap(vma, len);
5332 + } while (!IS_ERR_VALUE(addr));
5333
5334 bottomup:
5335 /*
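Review bot: The loop now ends on `!IS_ERR_VALUE(addr)` instead of `len < vma->vm_start`, so termination depends entirely on `skip_heap_stack_gap()` returning an error-encoded value once nothing fits below `vma`, and that contract is defined outside this file section. Because `COLOUR_ALIGN_DOWN` moved to the top of the loop body in the previous hunk, `IS_ERR_VALUE` tests the unaligned value and only the aligned-down address reaches `find_vma()`. That looks intended but should be stated, e.g. `/* skip_heap_stack_gap() yields an error value when no room is left below vma; alignment is applied on the next pass */`. arch_get_unmapped_area_topdown continues past the hunk.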
5336 diff -urNp linux-2.6.39.3/arch/sparc/include/asm/atomic_64.h linux-2.6.39.3/arch/sparc/include/asm/atomic_64.h
5337 --- linux-2.6.39.3/arch/sparc/include/asm/atomic_64.h 2011-05-19 00:06:34.000000000 -0400
5338 +++ linux-2.6.39.3/arch/sparc/include/asm/atomic_64.h 2011-05-22 19:36:30.000000000 -0400
5339 @@ -14,18 +14,40 @@
5340 #define ATOMIC64_INIT(i) { (i) }
5341
5342 #define atomic_read(v) (*(volatile int *)&(v)->counter)
5343 +static inline int atomic_read_unchecked(const atomic_unchecked_t *v)
5344 +{
5345 + return v->counter;
5346 +}
5347 #define atomic64_read(v) (*(volatile long *)&(v)->counter)
5348 +static inline long atomic64_read_unchecked(const atomic64_unchecked_t *v)
5349 +{
5350 + return v->counter;
5351 +}
5352
5353 #define atomic_set(v, i) (((v)->counter) = i)
5354 +static inline void atomic_set_unchecked(atomic_unchecked_t *v, int i)
5355 +{
5356 + v->counter = i;
5357 +}
5358 #define atomic64_set(v, i) (((v)->counter) = i)
5359 +static inline void atomic64_set_unchecked(atomic64_unchecked_t *v, long i)
5360 +{
5361 + v->counter = i;
5362 +}
5363
5364 extern void atomic_add(int, atomic_t *);
5365 +extern void atomic_add_unchecked(int, atomic_unchecked_t *);
5366 extern void atomic64_add(long, atomic64_t *);
5367 +extern void atomic64_add_unchecked(long, atomic64_unchecked_t *);
5368 extern void atomic_sub(int, atomic_t *);
5369 +extern void atomic_sub_unchecked(int, atomic_unchecked_t *);
5370 extern void atomic64_sub(long, atomic64_t *);
5371 +extern void atomic64_sub_unchecked(long, atomic64_unchecked_t *);
5372
5373 extern int atomic_add_ret(int, atomic_t *);
5374 +extern int atomic_add_ret_unchecked(int, atomic_unchecked_t *);
5375 extern long atomic64_add_ret(long, atomic64_t *);
5376 +extern long atomic64_add_ret_unchecked(long, atomic64_unchecked_t *);
5377 extern int atomic_sub_ret(int, atomic_t *);
5378 extern long atomic64_sub_ret(long, atomic64_t *);
5379
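Review bot: `atomic_read_unchecked()` and `atomic64_read_unchecked()` return `v->counter` with a plain load, whereas the `atomic_read`/`atomic64_read` macros beside them read through a `volatile` cast. Unless the `counter` member of the unchecked types is itself declared volatile (the typedefs are not in this hunk), the compiler may cache or hoist the unchecked read in a polling loop. Matching the macros avoids that: `return *(const volatile int *)&v->counter;` and `return *(const volatile long *)&v->counter;`.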
5380 @@ -33,12 +55,24 @@ extern long atomic64_sub_ret(long, atomi
5381 #define atomic64_dec_return(v) atomic64_sub_ret(1, v)
5382
5383 #define atomic_inc_return(v) atomic_add_ret(1, v)
5384 +static inline int atomic_inc_return_unchecked(atomic_unchecked_t *v)
5385 +{
5386 + return atomic_add_ret_unchecked(1, v);
5387 +}
5388 #define atomic64_inc_return(v) atomic64_add_ret(1, v)
5389 +static inline long atomic64_inc_return_unchecked(atomic64_unchecked_t *v)
5390 +{
5391 + return atomic64_add_ret_unchecked(1, v);
5392 +}
5393
5394 #define atomic_sub_return(i, v) atomic_sub_ret(i, v)
5395 #define atomic64_sub_return(i, v) atomic64_sub_ret(i, v)
5396
5397 #define atomic_add_return(i, v) atomic_add_ret(i, v)
5398 +static inline int atomic_add_return_unchecked(int i, atomic_unchecked_t *v)
5399 +{
5400 + return atomic_add_ret_unchecked(i, v);
5401 +}
5402 #define atomic64_add_return(i, v) atomic64_add_ret(i, v)
5403
5404 /*
5405 @@ -50,6 +84,7 @@ extern long atomic64_sub_ret(long, atomi
5406 * other cases.
5407 */
5408 #define atomic_inc_and_test(v) (atomic_inc_return(v) == 0)
5409 +#define atomic_inc_and_test_unchecked(v) (atomic_inc_return_unchecked(v) == 0)
5410 #define atomic64_inc_and_test(v) (atomic64_inc_return(v) == 0)
5411
5412 #define atomic_sub_and_test(i, v) (atomic_sub_ret(i, v) == 0)
5413 @@ -59,30 +94,59 @@ extern long atomic64_sub_ret(long, atomi
5414 #define atomic64_dec_and_test(v) (atomic64_sub_ret(1, v) == 0)
5415
5416 #define atomic_inc(v) atomic_add(1, v)
5417 +static inline void atomic_inc_unchecked(atomic_unchecked_t *v)
5418 +{
5419 + atomic_add_unchecked(1, v);
5420 +}
5421 #define atomic64_inc(v) atomic64_add(1, v)
5422 +static inline void atomic64_inc_unchecked(atomic64_unchecked_t *v)
5423 +{
5424 + atomic64_add_unchecked(1, v);
5425 +}
5426
5427 #define atomic_dec(v) atomic_sub(1, v)
5428 +static inline void atomic_dec_unchecked(atomic_unchecked_t *v)
5429 +{
5430 + atomic_sub_unchecked(1, v);
5431 +}
5432 #define atomic64_dec(v) atomic64_sub(1, v)
5433 +static inline void atomic64_dec_unchecked(atomic64_unchecked_t *v)
5434 +{
5435 + atomic64_sub_unchecked(1, v);
5436 +}
5437
5438 #define atomic_add_negative(i, v) (atomic_add_ret(i, v) < 0)
5439 #define atomic64_add_negative(i, v) (atomic64_add_ret(i, v) < 0)
5440
5441 #define atomic_cmpxchg(v, o, n) (cmpxchg(&((v)->counter), (o), (n)))
5442 +#define atomic_cmpxchg_unchecked(v, o, n) (cmpxchg(&((v)->counter), (o), (n)))
5443 #define atomic_xchg(v, new) (xchg(&((v)->counter), new))
5444 +#define atomic_xchg_unchecked(v, new) (xchg(&((v)->counter), new))
5445
5446 static inline int atomic_add_unless(atomic_t *v, int a, int u)
5447 {
5448 - int c, old;
5449 + int c, old, new;
5450 c = atomic_read(v);
5451 for (;;) {
5452 - if (unlikely(c == (u)))
5453 + if (unlikely(c == u))
5454 break;
5455 - old = atomic_cmpxchg((v), c, c + (a));
5456 +
5457 + asm volatile("addcc %2, %0, %0\n"
5458 +
5459 +#ifdef CONFIG_PAX_REFCOUNT
5460 + "tvs %%icc, 6\n"
5461 +#endif
5462 +
5463 + : "=r" (new)
5464 + : "0" (c), "ir" (a)
5465 + : "cc");
5466 +
5467 + old = atomic_cmpxchg(v, c, new);
5468 if (likely(old == c))
5469 break;
5470 c = old;
5471 }
5472 - return c != (u);
5473 + return c != u;
5474 }
5475
5476 #define atomic_inc_not_zero(v) atomic_add_unless((v), 1, 0)
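Review bot: In atomic_add_unless the addition is now performed by the `asm volatile("addcc ...")` block even when CONFIG_PAX_REFCOUNT is not set, because only the `tvs %%icc, 6` line is conditional. A non-hardened build therefore trades the plain `c + (a)` for an opaque volatile asm and gains nothing. Consider putting the whole asm under `#ifdef CONFIG_PAX_REFCOUNT` and keeping `new = c + a;` under `#else`. A comment such as `/* trap on signed overflow before the cmpxchg, so a wrapped value is never stored */` would explain the trap instruction, assuming software trap 6 is routed to the overflow handler elsewhere in the patch. The same applies to atomic64_add_unless in the next hunk, which uses `%%xcc`.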
5477 @@ -93,17 +157,28 @@ static inline int atomic_add_unless(atom
5478
5479 static inline long atomic64_add_unless(atomic64_t *v, long a, long u)
5480 {
5481 - long c, old;
5482 + long c, old, new;
5483 c = atomic64_read(v);
5484 for (;;) {
5485 - if (unlikely(c == (u)))
5486 + if (unlikely(c == u))
5487 break;
5488 - old = atomic64_cmpxchg((v), c, c + (a));
5489 +
5490 + asm volatile("addcc %2, %0, %0\n"
5491 +
5492 +#ifdef CONFIG_PAX_REFCOUNT
5493 + "tvs %%xcc, 6\n"
5494 +#endif
5495 +
5496 + : "=r" (new)
5497 + : "0" (c), "ir" (a)
5498 + : "cc");
5499 +
5500 + old = atomic64_cmpxchg(v, c, new);
5501 if (likely(old == c))
5502 break;
5503 c = old;
5504 }
5505 - return c != (u);
5506 + return c != u;
5507 }
5508
5509 #define atomic64_inc_not_zero(v) atomic64_add_unless((v), 1, 0)
5510 diff -urNp linux-2.6.39.3/arch/sparc/include/asm/cache.h linux-2.6.39.3/arch/sparc/include/asm/cache.h
5511 --- linux-2.6.39.3/arch/sparc/include/asm/cache.h 2011-05-19 00:06:34.000000000 -0400
5512 +++ linux-2.6.39.3/arch/sparc/include/asm/cache.h 2011-07-06 20:00:13.000000000 -0400
5513 @@ -10,7 +10,7 @@
5514 #define ARCH_SLAB_MINALIGN __alignof__(unsigned long long)
5515
5516 #define L1_CACHE_SHIFT 5
5517 -#define L1_CACHE_BYTES 32
5518 +#define L1_CACHE_BYTES 32UL
5519
5520 #ifdef CONFIG_SPARC32
5521 #define SMP_CACHE_BYTES_SHIFT 5
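Review bot: `#define L1_CACHE_BYTES 32UL` puts a C integer suffix into a header constant, and the assembler does not accept `UL`. Any `.S` file that includes this header and uses L1_CACHE_BYTES would stop building; whether one does is not visible in this hunk. `#define L1_CACHE_BYTES _AC(32,UL)` gives the same unsigned long type in C and a bare 32 in assembly.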
5522 diff -urNp linux-2.6.39.3/arch/sparc/include/asm/dma-mapping.h linux-2.6.39.3/arch/sparc/include/asm/dma-mapping.h
5523 --- linux-2.6.39.3/arch/sparc/include/asm/dma-mapping.h 2011-05-19 00:06:34.000000000 -0400
5524 +++ linux-2.6.39.3/arch/sparc/include/asm/dma-mapping.h 2011-05-22 19:36:30.000000000 -0400
5525 @@ -12,10 +12,10 @@ extern int dma_supported(struct device *
5526 #define dma_alloc_noncoherent(d, s, h, f) dma_alloc_coherent(d, s, h, f)
5527 #define dma_free_noncoherent(d, s, v, h) dma_free_coherent(d, s, v, h)
5528
5529 -extern struct dma_map_ops *dma_ops, pci32_dma_ops;
5530 +extern const struct dma_map_ops *dma_ops, pci32_dma_ops;
5531 extern struct bus_type pci_bus_type;
5532
5533 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
5534 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
5535 {
5536 #if defined(CONFIG_SPARC32) && defined(CONFIG_PCI)
5537 if (dev->bus == &pci_bus_type)
5538 @@ -29,7 +29,7 @@ static inline struct dma_map_ops *get_dm
5539 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
5540 dma_addr_t *dma_handle, gfp_t flag)
5541 {
5542 - struct dma_map_ops *ops = get_dma_ops(dev);
5543 + const struct dma_map_ops *ops = get_dma_ops(dev);
5544 void *cpu_addr;
5545
5546 cpu_addr = ops->alloc_coherent(dev, size, dma_handle, flag);
5547 @@ -40,7 +40,7 @@ static inline void *dma_alloc_coherent(s
5548 static inline void dma_free_coherent(struct device *dev, size_t size,
5549 void *cpu_addr, dma_addr_t dma_handle)
5550 {
5551 - struct dma_map_ops *ops = get_dma_ops(dev);
5552 + const struct dma_map_ops *ops = get_dma_ops(dev);
5553
5554 debug_dma_free_coherent(dev, size, cpu_addr, dma_handle);
5555 ops->free_coherent(dev, size, cpu_addr, dma_handle);
5556 diff -urNp linux-2.6.39.3/arch/sparc/include/asm/elf_32.h linux-2.6.39.3/arch/sparc/include/asm/elf_32.h
5557 --- linux-2.6.39.3/arch/sparc/include/asm/elf_32.h 2011-05-19 00:06:34.000000000 -0400
5558 +++ linux-2.6.39.3/arch/sparc/include/asm/elf_32.h 2011-05-22 19:36:30.000000000 -0400
5559 @@ -114,6 +114,13 @@ typedef struct {
5560
5561 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE)
5562
5563 +#ifdef CONFIG_PAX_ASLR
5564 +#define PAX_ELF_ET_DYN_BASE 0x10000UL
5565 +
5566 +#define PAX_DELTA_MMAP_LEN 16
5567 +#define PAX_DELTA_STACK_LEN 16
5568 +#endif
5569 +
5570 /* This yields a mask that user programs can use to figure out what
5571 instruction set this cpu supports. This can NOT be done in userspace
5572 on Sparc. */
5573 diff -urNp linux-2.6.39.3/arch/sparc/include/asm/elf_64.h linux-2.6.39.3/arch/sparc/include/asm/elf_64.h
5574 --- linux-2.6.39.3/arch/sparc/include/asm/elf_64.h 2011-05-19 00:06:34.000000000 -0400
5575 +++ linux-2.6.39.3/arch/sparc/include/asm/elf_64.h 2011-05-22 19:36:30.000000000 -0400
5576 @@ -162,6 +162,12 @@ typedef struct {
5577 #define ELF_ET_DYN_BASE 0x0000010000000000UL
5578 #define COMPAT_ELF_ET_DYN_BASE 0x0000000070000000UL
5579
5580 +#ifdef CONFIG_PAX_ASLR
5581 +#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT) ? 0x10000UL : 0x100000UL)
5582 +
5583 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT) ? 14 : 28)
5584 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT) ? 15 : 29)
5585 +#endif
5586
5587 /* This yields a mask that user programs can use to figure out what
5588 instruction set this cpu supports. */
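Review bot: The PAX_DELTA_MMAP_LEN and PAX_DELTA_STACK_LEN values are bare numbers with no comment on their unit or on why the stack gets one more than mmap (15/29 against 14/28). They are presumably counts of randomised address bits, and a wrong value here silently shrinks the ASLR entropy. I would add a comment above the block along the lines of `/* randomisation widths in bits, 32-bit task : 64-bit task */` and state the reason for the asymmetry. The elf_32.h hunk above has the same gap for its fixed value of 16.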
5589 diff -urNp linux-2.6.39.3/arch/sparc/include/asm/pgtable_32.h linux-2.6.39.3/arch/sparc/include/asm/pgtable_32.h
5590 --- linux-2.6.39.3/arch/sparc/include/asm/pgtable_32.h 2011-05-19 00:06:34.000000000 -0400
5591 +++ linux-2.6.39.3/arch/sparc/include/asm/pgtable_32.h 2011-05-22 19:36:30.000000000 -0400
5592 @@ -43,6 +43,13 @@ BTFIXUPDEF_SIMM13(user_ptrs_per_pgd)
5593 BTFIXUPDEF_INT(page_none)
5594 BTFIXUPDEF_INT(page_copy)
5595 BTFIXUPDEF_INT(page_readonly)
5596 +
5597 +#ifdef CONFIG_PAX_PAGEEXEC
5598 +BTFIXUPDEF_INT(page_shared_noexec)
5599 +BTFIXUPDEF_INT(page_copy_noexec)
5600 +BTFIXUPDEF_INT(page_readonly_noexec)
5601 +#endif
5602 +
5603 BTFIXUPDEF_INT(page_kernel)
5604
5605 #define PMD_SHIFT SUN4C_PMD_SHIFT
5606 @@ -64,6 +71,16 @@ extern pgprot_t PAGE_SHARED;
5607 #define PAGE_COPY __pgprot(BTFIXUP_INT(page_copy))
5608 #define PAGE_READONLY __pgprot(BTFIXUP_INT(page_readonly))
5609
5610 +#ifdef CONFIG_PAX_PAGEEXEC
5611 +extern pgprot_t PAGE_SHARED_NOEXEC;
5612 +# define PAGE_COPY_NOEXEC __pgprot(BTFIXUP_INT(page_copy_noexec))
5613 +# define PAGE_READONLY_NOEXEC __pgprot(BTFIXUP_INT(page_readonly_noexec))
5614 +#else
5615 +# define PAGE_SHARED_NOEXEC PAGE_SHARED
5616 +# define PAGE_COPY_NOEXEC PAGE_COPY
5617 +# define PAGE_READONLY_NOEXEC PAGE_READONLY
5618 +#endif
5619 +
5620 extern unsigned long page_kernel;
5621
5622 #ifdef MODULE
5623 diff -urNp linux-2.6.39.3/arch/sparc/include/asm/pgtsrmmu.h linux-2.6.39.3/arch/sparc/include/asm/pgtsrmmu.h
5624 --- linux-2.6.39.3/arch/sparc/include/asm/pgtsrmmu.h 2011-05-19 00:06:34.000000000 -0400
5625 +++ linux-2.6.39.3/arch/sparc/include/asm/pgtsrmmu.h 2011-05-22 19:36:30.000000000 -0400
5626 @@ -115,6 +115,13 @@
5627 SRMMU_EXEC | SRMMU_REF)
5628 #define SRMMU_PAGE_RDONLY __pgprot(SRMMU_VALID | SRMMU_CACHE | \
5629 SRMMU_EXEC | SRMMU_REF)
5630 +
5631 +#ifdef CONFIG_PAX_PAGEEXEC
5632 +#define SRMMU_PAGE_SHARED_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_WRITE | SRMMU_REF)
5633 +#define SRMMU_PAGE_COPY_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_REF)
5634 +#define SRMMU_PAGE_RDONLY_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_REF)
5635 +#endif
5636 +
5637 #define SRMMU_PAGE_KERNEL __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_PRIV | \
5638 SRMMU_DIRTY | SRMMU_REF)
5639
5640 diff -urNp linux-2.6.39.3/arch/sparc/include/asm/spinlock_64.h linux-2.6.39.3/arch/sparc/include/asm/spinlock_64.h
5641 --- linux-2.6.39.3/arch/sparc/include/asm/spinlock_64.h 2011-05-19 00:06:34.000000000 -0400
5642 +++ linux-2.6.39.3/arch/sparc/include/asm/spinlock_64.h 2011-05-22 19:36:30.000000000 -0400
5643 @@ -92,14 +92,19 @@ static inline void arch_spin_lock_flags(
5644
5645 /* Multi-reader locks, these are much saner than the 32-bit Sparc ones... */
5646
5647 -static void inline arch_read_lock(arch_rwlock_t *lock)
5648 +static inline void arch_read_lock(arch_rwlock_t *lock)
5649 {
5650 unsigned long tmp1, tmp2;
5651
5652 __asm__ __volatile__ (
5653 "1: ldsw [%2], %0\n"
5654 " brlz,pn %0, 2f\n"
5655 -"4: add %0, 1, %1\n"
5656 +"4: addcc %0, 1, %1\n"
5657 +
5658 +#ifdef CONFIG_PAX_REFCOUNT
5659 +" tvs %%icc, 6\n"
5660 +#endif
5661 +
5662 " cas [%2], %0, %1\n"
5663 " cmp %0, %1\n"
5664 " bne,pn %%icc, 1b\n"
5665 @@ -112,10 +117,10 @@ static void inline arch_read_lock(arch_r
5666 " .previous"
5667 : "=&r" (tmp1), "=&r" (tmp2)
5668 : "r" (lock)
5669 - : "memory");
5670 + : "memory", "cc");
5671 }
5672
5673 -static int inline arch_read_trylock(arch_rwlock_t *lock)
5674 +static inline int arch_read_trylock(arch_rwlock_t *lock)
5675 {
5676 int tmp1, tmp2;
5677
5678 @@ -123,7 +128,12 @@ static int inline arch_read_trylock(arch
5679 "1: ldsw [%2], %0\n"
5680 " brlz,a,pn %0, 2f\n"
5681 " mov 0, %0\n"
5682 -" add %0, 1, %1\n"
5683 +" addcc %0, 1, %1\n"
5684 +
5685 +#ifdef CONFIG_PAX_REFCOUNT
5686 +" tvs %%icc, 6\n"
5687 +#endif
5688 +
5689 " cas [%2], %0, %1\n"
5690 " cmp %0, %1\n"
5691 " bne,pn %%icc, 1b\n"
5692 @@ -136,13 +146,18 @@ static int inline arch_read_trylock(arch
5693 return tmp1;
5694 }
5695
5696 -static void inline arch_read_unlock(arch_rwlock_t *lock)
5697 +static inline void arch_read_unlock(arch_rwlock_t *lock)
5698 {
5699 unsigned long tmp1, tmp2;
5700
5701 __asm__ __volatile__(
5702 "1: lduw [%2], %0\n"
5703 -" sub %0, 1, %1\n"
5704 +" subcc %0, 1, %1\n"
5705 +
5706 +#ifdef CONFIG_PAX_REFCOUNT
5707 +" tvs %%icc, 6\n"
5708 +#endif
5709 +
5710 " cas [%2], %0, %1\n"
5711 " cmp %0, %1\n"
5712 " bne,pn %%xcc, 1b\n"
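Review bot: arch_read_unlock now executes `subcc`, but its clobber list is left as `: "memory");`, visible as an unchanged context line at the top of the following hunk, while the arch_read_lock hunk above adds `"cc"`. For consistency, and so the compiler is told the condition codes are modified, this should become `: "memory", "cc");`. The clobber list of arch_read_trylock, which also switches to `addcc`, lies outside the hunks shown and should be checked the same way. The function's asm statement continues beyond this hunk.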
5713 @@ -152,7 +167,7 @@ static void inline arch_read_unlock(arch
5714 : "memory");
5715 }
5716
5717 -static void inline arch_write_lock(arch_rwlock_t *lock)
5718 +static inline void arch_write_lock(arch_rwlock_t *lock)
5719 {
5720 unsigned long mask, tmp1, tmp2;
5721
5722 @@ -177,7 +192,7 @@ static void inline arch_write_lock(arch_
5723 : "memory");
5724 }
5725
5726 -static void inline arch_write_unlock(arch_rwlock_t *lock)
5727 +static inline void arch_write_unlock(arch_rwlock_t *lock)
5728 {
5729 __asm__ __volatile__(
5730 " stw %%g0, [%0]"
5731 @@ -186,7 +201,7 @@ static void inline arch_write_unlock(arc
5732 : "memory");
5733 }
5734
5735 -static int inline arch_write_trylock(arch_rwlock_t *lock)
5736 +static inline int arch_write_trylock(arch_rwlock_t *lock)
5737 {
5738 unsigned long mask, tmp1, tmp2, result;
5739
5740 diff -urNp linux-2.6.39.3/arch/sparc/include/asm/thread_info_32.h linux-2.6.39.3/arch/sparc/include/asm/thread_info_32.h
5741 --- linux-2.6.39.3/arch/sparc/include/asm/thread_info_32.h 2011-05-19 00:06:34.000000000 -0400
5742 +++ linux-2.6.39.3/arch/sparc/include/asm/thread_info_32.h 2011-06-03 01:14:03.000000000 -0400
5743 @@ -50,6 +50,8 @@ struct thread_info {
5744 unsigned long w_saved;
5745
5746 struct restart_block restart_block;
5747 +
5748 + unsigned long lowest_stack;
5749 };
5750
5751 /*
5752 diff -urNp linux-2.6.39.3/arch/sparc/include/asm/thread_info_64.h linux-2.6.39.3/arch/sparc/include/asm/thread_info_64.h
5753 --- linux-2.6.39.3/arch/sparc/include/asm/thread_info_64.h 2011-05-19 00:06:34.000000000 -0400
5754 +++ linux-2.6.39.3/arch/sparc/include/asm/thread_info_64.h 2011-06-03 01:14:21.000000000 -0400
5755 @@ -63,6 +63,8 @@ struct thread_info {
5756 struct pt_regs *kern_una_regs;
5757 unsigned int kern_una_insn;
5758
5759 + unsigned long lowest_stack;
5760 +
5761 unsigned long fpregs[0] __attribute__ ((aligned(64)));
5762 };
5763
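Review bot: `lowest_stack` is added unconditionally and without a comment, so every configuration carries the field and a reader cannot tell which feature owns it. A one-line comment naming the consumer, or an `#ifdef` matching that feature's config option, would help. The field is also inserted directly ahead of the 64-byte-aligned `fpregs[]`; if assembly code addresses thread_info members through fixed offsets (not visible in this hunk), confirm that the new member lands in existing padding and does not move `fpregs`. The thread_info_32.h hunk above appends the same field after `restart_block`, where the layout risk is lower.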
5764 diff -urNp linux-2.6.39.3/arch/sparc/include/asm/uaccess_32.h linux-2.6.39.3/arch/sparc/include/asm/uaccess_32.h
5765 --- linux-2.6.39.3/arch/sparc/include/asm/uaccess_32.h 2011-05-19 00:06:34.000000000 -0400
5766 +++ linux-2.6.39.3/arch/sparc/include/asm/uaccess_32.h 2011-05-22 19:36:30.000000000 -0400
5767 @@ -249,27 +249,46 @@ extern unsigned long __copy_user(void __
5768
5769 static inline unsigned long copy_to_user(void __user *to, const void *from, unsigned long n)
5770 {
5771 - if (n && __access_ok((unsigned long) to, n))
5772 + if ((long)n < 0)
5773 + return n;
5774 +
5775 + if (n && __access_ok((unsigned long) to, n)) {
5776 + if (!__builtin_constant_p(n))
5777 + check_object_size(from, n, true);
5778 return __copy_user(to, (__force void __user *) from, n);
5779 - else
5780 + } else
5781 return n;
5782 }
5783
5784 static inline unsigned long __copy_to_user(void __user *to, const void *from, unsigned long n)
5785 {
5786 + if ((long)n < 0)
5787 + return n;
5788 +
5789 + if (!__builtin_constant_p(n))
5790 + check_object_size(from, n, true);
5791 +
5792 return __copy_user(to, (__force void __user *) from, n);
5793 }
5794
5795 static inline unsigned long copy_from_user(void *to, const void __user *from, unsigned long n)
5796 {
5797 - if (n && __access_ok((unsigned long) from, n))
5798 + if ((long)n < 0)
5799 + return n;
5800 +
5801 + if (n && __access_ok((unsigned long) from, n)) {
5802 + if (!__builtin_constant_p(n))
5803 + check_object_size(to, n, false);
5804 return __copy_user((__force void __user *) to, from, n);
5805 - else
5806 + } else
5807 return n;
5808 }
5809
5810 static inline unsigned long __copy_from_user(void *to, const void __user *from, unsigned long n)
5811 {
5812 + if ((long)n < 0)
5813 + return n;
5814 +
5815 return __copy_user((__force void __user *) to, from, n);
5816 }
5817
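Review bot: `__copy_from_user` receives the negative-length guard but not the object-size check that the other three helpers in this hunk get, so a non-constant `n` copied into a kernel buffer through it is never passed to `check_object_size`. `__copy_to_user` mirrors `copy_to_user`, so the asymmetry looks unintentional. Add `if (!__builtin_constant_p(n)) check_object_size(to, n, false);` before the `__copy_user` call, or leave a comment explaining why this path is exempt. The `(long)n < 0` guards would also benefit from a short comment, for example `/* reject lengths that came from a negative signed value */`.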
5818 diff -urNp linux-2.6.39.3/arch/sparc/include/asm/uaccess_64.h linux-2.6.39.3/arch/sparc/include/asm/uaccess_64.h
5819 --- linux-2.6.39.3/arch/sparc/include/asm/uaccess_64.h 2011-05-19 00:06:34.000000000 -0400
5820 +++ linux-2.6.39.3/arch/sparc/include/asm/uaccess_64.h 2011-05-22 19:36:30.000000000 -0400
5821 @@ -10,6 +10,7 @@
5822 #include <linux/compiler.h>
5823 #include <linux/string.h>
5824 #include <linux/thread_info.h>
5825 +#include <linux/kernel.h>
5826 #include <asm/asi.h>
5827 #include <asm/system.h>
5828 #include <asm/spitfire.h>
5829 @@ -213,8 +214,15 @@ extern unsigned long copy_from_user_fixu
5830 static inline unsigned long __must_check
5831 copy_from_user(void *to, const void __user *from, unsigned long size)
5832 {
5833 - unsigned long ret = ___copy_from_user(to, from, size);
5834 + unsigned long ret;
5835
5836 + if ((long)size < 0 || size > INT_MAX)
5837 + return size;
5838 +
5839 + if (!__builtin_constant_p(size))
5840 + check_object_size(to, size, false);
5841 +
5842 + ret = ___copy_from_user(to, from, size);
5843 if (unlikely(ret))
5844 ret = copy_from_user_fixup(to, from, size);
5845
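Review bot: In `if ((long)size < 0 || size > INT_MAX)` the first test is redundant on this 64-bit header, because any `unsigned long` with the top bit set is already greater than INT_MAX. `if (size > INT_MAX) return size;` is equivalent, or a comment should say the pair is kept for symmetry with uaccess_32.h. The early return also bypasses `copy_from_user_fixup`, so whatever that helper does to the destination buffer on failure (not visible here) does not happen for rejected sizes; that deserves a comment for callers. The copy_to_user hunk that follows carries the same redundant test, and both functions continue past their hunks.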
5846 @@ -230,8 +238,15 @@ extern unsigned long copy_to_user_fixup(
5847 static inline unsigned long __must_check
5848 copy_to_user(void __user *to, const void *from, unsigned long size)
5849 {
5850 - unsigned long ret = ___copy_to_user(to, from, size);
5851 + unsigned long ret;
5852 +
5853 + if ((long)size < 0 || size > INT_MAX)
5854 + return size;
5855 +
5856 + if (!__builtin_constant_p(size))
5857 + check_object_size(from, size, true);
5858
5859 + ret = ___copy_to_user(to, from, size);
5860 if (unlikely(ret))
5861 ret = copy_to_user_fixup(to, from, size);
5862 return ret;
5863 diff -urNp linux-2.6.39.3/arch/sparc/include/asm/uaccess.h linux-2.6.39.3/arch/sparc/include/asm/uaccess.h
5864 --- linux-2.6.39.3/arch/sparc/include/asm/uaccess.h 2011-05-19 00:06:34.000000000 -0400
5865 +++ linux-2.6.39.3/arch/sparc/include/asm/uaccess.h 2011-05-22 19:36:30.000000000 -0400
5866 @@ -1,5 +1,13 @@
5867 #ifndef ___ASM_SPARC_UACCESS_H
5868 #define ___ASM_SPARC_UACCESS_H
5869 +
5870 +#ifdef __KERNEL__
5871 +#ifndef __ASSEMBLY__
5872 +#include <linux/types.h>
5873 +extern void check_object_size(const void *ptr, unsigned long n, bool to);
5874 +#endif
5875 +#endif
5876 +
5877 #if defined(__sparc__) && defined(__arch64__)
5878 #include <asm/uaccess_64.h>
5879 #else
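Review bot: `check_object_size(const void *ptr, unsigned long n, bool to)` is declared with no comment, and the meaning of the bare `bool to` can only be inferred from call sites. Those sites in uaccess_32.h and uaccess_64.h pass `true` from copy_to_user with the kernel source pointer and `false` from copy_from_user with the kernel destination pointer. I would document that on the prototype, for example `/* ptr: kernel-side buffer; to: true when the copy goes to userland, false when it comes from userland */`. It is also worth stating whether the function is always built or only under a hardening option, since this declaration is unconditional.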
5880 diff -urNp linux-2.6.39.3/arch/sparc/kernel/iommu.c linux-2.6.39.3/arch/sparc/kernel/iommu.c
5881 --- linux-2.6.39.3/arch/sparc/kernel/iommu.c 2011-05-19 00:06:34.000000000 -0400
5882 +++ linux-2.6.39.3/arch/sparc/kernel/iommu.c 2011-05-22 19:36:30.000000000 -0400
5883 @@ -824,7 +824,7 @@ static void dma_4u_sync_sg_for_cpu(struc
5884 spin_unlock_irqrestore(&iommu->lock, flags);
5885 }
5886
5887 -static struct dma_map_ops sun4u_dma_ops = {
5888 +static const struct dma_map_ops sun4u_dma_ops = {
5889 .alloc_coherent = dma_4u_alloc_coherent,
5890 .free_coherent = dma_4u_free_coherent,
5891 .map_page = dma_4u_map_page,
5892 @@ -835,7 +835,7 @@ static struct dma_map_ops sun4u_dma_ops
5893 .sync_sg_for_cpu = dma_4u_sync_sg_for_cpu,
5894 };
5895
5896 -struct dma_map_ops *dma_ops = &sun4u_dma_ops;
5897 +const struct dma_map_ops *dma_ops = &sun4u_dma_ops;
5898 EXPORT_SYMBOL(dma_ops);
5899
5900 extern int pci64_dma_supported(struct pci_dev *pdev, u64 device_mask);
5901 diff -urNp linux-2.6.39.3/arch/sparc/kernel/ioport.c linux-2.6.39.3/arch/sparc/kernel/ioport.c
5902 --- linux-2.6.39.3/arch/sparc/kernel/ioport.c 2011-05-19 00:06:34.000000000 -0400
5903 +++ linux-2.6.39.3/arch/sparc/kernel/ioport.c 2011-05-22 19:36:30.000000000 -0400
5904 @@ -402,7 +402,7 @@ static void sbus_sync_sg_for_device(stru
5905 BUG();
5906 }
5907
5908 -struct dma_map_ops sbus_dma_ops = {
5909 +const struct dma_map_ops sbus_dma_ops = {
5910 .alloc_coherent = sbus_alloc_coherent,
5911 .free_coherent = sbus_free_coherent,
5912 .map_page = sbus_map_page,
5913 @@ -653,7 +653,7 @@ static void pci32_sync_sg_for_device(str
5914 }
5915 }
5916
5917 -struct dma_map_ops pci32_dma_ops = {
5918 +const struct dma_map_ops pci32_dma_ops = {
5919 .alloc_coherent = pci32_alloc_coherent,
5920 .free_coherent = pci32_free_coherent,
5921 .map_page = pci32_map_page,
5922 diff -urNp linux-2.6.39.3/arch/sparc/kernel/kgdb_32.c linux-2.6.39.3/arch/sparc/kernel/kgdb_32.c
5923 --- linux-2.6.39.3/arch/sparc/kernel/kgdb_32.c 2011-05-19 00:06:34.000000000 -0400
5924 +++ linux-2.6.39.3/arch/sparc/kernel/kgdb_32.c 2011-05-22 19:36:30.000000000 -0400
5925 @@ -164,7 +164,7 @@ void kgdb_arch_set_pc(struct pt_regs *re
5926 regs->npc = regs->pc + 4;
5927 }
5928
5929 -struct kgdb_arch arch_kgdb_ops = {
5930 +const struct kgdb_arch arch_kgdb_ops = {
5931 /* Breakpoint instruction: ta 0x7d */
5932 .gdb_bpt_instr = { 0x91, 0xd0, 0x20, 0x7d },
5933 };
5934 diff -urNp linux-2.6.39.3/arch/sparc/kernel/kgdb_64.c linux-2.6.39.3/arch/sparc/kernel/kgdb_64.c
5935 --- linux-2.6.39.3/arch/sparc/kernel/kgdb_64.c 2011-05-19 00:06:34.000000000 -0400
5936 +++ linux-2.6.39.3/arch/sparc/kernel/kgdb_64.c 2011-05-22 19:36:30.000000000 -0400
5937 @@ -187,7 +187,7 @@ void kgdb_arch_set_pc(struct pt_regs *re
5938 regs->tnpc = regs->tpc + 4;
5939 }
5940
5941 -struct kgdb_arch arch_kgdb_ops = {
5942 +const struct kgdb_arch arch_kgdb_ops = {
5943 /* Breakpoint instruction: ta 0x72 */
5944 .gdb_bpt_instr = { 0x91, 0xd0, 0x20, 0x72 },
5945 };
5946 diff -urNp linux-2.6.39.3/arch/sparc/kernel/Makefile linux-2.6.39.3/arch/sparc/kernel/Makefile
5947 --- linux-2.6.39.3/arch/sparc/kernel/Makefile 2011-05-19 00:06:34.000000000 -0400
5948 +++ linux-2.6.39.3/arch/sparc/kernel/Makefile 2011-05-22 19:36:30.000000000 -0400
5949 @@ -3,7 +3,7 @@
5950 #
5951
5952 asflags-y := -ansi
5953 -ccflags-y := -Werror
5954 +#ccflags-y := -Werror
5955
5956 extra-y := head_$(BITS).o
5957 extra-y += init_task.o
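Review bot: `#ccflags-y := -Werror` disables warnings-as-errors for all of arch/sparc/kernel by leaving a commented-out line with no explanation. New warnings introduced by the rest of this patch, such as const-qualifier mismatches from the ops-table changes, will then build silently. Delete the line or keep it with a comment naming the warnings that forced the change, so it can be restored once they are fixed.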
5958 diff -urNp linux-2.6.39.3/arch/sparc/kernel/pcic.c linux-2.6.39.3/arch/sparc/kernel/pcic.c
5959 --- linux-2.6.39.3/arch/sparc/kernel/pcic.c 2011-05-19 00:06:34.000000000 -0400
5960 +++ linux-2.6.39.3/arch/sparc/kernel/pcic.c 2011-05-22 19:36:30.000000000 -0400
5961 @@ -268,7 +268,7 @@ static int pcic_write_config(struct pci_
5962 return -EINVAL;
5963 }
5964
5965 -static struct pci_ops pcic_ops = {
5966 +static const struct pci_ops pcic_ops = {
5967 .read = pcic_read_config,
5968 .write = pcic_write_config,
5969 };
5970 diff -urNp linux-2.6.39.3/arch/sparc/kernel/pci_common.c linux-2.6.39.3/arch/sparc/kernel/pci_common.c
5971 --- linux-2.6.39.3/arch/sparc/kernel/pci_common.c 2011-05-19 00:06:34.000000000 -0400
5972 +++ linux-2.6.39.3/arch/sparc/kernel/pci_common.c 2011-05-22 19:36:30.000000000 -0400
5973 @@ -249,7 +249,7 @@ static int sun4u_write_pci_cfg(struct pc
5974 return PCIBIOS_SUCCESSFUL;
5975 }
5976
5977 -struct pci_ops sun4u_pci_ops = {
5978 +const struct pci_ops sun4u_pci_ops = {
5979 .read = sun4u_read_pci_cfg,
5980 .write = sun4u_write_pci_cfg,
5981 };
5982 @@ -310,7 +310,7 @@ static int sun4v_write_pci_cfg(struct pc
5983 return PCIBIOS_SUCCESSFUL;
5984 }
5985
5986 -struct pci_ops sun4v_pci_ops = {
5987 +const struct pci_ops sun4v_pci_ops = {
5988 .read = sun4v_read_pci_cfg,
5989 .write = sun4v_write_pci_cfg,
5990 };
5991 diff -urNp linux-2.6.39.3/arch/sparc/kernel/pci_impl.h linux-2.6.39.3/arch/sparc/kernel/pci_impl.h
5992 --- linux-2.6.39.3/arch/sparc/kernel/pci_impl.h 2011-05-19 00:06:34.000000000 -0400
5993 +++ linux-2.6.39.3/arch/sparc/kernel/pci_impl.h 2011-05-22 19:36:30.000000000 -0400
5994 @@ -175,8 +175,8 @@ extern void pci_config_write8(u8 *addr,
5995 extern void pci_config_write16(u16 *addr, u16 val);
5996 extern void pci_config_write32(u32 *addr, u32 val);
5997
5998 -extern struct pci_ops sun4u_pci_ops;
5999 -extern struct pci_ops sun4v_pci_ops;
6000 +extern const struct pci_ops sun4u_pci_ops;
6001 +extern const struct pci_ops sun4v_pci_ops;
6002
6003 extern volatile int pci_poke_in_progress;
6004 extern volatile int pci_poke_cpu;
6005 diff -urNp linux-2.6.39.3/arch/sparc/kernel/pci_sun4v.c linux-2.6.39.3/arch/sparc/kernel/pci_sun4v.c
6006 --- linux-2.6.39.3/arch/sparc/kernel/pci_sun4v.c 2011-05-19 00:06:34.000000000 -0400
6007 +++ linux-2.6.39.3/arch/sparc/kernel/pci_sun4v.c 2011-05-22 19:36:30.000000000 -0400
6008 @@ -525,7 +525,7 @@ static void dma_4v_unmap_sg(struct devic
6009 spin_unlock_irqrestore(&iommu->lock, flags);
6010 }
6011
6012 -static struct dma_map_ops sun4v_dma_ops = {
6013 +static const struct dma_map_ops sun4v_dma_ops = {
6014 .alloc_coherent = dma_4v_alloc_coherent,
6015 .free_coherent = dma_4v_free_coherent,
6016 .map_page = dma_4v_map_page,
6017 diff -urNp linux-2.6.39.3/arch/sparc/kernel/process_32.c linux-2.6.39.3/arch/sparc/kernel/process_32.c
6018 --- linux-2.6.39.3/arch/sparc/kernel/process_32.c 2011-05-19 00:06:34.000000000 -0400
6019 +++ linux-2.6.39.3/arch/sparc/kernel/process_32.c 2011-05-22 19:41:32.000000000 -0400
6020 @@ -196,7 +196,7 @@ void __show_backtrace(unsigned long fp)
6021 rw->ins[4], rw->ins[5],
6022 rw->ins[6],
6023 rw->ins[7]);
6024 - printk("%pS\n", (void *) rw->ins[7]);
6025 + printk("%pA\n", (void *) rw->ins[7]);
6026 rw = (struct reg_window32 *) rw->ins[6];
6027 }
6028 spin_unlock_irqrestore(&sparc_backtrace_lock, flags);
6029 @@ -263,14 +263,14 @@ void show_regs(struct pt_regs *r)
6030
6031 printk("PSR: %08lx PC: %08lx NPC: %08lx Y: %08lx %s\n",
6032 r->psr, r->pc, r->npc, r->y, print_tainted());
6033 - printk("PC: <%pS>\n", (void *) r->pc);
6034 + printk("PC: <%pA>\n", (void *) r->pc);
6035 printk("%%G: %08lx %08lx %08lx %08lx %08lx %08lx %08lx %08lx\n",
6036 r->u_regs[0], r->u_regs[1], r->u_regs[2], r->u_regs[3],
6037 r->u_regs[4], r->u_regs[5], r->u_regs[6], r->u_regs[7]);
6038 printk("%%O: %08lx %08lx %08lx %08lx %08lx %08lx %08lx %08lx\n",
6039 r->u_regs[8], r->u_regs[9], r->u_regs[10], r->u_regs[11],
6040 r->u_regs[12], r->u_regs[13], r->u_regs[14], r->u_regs[15]);
6041 - printk("RPC: <%pS>\n", (void *) r->u_regs[15]);
6042 + printk("RPC: <%pA>\n", (void *) r->u_regs[15]);
6043
6044 printk("%%L: %08lx %08lx %08lx %08lx %08lx %08lx %08lx %08lx\n",
6045 rw->locals[0], rw->locals[1], rw->locals[2], rw->locals[3],
6046 @@ -305,7 +305,7 @@ void show_stack(struct task_struct *tsk,
6047 rw = (struct reg_window32 *) fp;
6048 pc = rw->ins[7];
6049 printk("[%08lx : ", pc);
6050 - printk("%pS ] ", (void *) pc);
6051 + printk("%pA ] ", (void *) pc);
6052 fp = rw->ins[6];
6053 } while (++count < 16);
6054 printk("\n");
6055 diff -urNp linux-2.6.39.3/arch/sparc/kernel/process_64.c linux-2.6.39.3/arch/sparc/kernel/process_64.c
6056 --- linux-2.6.39.3/arch/sparc/kernel/process_64.c 2011-05-19 00:06:34.000000000 -0400
6057 +++ linux-2.6.39.3/arch/sparc/kernel/process_64.c 2011-05-22 19:41:32.000000000 -0400
6058 @@ -180,14 +180,14 @@ static void show_regwindow(struct pt_reg
6059 printk("i4: %016lx i5: %016lx i6: %016lx i7: %016lx\n",
6060 rwk->ins[4], rwk->ins[5], rwk->ins[6], rwk->ins[7]);
6061 if (regs->tstate & TSTATE_PRIV)
6062 - printk("I7: <%pS>\n", (void *) rwk->ins[7]);
6063 + printk("I7: <%pA>\n", (void *) rwk->ins[7]);
6064 }
6065
6066 void show_regs(struct pt_regs *regs)
6067 {
6068 printk("TSTATE: %016lx TPC: %016lx TNPC: %016lx Y: %08x %s\n", regs->tstate,
6069 regs->tpc, regs->tnpc, regs->y, print_tainted());
6070 - printk("TPC: <%pS>\n", (void *) regs->tpc);
6071 + printk("TPC: <%pA>\n", (void *) regs->tpc);
6072 printk("g0: %016lx g1: %016lx g2: %016lx g3: %016lx\n",
6073 regs->u_regs[0], regs->u_regs[1], regs->u_regs[2],
6074 regs->u_regs[3]);
6075 @@ -200,7 +200,7 @@ void show_regs(struct pt_regs *regs)
6076 printk("o4: %016lx o5: %016lx sp: %016lx ret_pc: %016lx\n",
6077 regs->u_regs[12], regs->u_regs[13], regs->u_regs[14],
6078 regs->u_regs[15]);
6079 - printk("RPC: <%pS>\n", (void *) regs->u_regs[15]);
6080 + printk("RPC: <%pA>\n", (void *) regs->u_regs[15]);
6081 show_regwindow(regs);
6082 show_stack(current, (unsigned long *) regs->u_regs[UREG_FP]);
6083 }
6084 @@ -285,7 +285,7 @@ void arch_trigger_all_cpu_backtrace(void
6085 ((tp && tp->task) ? tp->task->pid : -1));
6086
6087 if (gp->tstate & TSTATE_PRIV) {
6088 - printk(" TPC[%pS] O7[%pS] I7[%pS] RPC[%pS]\n",
6089 + printk(" TPC[%pA] O7[%pA] I7[%pA] RPC[%pA]\n",
6090 (void *) gp->tpc,
6091 (void *) gp->o7,
6092 (void *) gp->i7,
6093 diff -urNp linux-2.6.39.3/arch/sparc/kernel/sys_sparc_32.c linux-2.6.39.3/arch/sparc/kernel/sys_sparc_32.c
6094 --- linux-2.6.39.3/arch/sparc/kernel/sys_sparc_32.c 2011-05-19 00:06:34.000000000 -0400
6095 +++ linux-2.6.39.3/arch/sparc/kernel/sys_sparc_32.c 2011-05-22 19:36:30.000000000 -0400
6096 @@ -56,7 +56,7 @@ unsigned long arch_get_unmapped_area(str
6097 if (ARCH_SUN4C && len > 0x20000000)
6098 return -ENOMEM;
6099 if (!addr)
6100 - addr = TASK_UNMAPPED_BASE;
6101 + addr = current->mm->mmap_base;
6102
6103 if (flags & MAP_SHARED)
6104 addr = COLOUR_ALIGN(addr);
6105 @@ -71,7 +71,7 @@ unsigned long arch_get_unmapped_area(str
6106 }
6107 if (TASK_SIZE - PAGE_SIZE - len < addr)
6108 return -ENOMEM;
6109 - if (!vmm || addr + len <= vmm->vm_start)
6110 + if (check_heap_stack_gap(vmm, addr, len))
6111 return addr;
6112 addr = vmm->vm_end;
6113 if (flags & MAP_SHARED)
6114 diff -urNp linux-2.6.39.3/arch/sparc/kernel/sys_sparc_64.c linux-2.6.39.3/arch/sparc/kernel/sys_sparc_64.c
6115 --- linux-2.6.39.3/arch/sparc/kernel/sys_sparc_64.c 2011-05-19 00:06:34.000000000 -0400
6116 +++ linux-2.6.39.3/arch/sparc/kernel/sys_sparc_64.c 2011-05-22 19:36:30.000000000 -0400
6117 @@ -124,7 +124,7 @@ unsigned long arch_get_unmapped_area(str
6118 /* We do not accept a shared mapping if it would violate
6119 * cache aliasing constraints.
6120 */
6121 - if ((flags & MAP_SHARED) &&
6122 + if ((filp || (flags & MAP_SHARED)) &&
6123 ((addr - (pgoff << PAGE_SHIFT)) & (SHMLBA - 1)))
6124 return -EINVAL;
6125 return addr;
6126 @@ -139,6 +139,10 @@ unsigned long arch_get_unmapped_area(str
6127 if (filp || (flags & MAP_SHARED))
6128 do_color_align = 1;
6129
6130 +#ifdef CONFIG_PAX_RANDMMAP
6131 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
6132 +#endif
6133 +
6134 if (addr) {
6135 if (do_color_align)
6136 addr = COLOUR_ALIGN(addr, pgoff);
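Review bot: The added `if (!(mm->pax_flags & MF_PAX_RANDMMAP))` has no braces and is separated by `#endif` and a blank line from the `if (addr) {` block it governs. A later edit that inserts a statement between them would change which code is conditional, without any compiler diagnostic. Folding the test into the existing condition under the ifdef, or adding a comment such as `/* the address hint is ignored when RANDMMAP is active */` next to the guard, would make the intent explicit. The guarded block extends beyond this hunk.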
6137 @@ -146,15 +150,14 @@ unsigned long arch_get_unmapped_area(str
6138 addr = PAGE_ALIGN(addr);
6139
6140 vma = find_vma(mm, addr);
6141 - if (task_size - len >= addr &&
6142 - (!vma || addr + len <= vma->vm_start))
6143 + if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
6144 return addr;
6145 }
6146
6147 if (len > mm->cached_hole_size) {
6148 - start_addr = addr = mm->free_area_cache;
6149 + start_addr = addr = mm->free_area_cache;
6150 } else {
6151 - start_addr = addr = TASK_UNMAPPED_BASE;
6152 + start_addr = addr = mm->mmap_base;
6153 mm->cached_hole_size = 0;
6154 }
6155
6156 @@ -174,14 +177,14 @@ full_search:
6157 vma = find_vma(mm, VA_EXCLUDE_END);
6158 }
6159 if (unlikely(task_size < addr)) {
6160 - if (start_addr != TASK_UNMAPPED_BASE) {
6161 - start_addr = addr = TASK_UNMAPPED_BASE;
6162 + if (start_addr != mm->mmap_base) {
6163 + start_addr = addr = mm->mmap_base;
6164 mm->cached_hole_size = 0;
6165 goto full_search;
6166 }
6167 return -ENOMEM;
6168 }
6169 - if (likely(!vma || addr + len <= vma->vm_start)) {
6170 + if (likely(check_heap_stack_gap(vma, addr, len))) {
6171 /*
6172 * Remember the place where we stopped the search:
6173 */
6174 @@ -215,7 +218,7 @@ arch_get_unmapped_area_topdown(struct fi
6175 /* We do not accept a shared mapping if it would violate
6176 * cache aliasing constraints.
6177 */
6178 - if ((flags & MAP_SHARED) &&
6179 + if ((filp || (flags & MAP_SHARED)) &&
6180 ((addr - (pgoff << PAGE_SHIFT)) & (SHMLBA - 1)))
6181 return -EINVAL;
6182 return addr;
6183 @@ -236,8 +239,7 @@ arch_get_unmapped_area_topdown(struct fi
6184 addr = PAGE_ALIGN(addr);
6185
6186 vma = find_vma(mm, addr);
6187 - if (task_size - len >= addr &&
6188 - (!vma || addr + len <= vma->vm_start))
6189 + if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
6190 return addr;
6191 }
6192
6193 @@ -258,7 +260,7 @@ arch_get_unmapped_area_topdown(struct fi
6194 /* make sure it can fit in the remaining address space */
6195 if (likely(addr > len)) {
6196 vma = find_vma(mm, addr-len);
6197 - if (!vma || addr <= vma->vm_start) {
6198 + if (check_heap_stack_gap(vma, addr - len, len)) {
6199 /* remember the address as a hint for next time */
6200 return (mm->free_area_cache = addr-len);
6201 }
6202 @@ -267,18 +269,18 @@ arch_get_unmapped_area_topdown(struct fi
6203 if (unlikely(mm->mmap_base < len))
6204 goto bottomup;
6205
6206 - addr = mm->mmap_base-len;
6207 - if (do_color_align)
6208 - addr = COLOUR_ALIGN_DOWN(addr, pgoff);
6209 + addr = mm->mmap_base - len;
6210
6211 do {
6212 + if (do_color_align)
6213 + addr = COLOUR_ALIGN_DOWN(addr, pgoff);
6214 /*
6215 * Lookup failure means no vma is above this address,
6216 * else if new region fits below vma->vm_start,
6217 * return with success:
6218 */
6219 vma = find_vma(mm, addr);
6220 - if (likely(!vma || addr+len <= vma->vm_start)) {
6221 + if (likely(check_heap_stack_gap(vma, addr, len))) {
6222 /* remember the address as a hint for next time */
6223 return (mm->free_area_cache = addr);
6224 }
6225 @@ -288,10 +290,8 @@ arch_get_unmapped_area_topdown(struct fi
6226 mm->cached_hole_size = vma->vm_start - addr;
6227
6228 /* try just below the current vma->vm_start */
6229 - addr = vma->vm_start-len;
6230 - if (do_color_align)
6231 - addr = COLOUR_ALIGN_DOWN(addr, pgoff);
6232 - } while (likely(len < vma->vm_start));
6233 + addr = skip_heap_stack_gap(vma, len);
6234 + } while (!IS_ERR_VALUE(addr));
6235
6236 bottomup:
6237 /*
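Review bot: The loop's exit condition is now `!IS_ERR_VALUE(addr)`, so termination depends entirely on what skip_heap_stack_gap() returns, and that helper is not defined in this hunk. The removed `len < vma->vm_start` test kept the underflow guard readable at the loop itself. A comment above the `while`, such as `/* skip_heap_stack_gap() yields an error value once nothing fits below vma */`, would keep that visible. The colour alignment that used to follow the assignment is now applied at the top of the loop body, in the previous hunk.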
6238 @@ -390,6 +390,12 @@ void arch_pick_mmap_layout(struct mm_str
6239 gap == RLIM_INFINITY ||
6240 sysctl_legacy_va_layout) {
6241 mm->mmap_base = TASK_UNMAPPED_BASE + random_factor;
6242 +
6243 +#ifdef CONFIG_PAX_RANDMMAP
6244 + if (mm->pax_flags & MF_PAX_RANDMMAP)
6245 + mm->mmap_base += mm->delta_mmap;
6246 +#endif
6247 +
6248 mm->get_unmapped_area = arch_get_unmapped_area;
6249 mm->unmap_area = arch_unmap_area;
6250 } else {
6251 @@ -402,6 +408,12 @@ void arch_pick_mmap_layout(struct mm_str
6252 gap = (task_size / 6 * 5);
6253
6254 mm->mmap_base = PAGE_ALIGN(task_size - gap - random_factor);
6255 +
6256 +#ifdef CONFIG_PAX_RANDMMAP
6257 + if (mm->pax_flags & MF_PAX_RANDMMAP)
6258 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
6259 +#endif
6260 +
6261 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
6262 mm->unmap_area = arch_unmap_area_topdown;
6263 }
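Review bot: `mm->mmap_base -= mm->delta_mmap + mm->delta_stack;` is applied after `PAGE_ALIGN(task_size - gap - random_factor)` with no lower bound visible in this hunk. `gap` is set to `task_size / 6 * 5` just above (presumably as an upper clamp), so the headroom is about a sixth of task_size minus random_factor. Whether both deltas always fit in that depends on how delta_mmap and delta_stack are sized elsewhere in the patch. A comment stating the bound, or a guard against the result dropping below TASK_UNMAPPED_BASE, would make the assumption checkable. The legacy branch in the previous hunk adds only delta_mmap, which deserves a word in the same comment.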
6264 diff -urNp linux-2.6.39.3/arch/sparc/kernel/traps_32.c linux-2.6.39.3/arch/sparc/kernel/traps_32.c
6265 --- linux-2.6.39.3/arch/sparc/kernel/traps_32.c 2011-05-19 00:06:34.000000000 -0400
6266 +++ linux-2.6.39.3/arch/sparc/kernel/traps_32.c 2011-06-13 21:29:23.000000000 -0400
6267 @@ -44,6 +44,8 @@ static void instruction_dump(unsigned lo
6268 #define __SAVE __asm__ __volatile__("save %sp, -0x40, %sp\n\t")
6269 #define __RESTORE __asm__ __volatile__("restore %g0, %g0, %g0\n\t")
6270
6271 +extern void gr_handle_kernel_exploit(void);
6272 +
6273 void die_if_kernel(char *str, struct pt_regs *regs)
6274 {
6275 static int die_counter;
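Review bot: `extern void gr_handle_kernel_exploit(void);` is declared locally in the .c file rather than coming from a header, so the compiler cannot check this prototype against the definition. The same local declaration is added in front of die_if_kernel in traps_64.c later in the patch. Moving the prototype into a header included by both callers and by the defining file would catch signature drift at build time.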
6276 @@ -76,15 +78,17 @@ void die_if_kernel(char *str, struct pt_
6277 count++ < 30 &&
6278 (((unsigned long) rw) >= PAGE_OFFSET) &&
6279 !(((unsigned long) rw) & 0x7)) {
6280 - printk("Caller[%08lx]: %pS\n", rw->ins[7],
6281 + printk("Caller[%08lx]: %pA\n", rw->ins[7],
6282 (void *) rw->ins[7]);
6283 rw = (struct reg_window32 *)rw->ins[6];
6284 }
6285 }
6286 printk("Instruction DUMP:");
6287 instruction_dump ((unsigned long *) regs->pc);
6288 - if(regs->psr & PSR_PS)
6289 + if(regs->psr & PSR_PS) {
6290 + gr_handle_kernel_exploit();
6291 do_exit(SIGKILL);
6292 + }
6293 do_exit(SIGSEGV);
6294 }
6295
6296 diff -urNp linux-2.6.39.3/arch/sparc/kernel/traps_64.c linux-2.6.39.3/arch/sparc/kernel/traps_64.c
6297 --- linux-2.6.39.3/arch/sparc/kernel/traps_64.c 2011-05-19 00:06:34.000000000 -0400
6298 +++ linux-2.6.39.3/arch/sparc/kernel/traps_64.c 2011-06-13 21:28:54.000000000 -0400
6299 @@ -75,7 +75,7 @@ static void dump_tl1_traplog(struct tl1_
6300 i + 1,
6301 p->trapstack[i].tstate, p->trapstack[i].tpc,
6302 p->trapstack[i].tnpc, p->trapstack[i].tt);
6303 - printk("TRAPLOG: TPC<%pS>\n", (void *) p->trapstack[i].tpc);
6304 + printk("TRAPLOG: TPC<%pA>\n", (void *) p->trapstack[i].tpc);
6305 }
6306 }
6307
6308 @@ -95,6 +95,12 @@ void bad_trap(struct pt_regs *regs, long
6309
6310 lvl -= 0x100;
6311 if (regs->tstate & TSTATE_PRIV) {
6312 +
6313 +#ifdef CONFIG_PAX_REFCOUNT
6314 + if (lvl == 6)
6315 + pax_report_refcount_overflow(regs);
6316 +#endif
6317 +
6318 sprintf(buffer, "Kernel bad sw trap %lx", lvl);
6319 die_if_kernel(buffer, regs);
6320 }
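Review bot: The literal `6` in `if (lvl == 6)` has to match the trap number in the `tvs %icc, 6` and `tvs %xcc, 6` instructions this patch adds to arch/sparc/lib/atomic_64.S, but nothing ties the two together. A single define in a header usable from both C and assembly (placeholder name: `PAX_REFCOUNT_TRAP`) would keep them in step; the same literal appears in bad_trap_tl1 in the next hunk. Execution continues into sprintf() and die_if_kernel() after the report, which is probably intended but would benefit from a one-line comment.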
6321 @@ -113,11 +119,16 @@ void bad_trap(struct pt_regs *regs, long
6322 void bad_trap_tl1(struct pt_regs *regs, long lvl)
6323 {
6324 char buffer[32];
6325 -
6326 +
6327 if (notify_die(DIE_TRAP_TL1, "bad trap tl1", regs,
6328 0, lvl, SIGTRAP) == NOTIFY_STOP)
6329 return;
6330
6331 +#ifdef CONFIG_PAX_REFCOUNT
6332 + if (lvl == 6)
6333 + pax_report_refcount_overflow(regs);
6334 +#endif
6335 +
6336 dump_tl1_traplog((struct tl1_traplog *)(regs + 1));
6337
6338 sprintf (buffer, "Bad trap %lx at tl>0", lvl);
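Review bot: bad_trap_tl1 compares the raw `lvl` with 6, whereas bad_trap in the previous hunk executes `lvl -= 0x100` before making the same comparison. If both handlers receive the trap type in the same encoding, the check here would not match the software trap raised by `tvs`. If the encodings differ, a short comment saying so would settle the question for the next reader. The `-`/`+` pair on the blank line after `char buffer[32];` looks like a whitespace-only change and could be dropped. The function continues past the end of this hunk.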
6339 @@ -1141,7 +1152,7 @@ static void cheetah_log_errors(struct pt
6340 regs->tpc, regs->tnpc, regs->u_regs[UREG_I7], regs->tstate);
6341 printk("%s" "ERROR(%d): ",
6342 (recoverable ? KERN_WARNING : KERN_CRIT), smp_processor_id());
6343 - printk("TPC<%pS>\n", (void *) regs->tpc);
6344 + printk("TPC<%pA>\n", (void *) regs->tpc);
6345 printk("%s" "ERROR(%d): M_SYND(%lx), E_SYND(%lx)%s%s\n",
6346 (recoverable ? KERN_WARNING : KERN_CRIT), smp_processor_id(),
6347 (afsr & CHAFSR_M_SYNDROME) >> CHAFSR_M_SYNDROME_SHIFT,
6348 @@ -1748,7 +1759,7 @@ void cheetah_plus_parity_error(int type,
6349 smp_processor_id(),
6350 (type & 0x1) ? 'I' : 'D',
6351 regs->tpc);
6352 - printk(KERN_EMERG "TPC<%pS>\n", (void *) regs->tpc);
6353 + printk(KERN_EMERG "TPC<%pA>\n", (void *) regs->tpc);
6354 panic("Irrecoverable Cheetah+ parity error.");
6355 }
6356
6357 @@ -1756,7 +1767,7 @@ void cheetah_plus_parity_error(int type,
6358 smp_processor_id(),
6359 (type & 0x1) ? 'I' : 'D',
6360 regs->tpc);
6361 - printk(KERN_WARNING "TPC<%pS>\n", (void *) regs->tpc);
6362 + printk(KERN_WARNING "TPC<%pA>\n", (void *) regs->tpc);
6363 }
6364
6365 struct sun4v_error_entry {
6366 @@ -1963,9 +1974,9 @@ void sun4v_itlb_error_report(struct pt_r
6367
6368 printk(KERN_EMERG "SUN4V-ITLB: Error at TPC[%lx], tl %d\n",
6369 regs->tpc, tl);
6370 - printk(KERN_EMERG "SUN4V-ITLB: TPC<%pS>\n", (void *) regs->tpc);
6371 + printk(KERN_EMERG "SUN4V-ITLB: TPC<%pA>\n", (void *) regs->tpc);
6372 printk(KERN_EMERG "SUN4V-ITLB: O7[%lx]\n", regs->u_regs[UREG_I7]);
6373 - printk(KERN_EMERG "SUN4V-ITLB: O7<%pS>\n",
6374 + printk(KERN_EMERG "SUN4V-ITLB: O7<%pA>\n",
6375 (void *) regs->u_regs[UREG_I7]);
6376 printk(KERN_EMERG "SUN4V-ITLB: vaddr[%lx] ctx[%lx] "
6377 "pte[%lx] error[%lx]\n",
6378 @@ -1987,9 +1998,9 @@ void sun4v_dtlb_error_report(struct pt_r
6379
6380 printk(KERN_EMERG "SUN4V-DTLB: Error at TPC[%lx], tl %d\n",
6381 regs->tpc, tl);
6382 - printk(KERN_EMERG "SUN4V-DTLB: TPC<%pS>\n", (void *) regs->tpc);
6383 + printk(KERN_EMERG "SUN4V-DTLB: TPC<%pA>\n", (void *) regs->tpc);
6384 printk(KERN_EMERG "SUN4V-DTLB: O7[%lx]\n", regs->u_regs[UREG_I7]);
6385 - printk(KERN_EMERG "SUN4V-DTLB: O7<%pS>\n",
6386 + printk(KERN_EMERG "SUN4V-DTLB: O7<%pA>\n",
6387 (void *) regs->u_regs[UREG_I7]);
6388 printk(KERN_EMERG "SUN4V-DTLB: vaddr[%lx] ctx[%lx] "
6389 "pte[%lx] error[%lx]\n",
6390 @@ -2195,13 +2206,13 @@ void show_stack(struct task_struct *tsk,
6391 fp = (unsigned long)sf->fp + STACK_BIAS;
6392 }
6393
6394 - printk(" [%016lx] %pS\n", pc, (void *) pc);
6395 + printk(" [%016lx] %pA\n", pc, (void *) pc);
6396 #ifdef CONFIG_FUNCTION_GRAPH_TRACER
6397 if ((pc + 8UL) == (unsigned long) &return_to_handler) {
6398 int index = tsk->curr_ret_stack;
6399 if (tsk->ret_stack && index >= graph) {
6400 pc = tsk->ret_stack[index - graph].ret;
6401 - printk(" [%016lx] %pS\n", pc, (void *) pc);
6402 + printk(" [%016lx] %pA\n", pc, (void *) pc);
6403 graph++;
6404 }
6405 }
6406 @@ -2226,6 +2237,8 @@ static inline struct reg_window *kernel_
6407 return (struct reg_window *) (fp + STACK_BIAS);
6408 }
6409
6410 +extern void gr_handle_kernel_exploit(void);
6411 +
6412 void die_if_kernel(char *str, struct pt_regs *regs)
6413 {
6414 static int die_counter;
6415 @@ -2254,7 +2267,7 @@ void die_if_kernel(char *str, struct pt_
6416 while (rw &&
6417 count++ < 30 &&
6418 kstack_valid(tp, (unsigned long) rw)) {
6419 - printk("Caller[%016lx]: %pS\n", rw->ins[7],
6420 + printk("Caller[%016lx]: %pA\n", rw->ins[7],
6421 (void *) rw->ins[7]);
6422
6423 rw = kernel_stack_up(rw);
6424 @@ -2267,8 +2280,10 @@ void die_if_kernel(char *str, struct pt_
6425 }
6426 user_instruction_dump ((unsigned int __user *) regs->tpc);
6427 }
6428 - if (regs->tstate & TSTATE_PRIV)
6429 + if (regs->tstate & TSTATE_PRIV) {
6430 + gr_handle_kernel_exploit();
6431 do_exit(SIGKILL);
6432 + }
6433 do_exit(SIGSEGV);
6434 }
6435 EXPORT_SYMBOL(die_if_kernel);
6436 diff -urNp linux-2.6.39.3/arch/sparc/kernel/unaligned_64.c linux-2.6.39.3/arch/sparc/kernel/unaligned_64.c
6437 --- linux-2.6.39.3/arch/sparc/kernel/unaligned_64.c 2011-05-19 00:06:34.000000000 -0400
6438 +++ linux-2.6.39.3/arch/sparc/kernel/unaligned_64.c 2011-05-22 19:41:32.000000000 -0400
6439 @@ -278,7 +278,7 @@ static void log_unaligned(struct pt_regs
6440 static DEFINE_RATELIMIT_STATE(ratelimit, 5 * HZ, 5);
6441
6442 if (__ratelimit(&ratelimit)) {
6443 - printk("Kernel unaligned access at TPC[%lx] %pS\n",
6444 + printk("Kernel unaligned access at TPC[%lx] %pA\n",
6445 regs->tpc, (void *) regs->tpc);
6446 }
6447 }
6448 diff -urNp linux-2.6.39.3/arch/sparc/lib/atomic_64.S linux-2.6.39.3/arch/sparc/lib/atomic_64.S
6449 --- linux-2.6.39.3/arch/sparc/lib/atomic_64.S 2011-05-19 00:06:34.000000000 -0400
6450 +++ linux-2.6.39.3/arch/sparc/lib/atomic_64.S 2011-05-22 19:36:30.000000000 -0400
6451 @@ -18,7 +18,12 @@
6452 atomic_add: /* %o0 = increment, %o1 = atomic_ptr */
6453 BACKOFF_SETUP(%o2)
6454 1: lduw [%o1], %g1
6455 - add %g1, %o0, %g7
6456 + addcc %g1, %o0, %g7
6457 +
6458 +#ifdef CONFIG_PAX_REFCOUNT
6459 + tvs %icc, 6
6460 +#endif
6461 +
6462 cas [%o1], %g1, %g7
6463 cmp %g1, %g7
6464 bne,pn %icc, BACKOFF_LABEL(2f, 1b)
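Review bot: The overflow check added to atomic_add carries no comment on the ordering it relies on: `tvs %icc, 6` sits between `addcc` and `cas`, so a signed overflow traps before the wrapped sum can be stored. Suggest `/* trap on signed overflow before the cas publishes the sum */` above the `#ifdef`. The change from `add` to `addcc` is outside the `#ifdef`, so the condition codes are now set even with CONFIG_PAX_REFCOUNT disabled. That appears harmless because the later `cmp` overwrites them, but the instruction choice could sit inside the conditional as well. The same pattern repeats in atomic_sub, atomic_add_ret, atomic_sub_ret and the atomic64 routines in the following hunks.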
6465 @@ -28,12 +33,32 @@ atomic_add: /* %o0 = increment, %o1 = at
6466 2: BACKOFF_SPIN(%o2, %o3, 1b)
6467 .size atomic_add, .-atomic_add
6468
6469 + .globl atomic_add_unchecked
6470 + .type atomic_add_unchecked,#function
6471 +atomic_add_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
6472 + BACKOFF_SETUP(%o2)
6473 +1: lduw [%o1], %g1
6474 + add %g1, %o0, %g7
6475 + cas [%o1], %g1, %g7
6476 + cmp %g1, %g7
6477 + bne,pn %icc, 2f
6478 + nop
6479 + retl
6480 + nop
6481 +2: BACKOFF_SPIN(%o2, %o3, 1b)
6482 + .size atomic_add_unchecked, .-atomic_add_unchecked
6483 +
6484 .globl atomic_sub
6485 .type atomic_sub,#function
6486 atomic_sub: /* %o0 = decrement, %o1 = atomic_ptr */
6487 BACKOFF_SETUP(%o2)
6488 1: lduw [%o1], %g1
6489 - sub %g1, %o0, %g7
6490 + subcc %g1, %o0, %g7
6491 +
6492 +#ifdef CONFIG_PAX_REFCOUNT
6493 + tvs %icc, 6
6494 +#endif
6495 +
6496 cas [%o1], %g1, %g7
6497 cmp %g1, %g7
6498 bne,pn %icc, BACKOFF_LABEL(2f, 1b)
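Review bot: atomic_add_unchecked branches with `bne,pn %icc, 2f`, while every checked routine in this file uses `bne,pn %icc, BACKOFF_LABEL(2f, 1b)`. The definitions of BACKOFF_LABEL and BACKOFF_SPIN are not part of this section; if they expand differently on non-SMP builds, the bare `2f` may reach a label with no retry code behind it instead of looping back to `1b`. Writing `bne,pn %icc, BACKOFF_LABEL(2f, 1b)` here keeps the copy identical in control flow to the routine it was derived from. The same applies to atomic_sub_unchecked, atomic_add_ret_unchecked, atomic64_add_unchecked, atomic64_sub_unchecked and atomic64_add_ret_unchecked in the later hunks (with `%xcc` in the 64-bit ones).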
6499 @@ -43,12 +68,32 @@ atomic_sub: /* %o0 = decrement, %o1 = at
6500 2: BACKOFF_SPIN(%o2, %o3, 1b)
6501 .size atomic_sub, .-atomic_sub
6502
6503 + .globl atomic_sub_unchecked
6504 + .type atomic_sub_unchecked,#function
6505 +atomic_sub_unchecked: /* %o0 = decrement, %o1 = atomic_ptr */
6506 + BACKOFF_SETUP(%o2)
6507 +1: lduw [%o1], %g1
6508 + sub %g1, %o0, %g7
6509 + cas [%o1], %g1, %g7
6510 + cmp %g1, %g7
6511 + bne,pn %icc, 2f
6512 + nop
6513 + retl
6514 + nop
6515 +2: BACKOFF_SPIN(%o2, %o3, 1b)
6516 + .size atomic_sub_unchecked, .-atomic_sub_unchecked
6517 +
6518 .globl atomic_add_ret
6519 .type atomic_add_ret,#function
6520 atomic_add_ret: /* %o0 = increment, %o1 = atomic_ptr */
6521 BACKOFF_SETUP(%o2)
6522 1: lduw [%o1], %g1
6523 - add %g1, %o0, %g7
6524 + addcc %g1, %o0, %g7
6525 +
6526 +#ifdef CONFIG_PAX_REFCOUNT
6527 + tvs %icc, 6
6528 +#endif
6529 +
6530 cas [%o1], %g1, %g7
6531 cmp %g1, %g7
6532 bne,pn %icc, BACKOFF_LABEL(2f, 1b)
6533 @@ -58,12 +103,33 @@ atomic_add_ret: /* %o0 = increment, %o1
6534 2: BACKOFF_SPIN(%o2, %o3, 1b)
6535 .size atomic_add_ret, .-atomic_add_ret
6536
6537 + .globl atomic_add_ret_unchecked
6538 + .type atomic_add_ret_unchecked,#function
6539 +atomic_add_ret_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
6540 + BACKOFF_SETUP(%o2)
6541 +1: lduw [%o1], %g1
6542 + addcc %g1, %o0, %g7
6543 + cas [%o1], %g1, %g7
6544 + cmp %g1, %g7
6545 + bne,pn %icc, 2f
6546 + add %g7, %o0, %g7
6547 + sra %g7, 0, %o0
6548 + retl
6549 + nop
6550 +2: BACKOFF_SPIN(%o2, %o3, 1b)
6551 + .size atomic_add_ret_unchecked, .-atomic_add_ret_unchecked
6552 +
6553 .globl atomic_sub_ret
6554 .type atomic_sub_ret,#function
6555 atomic_sub_ret: /* %o0 = decrement, %o1 = atomic_ptr */
6556 BACKOFF_SETUP(%o2)
6557 1: lduw [%o1], %g1
6558 - sub %g1, %o0, %g7
6559 + subcc %g1, %o0, %g7
6560 +
6561 +#ifdef CONFIG_PAX_REFCOUNT
6562 + tvs %icc, 6
6563 +#endif
6564 +
6565 cas [%o1], %g1, %g7
6566 cmp %g1, %g7
6567 bne,pn %icc, BACKOFF_LABEL(2f, 1b)
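Review bot: atomic_add_ret_unchecked uses `addcc` although nothing in the unchecked path reads the flags before `cmp` overwrites them; atomic_add_unchecked in the earlier hunk uses plain `add`. Using `add %g1, %o0, %g7` here would make the unchecked routines consistent and make it obvious that no overflow test is intended. The atomic64_*_unchecked routines added in later hunks have the same `addcc`/`subcc` leftovers.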
6568 @@ -78,7 +144,12 @@ atomic_sub_ret: /* %o0 = decrement, %o1
6569 atomic64_add: /* %o0 = increment, %o1 = atomic_ptr */
6570 BACKOFF_SETUP(%o2)
6571 1: ldx [%o1], %g1
6572 - add %g1, %o0, %g7
6573 + addcc %g1, %o0, %g7
6574 +
6575 +#ifdef CONFIG_PAX_REFCOUNT
6576 + tvs %xcc, 6
6577 +#endif
6578 +
6579 casx [%o1], %g1, %g7
6580 cmp %g1, %g7
6581 bne,pn %xcc, BACKOFF_LABEL(2f, 1b)
6582 @@ -88,12 +159,32 @@ atomic64_add: /* %o0 = increment, %o1 =
6583 2: BACKOFF_SPIN(%o2, %o3, 1b)
6584 .size atomic64_add, .-atomic64_add
6585
6586 + .globl atomic64_add_unchecked
6587 + .type atomic64_add_unchecked,#function
6588 +atomic64_add_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
6589 + BACKOFF_SETUP(%o2)
6590 +1: ldx [%o1], %g1
6591 + addcc %g1, %o0, %g7
6592 + casx [%o1], %g1, %g7
6593 + cmp %g1, %g7
6594 + bne,pn %xcc, 2f
6595 + nop
6596 + retl
6597 + nop
6598 +2: BACKOFF_SPIN(%o2, %o3, 1b)
6599 + .size atomic64_add_unchecked, .-atomic64_add_unchecked
6600 +
6601 .globl atomic64_sub
6602 .type atomic64_sub,#function
6603 atomic64_sub: /* %o0 = decrement, %o1 = atomic_ptr */
6604 BACKOFF_SETUP(%o2)
6605 1: ldx [%o1], %g1
6606 - sub %g1, %o0, %g7
6607 + subcc %g1, %o0, %g7
6608 +
6609 +#ifdef CONFIG_PAX_REFCOUNT
6610 + tvs %xcc, 6
6611 +#endif
6612 +
6613 casx [%o1], %g1, %g7
6614 cmp %g1, %g7
6615 bne,pn %xcc, BACKOFF_LABEL(2f, 1b)
6616 @@ -103,12 +194,32 @@ atomic64_sub: /* %o0 = decrement, %o1 =
6617 2: BACKOFF_SPIN(%o2, %o3, 1b)
6618 .size atomic64_sub, .-atomic64_sub
6619
6620 + .globl atomic64_sub_unchecked
6621 + .type atomic64_sub_unchecked,#function
6622 +atomic64_sub_unchecked: /* %o0 = decrement, %o1 = atomic_ptr */
6623 + BACKOFF_SETUP(%o2)
6624 +1: ldx [%o1], %g1
6625 + subcc %g1, %o0, %g7
6626 + casx [%o1], %g1, %g7
6627 + cmp %g1, %g7
6628 + bne,pn %xcc, 2f
6629 + nop
6630 + retl
6631 + nop
6632 +2: BACKOFF_SPIN(%o2, %o3, 1b)
6633 + .size atomic64_sub_unchecked, .-atomic64_sub_unchecked
6634 +
6635 .globl atomic64_add_ret
6636 .type atomic64_add_ret,#function
6637 atomic64_add_ret: /* %o0 = increment, %o1 = atomic_ptr */
6638 BACKOFF_SETUP(%o2)
6639 1: ldx [%o1], %g1
6640 - add %g1, %o0, %g7
6641 + addcc %g1, %o0, %g7
6642 +
6643 +#ifdef CONFIG_PAX_REFCOUNT
6644 + tvs %xcc, 6
6645 +#endif
6646 +
6647 casx [%o1], %g1, %g7
6648 cmp %g1, %g7
6649 bne,pn %xcc, BACKOFF_LABEL(2f, 1b)
6650 @@ -118,12 +229,33 @@ atomic64_add_ret: /* %o0 = increment, %o
6651 2: BACKOFF_SPIN(%o2, %o3, 1b)
6652 .size atomic64_add_ret, .-atomic64_add_ret
6653
6654 + .globl atomic64_add_ret_unchecked
6655 + .type atomic64_add_ret_unchecked,#function
6656 +atomic64_add_ret_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
6657 + BACKOFF_SETUP(%o2)
6658 +1: ldx [%o1], %g1
6659 + addcc %g1, %o0, %g7
6660 + casx [%o1], %g1, %g7
6661 + cmp %g1, %g7
6662 + bne,pn %xcc, 2f
6663 + add %g7, %o0, %g7
6664 + mov %g7, %o0
6665 + retl
6666 + nop
6667 +2: BACKOFF_SPIN(%o2, %o3, 1b)
6668 + .size atomic64_add_ret_unchecked, .-atomic64_add_ret_unchecked
6669 +
6670 .globl atomic64_sub_ret
6671 .type atomic64_sub_ret,#function
6672 atomic64_sub_ret: /* %o0 = decrement, %o1 = atomic_ptr */
6673 BACKOFF_SETUP(%o2)
6674 1: ldx [%o1], %g1
6675 - sub %g1, %o0, %g7
6676 + subcc %g1, %o0, %g7
6677 +
6678 +#ifdef CONFIG_PAX_REFCOUNT
6679 + tvs %xcc, 6
6680 +#endif
6681 +
6682 casx [%o1], %g1, %g7
6683 cmp %g1, %g7
6684 bne,pn %xcc, BACKOFF_LABEL(2f, 1b)
6685 diff -urNp linux-2.6.39.3/arch/sparc/lib/ksyms.c linux-2.6.39.3/arch/sparc/lib/ksyms.c
6686 --- linux-2.6.39.3/arch/sparc/lib/ksyms.c 2011-05-19 00:06:34.000000000 -0400
6687 +++ linux-2.6.39.3/arch/sparc/lib/ksyms.c 2011-05-22 19:36:30.000000000 -0400
6688 @@ -142,12 +142,17 @@ EXPORT_SYMBOL(__downgrade_write);
6689
6690 /* Atomic counter implementation. */
6691 EXPORT_SYMBOL(atomic_add);
6692 +EXPORT_SYMBOL(atomic_add_unchecked);
6693 EXPORT_SYMBOL(atomic_add_ret);
6694 EXPORT_SYMBOL(atomic_sub);
6695 +EXPORT_SYMBOL(atomic_sub_unchecked);
6696 EXPORT_SYMBOL(atomic_sub_ret);
6697 EXPORT_SYMBOL(atomic64_add);
6698 +EXPORT_SYMBOL(atomic64_add_unchecked);
6699 EXPORT_SYMBOL(atomic64_add_ret);
6700 +EXPORT_SYMBOL(atomic64_add_ret_unchecked);
6701 EXPORT_SYMBOL(atomic64_sub);
6702 +EXPORT_SYMBOL(atomic64_sub_unchecked);
6703 EXPORT_SYMBOL(atomic64_sub_ret);
6704
6705 /* Atomic bit operations. */
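Review bot: atomic_add_ret_unchecked is defined with `.globl` in arch/sparc/lib/atomic_64.S by this patch but gets no `EXPORT_SYMBOL` here, although its 64-bit counterpart atomic64_add_ret_unchecked does. If modular code reaches it through a header wrapper, the module would fail to resolve the symbol at load time. Add `EXPORT_SYMBOL(atomic_add_ret_unchecked);` after `EXPORT_SYMBOL(atomic_add_ret);`, or add a comment noting that the routine is for built-in callers only.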
6706 diff -urNp linux-2.6.39.3/arch/sparc/lib/Makefile linux-2.6.39.3/arch/sparc/lib/Makefile
6707 --- linux-2.6.39.3/arch/sparc/lib/Makefile 2011-05-19 00:06:34.000000000 -0400
6708 +++ linux-2.6.39.3/arch/sparc/lib/Makefile 2011-05-22 19:36:30.000000000 -0400
6709 @@ -2,7 +2,7 @@
6710 #
6711
6712 asflags-y := -ansi -DST_DIV0=0x02
6713 -ccflags-y := -Werror
6714 +#ccflags-y := -Werror
6715
6716 lib-$(CONFIG_SPARC32) += mul.o rem.o sdiv.o udiv.o umul.o urem.o ashrdi3.o
6717 lib-$(CONFIG_SPARC32) += memcpy.o memset.o
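Review bot: `-Werror` is switched off by commenting the line out, with no note on which warnings in arch/sparc/lib made that necessary. This silences every future warning in the directory, not only the ones that motivated the change. Either fix the offending warnings and keep the flag, or delete the line and record the reason, e.g. `# -Werror dropped: <reason>`.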
6718 diff -urNp linux-2.6.39.3/arch/sparc/Makefile linux-2.6.39.3/arch/sparc/Makefile
6719 --- linux-2.6.39.3/arch/sparc/Makefile 2011-05-19 00:06:34.000000000 -0400
6720 +++ linux-2.6.39.3/arch/sparc/Makefile 2011-05-22 19:41:32.000000000 -0400
6721 @@ -75,7 +75,7 @@ drivers-$(CONFIG_OPROFILE) += arch/sparc
6722 # Export what is needed by arch/sparc/boot/Makefile
6723 export VMLINUX_INIT VMLINUX_MAIN
6724 VMLINUX_INIT := $(head-y) $(init-y)
6725 -VMLINUX_MAIN := $(core-y) kernel/ mm/ fs/ ipc/ security/ crypto/ block/
6726 +VMLINUX_MAIN := $(core-y) kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
6727 VMLINUX_MAIN += $(patsubst %/, %/lib.a, $(libs-y)) $(libs-y)
6728 VMLINUX_MAIN += $(drivers-y) $(net-y)
6729
6730 diff -urNp linux-2.6.39.3/arch/sparc/mm/fault_32.c linux-2.6.39.3/arch/sparc/mm/fault_32.c
6731 --- linux-2.6.39.3/arch/sparc/mm/fault_32.c 2011-05-19 00:06:34.000000000 -0400
6732 +++ linux-2.6.39.3/arch/sparc/mm/fault_32.c 2011-05-22 19:36:30.000000000 -0400
6733 @@ -22,6 +22,9 @@
6734 #include <linux/interrupt.h>
6735 #include <linux/module.h>
6736 #include <linux/kdebug.h>
6737 +#include <linux/slab.h>
6738 +#include <linux/pagemap.h>
6739 +#include <linux/compiler.h>
6740
6741 #include <asm/system.h>
6742 #include <asm/page.h>
6743 @@ -209,6 +212,268 @@ static unsigned long compute_si_addr(str
6744 return safe_compute_effective_address(regs, insn);
6745 }
6746
6747 +#ifdef CONFIG_PAX_PAGEEXEC
6748 +#ifdef CONFIG_PAX_DLRESOLVE
6749 +static void pax_emuplt_close(struct vm_area_struct *vma)
6750 +{
6751 + vma->vm_mm->call_dl_resolve = 0UL;
6752 +}
6753 +
6754 +static int pax_emuplt_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
6755 +{
6756 + unsigned int *kaddr;
6757 +
6758 + vmf->page = alloc_page(GFP_HIGHUSER);
6759 + if (!vmf->page)
6760 + return VM_FAULT_OOM;
6761 +
6762 + kaddr = kmap(vmf->page);
6763 + memset(kaddr, 0, PAGE_SIZE);
6764 + kaddr[0] = 0x9DE3BFA8U; /* save */
6765 + flush_dcache_page(vmf->page);
6766 + kunmap(vmf->page);
6767 + return VM_FAULT_MAJOR;
6768 +}
6769 +
6770 +static const struct vm_operations_struct pax_vm_ops = {
6771 + .close = pax_emuplt_close,
6772 + .fault = pax_emuplt_fault
6773 +};
6774 +
6775 +static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
6776 +{
6777 + int ret;
6778 +
6779 + INIT_LIST_HEAD(&vma->anon_vma_chain);
6780 + vma->vm_mm = current->mm;
6781 + vma->vm_start = addr;
6782 + vma->vm_end = addr + PAGE_SIZE;
6783 + vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC;
6784 + vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
6785 + vma->vm_ops = &pax_vm_ops;
6786 +
6787 + ret = insert_vm_struct(current->mm, vma);
6788 + if (ret)
6789 + return ret;
6790 +
6791 + ++current->mm->total_vm;
6792 + return 0;
6793 +}
6794 +#endif
6795 +
6796 +/*
6797 + * PaX: decide what to do with offenders (regs->pc = fault address)
6798 + *
6799 + * returns 1 when task should be killed
6800 + * 2 when patched PLT trampoline was detected
6801 + * 3 when unpatched PLT trampoline was detected
6802 + */
6803 +static int pax_handle_fetch_fault(struct pt_regs *regs)
6804 +{
6805 +
6806 +#ifdef CONFIG_PAX_EMUPLT
6807 + int err;
6808 +
6809 + do { /* PaX: patched PLT emulation #1 */
6810 + unsigned int sethi1, sethi2, jmpl;
6811 +
6812 + err = get_user(sethi1, (unsigned int *)regs->pc);
6813 + err |= get_user(sethi2, (unsigned int *)(regs->pc+4));
6814 + err |= get_user(jmpl, (unsigned int *)(regs->pc+8));
6815 +
6816 + if (err)
6817 + break;
6818 +
6819 + if ((sethi1 & 0xFFC00000U) == 0x03000000U &&
6820 + (sethi2 & 0xFFC00000U) == 0x03000000U &&
6821 + (jmpl & 0xFFFFE000U) == 0x81C06000U)
6822 + {
6823 + unsigned int addr;
6824 +
6825 + regs->u_regs[UREG_G1] = (sethi2 & 0x003FFFFFU) << 10;
6826 + addr = regs->u_regs[UREG_G1];
6827 + addr += (((jmpl | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
6828 + regs->pc = addr;
6829 + regs->npc = addr+4;
6830 + return 2;
6831 + }
6832 + } while (0);
6833 +
6834 + { /* PaX: patched PLT emulation #2 */
6835 + unsigned int ba;
6836 +
6837 + err = get_user(ba, (unsigned int *)regs->pc);
6838 +
6839 + if (!err && (ba & 0xFFC00000U) == 0x30800000U) {
6840 + unsigned int addr;
6841 +
6842 + addr = regs->pc + ((((ba | 0xFFC00000U) ^ 0x00200000U) + 0x00200000U) << 2);
6843 + regs->pc = addr;
6844 + regs->npc = addr+4;
6845 + return 2;
6846 + }
6847 + }
6848 +
6849 + do { /* PaX: patched PLT emulation #3 */
6850 + unsigned int sethi, jmpl, nop;
6851 +
6852 + err = get_user(sethi, (unsigned int *)regs->pc);
6853 + err |= get_user(jmpl, (unsigned int *)(regs->pc+4));
6854 + err |= get_user(nop, (unsigned int *)(regs->pc+8));
6855 +
6856 + if (err)
6857 + break;
6858 +
6859 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
6860 + (jmpl & 0xFFFFE000U) == 0x81C06000U &&
6861 + nop == 0x01000000U)
6862 + {
6863 + unsigned int addr;
6864 +
6865 + addr = (sethi & 0x003FFFFFU) << 10;
6866 + regs->u_regs[UREG_G1] = addr;
6867 + addr += (((jmpl | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
6868 + regs->pc = addr;
6869 + regs->npc = addr+4;
6870 + return 2;
6871 + }
6872 + } while (0);
6873 +
6874 + do { /* PaX: unpatched PLT emulation step 1 */
6875 + unsigned int sethi, ba, nop;
6876 +
6877 + err = get_user(sethi, (unsigned int *)regs->pc);
6878 + err |= get_user(ba, (unsigned int *)(regs->pc+4));
6879 + err |= get_user(nop, (unsigned int *)(regs->pc+8));
6880 +
6881 + if (err)
6882 + break;
6883 +
6884 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
6885 + ((ba & 0xFFC00000U) == 0x30800000U || (ba & 0xFFF80000U) == 0x30680000U) &&
6886 + nop == 0x01000000U)
6887 + {
6888 + unsigned int addr, save, call;
6889 +
6890 + if ((ba & 0xFFC00000U) == 0x30800000U)
6891 + addr = regs->pc + 4 + ((((ba | 0xFFC00000U) ^ 0x00200000U) + 0x00200000U) << 2);
6892 + else
6893 + addr = regs->pc + 4 + ((((ba | 0xFFF80000U) ^ 0x00040000U) + 0x00040000U) << 2);
6894 +
6895 + err = get_user(save, (unsigned int *)addr);
6896 + err |= get_user(call, (unsigned int *)(addr+4));
6897 + err |= get_user(nop, (unsigned int *)(addr+8));
6898 + if (err)
6899 + break;
6900 +
6901 +#ifdef CONFIG_PAX_DLRESOLVE
6902 + if (save == 0x9DE3BFA8U &&
6903 + (call & 0xC0000000U) == 0x40000000U &&
6904 + nop == 0x01000000U)
6905 + {
6906 + struct vm_area_struct *vma;
6907 + unsigned long call_dl_resolve;
6908 +
6909 + down_read(&current->mm->mmap_sem);
6910 + call_dl_resolve = current->mm->call_dl_resolve;
6911 + up_read(&current->mm->mmap_sem);
6912 + if (likely(call_dl_resolve))
6913 + goto emulate;
6914 +
6915 + vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
6916 +
6917 + down_write(&current->mm->mmap_sem);
6918 + if (current->mm->call_dl_resolve) {
6919 + call_dl_resolve = current->mm->call_dl_resolve;
6920 + up_write(&current->mm->mmap_sem);
6921 + if (vma)
6922 + kmem_cache_free(vm_area_cachep, vma);
6923 + goto emulate;
6924 + }
6925 +
6926 + call_dl_resolve = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
6927 + if (!vma || (call_dl_resolve & ~PAGE_MASK)) {
6928 + up_write(&current->mm->mmap_sem);
6929 + if (vma)
6930 + kmem_cache_free(vm_area_cachep, vma);
6931 + return 1;
6932 + }
6933 +
6934 + if (pax_insert_vma(vma, call_dl_resolve)) {
6935 + up_write(&current->mm->mmap_sem);
6936 + kmem_cache_free(vm_area_cachep, vma);
6937 + return 1;
6938 + }
6939 +
6940 + current->mm->call_dl_resolve = call_dl_resolve;
6941 + up_write(&current->mm->mmap_sem);
6942 +
6943 +emulate:
6944 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
6945 + regs->pc = call_dl_resolve;
6946 + regs->npc = addr+4;
6947 + return 3;
6948 + }
6949 +#endif
6950 +
6951 + /* PaX: glibc 2.4+ generates sethi/jmpl instead of save/call */
6952 + if ((save & 0xFFC00000U) == 0x05000000U &&
6953 + (call & 0xFFFFE000U) == 0x85C0A000U &&
6954 + nop == 0x01000000U)
6955 + {
6956 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
6957 + regs->u_regs[UREG_G2] = addr + 4;
6958 + addr = (save & 0x003FFFFFU) << 10;
6959 + addr += (((call | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
6960 + regs->pc = addr;
6961 + regs->npc = addr+4;
6962 + return 3;
6963 + }
6964 + }
6965 + } while (0);
6966 +
6967 + do { /* PaX: unpatched PLT emulation step 2 */
6968 + unsigned int save, call, nop;
6969 +
6970 + err = get_user(save, (unsigned int *)(regs->pc-4));
6971 + err |= get_user(call, (unsigned int *)regs->pc);
6972 + err |= get_user(nop, (unsigned int *)(regs->pc+4));
6973 + if (err)
6974 + break;
6975 +
6976 + if (save == 0x9DE3BFA8U &&
6977 + (call & 0xC0000000U) == 0x40000000U &&
6978 + nop == 0x01000000U)
6979 + {
6980 + unsigned int dl_resolve = regs->pc + ((((call | 0xC0000000U) ^ 0x20000000U) + 0x20000000U) << 2);
6981 +
6982 + regs->u_regs[UREG_RETPC] = regs->pc;
6983 + regs->pc = dl_resolve;
6984 + regs->npc = dl_resolve+4;
6985 + return 3;
6986 + }
6987 + } while (0);
6988 +#endif
6989 +
6990 + return 1;
6991 +}
6992 +
6993 +void pax_report_insns(void *pc, void *sp)
6994 +{
6995 + unsigned long i;
6996 +
6997 + printk(KERN_ERR "PAX: bytes at PC: ");
6998 + for (i = 0; i < 8; i++) {
6999 + unsigned int c;
7000 + if (get_user(c, (unsigned int *)pc+i))
7001 + printk(KERN_CONT "???????? ");
7002 + else
7003 + printk(KERN_CONT "%08x ", c);
7004 + }
7005 + printk("\n");
7006 +}
7007 +#endif
7008 +
7009 static noinline void do_fault_siginfo(int code, int sig, struct pt_regs *regs,
7010 int text_fault)
7011 {
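Review bot: pax_handle_fetch_fault() rewrites regs->pc and regs->npc purely from instruction words fetched with get_user() at the faulting address; nothing in this hunk checks that the address belongs to a PLT. The header comment should state that limitation, for example `* note: matching is by instruction pattern only; the fault address is not checked against the PLT`, so anyone enabling CONFIG_PAX_EMUPLT knows what the emulation accepts. The casts passed to get_user() are written `(unsigned int *)regs->pc` without `__user`, unlike the `(unsigned int __user *)` cast visible in traps_64.c; annotating them keeps static checking of user pointers meaningful. pax_report_insns() also never uses its `sp` argument and labels eight 32-bit words as "bytes".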
7012 @@ -281,6 +546,24 @@ good_area:
7013 if(!(vma->vm_flags & VM_WRITE))
7014 goto bad_area;
7015 } else {
7016 +
7017 +#ifdef CONFIG_PAX_PAGEEXEC
7018 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && text_fault && !(vma->vm_flags & VM_EXEC)) {
7019 + up_read(&mm->mmap_sem);
7020 + switch (pax_handle_fetch_fault(regs)) {
7021 +
7022 +#ifdef CONFIG_PAX_EMUPLT
7023 + case 2:
7024 + case 3:
7025 + return;
7026 +#endif
7027 +
7028 + }
7029 + pax_report_fault(regs, (void *)regs->pc, (void *)regs->u_regs[UREG_FP]);
7030 + do_group_exit(SIGKILL);
7031 + }
7032 +#endif
7033 +
7034 /* Allow reads even for write-only mappings */
7035 if(!(vma->vm_flags & (VM_READ | VM_EXEC)))
7036 goto bad_area;
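Review bot: The `switch` on pax_handle_fetch_fault() matches bare `2` and `3` and has no `default`, so the kill path for return value 1 is reached only by falling out of the switch, and with CONFIG_PAX_EMUPLT disabled the switch body is empty. An enum for the three results would let the labels and the header comment of pax_handle_fetch_fault() share one definition. The `up_read(&mm->mmap_sem)` before the call also deserves a comment such as `/* drop mmap_sem: pax_handle_fetch_fault() takes it itself */`, since the previous hunk shows that function acquiring the semaphore. The enclosing function starts and ends outside this hunk.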
7037 diff -urNp linux-2.6.39.3/arch/sparc/mm/fault_64.c linux-2.6.39.3/arch/sparc/mm/fault_64.c
7038 --- linux-2.6.39.3/arch/sparc/mm/fault_64.c 2011-05-19 00:06:34.000000000 -0400
7039 +++ linux-2.6.39.3/arch/sparc/mm/fault_64.c 2011-05-22 19:41:32.000000000 -0400
7040 @@ -21,6 +21,9 @@
7041 #include <linux/kprobes.h>
7042 #include <linux/kdebug.h>
7043 #include <linux/percpu.h>
7044 +#include <linux/slab.h>
7045 +#include <linux/pagemap.h>
7046 +#include <linux/compiler.h>
7047
7048 #include <asm/page.h>
7049 #include <asm/pgtable.h>
7050 @@ -74,7 +77,7 @@ static void __kprobes bad_kernel_pc(stru
7051 printk(KERN_CRIT "OOPS: Bogus kernel PC [%016lx] in fault handler\n",
7052 regs->tpc);
7053 printk(KERN_CRIT "OOPS: RPC [%016lx]\n", regs->u_regs[15]);
7054 - printk("OOPS: RPC <%pS>\n", (void *) regs->u_regs[15]);
7055 + printk("OOPS: RPC <%pA>\n", (void *) regs->u_regs[15]);
7056 printk(KERN_CRIT "OOPS: Fault was to vaddr[%lx]\n", vaddr);
7057 dump_stack();
7058 unhandled_fault(regs->tpc, current, regs);
7059 @@ -272,6 +275,457 @@ static void noinline __kprobes bogus_32b
7060 show_regs(regs);
7061 }
7062
7063 +#ifdef CONFIG_PAX_PAGEEXEC
7064 +#ifdef CONFIG_PAX_DLRESOLVE
7065 +static void pax_emuplt_close(struct vm_area_struct *vma)
7066 +{
7067 + vma->vm_mm->call_dl_resolve = 0UL;
7068 +}
7069 +
7070 +static int pax_emuplt_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
7071 +{
7072 + unsigned int *kaddr;
7073 +
7074 + vmf->page = alloc_page(GFP_HIGHUSER);
7075 + if (!vmf->page)
7076 + return VM_FAULT_OOM;
7077 +
7078 + kaddr = kmap(vmf->page);
7079 + memset(kaddr, 0, PAGE_SIZE);
7080 + kaddr[0] = 0x9DE3BFA8U; /* save */
7081 + flush_dcache_page(vmf->page);
7082 + kunmap(vmf->page);
7083 + return VM_FAULT_MAJOR;
7084 +}
7085 +
7086 +static const struct vm_operations_struct pax_vm_ops = {
7087 + .close = pax_emuplt_close,
7088 + .fault = pax_emuplt_fault
7089 +};
7090 +
7091 +static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
7092 +{
7093 + int ret;
7094 +
7095 + INIT_LIST_HEAD(&vma->anon_vma_chain);
7096 + vma->vm_mm = current->mm;
7097 + vma->vm_start = addr;
7098 + vma->vm_end = addr + PAGE_SIZE;
7099 + vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC;
7100 + vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
7101 + vma->vm_ops = &pax_vm_ops;
7102 +
7103 + ret = insert_vm_struct(current->mm, vma);
7104 + if (ret)
7105 + return ret;
7106 +
7107 + ++current->mm->total_vm;
7108 + return 0;
7109 +}
7110 +#endif
7111 +
7112 +/*
7113 + * PaX: decide what to do with offenders (regs->tpc = fault address)
7114 + *
7115 + * returns 1 when task should be killed
7116 + * 2 when patched PLT trampoline was detected
7117 + * 3 when unpatched PLT trampoline was detected
7118 + */
7119 +static int pax_handle_fetch_fault(struct pt_regs *regs)
7120 +{
7121 +
7122 +#ifdef CONFIG_PAX_EMUPLT
7123 + int err;
7124 +
7125 + do { /* PaX: patched PLT emulation #1 */
7126 + unsigned int sethi1, sethi2, jmpl;
7127 +
7128 + err = get_user(sethi1, (unsigned int *)regs->tpc);
7129 + err |= get_user(sethi2, (unsigned int *)(regs->tpc+4));
7130 + err |= get_user(jmpl, (unsigned int *)(regs->tpc+8));
7131 +
7132 + if (err)
7133 + break;
7134 +
7135 + if ((sethi1 & 0xFFC00000U) == 0x03000000U &&
7136 + (sethi2 & 0xFFC00000U) == 0x03000000U &&
7137 + (jmpl & 0xFFFFE000U) == 0x81C06000U)
7138 + {
7139 + unsigned long addr;
7140 +
7141 + regs->u_regs[UREG_G1] = (sethi2 & 0x003FFFFFU) << 10;
7142 + addr = regs->u_regs[UREG_G1];
7143 + addr += (((jmpl | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
7144 +
7145 + if (test_thread_flag(TIF_32BIT))
7146 + addr &= 0xFFFFFFFFUL;
7147 +
7148 + regs->tpc = addr;
7149 + regs->tnpc = addr+4;
7150 + return 2;
7151 + }
7152 + } while (0);
7153 +
7154 + { /* PaX: patched PLT emulation #2 */
7155 + unsigned int ba;
7156 +
7157 + err = get_user(ba, (unsigned int *)regs->tpc);
7158 +
7159 + if (!err && (ba & 0xFFC00000U) == 0x30800000U) {
7160 + unsigned long addr;
7161 +
7162 + addr = regs->tpc + ((((ba | 0xFFFFFFFFFFC00000UL) ^ 0x00200000UL) + 0x00200000UL) << 2);
7163 +
7164 + if (test_thread_flag(TIF_32BIT))
7165 + addr &= 0xFFFFFFFFUL;
7166 +
7167 + regs->tpc = addr;
7168 + regs->tnpc = addr+4;
7169 + return 2;
7170 + }
7171 + }
7172 +
7173 + do { /* PaX: patched PLT emulation #3 */
7174 + unsigned int sethi, jmpl, nop;
7175 +
7176 + err = get_user(sethi, (unsigned int *)regs->tpc);
7177 + err |= get_user(jmpl, (unsigned int *)(regs->tpc+4));
7178 + err |= get_user(nop, (unsigned int *)(regs->tpc+8));
7179 +
7180 + if (err)
7181 + break;
7182 +
7183 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
7184 + (jmpl & 0xFFFFE000U) == 0x81C06000U &&
7185 + nop == 0x01000000U)
7186 + {
7187 + unsigned long addr;
7188 +
7189 + addr = (sethi & 0x003FFFFFU) << 10;
7190 + regs->u_regs[UREG_G1] = addr;
7191 + addr += (((jmpl | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
7192 +
7193 + if (test_thread_flag(TIF_32BIT))
7194 + addr &= 0xFFFFFFFFUL;
7195 +
7196 + regs->tpc = addr;
7197 + regs->tnpc = addr+4;
7198 + return 2;
7199 + }
7200 + } while (0);
7201 +
7202 + do { /* PaX: patched PLT emulation #4 */
7203 + unsigned int sethi, mov1, call, mov2;
7204 +
7205 + err = get_user(sethi, (unsigned int *)regs->tpc);
7206 + err |= get_user(mov1, (unsigned int *)(regs->tpc+4));
7207 + err |= get_user(call, (unsigned int *)(regs->tpc+8));
7208 + err |= get_user(mov2, (unsigned int *)(regs->tpc+12));
7209 +
7210 + if (err)
7211 + break;
7212 +
7213 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
7214 + mov1 == 0x8210000FU &&
7215 + (call & 0xC0000000U) == 0x40000000U &&
7216 + mov2 == 0x9E100001U)
7217 + {
7218 + unsigned long addr;
7219 +
7220 + regs->u_regs[UREG_G1] = regs->u_regs[UREG_RETPC];
7221 + addr = regs->tpc + 4 + ((((call | 0xFFFFFFFFC0000000UL) ^ 0x20000000UL) + 0x20000000UL) << 2);
7222 +
7223 + if (test_thread_flag(TIF_32BIT))
7224 + addr &= 0xFFFFFFFFUL;
7225 +
7226 + regs->tpc = addr;
7227 + regs->tnpc = addr+4;
7228 + return 2;
7229 + }
7230 + } while (0);
7231 +
7232 + do { /* PaX: patched PLT emulation #5 */
7233 + unsigned int sethi, sethi1, sethi2, or1, or2, sllx, jmpl, nop;
7234 +
7235 + err = get_user(sethi, (unsigned int *)regs->tpc);
7236 + err |= get_user(sethi1, (unsigned int *)(regs->tpc+4));
7237 + err |= get_user(sethi2, (unsigned int *)(regs->tpc+8));
7238 + err |= get_user(or1, (unsigned int *)(regs->tpc+12));
7239 + err |= get_user(or2, (unsigned int *)(regs->tpc+16));
7240 + err |= get_user(sllx, (unsigned int *)(regs->tpc+20));
7241 + err |= get_user(jmpl, (unsigned int *)(regs->tpc+24));
7242 + err |= get_user(nop, (unsigned int *)(regs->tpc+28));
7243 +
7244 + if (err)
7245 + break;
7246 +
7247 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
7248 + (sethi1 & 0xFFC00000U) == 0x03000000U &&
7249 + (sethi2 & 0xFFC00000U) == 0x0B000000U &&
7250 + (or1 & 0xFFFFE000U) == 0x82106000U &&
7251 + (or2 & 0xFFFFE000U) == 0x8A116000U &&
7252 + sllx == 0x83287020U &&
7253 + jmpl == 0x81C04005U &&
7254 + nop == 0x01000000U)
7255 + {
7256 + unsigned long addr;
7257 +
7258 + regs->u_regs[UREG_G1] = ((sethi1 & 0x003FFFFFU) << 10) | (or1 & 0x000003FFU);
7259 + regs->u_regs[UREG_G1] <<= 32;
7260 + regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or2 & 0x000003FFU);
7261 + addr = regs->u_regs[UREG_G1] + regs->u_regs[UREG_G5];
7262 + regs->tpc = addr;
7263 + regs->tnpc = addr+4;
7264 + return 2;
7265 + }
7266 + } while (0);
7267 +
7268 + do { /* PaX: patched PLT emulation #6 */
7269 + unsigned int sethi, sethi1, sethi2, sllx, or, jmpl, nop;
7270 +
7271 + err = get_user(sethi, (unsigned int *)regs->tpc);
7272 + err |= get_user(sethi1, (unsigned int *)(regs->tpc+4));
7273 + err |= get_user(sethi2, (unsigned int *)(regs->tpc+8));
7274 + err |= get_user(sllx, (unsigned int *)(regs->tpc+12));
7275 + err |= get_user(or, (unsigned int *)(regs->tpc+16));
7276 + err |= get_user(jmpl, (unsigned int *)(regs->tpc+20));
7277 + err |= get_user(nop, (unsigned int *)(regs->tpc+24));
7278 +
7279 + if (err)
7280 + break;
7281 +
7282 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
7283 + (sethi1 & 0xFFC00000U) == 0x03000000U &&
7284 + (sethi2 & 0xFFC00000U) == 0x0B000000U &&
7285 + sllx == 0x83287020U &&
7286 + (or & 0xFFFFE000U) == 0x8A116000U &&
7287 + jmpl == 0x81C04005U &&
7288 + nop == 0x01000000U)
7289 + {
7290 + unsigned long addr;
7291 +
7292 + regs->u_regs[UREG_G1] = (sethi1 & 0x003FFFFFU) << 10;
7293 + regs->u_regs[UREG_G1] <<= 32;
7294 + regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or & 0x3FFU);
7295 + addr = regs->u_regs[UREG_G1] + regs->u_regs[UREG_G5];
7296 + regs->tpc = addr;
7297 + regs->tnpc = addr+4;
7298 + return 2;
7299 + }
7300 + } while (0);
7301 +
7302 + do { /* PaX: unpatched PLT emulation step 1 */
7303 + unsigned int sethi, ba, nop;
7304 +
7305 + err = get_user(sethi, (unsigned int *)regs->tpc);
7306 + err |= get_user(ba, (unsigned int *)(regs->tpc+4));
7307 + err |= get_user(nop, (unsigned int *)(regs->tpc+8));
7308 +
7309 + if (err)
7310 + break;
7311 +
7312 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
7313 + ((ba & 0xFFC00000U) == 0x30800000U || (ba & 0xFFF80000U) == 0x30680000U) &&
7314 + nop == 0x01000000U)
7315 + {
7316 + unsigned long addr;
7317 + unsigned int save, call;
7318 + unsigned int sethi1, sethi2, or1, or2, sllx, add, jmpl;
7319 +
7320 + if ((ba & 0xFFC00000U) == 0x30800000U)
7321 + addr = regs->tpc + 4 + ((((ba | 0xFFFFFFFFFFC00000UL) ^ 0x00200000UL) + 0x00200000UL) << 2);
7322 + else
7323 + addr = regs->tpc + 4 + ((((ba | 0xFFFFFFFFFFF80000UL) ^ 0x00040000UL) + 0x00040000UL) << 2);
7324 +
7325 + if (test_thread_flag(TIF_32BIT))
7326 + addr &= 0xFFFFFFFFUL;
7327 +
7328 + err = get_user(save, (unsigned int *)addr);
7329 + err |= get_user(call, (unsigned int *)(addr+4));
7330 + err |= get_user(nop, (unsigned int *)(addr+8));
7331 + if (err)
7332 + break;
7333 +
7334 +#ifdef CONFIG_PAX_DLRESOLVE
7335 + if (save == 0x9DE3BFA8U &&
7336 + (call & 0xC0000000U) == 0x40000000U &&
7337 + nop == 0x01000000U)
7338 + {
7339 + struct vm_area_struct *vma;
7340 + unsigned long call_dl_resolve;
7341 +
7342 + down_read(&current->mm->mmap_sem);
7343 + call_dl_resolve = current->mm->call_dl_resolve;
7344 + up_read(&current->mm->mmap_sem);
7345 + if (likely(call_dl_resolve))
7346 + goto emulate;
7347 +
7348 + vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
7349 +
7350 + down_write(&current->mm->mmap_sem);
7351 + if (current->mm->call_dl_resolve) {
7352 + call_dl_resolve = current->mm->call_dl_resolve;
7353 + up_write(&current->mm->mmap_sem);
7354 + if (vma)
7355 + kmem_cache_free(vm_area_cachep, vma);
7356 + goto emulate;
7357 + }
7358 +
7359 + call_dl_resolve = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
7360 + if (!vma || (call_dl_resolve & ~PAGE_MASK)) {
7361 + up_write(&current->mm->mmap_sem);
7362 + if (vma)
7363 + kmem_cache_free(vm_area_cachep, vma);
7364 + return 1;
7365 + }
7366 +
7367 + if (pax_insert_vma(vma, call_dl_resolve)) {
7368 + up_write(&current->mm->mmap_sem);
7369 + kmem_cache_free(vm_area_cachep, vma);
7370 + return 1;
7371 + }
7372 +
7373 + current->mm->call_dl_resolve = call_dl_resolve;
7374 + up_write(&current->mm->mmap_sem);
7375 +
7376 +emulate:
7377 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
7378 + regs->tpc = call_dl_resolve;
7379 + regs->tnpc = addr+4;
7380 + return 3;
7381 + }
7382 +#endif
7383 +
7384 + /* PaX: glibc 2.4+ generates sethi/jmpl instead of save/call */
7385 + if ((save & 0xFFC00000U) == 0x05000000U &&
7386 + (call & 0xFFFFE000U) == 0x85C0A000U &&
7387 + nop == 0x01000000U)
7388 + {
7389 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
7390 + regs->u_regs[UREG_G2] = addr + 4;
7391 + addr = (save & 0x003FFFFFU) << 10;
7392 + addr += (((call | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
7393 +
7394 + if (test_thread_flag(TIF_32BIT))
7395 + addr &= 0xFFFFFFFFUL;
7396 +
7397 + regs->tpc = addr;
7398 + regs->tnpc = addr+4;
7399 + return 3;
7400 + }
7401 +
7402 + /* PaX: 64-bit PLT stub */
7403 + err = get_user(sethi1, (unsigned int *)addr);
7404 + err |= get_user(sethi2, (unsigned int *)(addr+4));
7405 + err |= get_user(or1, (unsigned int *)(addr+8));
7406 + err |= get_user(or2, (unsigned int *)(addr+12));
7407 + err |= get_user(sllx, (unsigned int *)(addr+16));
7408 + err |= get_user(add, (unsigned int *)(addr+20));
7409 + err |= get_user(jmpl, (unsigned int *)(addr+24));
7410 + err |= get_user(nop, (unsigned int *)(addr+28));
7411 + if (err)
7412 + break;
7413 +
7414 + if ((sethi1 & 0xFFC00000U) == 0x09000000U &&
7415 + (sethi2 & 0xFFC00000U) == 0x0B000000U &&
7416 + (or1 & 0xFFFFE000U) == 0x88112000U &&
7417 + (or2 & 0xFFFFE000U) == 0x8A116000U &&
7418 + sllx == 0x89293020U &&
7419 + add == 0x8A010005U &&
7420 + jmpl == 0x89C14000U &&
7421 + nop == 0x01000000U)
7422 + {
7423 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
7424 + regs->u_regs[UREG_G4] = ((sethi1 & 0x003FFFFFU) << 10) | (or1 & 0x000003FFU);
7425 + regs->u_regs[UREG_G4] <<= 32;
7426 + regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or2 & 0x000003FFU);
7427 + regs->u_regs[UREG_G5] += regs->u_regs[UREG_G4];
7428 + regs->u_regs[UREG_G4] = addr + 24;
7429 + addr = regs->u_regs[UREG_G5];
7430 + regs->tpc = addr;
7431 + regs->tnpc = addr+4;
7432 + return 3;
7433 + }
7434 + }
7435 + } while (0);
7436 +
7437 +#ifdef CONFIG_PAX_DLRESOLVE
7438 + do { /* PaX: unpatched PLT emulation step 2 */
7439 + unsigned int save, call, nop;
7440 +
7441 + err = get_user(save, (unsigned int *)(regs->tpc-4));
7442 + err |= get_user(call, (unsigned int *)regs->tpc);
7443 + err |= get_user(nop, (unsigned int *)(regs->tpc+4));
7444 + if (err)
7445 + break;
7446 +
7447 + if (save == 0x9DE3BFA8U &&
7448 + (call & 0xC0000000U) == 0x40000000U &&
7449 + nop == 0x01000000U)
7450 + {
7451 + unsigned long dl_resolve = regs->tpc + ((((call | 0xFFFFFFFFC0000000UL) ^ 0x20000000UL) + 0x20000000UL) << 2);
7452 +
7453 + if (test_thread_flag(TIF_32BIT))
7454 + dl_resolve &= 0xFFFFFFFFUL;
7455 +
7456 + regs->u_regs[UREG_RETPC] = regs->tpc;
7457 + regs->tpc = dl_resolve;
7458 + regs->tnpc = dl_resolve+4;
7459 + return 3;
7460 + }
7461 + } while (0);
7462 +#endif
7463 +
7464 + do { /* PaX: patched PLT emulation #7, must be AFTER the unpatched PLT emulation */
7465 + unsigned int sethi, ba, nop;
7466 +
7467 + err = get_user(sethi, (unsigned int *)regs->tpc);
7468 + err |= get_user(ba, (unsigned int *)(regs->tpc+4));
7469 + err |= get_user(nop, (unsigned int *)(regs->tpc+8));
7470 +
7471 + if (err)
7472 + break;
7473 +
7474 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
7475 + (ba & 0xFFF00000U) == 0x30600000U &&
7476 + nop == 0x01000000U)
7477 + {
7478 + unsigned long addr;
7479 +
7480 + addr = (sethi & 0x003FFFFFU) << 10;
7481 + regs->u_regs[UREG_G1] = addr;
7482 + addr = regs->tpc + ((((ba | 0xFFFFFFFFFFF80000UL) ^ 0x00040000UL) + 0x00040000UL) << 2);
7483 +
7484 + if (test_thread_flag(TIF_32BIT))
7485 + addr &= 0xFFFFFFFFUL;
7486 +
7487 + regs->tpc = addr;
7488 + regs->tnpc = addr+4;
7489 + return 2;
7490 + }
7491 + } while (0);
7492 +
7493 +#endif
7494 +
7495 + return 1;
7496 +}
7497 +
7498 +void pax_report_insns(void *pc, void *sp)
7499 +{
7500 + unsigned long i;
7501 +
7502 + printk(KERN_ERR "PAX: bytes at PC: ");
7503 + for (i = 0; i < 8; i++) {
7504 + unsigned int c;
7505 + if (get_user(c, (unsigned int *)pc+i))
7506 + printk(KERN_CONT "???????? ");
7507 + else
7508 + printk(KERN_CONT "%08x ", c);
7509 + }
7510 + printk("\n");
7511 +}
7512 +#endif
7513 +
7514 asmlinkage void __kprobes do_sparc64_fault(struct pt_regs *regs)
7515 {
7516 struct mm_struct *mm = current->mm;
7517 @@ -340,6 +794,29 @@ asmlinkage void __kprobes do_sparc64_fau
7518 if (!vma)
7519 goto bad_area;
7520
7521 +#ifdef CONFIG_PAX_PAGEEXEC
7522 + /* PaX: detect ITLB misses on non-exec pages */
7523 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && vma->vm_start <= address &&
7524 + !(vma->vm_flags & VM_EXEC) && (fault_code & FAULT_CODE_ITLB))
7525 + {
7526 + if (address != regs->tpc)
7527 + goto good_area;
7528 +
7529 + up_read(&mm->mmap_sem);
7530 + switch (pax_handle_fetch_fault(regs)) {
7531 +
7532 +#ifdef CONFIG_PAX_EMUPLT
7533 + case 2:
7534 + case 3:
7535 + return;
7536 +#endif
7537 +
7538 + }
7539 + pax_report_fault(regs, (void *)regs->tpc, (void *)(regs->u_regs[UREG_FP] + STACK_BIAS));
7540 + do_group_exit(SIGKILL);
7541 + }
7542 +#endif
7543 +
7544 /* Pure DTLB misses do not tell us whether the fault causing
7545 * load/store/atomic was a write or not, it only says that there
7546 * was no match. So in such a case we (carefully) read the
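Review bot: The `switch (pax_handle_fetch_fault(regs))` in the added PAGEEXEC block matches the bare values `2` and `3` and has no `default`, so the meaning of the return codes is not stated anywhere near the call. With CONFIG_PAX_EMUPLT disabled the switch body is also empty. From the handler earlier in this file, 2 is returned after a patched PLT stub is emulated, 3 after an unpatched one, and 1 otherwise. I would add `/* 2, 3: PLT stub emulated, resume the task; anything else: report and kill */` above the switch and an explicit `default: break;`. The body of do_sparc64_fault continues outside this hunk.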
7547 diff -urNp linux-2.6.39.3/arch/sparc/mm/hugetlbpage.c linux-2.6.39.3/arch/sparc/mm/hugetlbpage.c
7548 --- linux-2.6.39.3/arch/sparc/mm/hugetlbpage.c 2011-05-19 00:06:34.000000000 -0400
7549 +++ linux-2.6.39.3/arch/sparc/mm/hugetlbpage.c 2011-05-22 19:36:30.000000000 -0400
7550 @@ -68,7 +68,7 @@ full_search:
7551 }
7552 return -ENOMEM;
7553 }
7554 - if (likely(!vma || addr + len <= vma->vm_start)) {
7555 + if (likely(check_heap_stack_gap(vma, addr, len))) {
7556 /*
7557 * Remember the place where we stopped the search:
7558 */
7559 @@ -107,7 +107,7 @@ hugetlb_get_unmapped_area_topdown(struct
7560 /* make sure it can fit in the remaining address space */
7561 if (likely(addr > len)) {
7562 vma = find_vma(mm, addr-len);
7563 - if (!vma || addr <= vma->vm_start) {
7564 + if (check_heap_stack_gap(vma, addr - len, len)) {
7565 /* remember the address as a hint for next time */
7566 return (mm->free_area_cache = addr-len);
7567 }
7568 @@ -116,16 +116,17 @@ hugetlb_get_unmapped_area_topdown(struct
7569 if (unlikely(mm->mmap_base < len))
7570 goto bottomup;
7571
7572 - addr = (mm->mmap_base-len) & HPAGE_MASK;
7573 + addr = mm->mmap_base - len;
7574
7575 do {
7576 + addr &= HPAGE_MASK;
7577 /*
7578 * Lookup failure means no vma is above this address,
7579 * else if new region fits below vma->vm_start,
7580 * return with success:
7581 */
7582 vma = find_vma(mm, addr);
7583 - if (likely(!vma || addr+len <= vma->vm_start)) {
7584 + if (likely(check_heap_stack_gap(vma, addr, len))) {
7585 /* remember the address as a hint for next time */
7586 return (mm->free_area_cache = addr);
7587 }
7588 @@ -135,8 +136,8 @@ hugetlb_get_unmapped_area_topdown(struct
7589 mm->cached_hole_size = vma->vm_start - addr;
7590
7591 /* try just below the current vma->vm_start */
7592 - addr = (vma->vm_start-len) & HPAGE_MASK;
7593 - } while (likely(len < vma->vm_start));
7594 + addr = skip_heap_stack_gap(vma, len);
7595 + } while (!IS_ERR_VALUE(addr));
7596
7597 bottomup:
7598 /*
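Review bot: The loop in `hugetlb_get_unmapped_area_topdown` now terminates only when `skip_heap_stack_gap(vma, len)` returns an error value, where the old condition `len < vma->vm_start` was explicit about the underflow case. The helper is defined outside this file's hunks, so its contract cannot be checked here. A comment on the new `while` line would help, for example `/* skip_heap_stack_gap() yields an error value once len plus the gap no longer fits below vma */`, to be confirmed against the helper. The related `addr &= HPAGE_MASK;` moved to the top of the loop in the previous hunk presumably exists because the helper's result is not huge-page aligned; that deserves a one-line comment too. The do/while starts in the preceding hunk.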
7599 @@ -182,8 +183,7 @@ hugetlb_get_unmapped_area(struct file *f
7600 if (addr) {
7601 addr = ALIGN(addr, HPAGE_SIZE);
7602 vma = find_vma(mm, addr);
7603 - if (task_size - len >= addr &&
7604 - (!vma || addr + len <= vma->vm_start))
7605 + if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
7606 return addr;
7607 }
7608 if (mm->get_unmapped_area == arch_get_unmapped_area)
7609 diff -urNp linux-2.6.39.3/arch/sparc/mm/init_32.c linux-2.6.39.3/arch/sparc/mm/init_32.c
7610 --- linux-2.6.39.3/arch/sparc/mm/init_32.c 2011-05-19 00:06:34.000000000 -0400
7611 +++ linux-2.6.39.3/arch/sparc/mm/init_32.c 2011-05-22 19:36:30.000000000 -0400
7612 @@ -318,6 +318,9 @@ extern void device_scan(void);
7613 pgprot_t PAGE_SHARED __read_mostly;
7614 EXPORT_SYMBOL(PAGE_SHARED);
7615
7616 +pgprot_t PAGE_SHARED_NOEXEC __read_mostly;
7617 +EXPORT_SYMBOL(PAGE_SHARED_NOEXEC);
7618 +
7619 void __init paging_init(void)
7620 {
7621 switch(sparc_cpu_model) {
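Review bot: `PAGE_SHARED_NOEXEC` is defined and exported here unconditionally, but the only assignment visible in this patch, in the `ld_mmu_srmmu()` hunk of srmmu.c, sits under `#ifdef CONFIG_PAX_PAGEEXEC`. The `protection_map[]` hunk that follows also uses the `_NOEXEC` names without a guard. Unless the page-table header (not visible here) maps the `_NOEXEC` names back to the plain ones when the option is off, entries 10 and 11 would be built from a zero-initialised `pgprot_t`. Worth confirming, and either wrapping this definition in the same `#ifdef` or adding a comment that names where it is initialised.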
7622 @@ -346,17 +349,17 @@ void __init paging_init(void)
7623
7624 /* Initialize the protection map with non-constant, MMU dependent values. */
7625 protection_map[0] = PAGE_NONE;
7626 - protection_map[1] = PAGE_READONLY;
7627 - protection_map[2] = PAGE_COPY;
7628 - protection_map[3] = PAGE_COPY;
7629 + protection_map[1] = PAGE_READONLY_NOEXEC;
7630 + protection_map[2] = PAGE_COPY_NOEXEC;
7631 + protection_map[3] = PAGE_COPY_NOEXEC;
7632 protection_map[4] = PAGE_READONLY;
7633 protection_map[5] = PAGE_READONLY;
7634 protection_map[6] = PAGE_COPY;
7635 protection_map[7] = PAGE_COPY;
7636 protection_map[8] = PAGE_NONE;
7637 - protection_map[9] = PAGE_READONLY;
7638 - protection_map[10] = PAGE_SHARED;
7639 - protection_map[11] = PAGE_SHARED;
7640 + protection_map[9] = PAGE_READONLY_NOEXEC;
7641 + protection_map[10] = PAGE_SHARED_NOEXEC;
7642 + protection_map[11] = PAGE_SHARED_NOEXEC;
7643 protection_map[12] = PAGE_READONLY;
7644 protection_map[13] = PAGE_READONLY;
7645 protection_map[14] = PAGE_SHARED;
7646 diff -urNp linux-2.6.39.3/arch/sparc/mm/Makefile linux-2.6.39.3/arch/sparc/mm/Makefile
7647 --- linux-2.6.39.3/arch/sparc/mm/Makefile 2011-05-19 00:06:34.000000000 -0400
7648 +++ linux-2.6.39.3/arch/sparc/mm/Makefile 2011-05-22 19:36:30.000000000 -0400
7649 @@ -2,7 +2,7 @@
7650 #
7651
7652 asflags-y := -ansi
7653 -ccflags-y := -Werror
7654 +#ccflags-y := -Werror
7655
7656 obj-$(CONFIG_SPARC64) += ultra.o tlb.o tsb.o
7657 obj-y += fault_$(BITS).o
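Review bot: Commenting out `ccflags-y := -Werror` makes every compiler warning in arch/sparc/mm non-fatal, including in the fault handlers this patch extends, and the hunk does not say why. If particular warnings in the added code are the reason (an assumption, they are not visible here), fixing or suppressing those individually keeps the rest of the directory covered. If the flag really has to go, delete the line rather than leaving it commented out, and record the reason, e.g. `# -Werror dropped: <reason>`.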
7658 diff -urNp linux-2.6.39.3/arch/sparc/mm/srmmu.c linux-2.6.39.3/arch/sparc/mm/srmmu.c
7659 --- linux-2.6.39.3/arch/sparc/mm/srmmu.c 2011-05-19 00:06:34.000000000 -0400
7660 +++ linux-2.6.39.3/arch/sparc/mm/srmmu.c 2011-05-22 19:36:30.000000000 -0400
7661 @@ -2200,6 +2200,13 @@ void __init ld_mmu_srmmu(void)
7662 PAGE_SHARED = pgprot_val(SRMMU_PAGE_SHARED);
7663 BTFIXUPSET_INT(page_copy, pgprot_val(SRMMU_PAGE_COPY));
7664 BTFIXUPSET_INT(page_readonly, pgprot_val(SRMMU_PAGE_RDONLY));
7665 +
7666 +#ifdef CONFIG_PAX_PAGEEXEC
7667 + PAGE_SHARED_NOEXEC = pgprot_val(SRMMU_PAGE_SHARED_NOEXEC);
7668 + BTFIXUPSET_INT(page_copy_noexec, pgprot_val(SRMMU_PAGE_COPY_NOEXEC));
7669 + BTFIXUPSET_INT(page_readonly_noexec, pgprot_val(SRMMU_PAGE_RDONLY_NOEXEC));
7670 +#endif
7671 +
7672 BTFIXUPSET_INT(page_kernel, pgprot_val(SRMMU_PAGE_KERNEL));
7673 page_kernel = pgprot_val(SRMMU_PAGE_KERNEL);
7674
7675 diff -urNp linux-2.6.39.3/arch/tile/kernel/pci.c linux-2.6.39.3/arch/tile/kernel/pci.c
7676 --- linux-2.6.39.3/arch/tile/kernel/pci.c 2011-06-25 12:55:22.000000000 -0400
7677 +++ linux-2.6.39.3/arch/tile/kernel/pci.c 2011-06-25 13:00:25.000000000 -0400
7678 @@ -60,7 +60,7 @@ int __write_once tile_plx_gen1;
7679 static struct pci_controller controllers[TILE_NUM_PCIE];
7680 static int num_controllers;
7681
7682 -static struct pci_ops tile_cfg_ops;
7683 +static const struct pci_ops tile_cfg_ops;
7684
7685
7686 /*
7687 @@ -563,7 +563,7 @@ static int __devinit tile_cfg_write(stru
7688 }
7689
7690
7691 -static struct pci_ops tile_cfg_ops = {
7692 +static const struct pci_ops tile_cfg_ops = {
7693 .read = tile_cfg_read,
7694 .write = tile_cfg_write,
7695 };
7696 diff -urNp linux-2.6.39.3/arch/um/include/asm/kmap_types.h linux-2.6.39.3/arch/um/include/asm/kmap_types.h
7697 --- linux-2.6.39.3/arch/um/include/asm/kmap_types.h 2011-05-19 00:06:34.000000000 -0400
7698 +++ linux-2.6.39.3/arch/um/include/asm/kmap_types.h 2011-05-22 19:36:30.000000000 -0400
7699 @@ -23,6 +23,7 @@ enum km_type {
7700 KM_IRQ1,
7701 KM_SOFTIRQ0,
7702 KM_SOFTIRQ1,
7703 + KM_CLEARPAGE,
7704 KM_TYPE_NR
7705 };
7706
7707 diff -urNp linux-2.6.39.3/arch/um/include/asm/page.h linux-2.6.39.3/arch/um/include/asm/page.h
7708 --- linux-2.6.39.3/arch/um/include/asm/page.h 2011-05-19 00:06:34.000000000 -0400
7709 +++ linux-2.6.39.3/arch/um/include/asm/page.h 2011-05-22 19:36:30.000000000 -0400
7710 @@ -14,6 +14,9 @@
7711 #define PAGE_SIZE (_AC(1, UL) << PAGE_SHIFT)
7712 #define PAGE_MASK (~(PAGE_SIZE-1))
7713
7714 +#define ktla_ktva(addr) (addr)
7715 +#define ktva_ktla(addr) (addr)
7716 +
7717 #ifndef __ASSEMBLY__
7718
7719 struct page;
7720 diff -urNp linux-2.6.39.3/arch/um/kernel/process.c linux-2.6.39.3/arch/um/kernel/process.c
7721 --- linux-2.6.39.3/arch/um/kernel/process.c 2011-05-19 00:06:34.000000000 -0400
7722 +++ linux-2.6.39.3/arch/um/kernel/process.c 2011-05-22 19:36:30.000000000 -0400
7723 @@ -404,22 +404,6 @@ int singlestepping(void * t)
7724 return 2;
7725 }
7726
7727 -/*
7728 - * Only x86 and x86_64 have an arch_align_stack().
7729 - * All other arches have "#define arch_align_stack(x) (x)"
7730 - * in their asm/system.h
7731 - * As this is included in UML from asm-um/system-generic.h,
7732 - * we can use it to behave as the subarch does.
7733 - */
7734 -#ifndef arch_align_stack
7735 -unsigned long arch_align_stack(unsigned long sp)
7736 -{
7737 - if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
7738 - sp -= get_random_int() % 8192;
7739 - return sp & ~0xf;
7740 -}
7741 -#endif
7742 -
7743 unsigned long get_wchan(struct task_struct *p)
7744 {
7745 unsigned long stack_page, sp, ip;
7746 diff -urNp linux-2.6.39.3/arch/um/sys-i386/syscalls.c linux-2.6.39.3/arch/um/sys-i386/syscalls.c
7747 --- linux-2.6.39.3/arch/um/sys-i386/syscalls.c 2011-05-19 00:06:34.000000000 -0400
7748 +++ linux-2.6.39.3/arch/um/sys-i386/syscalls.c 2011-05-22 19:36:30.000000000 -0400
7749 @@ -11,6 +11,21 @@
7750 #include "asm/uaccess.h"
7751 #include "asm/unistd.h"
7752
7753 +int i386_mmap_check(unsigned long addr, unsigned long len, unsigned long flags)
7754 +{
7755 + unsigned long pax_task_size = TASK_SIZE;
7756 +
7757 +#ifdef CONFIG_PAX_SEGMEXEC
7758 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
7759 + pax_task_size = SEGMEXEC_TASK_SIZE;
7760 +#endif
7761 +
7762 + if (len > pax_task_size || addr > pax_task_size - len)
7763 + return -EINVAL;
7764 +
7765 + return 0;
7766 +}
7767 +
7768 /*
7769 * The prototype on i386 is:
7770 *
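Review bot: `i386_mmap_check()` has no comment, and the order of its two comparisons is what makes it safe: `len > pax_task_size` is tested first so that `pax_task_size - len` cannot wrap in the second test. I would put that above the `if`, for example `/* len first: keeps pax_task_size - len from underflowing */`, so a later edit does not reorder or merge the conditions into `addr + len > pax_task_size`. Under CONFIG_PAX_SEGMEXEC the function also dereferences `current->mm` without a NULL check; presumably it is only reached from process context, which is worth stating in the same comment.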
7771 diff -urNp linux-2.6.39.3/arch/unicore32/kernel/pci.c linux-2.6.39.3/arch/unicore32/kernel/pci.c
7772 --- linux-2.6.39.3/arch/unicore32/kernel/pci.c 2011-05-19 00:06:34.000000000 -0400
7773 +++ linux-2.6.39.3/arch/unicore32/kernel/pci.c 2011-05-22 19:36:30.000000000 -0400
7774 @@ -66,7 +66,7 @@ puv3_write_config(struct pci_bus *bus, u
7775 return PCIBIOS_SUCCESSFUL;
7776 }
7777
7778 -struct pci_ops pci_puv3_ops = {
7779 +const struct pci_ops pci_puv3_ops = {
7780 .read = puv3_read_config,
7781 .write = puv3_write_config,
7782 };
7783 diff -urNp linux-2.6.39.3/arch/x86/boot/bitops.h linux-2.6.39.3/arch/x86/boot/bitops.h
7784 --- linux-2.6.39.3/arch/x86/boot/bitops.h 2011-05-19 00:06:34.000000000 -0400
7785 +++ linux-2.6.39.3/arch/x86/boot/bitops.h 2011-05-22 19:36:30.000000000 -0400
7786 @@ -26,7 +26,7 @@ static inline int variable_test_bit(int
7787 u8 v;
7788 const u32 *p = (const u32 *)addr;
7789
7790 - asm("btl %2,%1; setc %0" : "=qm" (v) : "m" (*p), "Ir" (nr));
7791 + asm volatile("btl %2,%1; setc %0" : "=qm" (v) : "m" (*p), "Ir" (nr));
7792 return v;
7793 }
7794
7795 @@ -37,7 +37,7 @@ static inline int variable_test_bit(int
7796
7797 static inline void set_bit(int nr, void *addr)
7798 {
7799 - asm("btsl %1,%0" : "+m" (*(u32 *)addr) : "Ir" (nr));
7800 + asm volatile("btsl %1,%0" : "+m" (*(u32 *)addr) : "Ir" (nr));
7801 }
7802
7803 #endif /* BOOT_BITOPS_H */
7804 diff -urNp linux-2.6.39.3/arch/x86/boot/boot.h linux-2.6.39.3/arch/x86/boot/boot.h
7805 --- linux-2.6.39.3/arch/x86/boot/boot.h 2011-05-19 00:06:34.000000000 -0400
7806 +++ linux-2.6.39.3/arch/x86/boot/boot.h 2011-05-22 19:36:30.000000000 -0400
7807 @@ -85,7 +85,7 @@ static inline void io_delay(void)
7808 static inline u16 ds(void)
7809 {
7810 u16 seg;
7811 - asm("movw %%ds,%0" : "=rm" (seg));
7812 + asm volatile("movw %%ds,%0" : "=rm" (seg));
7813 return seg;
7814 }
7815
7816 @@ -181,7 +181,7 @@ static inline void wrgs32(u32 v, addr_t
7817 static inline int memcmp(const void *s1, const void *s2, size_t len)
7818 {
7819 u8 diff;
7820 - asm("repe; cmpsb; setnz %0"
7821 + asm volatile("repe; cmpsb; setnz %0"
7822 : "=qm" (diff), "+D" (s1), "+S" (s2), "+c" (len));
7823 return diff;
7824 }
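Review bot: In `memcmp`, adding `volatile` stops the compiler from dropping or merging the asm, but the statement still does not declare that it reads the buffers behind `s1` and `s2`; only the pointer registers and the count are listed as operands. GCC documents the `"memory"` clobber for asm that accesses memory through a pointer operand, so pending stores to either buffer are not guaranteed to be visible to `cmpsb` as written. I would change the operand line to `: "=qm" (diff), "+D" (s1), "+S" (s2), "+c" (len) : : "memory");`. The same bare `asm` to `asm volatile` change is made in the bitops.h and cpucheck.c hunks without a stated reason; a sentence in the description would help.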
7825 diff -urNp linux-2.6.39.3/arch/x86/boot/compressed/head_32.S linux-2.6.39.3/arch/x86/boot/compressed/head_32.S
7826 --- linux-2.6.39.3/arch/x86/boot/compressed/head_32.S 2011-05-19 00:06:34.000000000 -0400
7827 +++ linux-2.6.39.3/arch/x86/boot/compressed/head_32.S 2011-05-22 19:36:30.000000000 -0400
7828 @@ -76,7 +76,7 @@ ENTRY(startup_32)
7829 notl %eax
7830 andl %eax, %ebx
7831 #else
7832 - movl $LOAD_PHYSICAL_ADDR, %ebx
7833 + movl $____LOAD_PHYSICAL_ADDR, %ebx
7834 #endif
7835
7836 /* Target address to relocate to for decompression */
7837 @@ -162,7 +162,7 @@ relocated:
7838 * and where it was actually loaded.
7839 */
7840 movl %ebp, %ebx
7841 - subl $LOAD_PHYSICAL_ADDR, %ebx
7842 + subl $____LOAD_PHYSICAL_ADDR, %ebx
7843 jz 2f /* Nothing to be done if loaded at compiled addr. */
7844 /*
7845 * Process relocations.
7846 @@ -170,8 +170,7 @@ relocated:
7847
7848 1: subl $4, %edi
7849 movl (%edi), %ecx
7850 - testl %ecx, %ecx
7851 - jz 2f
7852 + jecxz 2f
7853 addl %ebx, -__PAGE_OFFSET(%ebx, %ecx)
7854 jmp 1b
7855 2:
7856 diff -urNp linux-2.6.39.3/arch/x86/boot/compressed/head_64.S linux-2.6.39.3/arch/x86/boot/compressed/head_64.S
7857 --- linux-2.6.39.3/arch/x86/boot/compressed/head_64.S 2011-05-19 00:06:34.000000000 -0400
7858 +++ linux-2.6.39.3/arch/x86/boot/compressed/head_64.S 2011-05-22 19:36:30.000000000 -0400
7859 @@ -91,7 +91,7 @@ ENTRY(startup_32)
7860 notl %eax
7861 andl %eax, %ebx
7862 #else
7863 - movl $LOAD_PHYSICAL_ADDR, %ebx
7864 + movl $____LOAD_PHYSICAL_ADDR, %ebx
7865 #endif
7866
7867 /* Target address to relocate to for decompression */
7868 @@ -233,7 +233,7 @@ ENTRY(startup_64)
7869 notq %rax
7870 andq %rax, %rbp
7871 #else
7872 - movq $LOAD_PHYSICAL_ADDR, %rbp
7873 + movq $____LOAD_PHYSICAL_ADDR, %rbp
7874 #endif
7875
7876 /* Target address to relocate to for decompression */
7877 diff -urNp linux-2.6.39.3/arch/x86/boot/compressed/misc.c linux-2.6.39.3/arch/x86/boot/compressed/misc.c
7878 --- linux-2.6.39.3/arch/x86/boot/compressed/misc.c 2011-05-19 00:06:34.000000000 -0400
7879 +++ linux-2.6.39.3/arch/x86/boot/compressed/misc.c 2011-05-22 19:36:30.000000000 -0400
7880 @@ -310,7 +310,7 @@ static void parse_elf(void *output)
7881 case PT_LOAD:
7882 #ifdef CONFIG_RELOCATABLE
7883 dest = output;
7884 - dest += (phdr->p_paddr - LOAD_PHYSICAL_ADDR);
7885 + dest += (phdr->p_paddr - ____LOAD_PHYSICAL_ADDR);
7886 #else
7887 dest = (void *)(phdr->p_paddr);
7888 #endif
7889 @@ -363,7 +363,7 @@ asmlinkage void decompress_kernel(void *
7890 error("Destination address too large");
7891 #endif
7892 #ifndef CONFIG_RELOCATABLE
7893 - if ((unsigned long)output != LOAD_PHYSICAL_ADDR)
7894 + if ((unsigned long)output != ____LOAD_PHYSICAL_ADDR)
7895 error("Wrong destination address");
7896 #endif
7897
7898 diff -urNp linux-2.6.39.3/arch/x86/boot/compressed/relocs.c linux-2.6.39.3/arch/x86/boot/compressed/relocs.c
7899 --- linux-2.6.39.3/arch/x86/boot/compressed/relocs.c 2011-05-19 00:06:34.000000000 -0400
7900 +++ linux-2.6.39.3/arch/x86/boot/compressed/relocs.c 2011-05-22 19:36:30.000000000 -0400
7901 @@ -13,8 +13,11 @@
7902
7903 static void die(char *fmt, ...);
7904
7905 +#include "../../../../include/generated/autoconf.h"
7906 +
7907 #define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
7908 static Elf32_Ehdr ehdr;
7909 +static Elf32_Phdr *phdr;
7910 static unsigned long reloc_count, reloc_idx;
7911 static unsigned long *relocs;
7912
7913 @@ -270,9 +273,39 @@ static void read_ehdr(FILE *fp)
7914 }
7915 }
7916
7917 +static void read_phdrs(FILE *fp)
7918 +{
7919 + unsigned int i;
7920 +
7921 + phdr = calloc(ehdr.e_phnum, sizeof(Elf32_Phdr));
7922 + if (!phdr) {
7923 + die("Unable to allocate %d program headers\n",
7924 + ehdr.e_phnum);
7925 + }
7926 + if (fseek(fp, ehdr.e_phoff, SEEK_SET) < 0) {
7927 + die("Seek to %d failed: %s\n",
7928 + ehdr.e_phoff, strerror(errno));
7929 + }
7930 + if (fread(phdr, sizeof(*phdr), ehdr.e_phnum, fp) != ehdr.e_phnum) {
7931 + die("Cannot read ELF program headers: %s\n",
7932 + strerror(errno));
7933 + }
7934 + for(i = 0; i < ehdr.e_phnum; i++) {
7935 + phdr[i].p_type = elf32_to_cpu(phdr[i].p_type);
7936 + phdr[i].p_offset = elf32_to_cpu(phdr[i].p_offset);
7937 + phdr[i].p_vaddr = elf32_to_cpu(phdr[i].p_vaddr);
7938 + phdr[i].p_paddr = elf32_to_cpu(phdr[i].p_paddr);
7939 + phdr[i].p_filesz = elf32_to_cpu(phdr[i].p_filesz);
7940 + phdr[i].p_memsz = elf32_to_cpu(phdr[i].p_memsz);
7941 + phdr[i].p_flags = elf32_to_cpu(phdr[i].p_flags);
7942 + phdr[i].p_align = elf32_to_cpu(phdr[i].p_align);
7943 + }
7944 +
7945 +}
7946 +
7947 static void read_shdrs(FILE *fp)
7948 {
7949 - int i;
7950 + unsigned int i;
7951 Elf32_Shdr shdr;
7952
7953 secs = calloc(ehdr.e_shnum, sizeof(struct section));
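Review bot: `read_phdrs()` reads `ehdr.e_phnum` entries of `sizeof(Elf32_Phdr)` bytes each without checking `ehdr.e_phentsize`, so an input whose program header entries have a different size would be parsed at the wrong offsets with no error. Whether `read_ehdr()` already validates that field is not visible in this hunk. If it does not, add `if (ehdr.e_phentsize != sizeof(Elf32_Phdr)) die("Bad program header entry size\n");` before the `calloc`. Both `die()` format strings also print `e_phnum` and `e_phoff` with `%d` although they are unsigned; `%u` matches. `read_shdrs` continues outside the hunk.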
7954 @@ -307,7 +340,7 @@ static void read_shdrs(FILE *fp)
7955
7956 static void read_strtabs(FILE *fp)
7957 {
7958 - int i;
7959 + unsigned int i;
7960 for (i = 0; i < ehdr.e_shnum; i++) {
7961 struct section *sec = &secs[i];
7962 if (sec->shdr.sh_type != SHT_STRTAB) {
7963 @@ -332,7 +365,7 @@ static void read_strtabs(FILE *fp)
7964
7965 static void read_symtabs(FILE *fp)
7966 {
7967 - int i,j;
7968 + unsigned int i,j;
7969 for (i = 0; i < ehdr.e_shnum; i++) {
7970 struct section *sec = &secs[i];
7971 if (sec->shdr.sh_type != SHT_SYMTAB) {
7972 @@ -365,7 +398,9 @@ static void read_symtabs(FILE *fp)
7973
7974 static void read_relocs(FILE *fp)
7975 {
7976 - int i,j;
7977 + unsigned int i,j;
7978 + uint32_t base;
7979 +
7980 for (i = 0; i < ehdr.e_shnum; i++) {
7981 struct section *sec = &secs[i];
7982 if (sec->shdr.sh_type != SHT_REL) {
7983 @@ -385,9 +420,18 @@ static void read_relocs(FILE *fp)
7984 die("Cannot read symbol table: %s\n",
7985 strerror(errno));
7986 }
7987 + base = 0;
7988 + for (j = 0; j < ehdr.e_phnum; j++) {
7989 + if (phdr[j].p_type != PT_LOAD )
7990 + continue;
7991 + if (secs[sec->shdr.sh_info].shdr.sh_offset < phdr[j].p_offset || secs[sec->shdr.sh_info].shdr.sh_offset >= phdr[j].p_offset + phdr[j].p_filesz)
7992 + continue;
7993 + base = CONFIG_PAGE_OFFSET + phdr[j].p_paddr - phdr[j].p_vaddr;
7994 + break;
7995 + }
7996 for (j = 0; j < sec->shdr.sh_size/sizeof(Elf32_Rel); j++) {
7997 Elf32_Rel *rel = &sec->reltab[j];
7998 - rel->r_offset = elf32_to_cpu(rel->r_offset);
7999 + rel->r_offset = elf32_to_cpu(rel->r_offset) + base;
8000 rel->r_info = elf32_to_cpu(rel->r_info);
8001 }
8002 }
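Review bot: The segment lookup added to `read_relocs` evaluates `secs[sec->shdr.sh_info].shdr.sh_offset` twice on one very long line and tests the upper bound as `p_offset + p_filesz`, which can wrap in 32-bit arithmetic for a malformed header. Hoisting the target section header into a local and testing by subtraction makes the range check wrap-free and readable. The loop also leaves `base` at 0 when no PT_LOAD segment contains the section, so `r_offset` is then stored unadjusted without any diagnostic; if that is intended for sections outside loadable segments, a comment should say so. `sh_info` is used as an index into `secs` without a bound check against `ehdr.e_shnum`; this may be validated elsewhere, it is not visible here. The function begins in the previous hunk and continues past this one.

```c
	/* … unchanged: reltab read and its error check … */
	const Elf32_Shdr *target = &secs[sec->shdr.sh_info].shdr;

	/* base stays 0 when no PT_LOAD segment holds the target section */
	base = 0;
	for (j = 0; j < ehdr.e_phnum; j++) {
		const Elf32_Phdr *ph = &phdr[j];

		if (ph->p_type != PT_LOAD)
			continue;
		/* subtract rather than add so p_offset + p_filesz cannot wrap */
		if (target->sh_offset < ph->p_offset ||
		    target->sh_offset - ph->p_offset >= ph->p_filesz)
			continue;
		base = CONFIG_PAGE_OFFSET + ph->p_paddr - ph->p_vaddr;
		break;
	}
	/* … unchanged: per-relocation byte-swap loop … */
```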
8003 @@ -396,14 +440,14 @@ static void read_relocs(FILE *fp)
8004
8005 static void print_absolute_symbols(void)
8006 {
8007 - int i;
8008 + unsigned int i;
8009 printf("Absolute symbols\n");
8010 printf(" Num: Value Size Type Bind Visibility Name\n");
8011 for (i = 0; i < ehdr.e_shnum; i++) {
8012 struct section *sec = &secs[i];
8013 char *sym_strtab;
8014 Elf32_Sym *sh_symtab;
8015 - int j;
8016 + unsigned int j;
8017
8018 if (sec->shdr.sh_type != SHT_SYMTAB) {
8019 continue;
8020 @@ -431,14 +475,14 @@ static void print_absolute_symbols(void)
8021
8022 static void print_absolute_relocs(void)
8023 {
8024 - int i, printed = 0;
8025 + unsigned int i, printed = 0;
8026
8027 for (i = 0; i < ehdr.e_shnum; i++) {
8028 struct section *sec = &secs[i];
8029 struct section *sec_applies, *sec_symtab;
8030 char *sym_strtab;
8031 Elf32_Sym *sh_symtab;
8032 - int j;
8033 + unsigned int j;
8034 if (sec->shdr.sh_type != SHT_REL) {
8035 continue;
8036 }
8037 @@ -499,13 +543,13 @@ static void print_absolute_relocs(void)
8038
8039 static void walk_relocs(void (*visit)(Elf32_Rel *rel, Elf32_Sym *sym))
8040 {
8041 - int i;
8042 + unsigned int i;
8043 /* Walk through the relocations */
8044 for (i = 0; i < ehdr.e_shnum; i++) {
8045 char *sym_strtab;
8046 Elf32_Sym *sh_symtab;
8047 struct section *sec_applies, *sec_symtab;
8048 - int j;
8049 + unsigned int j;
8050 struct section *sec = &secs[i];
8051
8052 if (sec->shdr.sh_type != SHT_REL) {
8053 @@ -530,6 +574,22 @@ static void walk_relocs(void (*visit)(El
8054 !is_rel_reloc(sym_name(sym_strtab, sym))) {
8055 continue;
8056 }
8057 + /* Don't relocate actual per-cpu variables, they are absolute indices, not addresses */
8058 + if (!strcmp(sec_name(sym->st_shndx), ".data..percpu") && strcmp(sym_name(sym_strtab, sym), "__per_cpu_load"))
8059 + continue;
8060 +
8061 +#if defined(CONFIG_PAX_KERNEXEC) && defined(CONFIG_X86_32)
8062 + /* Don't relocate actual code, they are relocated implicitly by the base address of KERNEL_CS */
8063 + if (!strcmp(sec_name(sym->st_shndx), ".module.text") && !strcmp(sym_name(sym_strtab, sym), "_etext"))
8064 + continue;
8065 + if (!strcmp(sec_name(sym->st_shndx), ".init.text"))
8066 + continue;
8067 + if (!strcmp(sec_name(sym->st_shndx), ".exit.text"))
8068 + continue;
8069 + if (!strcmp(sec_name(sym->st_shndx), ".text") && strcmp(sym_name(sym_strtab, sym), "__LOAD_PHYSICAL_ADDR"))
8070 + continue;
8071 +#endif
8072 +
8073 switch (r_type) {
8074 case R_386_NONE:
8075 case R_386_PC32:
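Review bot: The skip rules added to `walk_relocs` call `sec_name(sym->st_shndx)` up to five times and `sym_name(sym_strtab, sym)` up to three times per relocation, which makes the conditions hard to read. Two locals at the top of the added block, `const char *secname = sec_name(sym->st_shndx);` and `const char *symname = sym_name(sym_strtab, sym);`, would shorten every test. Relocations against absolute symbols appear to reach this code, so it is worth confirming that `sec_name()` handles reserved section indices; its definition is outside the hunk. The KERNEXEC comment would read better as `/* Don't relocate code symbols; they are relocated implicitly by the base address of KERNEL_CS */`.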
8076 @@ -571,7 +631,7 @@ static int cmp_relocs(const void *va, co
8077
8078 static void emit_relocs(int as_text)
8079 {
8080 - int i;
8081 + unsigned int i;
8082 /* Count how many relocations I have and allocate space for them. */
8083 reloc_count = 0;
8084 walk_relocs(count_reloc);
8085 @@ -665,6 +725,7 @@ int main(int argc, char **argv)
8086 fname, strerror(errno));
8087 }
8088 read_ehdr(fp);
8089 + read_phdrs(fp);
8090 read_shdrs(fp);
8091 read_strtabs(fp);
8092 read_symtabs(fp);
8093 diff -urNp linux-2.6.39.3/arch/x86/boot/cpucheck.c linux-2.6.39.3/arch/x86/boot/cpucheck.c
8094 --- linux-2.6.39.3/arch/x86/boot/cpucheck.c 2011-05-19 00:06:34.000000000 -0400
8095 +++ linux-2.6.39.3/arch/x86/boot/cpucheck.c 2011-05-22 19:36:30.000000000 -0400
8096 @@ -74,7 +74,7 @@ static int has_fpu(void)
8097 u16 fcw = -1, fsw = -1;
8098 u32 cr0;
8099
8100 - asm("movl %%cr0,%0" : "=r" (cr0));
8101 + asm volatile("movl %%cr0,%0" : "=r" (cr0));
8102 if (cr0 & (X86_CR0_EM|X86_CR0_TS)) {
8103 cr0 &= ~(X86_CR0_EM|X86_CR0_TS);
8104 asm volatile("movl %0,%%cr0" : : "r" (cr0));
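Review bot: Nothing in the file records why these `asm` statements now need `volatile`, so a later cleanup could drop the qualifier again. A short comment at the first use would cover it, e.g. `/* volatile: CR0, MSR and CPUID state can change between calls, the compiler must not merge or drop these reads */`. The same applies to the `has_eflag`, `get_flags` and `check_cpu` hunks below. In `check_cpu` the MSR is rewritten and `get_flags()` is called again ("Make sure it really did something"), which only works if the second CPUID is actually executed.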
8105 @@ -90,7 +90,7 @@ static int has_eflag(u32 mask)
8106 {
8107 u32 f0, f1;
8108
8109 - asm("pushfl ; "
8110 + asm volatile("pushfl ; "
8111 "pushfl ; "
8112 "popl %0 ; "
8113 "movl %0,%1 ; "
8114 @@ -115,7 +115,7 @@ static void get_flags(void)
8115 set_bit(X86_FEATURE_FPU, cpu.flags);
8116
8117 if (has_eflag(X86_EFLAGS_ID)) {
8118 - asm("cpuid"
8119 + asm volatile("cpuid"
8120 : "=a" (max_intel_level),
8121 "=b" (cpu_vendor[0]),
8122 "=d" (cpu_vendor[1]),
8123 @@ -124,7 +124,7 @@ static void get_flags(void)
8124
8125 if (max_intel_level >= 0x00000001 &&
8126 max_intel_level <= 0x0000ffff) {
8127 - asm("cpuid"
8128 + asm volatile("cpuid"
8129 : "=a" (tfms),
8130 "=c" (cpu.flags[4]),
8131 "=d" (cpu.flags[0])
8132 @@ -136,7 +136,7 @@ static void get_flags(void)
8133 cpu.model += ((tfms >> 16) & 0xf) << 4;
8134 }
8135
8136 - asm("cpuid"
8137 + asm volatile("cpuid"
8138 : "=a" (max_amd_level)
8139 : "a" (0x80000000)
8140 : "ebx", "ecx", "edx");
8141 @@ -144,7 +144,7 @@ static void get_flags(void)
8142 if (max_amd_level >= 0x80000001 &&
8143 max_amd_level <= 0x8000ffff) {
8144 u32 eax = 0x80000001;
8145 - asm("cpuid"
8146 + asm volatile("cpuid"
8147 : "+a" (eax),
8148 "=c" (cpu.flags[6]),
8149 "=d" (cpu.flags[1])
8150 @@ -203,9 +203,9 @@ int check_cpu(int *cpu_level_ptr, int *r
8151 u32 ecx = MSR_K7_HWCR;
8152 u32 eax, edx;
8153
8154 - asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
8155 + asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
8156 eax &= ~(1 << 15);
8157 - asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
8158 + asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
8159
8160 get_flags(); /* Make sure it really did something */
8161 err = check_flags();
8162 @@ -218,9 +218,9 @@ int check_cpu(int *cpu_level_ptr, int *r
8163 u32 ecx = MSR_VIA_FCR;
8164 u32 eax, edx;
8165
8166 - asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
8167 + asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
8168 eax |= (1<<1)|(1<<7);
8169 - asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
8170 + asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
8171
8172 set_bit(X86_FEATURE_CX8, cpu.flags);
8173 err = check_flags();
8174 @@ -231,12 +231,12 @@ int check_cpu(int *cpu_level_ptr, int *r
8175 u32 eax, edx;
8176 u32 level = 1;
8177
8178 - asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
8179 - asm("wrmsr" : : "a" (~0), "d" (edx), "c" (ecx));
8180 - asm("cpuid"
8181 + asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
8182 + asm volatile("wrmsr" : : "a" (~0), "d" (edx), "c" (ecx));
8183 + asm volatile("cpuid"
8184 : "+a" (level), "=d" (cpu.flags[0])
8185 : : "ecx", "ebx");
8186 - asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
8187 + asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
8188
8189 err = check_flags();
8190 }
8191 diff -urNp linux-2.6.39.3/arch/x86/boot/header.S linux-2.6.39.3/arch/x86/boot/header.S
8192 --- linux-2.6.39.3/arch/x86/boot/header.S 2011-05-19 00:06:34.000000000 -0400
8193 +++ linux-2.6.39.3/arch/x86/boot/header.S 2011-05-22 19:36:30.000000000 -0400
8194 @@ -224,7 +224,7 @@ setup_data: .quad 0 # 64-bit physical
8195 # single linked list of
8196 # struct setup_data
8197
8198 -pref_address: .quad LOAD_PHYSICAL_ADDR # preferred load addr
8199 +pref_address: .quad ____LOAD_PHYSICAL_ADDR # preferred load addr
8200
8201 #define ZO_INIT_SIZE (ZO__end - ZO_startup_32 + ZO_z_extract_offset)
8202 #define VO_INIT_SIZE (VO__end - VO__text)
8203 diff -urNp linux-2.6.39.3/arch/x86/boot/memory.c linux-2.6.39.3/arch/x86/boot/memory.c
8204 --- linux-2.6.39.3/arch/x86/boot/memory.c 2011-05-19 00:06:34.000000000 -0400
8205 +++ linux-2.6.39.3/arch/x86/boot/memory.c 2011-05-22 19:36:30.000000000 -0400
8206 @@ -19,7 +19,7 @@
8207
8208 static int detect_memory_e820(void)
8209 {
8210 - int count = 0;
8211 + unsigned int count = 0;
8212 struct biosregs ireg, oreg;
8213 struct e820entry *desc = boot_params.e820_map;
8214 static struct e820entry buf; /* static so it is zeroed */
8215 diff -urNp linux-2.6.39.3/arch/x86/boot/video.c linux-2.6.39.3/arch/x86/boot/video.c
8216 --- linux-2.6.39.3/arch/x86/boot/video.c 2011-05-19 00:06:34.000000000 -0400
8217 +++ linux-2.6.39.3/arch/x86/boot/video.c 2011-05-22 19:36:30.000000000 -0400
8218 @@ -96,7 +96,7 @@ static void store_mode_params(void)
8219 static unsigned int get_entry(void)
8220 {
8221 char entry_buf[4];
8222 - int i, len = 0;
8223 + unsigned int i, len = 0;
8224 int key;
8225 unsigned int v;
8226
8227 diff -urNp linux-2.6.39.3/arch/x86/boot/video-vesa.c linux-2.6.39.3/arch/x86/boot/video-vesa.c
8228 --- linux-2.6.39.3/arch/x86/boot/video-vesa.c 2011-05-19 00:06:34.000000000 -0400
8229 +++ linux-2.6.39.3/arch/x86/boot/video-vesa.c 2011-05-22 19:36:30.000000000 -0400
8230 @@ -200,6 +200,7 @@ static void vesa_store_pm_info(void)
8231
8232 boot_params.screen_info.vesapm_seg = oreg.es;
8233 boot_params.screen_info.vesapm_off = oreg.di;
8234 + boot_params.screen_info.vesapm_size = oreg.cx;
8235 }
8236
8237 /*
8238 diff -urNp linux-2.6.39.3/arch/x86/ia32/ia32_aout.c linux-2.6.39.3/arch/x86/ia32/ia32_aout.c
8239 --- linux-2.6.39.3/arch/x86/ia32/ia32_aout.c 2011-05-19 00:06:34.000000000 -0400
8240 +++ linux-2.6.39.3/arch/x86/ia32/ia32_aout.c 2011-05-22 19:41:32.000000000 -0400
8241 @@ -162,6 +162,8 @@ static int aout_core_dump(long signr, st
8242 unsigned long dump_start, dump_size;
8243 struct user32 dump;
8244
8245 + memset(&dump, 0, sizeof(dump));
8246 +
8247 fs = get_fs();
8248 set_fs(KERNEL_DS);
8249 has_dumped = 1;
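Review bot: The added `memset(&dump, 0, sizeof(dump));` has no comment, so it reads like a redundant initialisation that a later cleanup could remove. I would put `/* clear padding and unset fields so no stale kernel stack bytes end up in the dump */` above it. That `dump` is later written out is inferred from the function name, since the rest of aout_core_dump is outside the hunk. `memset` is the right form here, because `= {0}` is not guaranteed to clear padding bytes.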
8250 diff -urNp linux-2.6.39.3/arch/x86/ia32/ia32entry.S linux-2.6.39.3/arch/x86/ia32/ia32entry.S
8251 --- linux-2.6.39.3/arch/x86/ia32/ia32entry.S 2011-05-19 00:06:34.000000000 -0400
8252 +++ linux-2.6.39.3/arch/x86/ia32/ia32entry.S 2011-05-23 17:16:01.000000000 -0400
8253 @@ -13,6 +13,7 @@
8254 #include <asm/thread_info.h>
8255 #include <asm/segment.h>
8256 #include <asm/irqflags.h>
8257 +#include <asm/pgtable.h>
8258 #include <linux/linkage.h>
8259
8260 /* Avoid __ASSEMBLER__'ifying <linux/audit.h> just for this. */
8261 @@ -95,6 +96,32 @@ ENTRY(native_irq_enable_sysexit)
8262 ENDPROC(native_irq_enable_sysexit)
8263 #endif
8264
8265 + .macro pax_enter_kernel_user
8266 +#ifdef CONFIG_PAX_MEMORY_UDEREF
8267 + call pax_enter_kernel_user
8268 +#endif
8269 + .endm
8270 +
8271 + .macro pax_exit_kernel_user
8272 +#ifdef CONFIG_PAX_MEMORY_UDEREF
8273 + call pax_exit_kernel_user
8274 +#endif
8275 +#ifdef CONFIG_PAX_RANDKSTACK
8276 + pushq %rax
8277 + call pax_randomize_kstack
8278 + popq %rax
8279 +#endif
8280 +#ifdef CONFIG_PAX_MEMORY_STACKLEAK
8281 + call pax_erase_kstack
8282 +#endif
8283 + .endm
8284 +
8285 + .macro pax_erase_kstack
8286 +#ifdef CONFIG_PAX_MEMORY_STACKLEAK
8287 + call pax_erase_kstack
8288 +#endif
8289 + .endm
8290 +
8291 /*
8292 * 32bit SYSENTER instruction entry.
8293 *
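Review bot: These macros call out-of-line helpers on the syscall entry and exit paths, but only the `pax_randomize_kstack` call is bracketed by `pushq %rax`/`popq %rax`. Nothing states which registers `pax_enter_kernel_user`, `pax_exit_kernel_user` and `pax_erase_kstack` preserve. A header comment on the macros should spell out that contract, because they are expanded where syscall arguments and the return value are live in registers. Each macro also shares its name with the function it calls, and `pax_exit_kernel_user` repeats the body of the `pax_erase_kstack` macro instead of invoking it; distinct macro names would make the call sites unambiguous.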
8294 @@ -121,7 +148,7 @@ ENTRY(ia32_sysenter_target)
8295 CFI_REGISTER rsp,rbp
8296 SWAPGS_UNSAFE_STACK
8297 movq PER_CPU_VAR(kernel_stack), %rsp
8298 - addq $(KERNEL_STACK_OFFSET),%rsp
8299 + pax_enter_kernel_user
8300 /*
8301 * No need to follow this irqs on/off section: the syscall
8302 * disabled irqs, here we enable it straight after entry:
8303 @@ -134,7 +161,8 @@ ENTRY(ia32_sysenter_target)
8304 CFI_REL_OFFSET rsp,0
8305 pushfq_cfi
8306 /*CFI_REL_OFFSET rflags,0*/
8307 - movl 8*3-THREAD_SIZE+TI_sysenter_return(%rsp), %r10d
8308 + GET_THREAD_INFO(%r10)
8309 + movl TI_sysenter_return(%r10), %r10d
8310 CFI_REGISTER rip,r10
8311 pushq_cfi $__USER32_CS
8312 /*CFI_REL_OFFSET cs,0*/
8313 @@ -146,6 +174,12 @@ ENTRY(ia32_sysenter_target)
8314 SAVE_ARGS 0,0,1
8315 /* no need to do an access_ok check here because rbp has been
8316 32bit zero extended */
8317 +
8318 +#ifdef CONFIG_PAX_MEMORY_UDEREF
8319 + mov $PAX_USER_SHADOW_BASE,%r10
8320 + add %r10,%rbp
8321 +#endif
8322 +
8323 1: movl (%rbp),%ebp
8324 .section __ex_table,"a"
8325 .quad 1b,ia32_badarg
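Review bot: The existing comment "no need to do an access_ok check here because rbp has been 32bit zero extended" now sits above code that adds `PAX_USER_SHADOW_BASE` to `%rbp`, so it no longer describes the address dereferenced at label `1:`. The new block should carry its own comment, e.g. `/* UDEREF: access userland via the shadow mapping; %r10 is scratch here */`. Both halves of that wording are inferred and need confirming against the surrounding code. The `ia32_cstar_target` hunk that adds the same sequence for `%r8` needs the same comment.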
8326 @@ -168,6 +202,7 @@ sysenter_dispatch:
8327 testl $_TIF_ALLWORK_MASK,TI_flags(%r10)
8328 jnz sysexit_audit
8329 sysexit_from_sys_call:
8330 + pax_exit_kernel_user
8331 andl $~TS_COMPAT,TI_status(%r10)
8332 /* clear IF, that popfq doesn't enable interrupts early */
8333 andl $~0x200,EFLAGS-R11(%rsp)
8334 @@ -194,6 +229,9 @@ sysexit_from_sys_call:
8335 movl %eax,%esi /* 2nd arg: syscall number */
8336 movl $AUDIT_ARCH_I386,%edi /* 1st arg: audit arch */
8337 call audit_syscall_entry
8338 +
8339 + pax_erase_kstack
8340 +
8341 movl RAX-ARGOFFSET(%rsp),%eax /* reload syscall number */
8342 cmpq $(IA32_NR_syscalls-1),%rax
8343 ja ia32_badsys
8344 @@ -246,6 +284,9 @@ sysenter_tracesys:
8345 movq $-ENOSYS,RAX(%rsp)/* ptrace can change this for a bad syscall */
8346 movq %rsp,%rdi /* &pt_regs -> arg1 */
8347 call syscall_trace_enter
8348 +
8349 + pax_erase_kstack
8350 +
8351 LOAD_ARGS32 ARGOFFSET /* reload args from stack in case ptrace changed it */
8352 RESTORE_REST
8353 cmpq $(IA32_NR_syscalls-1),%rax
8354 @@ -277,19 +318,24 @@ ENDPROC(ia32_sysenter_target)
8355 ENTRY(ia32_cstar_target)
8356 CFI_STARTPROC32 simple
8357 CFI_SIGNAL_FRAME
8358 - CFI_DEF_CFA rsp,KERNEL_STACK_OFFSET
8359 + CFI_DEF_CFA rsp,0
8360 CFI_REGISTER rip,rcx
8361 /*CFI_REGISTER rflags,r11*/
8362 SWAPGS_UNSAFE_STACK
8363 movl %esp,%r8d
8364 CFI_REGISTER rsp,r8
8365 movq PER_CPU_VAR(kernel_stack),%rsp
8366 +
8367 +#ifdef CONFIG_PAX_MEMORY_UDEREF
8368 + pax_enter_kernel_user
8369 +#endif
8370 +
8371 /*
8372 * No need to follow this irqs on/off section: the syscall
8373 * disabled irqs and here we enable it straight after entry:
8374 */
8375 ENABLE_INTERRUPTS(CLBR_NONE)
8376 - SAVE_ARGS 8,1,1
8377 + SAVE_ARGS 8*6,1,1
8378 movl %eax,%eax /* zero extension */
8379 movq %rax,ORIG_RAX-ARGOFFSET(%rsp)
8380 movq %rcx,RIP-ARGOFFSET(%rsp)
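Review bot: In `ia32_cstar_target` the `pax_enter_kernel_user` invocation is wrapped in `#ifdef CONFIG_PAX_MEMORY_UDEREF`, but the macro body defined earlier in this file is already guarded by the same symbol. The `ia32_sysenter_target` and `ia32_syscall` hunks invoke it without a guard, so dropping the outer `#ifdef`/`#endif` here keeps the three entry points consistent. Separately, the change from `SAVE_ARGS 8,1,1` to `SAVE_ARGS 8*6,1,1` together with `CFI_DEF_CFA rsp,0` would benefit from a short comment saying what the six slots are.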
8381 @@ -305,6 +351,12 @@ ENTRY(ia32_cstar_target)
8382 /* no need to do an access_ok check here because r8 has been
8383 32bit zero extended */
8384 /* hardware stack frame is complete now */
8385 +
8386 +#ifdef CONFIG_PAX_MEMORY_UDEREF
8387 + mov $PAX_USER_SHADOW_BASE,%r10
8388 + add %r10,%r8
8389 +#endif
8390 +
8391 1: movl (%r8),%r9d
8392 .section __ex_table,"a"
8393 .quad 1b,ia32_badarg
8394 @@ -327,6 +379,7 @@ cstar_dispatch:
8395 testl $_TIF_ALLWORK_MASK,TI_flags(%r10)
8396 jnz sysretl_audit
8397 sysretl_from_sys_call:
8398 + pax_exit_kernel_user
8399 andl $~TS_COMPAT,TI_status(%r10)
8400 RESTORE_ARGS 1,-ARG_SKIP,1,1,1
8401 movl RIP-ARGOFFSET(%rsp),%ecx
8402 @@ -364,6 +417,9 @@ cstar_tracesys:
8403 movq $-ENOSYS,RAX(%rsp) /* ptrace can change this for a bad syscall */
8404 movq %rsp,%rdi /* &pt_regs -> arg1 */
8405 call syscall_trace_enter
8406 +
8407 + pax_erase_kstack
8408 +
8409 LOAD_ARGS32 ARGOFFSET, 1 /* reload args from stack in case ptrace changed it */
8410 RESTORE_REST
8411 xchgl %ebp,%r9d
8412 @@ -409,6 +465,7 @@ ENTRY(ia32_syscall)
8413 CFI_REL_OFFSET rip,RIP-RIP
8414 PARAVIRT_ADJUST_EXCEPTION_FRAME
8415 SWAPGS
8416 + pax_enter_kernel_user
8417 /*
8418 * No need to follow this irqs on/off section: the syscall
8419 * disabled irqs and here we enable it straight after entry:
8420 @@ -441,6 +498,9 @@ ia32_tracesys:
8421 movq $-ENOSYS,RAX(%rsp) /* ptrace can change this for a bad syscall */
8422 movq %rsp,%rdi /* &pt_regs -> arg1 */
8423 call syscall_trace_enter
8424 +
8425 + pax_erase_kstack
8426 +
8427 LOAD_ARGS32 ARGOFFSET /* reload args from stack in case ptrace changed it */
8428 RESTORE_REST
8429 cmpq $(IA32_NR_syscalls-1),%rax
8430 diff -urNp linux-2.6.39.3/arch/x86/ia32/ia32_signal.c linux-2.6.39.3/arch/x86/ia32/ia32_signal.c
8431 --- linux-2.6.39.3/arch/x86/ia32/ia32_signal.c 2011-05-19 00:06:34.000000000 -0400
8432 +++ linux-2.6.39.3/arch/x86/ia32/ia32_signal.c 2011-05-22 19:36:30.000000000 -0400
8433 @@ -403,7 +403,7 @@ static void __user *get_sigframe(struct
8434 sp -= frame_size;
8435 /* Align the stack pointer according to the i386 ABI,
8436 * i.e. so that on function entry ((sp + 4) & 15) == 0. */
8437 - sp = ((sp + 4) & -16ul) - 4;
8438 + sp = ((sp - 12) & -16ul) - 4;
8439 return (void __user *) sp;
8440 }
8441
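Review bot: The alignment comment above the changed line states only the ABI rule `((sp + 4) & 15) == 0`, which the old expression already met, so it no longer explains the code. `((sp - 12) & -16ul) - 4` gives the same alignment but always lands at least 16 bytes lower. The comment should record why that extra room is reserved, for instance `/* ... and keep sp at least 16 bytes below the frame start */`, with the actual reason supplied by the author. get_sigframe begins outside the hunk.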
8442 @@ -461,7 +461,7 @@ int ia32_setup_frame(int sig, struct k_s
8443 * These are actually not used anymore, but left because some
8444 * gdb versions depend on them as a marker.
8445 */
8446 - put_user_ex(*((u64 *)&code), (u64 *)frame->retcode);
8447 + put_user_ex(*((const u64 *)&code), (u64 *)frame->retcode);
8448 } put_user_catch(err);
8449
8450 if (err)
8451 @@ -503,7 +503,7 @@ int ia32_setup_rt_frame(int sig, struct
8452 0xb8,
8453 __NR_ia32_rt_sigreturn,
8454 0x80cd,
8455 - 0,
8456 + 0
8457 };
8458
8459 frame = get_sigframe(ka, regs, sizeof(*frame), &fpstate);
8460 @@ -533,16 +533,18 @@ int ia32_setup_rt_frame(int sig, struct
8461
8462 if (ka->sa.sa_flags & SA_RESTORER)
8463 restorer = ka->sa.sa_restorer;
8464 + else if (current->mm->context.vdso)
8465 + /* Return stub is in 32bit vsyscall page */
8466 + restorer = VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn);
8467 else
8468 - restorer = VDSO32_SYMBOL(current->mm->context.vdso,
8469 - rt_sigreturn);
8470 + restorer = &frame->retcode;
8471 put_user_ex(ptr_to_compat(restorer), &frame->pretcode);
8472
8473 /*
8474 * Not actually used anymore, but left because some gdb
8475 * versions need it.
8476 */
8477 - put_user_ex(*((u64 *)&code), (u64 *)frame->retcode);
8478 + put_user_ex(*((const u64 *)&code), (u64 *)frame->retcode);
8479 } put_user_catch(err);
8480
8481 if (err)
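Review bot: The comment kept above the final `put_user_ex` still says the return code is "Not actually used anymore", but the new `else` branch sets `restorer = &frame->retcode;` when there is neither `SA_RESTORER` nor a vDSO. In that case the stub on the signal frame is the return address, and the comment should say so, e.g. `/* Used as the return stub when no restorer and no vDSO are available; also kept as a marker for gdb. */`. The `else if` body now spans a comment and a statement, so braces around the three branches would make the chain harder to misread. ia32_setup_rt_frame starts and ends outside the hunk.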
8482 diff -urNp linux-2.6.39.3/arch/x86/include/asm/alternative.h linux-2.6.39.3/arch/x86/include/asm/alternative.h
8483 --- linux-2.6.39.3/arch/x86/include/asm/alternative.h 2011-05-19 00:06:34.000000000 -0400
8484 +++ linux-2.6.39.3/arch/x86/include/asm/alternative.h 2011-05-22 19:36:30.000000000 -0400
8485 @@ -94,7 +94,7 @@ static inline int alternatives_text_rese
8486 ".section .discard,\"aw\",@progbits\n" \
8487 " .byte 0xff + (664f-663f) - (662b-661b)\n" /* rlen <= slen */ \
8488 ".previous\n" \
8489 - ".section .altinstr_replacement, \"ax\"\n" \
8490 + ".section .altinstr_replacement, \"a\"\n" \
8491 "663:\n\t" newinstr "\n664:\n" /* replacement */ \
8492 ".previous"
8493
8494 diff -urNp linux-2.6.39.3/arch/x86/include/asm/apm.h linux-2.6.39.3/arch/x86/include/asm/apm.h
8495 --- linux-2.6.39.3/arch/x86/include/asm/apm.h 2011-05-19 00:06:34.000000000 -0400
8496 +++ linux-2.6.39.3/arch/x86/include/asm/apm.h 2011-05-22 19:36:30.000000000 -0400
8497 @@ -34,7 +34,7 @@ static inline void apm_bios_call_asm(u32
8498 __asm__ __volatile__(APM_DO_ZERO_SEGS
8499 "pushl %%edi\n\t"
8500 "pushl %%ebp\n\t"
8501 - "lcall *%%cs:apm_bios_entry\n\t"
8502 + "lcall *%%ss:apm_bios_entry\n\t"
8503 "setc %%al\n\t"
8504 "popl %%ebp\n\t"
8505 "popl %%edi\n\t"
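Review bot: The switch from `%%cs:` to `%%ss:` when loading the `apm_bios_entry` far pointer is not explained at either call site. A segment override on an indirect `lcall` is unusual enough that someone is likely to change it back. A comment above the `lcall` in `apm_bios_call_asm` would help, e.g. `/* read the far pointer through %ss: it is data, and %cs may not map kernel data at the same base */`. That reason is my inference from the change and should be confirmed by the author. The same applies to the `apm_bios_call_simple_asm` hunk below.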
8506 @@ -58,7 +58,7 @@ static inline u8 apm_bios_call_simple_as
8507 __asm__ __volatile__(APM_DO_ZERO_SEGS
8508 "pushl %%edi\n\t"
8509 "pushl %%ebp\n\t"
8510 - "lcall *%%cs:apm_bios_entry\n\t"
8511 + "lcall *%%ss:apm_bios_entry\n\t"
8512 "setc %%bl\n\t"
8513 "popl %%ebp\n\t"
8514 "popl %%edi\n\t"
8515 diff -urNp linux-2.6.39.3/arch/x86/include/asm/atomic64_32.h linux-2.6.39.3/arch/x86/include/asm/atomic64_32.h
8516 --- linux-2.6.39.3/arch/x86/include/asm/atomic64_32.h 2011-05-19 00:06:34.000000000 -0400
8517 +++ linux-2.6.39.3/arch/x86/include/asm/atomic64_32.h 2011-05-22 19:36:30.000000000 -0400
8518 @@ -12,6 +12,14 @@ typedef struct {
8519 u64 __aligned(8) counter;
8520 } atomic64_t;
8521
8522 +#ifdef CONFIG_PAX_REFCOUNT
8523 +typedef struct {
8524 + u64 __aligned(8) counter;
8525 +} atomic64_unchecked_t;
8526 +#else
8527 +typedef atomic64_t atomic64_unchecked_t;
8528 +#endif
8529 +
8530 #define ATOMIC64_INIT(val) { (val) }
8531
8532 #ifdef CONFIG_X86_CMPXCHG64
8533 @@ -38,6 +46,21 @@ static inline long long atomic64_cmpxchg
8534 }
8535
8536 /**
8537 + * atomic64_cmpxchg_unchecked - cmpxchg atomic64 variable
8538 + * @p: pointer to type atomic64_unchecked_t
8539 + * @o: expected value
8540 + * @n: new value
8541 + *
8542 + * Atomically sets @v to @n if it was equal to @o and returns
8543 + * the old value.
8544 + */
8545 +
8546 +static inline long long atomic64_cmpxchg_unchecked(atomic64_unchecked_t *v, long long o, long long n)
8547 +{
8548 + return cmpxchg64(&v->counter, o, n);
8549 +}
8550 +
8551 +/**
8552 * atomic64_xchg - xchg atomic64 variable
8553 * @v: pointer to type atomic64_t
8554 * @n: value to assign
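Review bot: The kernel-doc for `atomic64_cmpxchg_unchecked` documents `@p`, but the parameter is named `v` and the description itself refers to `@v`; the line should be ` * @v: pointer to type atomic64_unchecked_t`. The `atomic64_set_unchecked` hunk below has the same kind of mismatch, documenting `@n` for a parameter declared as `long long i`. In the `atomic64_read_unchecked` hunk the closing brace is indented one column further than in the other added functions.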
8555 @@ -77,6 +100,24 @@ static inline void atomic64_set(atomic64
8556 }
8557
8558 /**
8559 + * atomic64_set_unchecked - set atomic64 variable
8560 + * @v: pointer to type atomic64_unchecked_t
8561 + * @n: value to assign
8562 + *
8563 + * Atomically sets the value of @v to @n.
8564 + */
8565 +static inline void atomic64_set_unchecked(atomic64_unchecked_t *v, long long i)
8566 +{
8567 + unsigned high = (unsigned)(i >> 32);
8568 + unsigned low = (unsigned)i;
8569 + asm volatile(ATOMIC64_ALTERNATIVE(set)
8570 + : "+b" (low), "+c" (high)
8571 + : "S" (v)
8572 + : "eax", "edx", "memory"
8573 + );
8574 +}
8575 +
8576 +/**
8577 * atomic64_read - read atomic64 variable
8578 * @v: pointer to type atomic64_t
8579 *
8580 @@ -93,6 +134,22 @@ static inline long long atomic64_read(at
8581 }
8582
8583 /**
8584 + * atomic64_read_unchecked - read atomic64 variable
8585 + * @v: pointer to type atomic64_unchecked_t
8586 + *
8587 + * Atomically reads the value of @v and returns it.
8588 + */
8589 +static inline long long atomic64_read_unchecked(atomic64_unchecked_t *v)
8590 +{
8591 + long long r;
8592 + asm volatile(ATOMIC64_ALTERNATIVE(read_unchecked)
8593 + : "=A" (r), "+c" (v)
8594 + : : "memory"
8595 + );
8596 + return r;
8597 + }
8598 +
8599 +/**
8600 * atomic64_add_return - add and return
8601 * @i: integer value to add
8602 * @v: pointer to type atomic64_t
8603 @@ -108,6 +165,22 @@ static inline long long atomic64_add_ret
8604 return i;
8605 }
8606
8607 +/**
8608 + * atomic64_add_return_unchecked - add and return
8609 + * @i: integer value to add
8610 + * @v: pointer to type atomic64_unchecked_t
8611 + *
8612 + * Atomically adds @i to @v and returns @i + *@v
8613 + */
8614 +static inline long long atomic64_add_return_unchecked(long long i, atomic64_unchecked_t *v)
8615 +{
8616 + asm volatile(ATOMIC64_ALTERNATIVE(add_return_unchecked)
8617 + : "+A" (i), "+c" (v)
8618 + : : "memory"
8619 + );
8620 + return i;
8621 +}
8622 +
8623 /*
8624 * Other variants with different arithmetic operators:
8625 */
8626 @@ -131,6 +204,17 @@ static inline long long atomic64_inc_ret
8627 return a;
8628 }
8629
8630 +static inline long long atomic64_inc_return_unchecked(atomic64_unchecked_t *v)
8631 +{
8632 + long long a;
8633 + asm volatile(ATOMIC64_ALTERNATIVE(inc_return_unchecked)
8634 + : "=A" (a)
8635 + : "S" (v)
8636 + : "memory", "ecx"
8637 + );
8638 + return a;
8639 +}
8640 +
8641 static inline long long atomic64_dec_return(atomic64_t *v)
8642 {
8643 long long a;
8644 @@ -159,6 +243,22 @@ static inline long long atomic64_add(lon
8645 }
8646
8647 /**
8648 + * atomic64_add_unchecked - add integer to atomic64 variable
8649 + * @i: integer value to add
8650 + * @v: pointer to type atomic64_unchecked_t
8651 + *
8652 + * Atomically adds @i to @v.
8653 + */
8654 +static inline long long atomic64_add_unchecked(long long i, atomic64_unchecked_t *v)
8655 +{
8656 + asm volatile(ATOMIC64_ALTERNATIVE_(add_unchecked, add_return_unchecked)
8657 + : "+A" (i), "+c" (v)
8658 + : : "memory"
8659 + );
8660 + return i;
8661 +}
8662 +
8663 +/**
8664 * atomic64_sub - subtract the atomic64 variable
8665 * @i: integer value to subtract
8666 * @v: pointer to type atomic64_t
8667 diff -urNp linux-2.6.39.3/arch/x86/include/asm/atomic64_64.h linux-2.6.39.3/arch/x86/include/asm/atomic64_64.h
8668 --- linux-2.6.39.3/arch/x86/include/asm/atomic64_64.h 2011-05-19 00:06:34.000000000 -0400
8669 +++ linux-2.6.39.3/arch/x86/include/asm/atomic64_64.h 2011-05-22 19:36:30.000000000 -0400
8670 @@ -18,7 +18,19 @@
8671 */
8672 static inline long atomic64_read(const atomic64_t *v)
8673 {
8674 - return (*(volatile long *)&(v)->counter);
8675 + return (*(volatile const long *)&(v)->counter);
8676 +}
8677 +
8678 +/**
8679 + * atomic64_read_unchecked - read atomic64 variable
8680 + * @v: pointer of type atomic64_unchecked_t
8681 + *
8682 + * Atomically reads the value of @v.
8683 + * Doesn't imply a read memory barrier.
8684 + */
8685 +static inline long atomic64_read_unchecked(const atomic64_unchecked_t *v)
8686 +{
8687 + return (*(volatile const long *)&(v)->counter);
8688 }
8689
8690 /**
8691 @@ -34,6 +46,18 @@ static inline void atomic64_set(atomic64
8692 }
8693
8694 /**
8695 + * atomic64_set_unchecked - set atomic64 variable
8696 + * @v: pointer to type atomic64_unchecked_t
8697 + * @i: required value
8698 + *
8699 + * Atomically sets the value of @v to @i.
8700 + */
8701 +static inline void atomic64_set_unchecked(atomic64_unchecked_t *v, long i)
8702 +{
8703 + v->counter = i;
8704 +}
8705 +
8706 +/**
8707 * atomic64_add - add integer to atomic64 variable
8708 * @i: integer value to add
8709 * @v: pointer to type atomic64_t
8710 @@ -42,6 +66,28 @@ static inline void atomic64_set(atomic64
8711 */
8712 static inline void atomic64_add(long i, atomic64_t *v)
8713 {
8714 + asm volatile(LOCK_PREFIX "addq %1,%0\n"
8715 +
8716 +#ifdef CONFIG_PAX_REFCOUNT
8717 + "jno 0f\n"
8718 + LOCK_PREFIX "subq %1,%0\n"
8719 + "int $4\n0:\n"
8720 + _ASM_EXTABLE(0b, 0b)
8721 +#endif
8722 +
8723 + : "=m" (v->counter)
8724 + : "er" (i), "m" (v->counter));
8725 +}
8726 +
8727 +/**
8728 + * atomic64_add_unchecked - add integer to atomic64 variable
8729 + * @i: integer value to add
8730 + * @v: pointer to type atomic64_unchecked_t
8731 + *
8732 + * Atomically adds @i to @v.
8733 + */
8734 +static inline void atomic64_add_unchecked(long i, atomic64_unchecked_t *v)
8735 +{
8736 asm volatile(LOCK_PREFIX "addq %1,%0"
8737 : "=m" (v->counter)
8738 : "er" (i), "m" (v->counter));
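Review bot: In the `CONFIG_PAX_REFCOUNT` path of `atomic64_add` the overflow is noticed only after the locked `addq` has already stored the wrapped value. Between that store and the compensating `LOCK_PREFIX "subq %1,%0\n"`, another CPU can read or modify an overflowed counter. If that window is accepted by design, it deserves a comment next to the `jno`, for example `/* wrapped value is briefly visible until the undo below */`. The same detect-then-undo sequence appears in the `atomic64_sub`, `atomic64_inc`, `atomic64_dec` and `*_and_test` hunks of this file and in the `atomic.h` hunks that follow.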
8739 @@ -56,7 +102,29 @@ static inline void atomic64_add(long i,
8740 */
8741 static inline void atomic64_sub(long i, atomic64_t *v)
8742 {
8743 - asm volatile(LOCK_PREFIX "subq %1,%0"
8744 + asm volatile(LOCK_PREFIX "subq %1,%0\n"
8745 +
8746 +#ifdef CONFIG_PAX_REFCOUNT
8747 + "jno 0f\n"
8748 + LOCK_PREFIX "addq %1,%0\n"
8749 + "int $4\n0:\n"
8750 + _ASM_EXTABLE(0b, 0b)
8751 +#endif
8752 +
8753 + : "=m" (v->counter)
8754 + : "er" (i), "m" (v->counter));
8755 +}
8756 +
8757 +/**
8758 + * atomic64_sub_unchecked - subtract the atomic64 variable
8759 + * @i: integer value to subtract
8760 + * @v: pointer to type atomic64_unchecked_t
8761 + *
8762 + * Atomically subtracts @i from @v.
8763 + */
8764 +static inline void atomic64_sub_unchecked(long i, atomic64_unchecked_t *v)
8765 +{
8766 + asm volatile(LOCK_PREFIX "subq %1,%0\n"
8767 : "=m" (v->counter)
8768 : "er" (i), "m" (v->counter));
8769 }
8770 @@ -74,7 +142,16 @@ static inline int atomic64_sub_and_test(
8771 {
8772 unsigned char c;
8773
8774 - asm volatile(LOCK_PREFIX "subq %2,%0; sete %1"
8775 + asm volatile(LOCK_PREFIX "subq %2,%0\n"
8776 +
8777 +#ifdef CONFIG_PAX_REFCOUNT
8778 + "jno 0f\n"
8779 + LOCK_PREFIX "addq %2,%0\n"
8780 + "int $4\n0:\n"
8781 + _ASM_EXTABLE(0b, 0b)
8782 +#endif
8783 +
8784 + "sete %1\n"
8785 : "=m" (v->counter), "=qm" (c)
8786 : "er" (i), "m" (v->counter) : "memory");
8787 return c;
8788 @@ -88,6 +165,27 @@ static inline int atomic64_sub_and_test(
8789 */
8790 static inline void atomic64_inc(atomic64_t *v)
8791 {
8792 + asm volatile(LOCK_PREFIX "incq %0\n"
8793 +
8794 +#ifdef CONFIG_PAX_REFCOUNT
8795 + "jno 0f\n"
8796 + LOCK_PREFIX "decq %0\n"
8797 + "int $4\n0:\n"
8798 + _ASM_EXTABLE(0b, 0b)
8799 +#endif
8800 +
8801 + : "=m" (v->counter)
8802 + : "m" (v->counter));
8803 +}
8804 +
8805 +/**
8806 + * atomic64_inc_unchecked - increment atomic64 variable
8807 + * @v: pointer to type atomic64_unchecked_t
8808 + *
8809 + * Atomically increments @v by 1.
8810 + */
8811 +static inline void atomic64_inc_unchecked(atomic64_unchecked_t *v)
8812 +{
8813 asm volatile(LOCK_PREFIX "incq %0"
8814 : "=m" (v->counter)
8815 : "m" (v->counter));
8816 @@ -101,7 +199,28 @@ static inline void atomic64_inc(atomic64
8817 */
8818 static inline void atomic64_dec(atomic64_t *v)
8819 {
8820 - asm volatile(LOCK_PREFIX "decq %0"
8821 + asm volatile(LOCK_PREFIX "decq %0\n"
8822 +
8823 +#ifdef CONFIG_PAX_REFCOUNT
8824 + "jno 0f\n"
8825 + LOCK_PREFIX "incq %0\n"
8826 + "int $4\n0:\n"
8827 + _ASM_EXTABLE(0b, 0b)
8828 +#endif
8829 +
8830 + : "=m" (v->counter)
8831 + : "m" (v->counter));
8832 +}
8833 +
8834 +/**
8835 + * atomic64_dec_unchecked - decrement atomic64 variable
8836 + * @v: pointer to type atomic64_t
8837 + *
8838 + * Atomically decrements @v by 1.
8839 + */
8840 +static inline void atomic64_dec_unchecked(atomic64_unchecked_t *v)
8841 +{
8842 + asm volatile(LOCK_PREFIX "decq %0\n"
8843 : "=m" (v->counter)
8844 : "m" (v->counter));
8845 }
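Review bot: The kernel-doc added for `atomic64_dec_unchecked` says `@v: pointer to type atomic64_t`, while the parameter is `atomic64_unchecked_t *v`. The line should read ` * @v: pointer to type atomic64_unchecked_t`. The distinction matters to readers because the two types select between the overflow-checked and the unchecked helpers.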
8846 @@ -118,7 +237,16 @@ static inline int atomic64_dec_and_test(
8847 {
8848 unsigned char c;
8849
8850 - asm volatile(LOCK_PREFIX "decq %0; sete %1"
8851 + asm volatile(LOCK_PREFIX "decq %0\n"
8852 +
8853 +#ifdef CONFIG_PAX_REFCOUNT
8854 + "jno 0f\n"
8855 + LOCK_PREFIX "incq %0\n"
8856 + "int $4\n0:\n"
8857 + _ASM_EXTABLE(0b, 0b)
8858 +#endif
8859 +
8860 + "sete %1\n"
8861 : "=m" (v->counter), "=qm" (c)
8862 : "m" (v->counter) : "memory");
8863 return c != 0;
8864 @@ -136,7 +264,16 @@ static inline int atomic64_inc_and_test(
8865 {
8866 unsigned char c;
8867
8868 - asm volatile(LOCK_PREFIX "incq %0; sete %1"
8869 + asm volatile(LOCK_PREFIX "incq %0\n"
8870 +
8871 +#ifdef CONFIG_PAX_REFCOUNT
8872 + "jno 0f\n"
8873 + LOCK_PREFIX "decq %0\n"
8874 + "int $4\n0:\n"
8875 + _ASM_EXTABLE(0b, 0b)
8876 +#endif
8877 +
8878 + "sete %1\n"
8879 : "=m" (v->counter), "=qm" (c)
8880 : "m" (v->counter) : "memory");
8881 return c != 0;
8882 @@ -155,7 +292,16 @@ static inline int atomic64_add_negative(
8883 {
8884 unsigned char c;
8885
8886 - asm volatile(LOCK_PREFIX "addq %2,%0; sets %1"
8887 + asm volatile(LOCK_PREFIX "addq %2,%0\n"
8888 +
8889 +#ifdef CONFIG_PAX_REFCOUNT
8890 + "jno 0f\n"
8891 + LOCK_PREFIX "subq %2,%0\n"
8892 + "int $4\n0:\n"
8893 + _ASM_EXTABLE(0b, 0b)
8894 +#endif
8895 +
8896 + "sets %1\n"
8897 : "=m" (v->counter), "=qm" (c)
8898 : "er" (i), "m" (v->counter) : "memory");
8899 return c;
8900 @@ -171,7 +317,31 @@ static inline int atomic64_add_negative(
8901 static inline long atomic64_add_return(long i, atomic64_t *v)
8902 {
8903 long __i = i;
8904 - asm volatile(LOCK_PREFIX "xaddq %0, %1;"
8905 + asm volatile(LOCK_PREFIX "xaddq %0, %1\n"
8906 +
8907 +#ifdef CONFIG_PAX_REFCOUNT
8908 + "jno 0f\n"
8909 + "movq %0, %1\n"
8910 + "int $4\n0:\n"
8911 + _ASM_EXTABLE(0b, 0b)
8912 +#endif
8913 +
8914 + : "+r" (i), "+m" (v->counter)
8915 + : : "memory");
8916 + return i + __i;
8917 +}
8918 +
8919 +/**
8920 + * atomic64_add_return_unchecked - add and return
8921 + * @i: integer value to add
8922 + * @v: pointer to type atomic64_unchecked_t
8923 + *
8924 + * Atomically adds @i to @v and returns @i + @v
8925 + */
8926 +static inline long atomic64_add_return_unchecked(long i, atomic64_unchecked_t *v)
8927 +{
8928 + long __i = i;
8929 + asm volatile(LOCK_PREFIX "xaddq %0, %1"
8930 : "+r" (i), "+m" (v->counter)
8931 : : "memory");
8932 return i + __i;
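Review bot: On overflow `atomic64_add_return` undoes the `xaddq` with a plain `movq %0, %1`, which writes back the previously read value without a lock prefix. An update made by another CPU between the two instructions would be overwritten. The other checked helpers in this file undo with a locked inverse operation instead. A locked subtraction of the original addend would match them, but it needs the addend kept in a separate operand because `%0` holds the old counter value after `xaddq`. At minimum, the choice should be explained in a comment beside the `movq`.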
8933 @@ -183,6 +353,10 @@ static inline long atomic64_sub_return(l
8934 }
8935
8936 #define atomic64_inc_return(v) (atomic64_add_return(1, (v)))
8937 +static inline long atomic64_inc_return_unchecked(atomic64_unchecked_t *v)
8938 +{
8939 + return atomic64_add_return_unchecked(1, v);
8940 +}
8941 #define atomic64_dec_return(v) (atomic64_sub_return(1, (v)))
8942
8943 static inline long atomic64_cmpxchg(atomic64_t *v, long old, long new)
8944 @@ -190,6 +364,11 @@ static inline long atomic64_cmpxchg(atom
8945 return cmpxchg(&v->counter, old, new);
8946 }
8947
8948 +static inline long atomic64_cmpxchg_unchecked(atomic64_unchecked_t *v, long old, long new)
8949 +{
8950 + return cmpxchg(&v->counter, old, new);
8951 +}
8952 +
8953 static inline long atomic64_xchg(atomic64_t *v, long new)
8954 {
8955 return xchg(&v->counter, new);
8956 @@ -206,17 +385,30 @@ static inline long atomic64_xchg(atomic6
8957 */
8958 static inline int atomic64_add_unless(atomic64_t *v, long a, long u)
8959 {
8960 - long c, old;
8961 + long c, old, new;
8962 c = atomic64_read(v);
8963 for (;;) {
8964 - if (unlikely(c == (u)))
8965 + if (unlikely(c == u))
8966 break;
8967 - old = atomic64_cmpxchg((v), c, c + (a));
8968 +
8969 + asm volatile("add %2,%0\n"
8970 +
8971 +#ifdef CONFIG_PAX_REFCOUNT
8972 + "jno 0f\n"
8973 + "sub %2,%0\n"
8974 + "int $4\n0:\n"
8975 + _ASM_EXTABLE(0b, 0b)
8976 +#endif
8977 +
8978 + : "=r" (new)
8979 + : "0" (c), "ir" (a));
8980 +
8981 + old = atomic64_cmpxchg(v, c, new);
8982 if (likely(old == c))
8983 break;
8984 c = old;
8985 }
8986 - return c != (u);
8987 + return c != u;
8988 }
8989
8990 #define atomic64_inc_not_zero(v) atomic64_add_unless((v), 1, 0)
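Review bot: The new inline `add %2,%0` in `atomic64_add_unless` takes `a` with the `"ir"` constraint, but `a` is a `long` and a 64-bit `add` can only encode a sign-extended 32-bit immediate. The other helpers in this file use `"er"` for their addend, so the operand line should read `: "0" (c), "er" (a));`. The instruction also has no size suffix; writing `addq`/`subq` would match the neighbouring helpers.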
8991 diff -urNp linux-2.6.39.3/arch/x86/include/asm/atomic.h linux-2.6.39.3/arch/x86/include/asm/atomic.h
8992 --- linux-2.6.39.3/arch/x86/include/asm/atomic.h 2011-05-19 00:06:34.000000000 -0400
8993 +++ linux-2.6.39.3/arch/x86/include/asm/atomic.h 2011-05-22 19:36:30.000000000 -0400
8994 @@ -22,7 +22,18 @@
8995 */
8996 static inline int atomic_read(const atomic_t *v)
8997 {
8998 - return (*(volatile int *)&(v)->counter);
8999 + return (*(volatile const int *)&(v)->counter);
9000 +}
9001 +
9002 +/**
9003 + * atomic_read_unchecked - read atomic variable
9004 + * @v: pointer of type atomic_unchecked_t
9005 + *
9006 + * Atomically reads the value of @v.
9007 + */
9008 +static inline int atomic_read_unchecked(const atomic_unchecked_t *v)
9009 +{
9010 + return (*(volatile const int *)&(v)->counter);
9011 }
9012
9013 /**
9014 @@ -38,6 +49,18 @@ static inline void atomic_set(atomic_t *
9015 }
9016
9017 /**
9018 + * atomic_set_unchecked - set atomic variable
9019 + * @v: pointer of type atomic_unchecked_t
9020 + * @i: required value
9021 + *
9022 + * Atomically sets the value of @v to @i.
9023 + */
9024 +static inline void atomic_set_unchecked(atomic_unchecked_t *v, int i)
9025 +{
9026 + v->counter = i;
9027 +}
9028 +
9029 +/**
9030 * atomic_add - add integer to atomic variable
9031 * @i: integer value to add
9032 * @v: pointer of type atomic_t
9033 @@ -46,7 +69,29 @@ static inline void atomic_set(atomic_t *
9034 */
9035 static inline void atomic_add(int i, atomic_t *v)
9036 {
9037 - asm volatile(LOCK_PREFIX "addl %1,%0"
9038 + asm volatile(LOCK_PREFIX "addl %1,%0\n"
9039 +
9040 +#ifdef CONFIG_PAX_REFCOUNT
9041 + "jno 0f\n"
9042 + LOCK_PREFIX "subl %1,%0\n"
9043 + "int $4\n0:\n"
9044 + _ASM_EXTABLE(0b, 0b)
9045 +#endif
9046 +
9047 + : "+m" (v->counter)
9048 + : "ir" (i));
9049 +}
9050 +
9051 +/**
9052 + * atomic_add_unchecked - add integer to atomic variable
9053 + * @i: integer value to add
9054 + * @v: pointer of type atomic_unchecked_t
9055 + *
9056 + * Atomically adds @i to @v.
9057 + */
9058 +static inline void atomic_add_unchecked(int i, atomic_unchecked_t *v)
9059 +{
9060 + asm volatile(LOCK_PREFIX "addl %1,%0\n"
9061 : "+m" (v->counter)
9062 : "ir" (i));
9063 }
9064 @@ -60,7 +105,29 @@ static inline void atomic_add(int i, ato
9065 */
9066 static inline void atomic_sub(int i, atomic_t *v)
9067 {
9068 - asm volatile(LOCK_PREFIX "subl %1,%0"
9069 + asm volatile(LOCK_PREFIX "subl %1,%0\n"
9070 +
9071 +#ifdef CONFIG_PAX_REFCOUNT
9072 + "jno 0f\n"
9073 + LOCK_PREFIX "addl %1,%0\n"
9074 + "int $4\n0:\n"
9075 + _ASM_EXTABLE(0b, 0b)
9076 +#endif
9077 +
9078 + : "+m" (v->counter)
9079 + : "ir" (i));
9080 +}
9081 +
9082 +/**
9083 + * atomic_sub_unchecked - subtract integer from atomic variable
9084 + * @i: integer value to subtract
9085 + * @v: pointer of type atomic_unchecked_t
9086 + *
9087 + * Atomically subtracts @i from @v.
9088 + */
9089 +static inline void atomic_sub_unchecked(int i, atomic_unchecked_t *v)
9090 +{
9091 + asm volatile(LOCK_PREFIX "subl %1,%0\n"
9092 : "+m" (v->counter)
9093 : "ir" (i));
9094 }
9095 @@ -78,7 +145,16 @@ static inline int atomic_sub_and_test(in
9096 {
9097 unsigned char c;
9098
9099 - asm volatile(LOCK_PREFIX "subl %2,%0; sete %1"
9100 + asm volatile(LOCK_PREFIX "subl %2,%0\n"
9101 +
9102 +#ifdef CONFIG_PAX_REFCOUNT
9103 + "jno 0f\n"
9104 + LOCK_PREFIX "addl %2,%0\n"
9105 + "int $4\n0:\n"
9106 + _ASM_EXTABLE(0b, 0b)
9107 +#endif
9108 +
9109 + "sete %1\n"
9110 : "+m" (v->counter), "=qm" (c)
9111 : "ir" (i) : "memory");
9112 return c;
9113 @@ -92,7 +168,27 @@ static inline int atomic_sub_and_test(in
9114 */
9115 static inline void atomic_inc(atomic_t *v)
9116 {
9117 - asm volatile(LOCK_PREFIX "incl %0"
9118 + asm volatile(LOCK_PREFIX "incl %0\n"
9119 +
9120 +#ifdef CONFIG_PAX_REFCOUNT
9121 + "jno 0f\n"
9122 + LOCK_PREFIX "decl %0\n"
9123 + "int $4\n0:\n"
9124 + _ASM_EXTABLE(0b, 0b)
9125 +#endif
9126 +
9127 + : "+m" (v->counter));
9128 +}
9129 +
9130 +/**
9131 + * atomic_inc_unchecked - increment atomic variable
9132 + * @v: pointer of type atomic_unchecked_t
9133 + *
9134 + * Atomically increments @v by 1.
9135 + */
9136 +static inline void atomic_inc_unchecked(atomic_unchecked_t *v)
9137 +{
9138 + asm volatile(LOCK_PREFIX "incl %0\n"
9139 : "+m" (v->counter));
9140 }
9141
9142 @@ -104,7 +200,27 @@ static inline void atomic_inc(atomic_t *
9143 */
9144 static inline void atomic_dec(atomic_t *v)
9145 {
9146 - asm volatile(LOCK_PREFIX "decl %0"
9147 + asm volatile(LOCK_PREFIX "decl %0\n"
9148 +
9149 +#ifdef CONFIG_PAX_REFCOUNT
9150 + "jno 0f\n"
9151 + LOCK_PREFIX "incl %0\n"
9152 + "int $4\n0:\n"
9153 + _ASM_EXTABLE(0b, 0b)
9154 +#endif
9155 +
9156 + : "+m" (v->counter));
9157 +}
9158 +
9159 +/**
9160 + * atomic_dec_unchecked - decrement atomic variable
9161 + * @v: pointer of type atomic_unchecked_t
9162 + *
9163 + * Atomically decrements @v by 1.
9164 + */
9165 +static inline void atomic_dec_unchecked(atomic_unchecked_t *v)
9166 +{
9167 + asm volatile(LOCK_PREFIX "decl %0\n"
9168 : "+m" (v->counter));
9169 }
9170
9171 @@ -120,7 +236,16 @@ static inline int atomic_dec_and_test(at
9172 {
9173 unsigned char c;
9174
9175 - asm volatile(LOCK_PREFIX "decl %0; sete %1"
9176 + asm volatile(LOCK_PREFIX "decl %0\n"
9177 +
9178 +#ifdef CONFIG_PAX_REFCOUNT
9179 + "jno 0f\n"
9180 + LOCK_PREFIX "incl %0\n"
9181 + "int $4\n0:\n"
9182 + _ASM_EXTABLE(0b, 0b)
9183 +#endif
9184 +
9185 + "sete %1\n"
9186 : "+m" (v->counter), "=qm" (c)
9187 : : "memory");
9188 return c != 0;
9189 @@ -138,7 +263,35 @@ static inline int atomic_inc_and_test(at
9190 {
9191 unsigned char c;
9192
9193 - asm volatile(LOCK_PREFIX "incl %0; sete %1"
9194 + asm volatile(LOCK_PREFIX "incl %0\n"
9195 +
9196 +#ifdef CONFIG_PAX_REFCOUNT
9197 + "jno 0f\n"
9198 + LOCK_PREFIX "decl %0\n"
9199 + "int $4\n0:\n"
9200 + _ASM_EXTABLE(0b, 0b)
9201 +#endif
9202 +
9203 + "sete %1\n"
9204 + : "+m" (v->counter), "=qm" (c)
9205 + : : "memory");
9206 + return c != 0;
9207 +}
9208 +
9209 +/**
9210 + * atomic_inc_and_test_unchecked - increment and test
9211 + * @v: pointer of type atomic_unchecked_t
9212 + *
9213 + * Atomically increments @v by 1
9214 + * and returns true if the result is zero, or false for all
9215 + * other cases.
9216 + */
9217 +static inline int atomic_inc_and_test_unchecked(atomic_unchecked_t *v)
9218 +{
9219 + unsigned char c;
9220 +
9221 + asm volatile(LOCK_PREFIX "incl %0\n"
9222 + "sete %1\n"
9223 : "+m" (v->counter), "=qm" (c)
9224 : : "memory");
9225 return c != 0;
9226 @@ -157,7 +310,16 @@ static inline int atomic_add_negative(in
9227 {
9228 unsigned char c;
9229
9230 - asm volatile(LOCK_PREFIX "addl %2,%0; sets %1"
9231 + asm volatile(LOCK_PREFIX "addl %2,%0\n"
9232 +
9233 +#ifdef CONFIG_PAX_REFCOUNT
9234 + "jno 0f\n"
9235 + LOCK_PREFIX "subl %2,%0\n"
9236 + "int $4\n0:\n"
9237 + _ASM_EXTABLE(0b, 0b)
9238 +#endif
9239 +
9240 + "sets %1\n"
9241 : "+m" (v->counter), "=qm" (c)
9242 : "ir" (i) : "memory");
9243 return c;
9244 @@ -180,6 +342,46 @@ static inline int atomic_add_return(int
9245 #endif
9246 /* Modern 486+ processor */
9247 __i = i;
9248 + asm volatile(LOCK_PREFIX "xaddl %0, %1\n"
9249 +
9250 +#ifdef CONFIG_PAX_REFCOUNT
9251 + "jno 0f\n"
9252 + "movl %0, %1\n"
9253 + "int $4\n0:\n"
9254 + _ASM_EXTABLE(0b, 0b)
9255 +#endif
9256 +
9257 + : "+r" (i), "+m" (v->counter)
9258 + : : "memory");
9259 + return i + __i;
9260 +
9261 +#ifdef CONFIG_M386
9262 +no_xadd: /* Legacy 386 processor */
9263 + local_irq_save(flags);
9264 + __i = atomic_read(v);
9265 + atomic_set(v, i + __i);
9266 + local_irq_restore(flags);
9267 + return i + __i;
9268 +#endif
9269 +}
9270 +
9271 +/**
9272 + * atomic_add_return_unchecked - add integer and return
9273 + * @v: pointer of type atomic_unchecked_t
9274 + * @i: integer value to add
9275 + *
9276 + * Atomically adds @i to @v and returns @i + @v
9277 + */
9278 +static inline int atomic_add_return_unchecked(int i, atomic_unchecked_t *v)
9279 +{
9280 + int __i;
9281 +#ifdef CONFIG_M386
9282 + unsigned long flags;
9283 + if (unlikely(boot_cpu_data.x86 <= 3))
9284 + goto no_xadd;
9285 +#endif
9286 + /* Modern 486+ processor */
9287 + __i = i;
9288 asm volatile(LOCK_PREFIX "xaddl %0, %1"
9289 : "+r" (i), "+m" (v->counter)
9290 : : "memory");
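Review bot: The overflow rollback in the checked atomic_add_return() is a plain `"movl %0, %1\n"`, which writes the pre-add value back without a lock prefix and can therefore discard an update another CPU made to the counter after the `xaddl`. The other checked helpers in this file undo with a locked inverse operation; here that would mean passing the saved addend as an extra input and using something like `LOCK_PREFIX "subl %2, %1\n"` with `"ir" (__i)`. The CONFIG_M386 `no_xadd` path also stores `i + __i` through atomic_set() with no overflow check at all, so the protection is silently absent on that path. The function's opening lines are outside this hunk.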
9291 @@ -208,6 +410,10 @@ static inline int atomic_sub_return(int
9292 }
9293
9294 #define atomic_inc_return(v) (atomic_add_return(1, v))
9295 +static inline int atomic_inc_return_unchecked(atomic_unchecked_t *v)
9296 +{
9297 + return atomic_add_return_unchecked(1, v);
9298 +}
9299 #define atomic_dec_return(v) (atomic_sub_return(1, v))
9300
9301 static inline int atomic_cmpxchg(atomic_t *v, int old, int new)
9302 @@ -215,11 +421,21 @@ static inline int atomic_cmpxchg(atomic_
9303 return cmpxchg(&v->counter, old, new);
9304 }
9305
9306 +static inline int atomic_cmpxchg_unchecked(atomic_unchecked_t *v, int old, int new)
9307 +{
9308 + return cmpxchg(&v->counter, old, new);
9309 +}
9310 +
9311 static inline int atomic_xchg(atomic_t *v, int new)
9312 {
9313 return xchg(&v->counter, new);
9314 }
9315
9316 +static inline int atomic_xchg_unchecked(atomic_unchecked_t *v, int new)
9317 +{
9318 + return xchg(&v->counter, new);
9319 +}
9320 +
9321 /**
9322 * atomic_add_unless - add unless the number is already a given value
9323 * @v: pointer of type atomic_t
9324 @@ -231,21 +447,77 @@ static inline int atomic_xchg(atomic_t *
9325 */
9326 static inline int atomic_add_unless(atomic_t *v, int a, int u)
9327 {
9328 - int c, old;
9329 + int c, old, new;
9330 c = atomic_read(v);
9331 for (;;) {
9332 - if (unlikely(c == (u)))
9333 + if (unlikely(c == u))
9334 break;
9335 - old = atomic_cmpxchg((v), c, c + (a));
9336 +
9337 + asm volatile("addl %2,%0\n"
9338 +
9339 +#ifdef CONFIG_PAX_REFCOUNT
9340 + "jno 0f\n"
9341 + "subl %2,%0\n"
9342 + "int $4\n0:\n"
9343 + _ASM_EXTABLE(0b, 0b)
9344 +#endif
9345 +
9346 + : "=r" (new)
9347 + : "0" (c), "ir" (a));
9348 +
9349 + old = atomic_cmpxchg(v, c, new);
9350 if (likely(old == c))
9351 break;
9352 c = old;
9353 }
9354 - return c != (u);
9355 + return c != u;
9356 }
9357
9358 #define atomic_inc_not_zero(v) atomic_add_unless((v), 1, 0)
9359
9360 +/**
9361 + * atomic_inc_not_zero_hint - increment if not null
9362 + * @v: pointer of type atomic_t
9363 + * @hint: probable value of the atomic before the increment
9364 + *
9365 + * This version of atomic_inc_not_zero() gives a hint of probable
9366 + * value of the atomic. This helps processor to not read the memory
9367 + * before doing the atomic read/modify/write cycle, lowering
9368 + * number of bus transactions on some arches.
9369 + *
9370 + * Returns: 0 if increment was not done, 1 otherwise.
9371 + */
9372 +#define atomic_inc_not_zero_hint atomic_inc_not_zero_hint
9373 +static inline int atomic_inc_not_zero_hint(atomic_t *v, int hint)
9374 +{
9375 + int val, c = hint, new;
9376 +
9377 + /* sanity test, should be removed by compiler if hint is a constant */
9378 + if (!hint)
9379 + return atomic_inc_not_zero(v);
9380 +
9381 + do {
9382 + asm volatile("incl %0\n"
9383 +
9384 +#ifdef CONFIG_PAX_REFCOUNT
9385 + "jno 0f\n"
9386 + "decl %0\n"
9387 + "int $4\n0:\n"
9388 + _ASM_EXTABLE(0b, 0b)
9389 +#endif
9390 +
9391 + : "=r" (new)
9392 + : "0" (c));
9393 +
9394 + val = atomic_cmpxchg(v, c, new);
9395 + if (val == c)
9396 + return 1;
9397 + c = val;
9398 + } while (c);
9399 +
9400 + return 0;
9401 +}
9402 +
9403 /*
9404 * atomic_dec_if_positive - decrement by 1 if old value positive
9405 * @v: pointer of type atomic_t
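Review bot: When the CONFIG_PAX_REFCOUNT branch undoes an overflowing add in atomic_add_unless() or atomic_inc_not_zero_hint(), `new` is left equal to `c`, so the following `atomic_cmpxchg(v, c, new)` succeeds without changing the counter and the function still reports success. That contradicts the kernel-doc added here ("Returns: 0 if increment was not done, 1 otherwise"), unless the int $4 handler never returns to this code, which the hunk does not show. If reporting success is intended so that callers keep a saturated reference, the comment should say so, e.g. `* With CONFIG_PAX_REFCOUNT an overflowing increment is not applied, but 1 is still returned.`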
9406 diff -urNp linux-2.6.39.3/arch/x86/include/asm/bitops.h linux-2.6.39.3/arch/x86/include/asm/bitops.h
9407 --- linux-2.6.39.3/arch/x86/include/asm/bitops.h 2011-05-19 00:06:34.000000000 -0400
9408 +++ linux-2.6.39.3/arch/x86/include/asm/bitops.h 2011-05-22 19:36:30.000000000 -0400
9409 @@ -38,7 +38,7 @@
9410 * a mask operation on a byte.
9411 */
9412 #define IS_IMMEDIATE(nr) (__builtin_constant_p(nr))
9413 -#define CONST_MASK_ADDR(nr, addr) BITOP_ADDR((void *)(addr) + ((nr)>>3))
9414 +#define CONST_MASK_ADDR(nr, addr) BITOP_ADDR((volatile void *)(addr) + ((nr)>>3))
9415 #define CONST_MASK(nr) (1 << ((nr) & 7))
9416
9417 /**
9418 diff -urNp linux-2.6.39.3/arch/x86/include/asm/boot.h linux-2.6.39.3/arch/x86/include/asm/boot.h
9419 --- linux-2.6.39.3/arch/x86/include/asm/boot.h 2011-05-19 00:06:34.000000000 -0400
9420 +++ linux-2.6.39.3/arch/x86/include/asm/boot.h 2011-05-22 19:36:30.000000000 -0400
9421 @@ -11,10 +11,15 @@
9422 #include <asm/pgtable_types.h>
9423
9424 /* Physical address where kernel should be loaded. */
9425 -#define LOAD_PHYSICAL_ADDR ((CONFIG_PHYSICAL_START \
9426 +#define ____LOAD_PHYSICAL_ADDR ((CONFIG_PHYSICAL_START \
9427 + (CONFIG_PHYSICAL_ALIGN - 1)) \
9428 & ~(CONFIG_PHYSICAL_ALIGN - 1))
9429
9430 +#ifndef __ASSEMBLY__
9431 +extern unsigned char __LOAD_PHYSICAL_ADDR[];
9432 +#define LOAD_PHYSICAL_ADDR ((unsigned long)__LOAD_PHYSICAL_ADDR)
9433 +#endif
9434 +
9435 /* Minimum kernel alignment, as a power of two */
9436 #ifdef CONFIG_X86_64
9437 #define MIN_KERNEL_ALIGN_LG2 PMD_SHIFT
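Review bot: `LOAD_PHYSICAL_ADDR` is now defined only under `#ifndef __ASSEMBLY__` and as the address of the symbol `__LOAD_PHYSICAL_ADDR`, so it is no longer an integer constant expression and is not available to assembly sources through this header. Any user in a `#if`, a static initialiser or a `.S` file has to switch to `____LOAD_PHYSICAL_ADDR`; whether all of them were converted is not visible in this hunk. A short comment above the new block, such as `/* C code takes the load address from the linker-provided symbol; use ____LOAD_PHYSICAL_ADDR where a constant is required */`, would prevent the two names from being confused.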
9438 diff -urNp linux-2.6.39.3/arch/x86/include/asm/cacheflush.h linux-2.6.39.3/arch/x86/include/asm/cacheflush.h
9439 --- linux-2.6.39.3/arch/x86/include/asm/cacheflush.h 2011-05-19 00:06:34.000000000 -0400
9440 +++ linux-2.6.39.3/arch/x86/include/asm/cacheflush.h 2011-05-22 19:36:30.000000000 -0400
9441 @@ -26,7 +26,7 @@ static inline unsigned long get_page_mem
9442 unsigned long pg_flags = pg->flags & _PGMT_MASK;
9443
9444 if (pg_flags == _PGMT_DEFAULT)
9445 - return -1;
9446 + return ~0UL;
9447 else if (pg_flags == _PGMT_WC)
9448 return _PAGE_CACHE_WC;
9449 else if (pg_flags == _PGMT_UC_MINUS)
9450 diff -urNp linux-2.6.39.3/arch/x86/include/asm/cache.h linux-2.6.39.3/arch/x86/include/asm/cache.h
9451 --- linux-2.6.39.3/arch/x86/include/asm/cache.h 2011-05-19 00:06:34.000000000 -0400
9452 +++ linux-2.6.39.3/arch/x86/include/asm/cache.h 2011-07-06 20:00:13.000000000 -0400
9453 @@ -5,12 +5,13 @@
9454
9455 /* L1 cache line size */
9456 #define L1_CACHE_SHIFT (CONFIG_X86_L1_CACHE_SHIFT)
9457 -#define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
9458 +#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)
9459
9460 #define __read_mostly __attribute__((__section__(".data..read_mostly")))
9461 +#define __read_only __attribute__((__section__(".data..read_only")))
9462
9463 #define INTERNODE_CACHE_SHIFT CONFIG_X86_INTERNODE_CACHE_SHIFT
9464 -#define INTERNODE_CACHE_BYTES (1 << INTERNODE_CACHE_SHIFT)
9465 +#define INTERNODE_CACHE_BYTES (_AC(1,UL) << INTERNODE_CACHE_SHIFT)
9466
9467 #ifdef CONFIG_X86_VSMP
9468 #ifdef CONFIG_SMP
9469 diff -urNp linux-2.6.39.3/arch/x86/include/asm/checksum_32.h linux-2.6.39.3/arch/x86/include/asm/checksum_32.h
9470 --- linux-2.6.39.3/arch/x86/include/asm/checksum_32.h 2011-05-19 00:06:34.000000000 -0400
9471 +++ linux-2.6.39.3/arch/x86/include/asm/checksum_32.h 2011-05-22 19:36:30.000000000 -0400
9472 @@ -31,6 +31,14 @@ asmlinkage __wsum csum_partial_copy_gene
9473 int len, __wsum sum,
9474 int *src_err_ptr, int *dst_err_ptr);
9475
9476 +asmlinkage __wsum csum_partial_copy_generic_to_user(const void *src, void *dst,
9477 + int len, __wsum sum,
9478 + int *src_err_ptr, int *dst_err_ptr);
9479 +
9480 +asmlinkage __wsum csum_partial_copy_generic_from_user(const void *src, void *dst,
9481 + int len, __wsum sum,
9482 + int *src_err_ptr, int *dst_err_ptr);
9483 +
9484 /*
9485 * Note: when you get a NULL pointer exception here this means someone
9486 * passed in an incorrect kernel address to one of these functions.
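Review bot: The two new prototypes, csum_partial_copy_generic_to_user() and csum_partial_copy_generic_from_user(), declare both pointers as plain kernel pointers, so nothing in the signature records which side is the user buffer, and the callers in the later hunks keep their `(__force void *)` casts. Declaring `const void __user *src` on the from_user variant and `void __user *dst` on the to_user variant would let sparse catch a swapped or unchecked pointer and would make those casts unnecessary. A one-line comment on each prototype naming the user-side argument would help as well.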
9487 @@ -50,7 +58,7 @@ static inline __wsum csum_partial_copy_f
9488 int *err_ptr)
9489 {
9490 might_sleep();
9491 - return csum_partial_copy_generic((__force void *)src, dst,
9492 + return csum_partial_copy_generic_from_user((__force void *)src, dst,
9493 len, sum, err_ptr, NULL);
9494 }
9495
9496 @@ -178,7 +186,7 @@ static inline __wsum csum_and_copy_to_us
9497 {
9498 might_sleep();
9499 if (access_ok(VERIFY_WRITE, dst, len))
9500 - return csum_partial_copy_generic(src, (__force void *)dst,
9501 + return csum_partial_copy_generic_to_user(src, (__force void *)dst,
9502 len, sum, NULL, err_ptr);
9503
9504 if (len)
9505 diff -urNp linux-2.6.39.3/arch/x86/include/asm/cpufeature.h linux-2.6.39.3/arch/x86/include/asm/cpufeature.h
9506 --- linux-2.6.39.3/arch/x86/include/asm/cpufeature.h 2011-06-03 00:04:13.000000000 -0400
9507 +++ linux-2.6.39.3/arch/x86/include/asm/cpufeature.h 2011-06-03 00:32:04.000000000 -0400
9508 @@ -351,7 +351,7 @@ static __always_inline __pure bool __sta
9509 ".section .discard,\"aw\",@progbits\n"
9510 " .byte 0xff + (4f-3f) - (2b-1b)\n" /* size check */
9511 ".previous\n"
9512 - ".section .altinstr_replacement,\"ax\"\n"
9513 + ".section .altinstr_replacement,\"a\"\n"
9514 "3: movb $1,%0\n"
9515 "4:\n"
9516 ".previous\n"
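Review bot: Changing `.altinstr_replacement` from `\"ax\"` to `\"a\"` removes the executable flag for this one use of the section, and the hunk does not explain why that is safe. Presumably the replacement bytes are only copied over the original instruction and never executed in place, which is worth recording in a comment such as `/* replacement code is copied to the patch site, never run from this section */`. Every other `.section .altinstr_replacement` directive must use the same flags, otherwise the assembler or linker will see conflicting section attributes; those directives are outside this hunk. The enclosing function starts and ends outside the hunk.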
9517 diff -urNp linux-2.6.39.3/arch/x86/include/asm/desc_defs.h linux-2.6.39.3/arch/x86/include/asm/desc_defs.h
9518 --- linux-2.6.39.3/arch/x86/include/asm/desc_defs.h 2011-05-19 00:06:34.000000000 -0400
9519 +++ linux-2.6.39.3/arch/x86/include/asm/desc_defs.h 2011-05-22 19:36:30.000000000 -0400
9520 @@ -31,6 +31,12 @@ struct desc_struct {
9521 unsigned base1: 8, type: 4, s: 1, dpl: 2, p: 1;
9522 unsigned limit: 4, avl: 1, l: 1, d: 1, g: 1, base2: 8;
9523 };
9524 + struct {
9525 + u16 offset_low;
9526 + u16 seg;
9527 + unsigned reserved: 8, type: 4, s: 1, dpl: 2, p: 1;
9528 + unsigned offset_high: 16;
9529 + } gate;
9530 };
9531 } __attribute__((packed));
9532
9533 diff -urNp linux-2.6.39.3/arch/x86/include/asm/desc.h linux-2.6.39.3/arch/x86/include/asm/desc.h
9534 --- linux-2.6.39.3/arch/x86/include/asm/desc.h 2011-05-19 00:06:34.000000000 -0400
9535 +++ linux-2.6.39.3/arch/x86/include/asm/desc.h 2011-05-22 19:36:30.000000000 -0400
9536 @@ -4,6 +4,7 @@
9537 #include <asm/desc_defs.h>
9538 #include <asm/ldt.h>
9539 #include <asm/mmu.h>
9540 +#include <asm/pgtable.h>
9541 #include <linux/smp.h>
9542
9543 static inline void fill_ldt(struct desc_struct *desc,
9544 @@ -15,6 +16,7 @@ static inline void fill_ldt(struct desc_
9545 desc->base1 = (info->base_addr & 0x00ff0000) >> 16;
9546 desc->type = (info->read_exec_only ^ 1) << 1;
9547 desc->type |= info->contents << 2;
9548 + desc->type |= info->seg_not_present ^ 1;
9549 desc->s = 1;
9550 desc->dpl = 0x3;
9551 desc->p = info->seg_not_present ^ 1;
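Review bot: The added `desc->type |= info->seg_not_present ^ 1;` sets bit 0 of the type field, the accessed bit, for every present segment, and nothing in the hunk says why. Presumably this keeps the CPU from having to write the accessed bit back into a descriptor table that is mapped read-only; a comment such as `/* pre-set Accessed so that loading the segment never writes to the table */` would record the intent. fill_ldt() starts and ends outside this hunk.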
9552 @@ -31,16 +33,12 @@ static inline void fill_ldt(struct desc_
9553 }
9554
9555 extern struct desc_ptr idt_descr;
9556 -extern gate_desc idt_table[];
9557 -
9558 -struct gdt_page {
9559 - struct desc_struct gdt[GDT_ENTRIES];
9560 -} __attribute__((aligned(PAGE_SIZE)));
9561 -DECLARE_PER_CPU_PAGE_ALIGNED(struct gdt_page, gdt_page);
9562 +extern gate_desc idt_table[256];
9563
9564 +extern struct desc_struct cpu_gdt_table[NR_CPUS][PAGE_SIZE / sizeof(struct desc_struct)];
9565 static inline struct desc_struct *get_cpu_gdt_table(unsigned int cpu)
9566 {
9567 - return per_cpu(gdt_page, cpu).gdt;
9568 + return cpu_gdt_table[cpu];
9569 }
9570
9571 #ifdef CONFIG_X86_64
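Review bot: The new declaration `extern struct desc_struct cpu_gdt_table[NR_CPUS][PAGE_SIZE / sizeof(struct desc_struct)];` no longer carries the `__attribute__((aligned(PAGE_SIZE)))` that the removed `struct gdt_page` had, so page alignment of each per-CPU table now rests entirely on the definition, which is not in this hunk. If the tables are meant to be write-protected one page at a time, that alignment is a security-relevant invariant and deserves a comment or a repeated attribute on the declaration. get_cpu_gdt_table() also turns an out-of-range `cpu` into a plain out-of-bounds array access, and the static array reserves NR_CPUS pages regardless of how many CPUs are present.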
9572 @@ -65,9 +63,14 @@ static inline void pack_gate(gate_desc *
9573 unsigned long base, unsigned dpl, unsigned flags,
9574 unsigned short seg)
9575 {
9576 - gate->a = (seg << 16) | (base & 0xffff);
9577 - gate->b = (base & 0xffff0000) |
9578 - (((0x80 | type | (dpl << 5)) & 0xff) << 8);
9579 + gate->gate.offset_low = base;
9580 + gate->gate.seg = seg;
9581 + gate->gate.reserved = 0;
9582 + gate->gate.type = type;
9583 + gate->gate.s = 0;
9584 + gate->gate.dpl = dpl;
9585 + gate->gate.p = 1;
9586 + gate->gate.offset_high = base >> 16;
9587 }
9588
9589 #endif
9590 @@ -115,13 +118,17 @@ static inline void paravirt_free_ldt(str
9591 static inline void native_write_idt_entry(gate_desc *idt, int entry,
9592 const gate_desc *gate)
9593 {
9594 + pax_open_kernel();
9595 memcpy(&idt[entry], gate, sizeof(*gate));
9596 + pax_close_kernel();
9597 }
9598
9599 static inline void native_write_ldt_entry(struct desc_struct *ldt, int entry,
9600 const void *desc)
9601 {
9602 + pax_open_kernel();
9603 memcpy(&ldt[entry], desc, 8);
9604 + pax_close_kernel();
9605 }
9606
9607 static inline void native_write_gdt_entry(struct desc_struct *gdt, int entry,
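Review bot: native_write_idt_entry() and native_write_ldt_entry() now do their memcpy() between pax_open_kernel() and pax_close_kernel(), while `entry` is still used as an unchecked index during that window. For the IDT case, idt_table is declared with 256 entries earlier in this file section, so a guard like `BUG_ON((unsigned)entry > 0xFF);` placed before pax_open_kernel(), matching what set_intr_gate() already does, would stop an out-of-range index before protection is lifted. The same open/close pairing is added in the native_write_gdt_entry and native_load_tls hunks below. Whether pax_open_kernel() disables preemption or tolerates nesting is not visible here and should be stated where it is defined.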
9608 @@ -139,7 +146,10 @@ static inline void native_write_gdt_entr
9609 size = sizeof(struct desc_struct);
9610 break;
9611 }
9612 +
9613 + pax_open_kernel();
9614 memcpy(&gdt[entry], desc, size);
9615 + pax_close_kernel();
9616 }
9617
9618 static inline void pack_descriptor(struct desc_struct *desc, unsigned long base,
9619 @@ -211,7 +221,9 @@ static inline void native_set_ldt(const
9620
9621 static inline void native_load_tr_desc(void)
9622 {
9623 + pax_open_kernel();
9624 asm volatile("ltr %w0"::"q" (GDT_ENTRY_TSS*8));
9625 + pax_close_kernel();
9626 }
9627
9628 static inline void native_load_gdt(const struct desc_ptr *dtr)
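Review bot: Wrapping `ltr` in pax_open_kernel()/pax_close_kernel() is left unexplained, and the reason is not obvious because the instruction has no explicit memory operand. `ltr` marks the selected TSS descriptor as busy, which is a write to the GDT entry, so it would fault on a read-only GDT. A comment such as `/* ltr sets the busy bit in the GDT's TSS descriptor */` would make the pairing self-explanatory.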
9629 @@ -246,8 +258,10 @@ static inline void native_load_tls(struc
9630 unsigned int i;
9631 struct desc_struct *gdt = get_cpu_gdt_table(cpu);
9632
9633 + pax_open_kernel();
9634 for (i = 0; i < GDT_ENTRY_TLS_ENTRIES; i++)
9635 gdt[GDT_ENTRY_TLS_MIN + i] = t->tls_array[i];
9636 + pax_close_kernel();
9637 }
9638
9639 #define _LDT_empty(info) \
9640 @@ -309,7 +323,7 @@ static inline void set_desc_limit(struct
9641 desc->limit = (limit >> 16) & 0xf;
9642 }
9643
9644 -static inline void _set_gate(int gate, unsigned type, void *addr,
9645 +static inline void _set_gate(int gate, unsigned type, const void *addr,
9646 unsigned dpl, unsigned ist, unsigned seg)
9647 {
9648 gate_desc s;
9649 @@ -327,7 +341,7 @@ static inline void _set_gate(int gate, u
9650 * Pentium F0 0F bugfix can have resulted in the mapped
9651 * IDT being write-protected.
9652 */
9653 -static inline void set_intr_gate(unsigned int n, void *addr)
9654 +static inline void set_intr_gate(unsigned int n, const void *addr)
9655 {
9656 BUG_ON((unsigned)n > 0xFF);
9657 _set_gate(n, GATE_INTERRUPT, addr, 0, 0, __KERNEL_CS);
9658 @@ -356,19 +370,19 @@ static inline void alloc_intr_gate(unsig
9659 /*
9660 * This routine sets up an interrupt gate at directory privilege level 3.
9661 */
9662 -static inline void set_system_intr_gate(unsigned int n, void *addr)
9663 +static inline void set_system_intr_gate(unsigned int n, const void *addr)
9664 {
9665 BUG_ON((unsigned)n > 0xFF);
9666 _set_gate(n, GATE_INTERRUPT, addr, 0x3, 0, __KERNEL_CS);
9667 }
9668
9669 -static inline void set_system_trap_gate(unsigned int n, void *addr)
9670 +static inline void set_system_trap_gate(unsigned int n, const void *addr)
9671 {
9672 BUG_ON((unsigned)n > 0xFF);
9673 _set_gate(n, GATE_TRAP, addr, 0x3, 0, __KERNEL_CS);
9674 }
9675
9676 -static inline void set_trap_gate(unsigned int n, void *addr)
9677 +static inline void set_trap_gate(unsigned int n, const void *addr)
9678 {
9679 BUG_ON((unsigned)n > 0xFF);
9680 _set_gate(n, GATE_TRAP, addr, 0, 0, __KERNEL_CS);
9681 @@ -377,19 +391,31 @@ static inline void set_trap_gate(unsigne
9682 static inline void set_task_gate(unsigned int n, unsigned int gdt_entry)
9683 {
9684 BUG_ON((unsigned)n > 0xFF);
9685 - _set_gate(n, GATE_TASK, (void *)0, 0, 0, (gdt_entry<<3));
9686 + _set_gate(n, GATE_TASK, (const void *)0, 0, 0, (gdt_entry<<3));
9687 }
9688
9689 -static inline void set_intr_gate_ist(int n, void *addr, unsigned ist)
9690 +static inline void set_intr_gate_ist(int n, const void *addr, unsigned ist)
9691 {
9692 BUG_ON((unsigned)n > 0xFF);
9693 _set_gate(n, GATE_INTERRUPT, addr, 0, ist, __KERNEL_CS);
9694 }
9695
9696 -static inline void set_system_intr_gate_ist(int n, void *addr, unsigned ist)
9697 +static inline void set_system_intr_gate_ist(int n, const void *addr, unsigned ist)
9698 {
9699 BUG_ON((unsigned)n > 0xFF);
9700 _set_gate(n, GATE_INTERRUPT, addr, 0x3, ist, __KERNEL_CS);
9701 }
9702
9703 +#ifdef CONFIG_X86_32
9704 +static inline void set_user_cs(unsigned long base, unsigned long limit, int cpu)
9705 +{
9706 + struct desc_struct d;
9707 +
9708 + if (likely(limit))
9709 + limit = (limit - 1UL) >> PAGE_SHIFT;
9710 + pack_descriptor(&d, base, limit, 0xFB, 0xC);
9711 + write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_DEFAULT_USER_CS, &d, DESCTYPE_S);
9712 +}
9713 +#endif
9714 +
9715 #endif /* _ASM_X86_DESC_H */
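Review bot: set_user_cs() passes the bare constants `0xFB` and `0xC` to pack_descriptor(), and a `limit` of 0 is left at 0, which with the granularity bit in `0xC` still describes a one-page code segment rather than an empty one. A comment such as `/* 0xFB: present, DPL 3, code, readable, accessed; 0xC: 4 KiB granularity, 32-bit */` would document the encoding. The zero-limit case needs a line saying whether it is reachable and what it is meant to produce. `cpu` is handed to get_cpu_gdt_table() without a range check.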
9716 diff -urNp linux-2.6.39.3/arch/x86/include/asm/device.h linux-2.6.39.3/arch/x86/include/asm/device.h
9717 --- linux-2.6.39.3/arch/x86/include/asm/device.h 2011-05-19 00:06:34.000000000 -0400
9718 +++ linux-2.6.39.3/arch/x86/include/asm/device.h 2011-05-22 19:36:30.000000000 -0400
9719 @@ -6,7 +6,7 @@ struct dev_archdata {
9720 void *acpi_handle;
9721 #endif
9722 #ifdef CONFIG_X86_64
9723 -struct dma_map_ops *dma_ops;
9724 + const struct dma_map_ops *dma_ops;
9725 #endif
9726 #if defined(CONFIG_DMAR) || defined(CONFIG_AMD_IOMMU)
9727 void *iommu; /* hook for IOMMU specific extension */
9728 diff -urNp linux-2.6.39.3/arch/x86/include/asm/dma-mapping.h linux-2.6.39.3/arch/x86/include/asm/dma-mapping.h
9729 --- linux-2.6.39.3/arch/x86/include/asm/dma-mapping.h 2011-05-19 00:06:34.000000000 -0400
9730 +++ linux-2.6.39.3/arch/x86/include/asm/dma-mapping.h 2011-05-22 19:36:30.000000000 -0400
9731 @@ -26,9 +26,9 @@ extern int iommu_merge;
9732 extern struct device x86_dma_fallback_dev;
9733 extern int panic_on_overflow;
9734
9735 -extern struct dma_map_ops *dma_ops;
9736 +extern const struct dma_map_ops *dma_ops;
9737
9738 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
9739 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
9740 {
9741 #ifdef CONFIG_X86_32
9742 return dma_ops;
9743 @@ -45,7 +45,7 @@ static inline struct dma_map_ops *get_dm
9744 /* Make sure we keep the same behaviour */
9745 static inline int dma_mapping_error(struct device *dev, dma_addr_t dma_addr)
9746 {
9747 - struct dma_map_ops *ops = get_dma_ops(dev);
9748 + const struct dma_map_ops *ops = get_dma_ops(dev);
9749 if (ops->mapping_error)
9750 return ops->mapping_error(dev, dma_addr);
9751
9752 @@ -115,7 +115,7 @@ static inline void *
9753 dma_alloc_coherent(struct device *dev, size_t size, dma_addr_t *dma_handle,
9754 gfp_t gfp)
9755 {
9756 - struct dma_map_ops *ops = get_dma_ops(dev);
9757 + const struct dma_map_ops *ops = get_dma_ops(dev);
9758 void *memory;
9759
9760 gfp &= ~(__GFP_DMA | __GFP_HIGHMEM | __GFP_DMA32);
9761 @@ -142,7 +142,7 @@ dma_alloc_coherent(struct device *dev, s
9762 static inline void dma_free_coherent(struct device *dev, size_t size,
9763 void *vaddr, dma_addr_t bus)
9764 {
9765 - struct dma_map_ops *ops = get_dma_ops(dev);
9766 + const struct dma_map_ops *ops = get_dma_ops(dev);
9767
9768 WARN_ON(irqs_disabled()); /* for portability */
9769
9770 diff -urNp linux-2.6.39.3/arch/x86/include/asm/e820.h linux-2.6.39.3/arch/x86/include/asm/e820.h
9771 --- linux-2.6.39.3/arch/x86/include/asm/e820.h 2011-05-19 00:06:34.000000000 -0400
9772 +++ linux-2.6.39.3/arch/x86/include/asm/e820.h 2011-05-22 19:36:30.000000000 -0400
9773 @@ -69,7 +69,7 @@ struct e820map {
9774 #define ISA_START_ADDRESS 0xa0000
9775 #define ISA_END_ADDRESS 0x100000
9776
9777 -#define BIOS_BEGIN 0x000a0000
9778 +#define BIOS_BEGIN 0x000c0000
9779 #define BIOS_END 0x00100000
9780
9781 #define BIOS_ROM_BASE 0xffe00000
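Review bot: Moving `BIOS_BEGIN` from 0x000a0000 to 0x000c0000 takes the 0xa0000–0xbffff range out of whatever the BIOS_BEGIN..BIOS_END pair is used to mark, while `ISA_START_ADDRESS` just above stays at 0xa0000, and the hunk gives no reason. A comment such as `/* the legacy video range 0xa0000-0xbffff is not treated as BIOS area */` would record the intent. The users of BIOS_BEGIN are outside this hunk, so each of them should be checked for a change in which physical range it reserves or permits.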
9782 diff -urNp linux-2.6.39.3/arch/x86/include/asm/elf.h linux-2.6.39.3/arch/x86/include/asm/elf.h
9783 --- linux-2.6.39.3/arch/x86/include/asm/elf.h 2011-05-19 00:06:34.000000000 -0400
9784 +++ linux-2.6.39.3/arch/x86/include/asm/elf.h 2011-05-22 19:36:30.000000000 -0400
9785 @@ -237,7 +237,25 @@ extern int force_personality32;
9786 the loader. We need to make sure that it is out of the way of the program
9787 that it will "exec", and that there is sufficient room for the brk. */
9788
9789 +#ifdef CONFIG_PAX_SEGMEXEC
9790 +#define ELF_ET_DYN_BASE ((current->mm->pax_flags & MF_PAX_SEGMEXEC) ? SEGMEXEC_TASK_SIZE/3*2 : TASK_SIZE/3*2)
9791 +#else
9792 #define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
9793 +#endif
9794 +
9795 +#ifdef CONFIG_PAX_ASLR
9796 +#ifdef CONFIG_X86_32
9797 +#define PAX_ELF_ET_DYN_BASE 0x10000000UL
9798 +
9799 +#define PAX_DELTA_MMAP_LEN (current->mm->pax_flags & MF_PAX_SEGMEXEC ? 15 : 16)
9800 +#define PAX_DELTA_STACK_LEN (current->mm->pax_flags & MF_PAX_SEGMEXEC ? 15 : 16)
9801 +#else
9802 +#define PAX_ELF_ET_DYN_BASE 0x400000UL
9803 +
9804 +#define PAX_DELTA_MMAP_LEN ((test_thread_flag(TIF_IA32)) ? 16 : TASK_SIZE_MAX_SHIFT - PAGE_SHIFT - 3)
9805 +#define PAX_DELTA_STACK_LEN ((test_thread_flag(TIF_IA32)) ? 16 : TASK_SIZE_MAX_SHIFT - PAGE_SHIFT - 3)
9806 +#endif
9807 +#endif
9808
9809 /* This yields a mask that user programs can use to figure out what
9810 instruction set this CPU supports. This could be done in user space,
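Review bot: The new `ELF_ET_DYN_BASE`, `PAX_DELTA_MMAP_LEN` and `PAX_DELTA_STACK_LEN` definitions read `current->mm->pax_flags` or a thread flag at every use, so they are no longer constants and are only valid where the current task has an mm; nothing in the hunk says so. The `*_LEN` values are also undocumented. They look like a count of randomised bits, but the unit and the reason for 15 versus 16 under SEGMEXEC should be stated in a comment above the block.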
9811 @@ -291,8 +309,7 @@ do { \
9812 #define ARCH_DLINFO \
9813 do { \
9814 if (vdso_enabled) \
9815 - NEW_AUX_ENT(AT_SYSINFO_EHDR, \
9816 - (unsigned long)current->mm->context.vdso); \
9817 + NEW_AUX_ENT(AT_SYSINFO_EHDR, current->mm->context.vdso);\
9818 } while (0)
9819
9820 #define AT_SYSINFO 32
9821 @@ -303,7 +320,7 @@ do { \
9822
9823 #endif /* !CONFIG_X86_32 */
9824
9825 -#define VDSO_CURRENT_BASE ((unsigned long)current->mm->context.vdso)
9826 +#define VDSO_CURRENT_BASE (current->mm->context.vdso)
9827
9828 #define VDSO_ENTRY \
9829 ((unsigned long)VDSO32_SYMBOL(VDSO_CURRENT_BASE, vsyscall))
9830 @@ -317,7 +334,4 @@ extern int arch_setup_additional_pages(s
9831 extern int syscall32_setup_pages(struct linux_binprm *, int exstack);
9832 #define compat_arch_setup_additional_pages syscall32_setup_pages
9833
9834 -extern unsigned long arch_randomize_brk(struct mm_struct *mm);
9835 -#define arch_randomize_brk arch_randomize_brk
9836 -
9837 #endif /* _ASM_X86_ELF_H */
9838 diff -urNp linux-2.6.39.3/arch/x86/include/asm/emergency-restart.h linux-2.6.39.3/arch/x86/include/asm/emergency-restart.h
9839 --- linux-2.6.39.3/arch/x86/include/asm/emergency-restart.h 2011-05-19 00:06:34.000000000 -0400
9840 +++ linux-2.6.39.3/arch/x86/include/asm/emergency-restart.h 2011-05-22 19:36:30.000000000 -0400
9841 @@ -15,6 +15,6 @@ enum reboot_type {
9842
9843 extern enum reboot_type reboot_type;
9844
9845 -extern void machine_emergency_restart(void);
9846 +extern void machine_emergency_restart(void) __noreturn;
9847
9848 #endif /* _ASM_X86_EMERGENCY_RESTART_H */
9849 diff -urNp linux-2.6.39.3/arch/x86/include/asm/futex.h linux-2.6.39.3/arch/x86/include/asm/futex.h
9850 --- linux-2.6.39.3/arch/x86/include/asm/futex.h 2011-05-19 00:06:34.000000000 -0400
9851 +++ linux-2.6.39.3/arch/x86/include/asm/futex.h 2011-05-22 19:36:30.000000000 -0400
9852 @@ -12,16 +12,18 @@
9853 #include <asm/system.h>
9854
9855 #define __futex_atomic_op1(insn, ret, oldval, uaddr, oparg) \
9856 + typecheck(u32 *, uaddr); \
9857 asm volatile("1:\t" insn "\n" \
9858 "2:\t.section .fixup,\"ax\"\n" \
9859 "3:\tmov\t%3, %1\n" \
9860 "\tjmp\t2b\n" \
9861 "\t.previous\n" \
9862 _ASM_EXTABLE(1b, 3b) \
9863 - : "=r" (oldval), "=r" (ret), "+m" (*uaddr) \
9864 + : "=r" (oldval), "=r" (ret), "+m" (*(u32 *)____m(uaddr))\
9865 : "i" (-EFAULT), "0" (oparg), "1" (0))
9866
9867 #define __futex_atomic_op2(insn, ret, oldval, uaddr, oparg) \
9868 + typecheck(u32 *, uaddr); \
9869 asm volatile("1:\tmovl %2, %0\n" \
9870 "\tmovl\t%0, %3\n" \
9871 "\t" insn "\n" \
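Review bot: `__futex_atomic_op1` and `__futex_atomic_op2` now expand to two statements, `typecheck(u32 *, uaddr);` followed by the `asm volatile`, so using either macro as the body of an unbraced `if` or `else` would make only the typecheck conditional. The visible uses sit in `case` arms, where this is harmless, but wrapping each body in `do { ... } while (0)` would make the macros safe in any statement position. The definition of `__futex_atomic_op2` continues into the next hunk.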
9872 @@ -34,7 +36,7 @@
9873 _ASM_EXTABLE(1b, 4b) \
9874 _ASM_EXTABLE(2b, 4b) \
9875 : "=&a" (oldval), "=&r" (ret), \
9876 - "+m" (*uaddr), "=&r" (tem) \
9877 + "+m" (*(u32 *)____m(uaddr)), "=&r" (tem) \
9878 : "r" (oparg), "i" (-EFAULT), "1" (0))
9879
9880 static inline int futex_atomic_op_inuser(int encoded_op, u32 __user *uaddr)
9881 @@ -61,10 +63,10 @@ static inline int futex_atomic_op_inuser
9882
9883 switch (op) {
9884 case FUTEX_OP_SET:
9885 - __futex_atomic_op1("xchgl %0, %2", ret, oldval, uaddr, oparg);
9886 + __futex_atomic_op1(__copyuser_seg"xchgl %0, %2", ret, oldval, uaddr, oparg);
9887 break;
9888 case FUTEX_OP_ADD:
9889 - __futex_atomic_op1(LOCK_PREFIX "xaddl %0, %2", ret, oldval,
9890 + __futex_atomic_op1(LOCK_PREFIX __copyuser_seg"xaddl %0, %2", ret, oldval,
9891 uaddr, oparg);
9892 break;
9893 case FUTEX_OP_OR:
9894 @@ -123,13 +125,13 @@ static inline int futex_atomic_cmpxchg_i
9895 if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32)))
9896 return -EFAULT;
9897
9898 - asm volatile("1:\t" LOCK_PREFIX "cmpxchgl %4, %2\n"
9899 + asm volatile("1:\t" LOCK_PREFIX __copyuser_seg"cmpxchgl %4, %2\n"
9900 "2:\t.section .fixup, \"ax\"\n"
9901 "3:\tmov %3, %0\n"
9902 "\tjmp 2b\n"
9903 "\t.previous\n"
9904 _ASM_EXTABLE(1b, 3b)
9905 - : "+r" (ret), "=a" (oldval), "+m" (*uaddr)
9906 + : "+r" (ret), "=a" (oldval), "+m" (*(u32 *)____m(uaddr))
9907 : "i" (-EFAULT), "r" (newval), "1" (oldval)
9908 : "memory"
9909 );
9910 diff -urNp linux-2.6.39.3/arch/x86/include/asm/hw_irq.h linux-2.6.39.3/arch/x86/include/asm/hw_irq.h
9911 --- linux-2.6.39.3/arch/x86/include/asm/hw_irq.h 2011-05-19 00:06:34.000000000 -0400
9912 +++ linux-2.6.39.3/arch/x86/include/asm/hw_irq.h 2011-05-22 19:36:30.000000000 -0400
9913 @@ -137,8 +137,8 @@ extern void setup_ioapic_dest(void);
9914 extern void enable_IO_APIC(void);
9915
9916 /* Statistics */
9917 -extern atomic_t irq_err_count;
9918 -extern atomic_t irq_mis_count;
9919 +extern atomic_unchecked_t irq_err_count;
9920 +extern atomic_unchecked_t irq_mis_count;
9921
9922 /* EISA */
9923 extern void eisa_set_level_irq(unsigned int irq);
9924 diff -urNp linux-2.6.39.3/arch/x86/include/asm/i387.h linux-2.6.39.3/arch/x86/include/asm/i387.h
9925 --- linux-2.6.39.3/arch/x86/include/asm/i387.h 2011-05-19 00:06:34.000000000 -0400
9926 +++ linux-2.6.39.3/arch/x86/include/asm/i387.h 2011-05-22 19:36:30.000000000 -0400
9927 @@ -92,6 +92,11 @@ static inline int fxrstor_checking(struc
9928 {
9929 int err;
9930
9931 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
9932 + if ((unsigned long)fx < PAX_USER_SHADOW_BASE)
9933 + fx = (struct i387_fxsave_struct *)((void *)fx + PAX_USER_SHADOW_BASE);
9934 +#endif
9935 +
9936 /* See comment in fxsave() below. */
9937 #ifdef CONFIG_AS_FXSAVEQ
9938 asm volatile("1: fxrstorq %[fx]\n\t"
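Review bot: The UDEREF rebasing `if ((unsigned long)fx < PAX_USER_SHADOW_BASE) fx = ... + PAX_USER_SHADOW_BASE;` is open-coded here in fxrstor_checking() and again in the fxsave_user() hunk below, with no comment on what it guarantees. A pointer at or above PAX_USER_SHADOW_BASE passes through unchanged, so the code depends on the caller having already validated `fx` as a user address; that dependency should be written down. A small shared helper for the rebasing would keep the two copies from drifting apart. Both functions start and end outside their hunks.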
9939 @@ -121,6 +126,11 @@ static inline int fxsave_user(struct i38
9940 {
9941 int err;
9942
9943 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
9944 + if ((unsigned long)fx < PAX_USER_SHADOW_BASE)
9945 + fx = (struct i387_fxsave_struct __user *)((void __user *)fx + PAX_USER_SHADOW_BASE);
9946 +#endif
9947 +
9948 /*
9949 * Clear the bytes not touched by the fxsave and reserved
9950 * for the SW usage.
9951 @@ -213,13 +223,8 @@ static inline void fpu_fxsave(struct fpu
9952 #endif /* CONFIG_X86_64 */
9953
9954 /* We need a safe address that is cheap to find and that is already
9955 - in L1 during context switch. The best choices are unfortunately
9956 - different for UP and SMP */
9957 -#ifdef CONFIG_SMP
9958 -#define safe_address (__per_cpu_offset[0])
9959 -#else
9960 -#define safe_address (kstat_cpu(0).cpustat.user)
9961 -#endif
9962 + in L1 during context switch. */
9963 +#define safe_address (init_tss[smp_processor_id()].x86_tss.sp0)
9964
9965 /*
9966 * These must be called with preempt disabled
9967 @@ -312,7 +317,7 @@ static inline void kernel_fpu_begin(void
9968 struct thread_info *me = current_thread_info();
9969 preempt_disable();
9970 if (me->status & TS_USEDFPU)
9971 - __save_init_fpu(me->task);
9972 + __save_init_fpu(current);
9973 else
9974 clts();
9975 }
9976 diff -urNp linux-2.6.39.3/arch/x86/include/asm/io.h linux-2.6.39.3/arch/x86/include/asm/io.h
9977 --- linux-2.6.39.3/arch/x86/include/asm/io.h 2011-05-19 00:06:34.000000000 -0400
9978 +++ linux-2.6.39.3/arch/x86/include/asm/io.h 2011-05-22 19:36:30.000000000 -0400
9979 @@ -216,6 +216,17 @@ extern void set_iounmap_nonlazy(void);
9980
9981 #include <linux/vmalloc.h>
9982
9983 +#define ARCH_HAS_VALID_PHYS_ADDR_RANGE
9984 +static inline int valid_phys_addr_range(unsigned long addr, size_t count)
9985 +{
9986 + return ((addr + count + PAGE_SIZE - 1) >> PAGE_SHIFT) < (1ULL << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)) ? 1 : 0;
9987 +}
9988 +
9989 +static inline int valid_mmap_phys_addr_range(unsigned long pfn, size_t count)
9990 +{
9991 + return (pfn + (count >> PAGE_SHIFT)) < (1ULL << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)) ? 1 : 0;
9992 +}
9993 +
9994 /*
9995 * Convert a virtual cached pointer to an uncached pointer
9996 */
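Review bot: Both range checks added here do their arithmetic in `unsigned long` before comparing, so `addr + count + PAGE_SIZE - 1` in valid_phys_addr_range() and `pfn + (count >> PAGE_SHIFT)` in valid_mmap_phys_addr_range() can wrap and yield a small value that passes the `<` test. If `addr` and `count` come from a caller-controlled offset and length (the callers are outside this hunk), an explicit wrap check should come first, e.g. `unsigned long end = addr + count;` followed by `if (end < addr || end + PAGE_SIZE - 1 < end) return 0;`, with the equivalent `pfn + pages < pfn` test in the second helper. The shift count `boot_cpu_data.x86_phys_bits - PAGE_SHIFT` also assumes x86_phys_bits has been initialised to at least PAGE_SHIFT, which is worth stating in a comment.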
9997 diff -urNp linux-2.6.39.3/arch/x86/include/asm/iommu.h linux-2.6.39.3/arch/x86/include/asm/iommu.h
9998 --- linux-2.6.39.3/arch/x86/include/asm/iommu.h 2011-05-19 00:06:34.000000000 -0400
9999 +++ linux-2.6.39.3/arch/x86/include/asm/iommu.h 2011-05-22 19:36:30.000000000 -0400
10000 @@ -1,7 +1,7 @@
10001 #ifndef _ASM_X86_IOMMU_H
10002 #define _ASM_X86_IOMMU_H
10003
10004 -extern struct dma_map_ops nommu_dma_ops;
10005 +extern const struct dma_map_ops nommu_dma_ops;
10006 extern int force_iommu, no_iommu;
10007 extern int iommu_detected;
10008 extern int iommu_pass_through;
10009 diff -urNp linux-2.6.39.3/arch/x86/include/asm/irqflags.h linux-2.6.39.3/arch/x86/include/asm/irqflags.h
10010 --- linux-2.6.39.3/arch/x86/include/asm/irqflags.h 2011-05-19 00:06:34.000000000 -0400
10011 +++ linux-2.6.39.3/arch/x86/include/asm/irqflags.h 2011-05-22 19:36:30.000000000 -0400
10012 @@ -140,6 +140,11 @@ static inline unsigned long arch_local_i
10013 sti; \
10014 sysexit
10015
10016 +#define GET_CR0_INTO_RDI mov %cr0, %rdi
10017 +#define SET_RDI_INTO_CR0 mov %rdi, %cr0
10018 +#define GET_CR3_INTO_RDI mov %cr3, %rdi
10019 +#define SET_RDI_INTO_CR3 mov %rdi, %cr3
10020 +
10021 #else
10022 #define INTERRUPT_RETURN iret
10023 #define ENABLE_INTERRUPTS_SYSEXIT sti; sysexit
10024 diff -urNp linux-2.6.39.3/arch/x86/include/asm/kprobes.h linux-2.6.39.3/arch/x86/include/asm/kprobes.h
10025 --- linux-2.6.39.3/arch/x86/include/asm/kprobes.h 2011-05-19 00:06:34.000000000 -0400
10026 +++ linux-2.6.39.3/arch/x86/include/asm/kprobes.h 2011-05-22 19:36:30.000000000 -0400
10027 @@ -37,13 +37,8 @@ typedef u8 kprobe_opcode_t;
10028 #define RELATIVEJUMP_SIZE 5
10029 #define RELATIVECALL_OPCODE 0xe8
10030 #define RELATIVE_ADDR_SIZE 4
10031 -#define MAX_STACK_SIZE 64
10032 -#define MIN_STACK_SIZE(ADDR) \
10033 - (((MAX_STACK_SIZE) < (((unsigned long)current_thread_info()) + \
10034 - THREAD_SIZE - (unsigned long)(ADDR))) \
10035 - ? (MAX_STACK_SIZE) \
10036 - : (((unsigned long)current_thread_info()) + \
10037 - THREAD_SIZE - (unsigned long)(ADDR)))
10038 +#define MAX_STACK_SIZE 64UL
10039 +#define MIN_STACK_SIZE(ADDR) min(MAX_STACK_SIZE, current->thread.sp0 - (unsigned long)(ADDR))
10040
10041 #define flush_insn_slot(p) do { } while (0)
10042
10043 diff -urNp linux-2.6.39.3/arch/x86/include/asm/kvm_host.h linux-2.6.39.3/arch/x86/include/asm/kvm_host.h
10044 --- linux-2.6.39.3/arch/x86/include/asm/kvm_host.h 2011-05-19 00:06:34.000000000 -0400
10045 +++ linux-2.6.39.3/arch/x86/include/asm/kvm_host.h 2011-05-22 19:36:30.000000000 -0400
10046 @@ -419,7 +419,7 @@ struct kvm_arch {
10047 unsigned int n_used_mmu_pages;
10048 unsigned int n_requested_mmu_pages;
10049 unsigned int n_max_mmu_pages;
10050 - atomic_t invlpg_counter;
10051 + atomic_unchecked_t invlpg_counter;
10052 struct hlist_head mmu_page_hash[KVM_NUM_MMU_PAGES];
10053 /*
10054 * Hash table of struct kvm_mmu_page.
10055 @@ -599,7 +599,7 @@ struct kvm_arch_async_pf {
10056 bool direct_map;
10057 };
10058
10059 -extern struct kvm_x86_ops *kvm_x86_ops;
10060 +extern const struct kvm_x86_ops *kvm_x86_ops;
10061
10062 int kvm_mmu_module_init(void);
10063 void kvm_mmu_module_exit(void);
10064 diff -urNp linux-2.6.39.3/arch/x86/include/asm/local.h linux-2.6.39.3/arch/x86/include/asm/local.h
10065 --- linux-2.6.39.3/arch/x86/include/asm/local.h 2011-05-19 00:06:34.000000000 -0400
10066 +++ linux-2.6.39.3/arch/x86/include/asm/local.h 2011-05-22 19:36:30.000000000 -0400
10067 @@ -18,26 +18,58 @@ typedef struct {
10068
10069 static inline void local_inc(local_t *l)
10070 {
10071 - asm volatile(_ASM_INC "%0"
10072 + asm volatile(_ASM_INC "%0\n"
10073 +
10074 +#ifdef CONFIG_PAX_REFCOUNT
10075 + "jno 0f\n"
10076 + _ASM_DEC "%0\n"
10077 + "int $4\n0:\n"
10078 + _ASM_EXTABLE(0b, 0b)
10079 +#endif
10080 +
10081 : "+m" (l->a.counter));
10082 }
10083
10084 static inline void local_dec(local_t *l)
10085 {
10086 - asm volatile(_ASM_DEC "%0"
10087 + asm volatile(_ASM_DEC "%0\n"
10088 +
10089 +#ifdef CONFIG_PAX_REFCOUNT
10090 + "jno 0f\n"
10091 + _ASM_INC "%0\n"
10092 + "int $4\n0:\n"
10093 + _ASM_EXTABLE(0b, 0b)
10094 +#endif
10095 +
10096 : "+m" (l->a.counter));
10097 }
10098
10099 static inline void local_add(long i, local_t *l)
10100 {
10101 - asm volatile(_ASM_ADD "%1,%0"
10102 + asm volatile(_ASM_ADD "%1,%0\n"
10103 +
10104 +#ifdef CONFIG_PAX_REFCOUNT
10105 + "jno 0f\n"
10106 + _ASM_SUB "%1,%0\n"
10107 + "int $4\n0:\n"
10108 + _ASM_EXTABLE(0b, 0b)
10109 +#endif
10110 +
10111 : "+m" (l->a.counter)
10112 : "ir" (i));
10113 }
10114
10115 static inline void local_sub(long i, local_t *l)
10116 {
10117 - asm volatile(_ASM_SUB "%1,%0"
10118 + asm volatile(_ASM_SUB "%1,%0\n"
10119 +
10120 +#ifdef CONFIG_PAX_REFCOUNT
10121 + "jno 0f\n"
10122 + _ASM_ADD "%1,%0\n"
10123 + "int $4\n0:\n"
10124 + _ASM_EXTABLE(0b, 0b)
10125 +#endif
10126 +
10127 : "+m" (l->a.counter)
10128 : "ir" (i));
10129 }
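Review bot: The overflow sequence added to local_inc(), local_dec(), local_add() and local_sub() is not commented and is written out by hand each time; the same five lines recur in every later hunk of this file. A short comment above the first `#ifdef CONFIG_PAX_REFCOUNT` would help, e.g. `/* on signed overflow: undo the operation, then raise #OF via int $4 */`, together with a note on what `_ASM_EXTABLE(0b, 0b)` is for, which is not evident from the hunk. Folding the `jno`/undo/`int $4`/extable lines into one macro that takes the undo instruction as its argument would leave a single place to audit that every undo is the exact inverse of its operation.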
10130 @@ -55,7 +87,16 @@ static inline int local_sub_and_test(lon
10131 {
10132 unsigned char c;
10133
10134 - asm volatile(_ASM_SUB "%2,%0; sete %1"
10135 + asm volatile(_ASM_SUB "%2,%0\n"
10136 +
10137 +#ifdef CONFIG_PAX_REFCOUNT
10138 + "jno 0f\n"
10139 + _ASM_ADD "%2,%0\n"
10140 + "int $4\n0:\n"
10141 + _ASM_EXTABLE(0b, 0b)
10142 +#endif
10143 +
10144 + "sete %1\n"
10145 : "+m" (l->a.counter), "=qm" (c)
10146 : "ir" (i) : "memory");
10147 return c;
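Review bot: In local_sub_and_test() the `sete %1` now follows the overflow block, so on the overflow path it samples the flags left by the undoing `_ASM_ADD`, not by the subtraction. If the `int $4` handler resumes at label `0:` (the handler is outside this patch section), the function then reports whether the restored counter is zero. The same ordering appears in local_dec_and_test(), local_inc_and_test() and, with `sets`, local_add_negative() in the following hunks. A comment stating which result callers get after a trapped overflow would settle it, e.g. `/* after an overflow trap the result reflects the restored value */`, if that is the intended contract.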
10148 @@ -73,7 +114,16 @@ static inline int local_dec_and_test(loc
10149 {
10150 unsigned char c;
10151
10152 - asm volatile(_ASM_DEC "%0; sete %1"
10153 + asm volatile(_ASM_DEC "%0\n"
10154 +
10155 +#ifdef CONFIG_PAX_REFCOUNT
10156 + "jno 0f\n"
10157 + _ASM_INC "%0\n"
10158 + "int $4\n0:\n"
10159 + _ASM_EXTABLE(0b, 0b)
10160 +#endif
10161 +
10162 + "sete %1\n"
10163 : "+m" (l->a.counter), "=qm" (c)
10164 : : "memory");
10165 return c != 0;
10166 @@ -91,7 +141,16 @@ static inline int local_inc_and_test(loc
10167 {
10168 unsigned char c;
10169
10170 - asm volatile(_ASM_INC "%0; sete %1"
10171 + asm volatile(_ASM_INC "%0\n"
10172 +
10173 +#ifdef CONFIG_PAX_REFCOUNT
10174 + "jno 0f\n"
10175 + _ASM_DEC "%0\n"
10176 + "int $4\n0:\n"
10177 + _ASM_EXTABLE(0b, 0b)
10178 +#endif
10179 +
10180 + "sete %1\n"
10181 : "+m" (l->a.counter), "=qm" (c)
10182 : : "memory");
10183 return c != 0;
10184 @@ -110,7 +169,16 @@ static inline int local_add_negative(lon
10185 {
10186 unsigned char c;
10187
10188 - asm volatile(_ASM_ADD "%2,%0; sets %1"
10189 + asm volatile(_ASM_ADD "%2,%0\n"
10190 +
10191 +#ifdef CONFIG_PAX_REFCOUNT
10192 + "jno 0f\n"
10193 + _ASM_SUB "%2,%0\n"
10194 + "int $4\n0:\n"
10195 + _ASM_EXTABLE(0b, 0b)
10196 +#endif
10197 +
10198 + "sets %1\n"
10199 : "+m" (l->a.counter), "=qm" (c)
10200 : "ir" (i) : "memory");
10201 return c;
10202 @@ -133,7 +201,15 @@ static inline long local_add_return(long
10203 #endif
10204 /* Modern 486+ processor */
10205 __i = i;
10206 - asm volatile(_ASM_XADD "%0, %1;"
10207 + asm volatile(_ASM_XADD "%0, %1\n"
10208 +
10209 +#ifdef CONFIG_PAX_REFCOUNT
10210 + "jno 0f\n"
10211 + _ASM_MOV "%0,%1\n"
10212 + "int $4\n0:\n"
10213 + _ASM_EXTABLE(0b, 0b)
10214 +#endif
10215 +
10216 : "+r" (i), "+m" (l->a.counter)
10217 : : "memory");
10218 return i + __i;
10219 diff -urNp linux-2.6.39.3/arch/x86/include/asm/mce.h linux-2.6.39.3/arch/x86/include/asm/mce.h
10220 --- linux-2.6.39.3/arch/x86/include/asm/mce.h 2011-05-19 00:06:34.000000000 -0400
10221 +++ linux-2.6.39.3/arch/x86/include/asm/mce.h 2011-05-22 19:36:30.000000000 -0400
10222 @@ -198,7 +198,7 @@ int mce_notify_irq(void);
10223 void mce_notify_process(void);
10224
10225 DECLARE_PER_CPU(struct mce, injectm);
10226 -extern struct file_operations mce_chrdev_ops;
10227 +extern struct file_operations mce_chrdev_ops; /* cannot be const, see arch/x86/kernel/cpu/mcheck/mce. */
10228
10229 /*
10230 * Exception handler
10231 diff -urNp linux-2.6.39.3/arch/x86/include/asm/microcode.h linux-2.6.39.3/arch/x86/include/asm/microcode.h
10232 --- linux-2.6.39.3/arch/x86/include/asm/microcode.h 2011-05-19 00:06:34.000000000 -0400
10233 +++ linux-2.6.39.3/arch/x86/include/asm/microcode.h 2011-05-22 19:36:30.000000000 -0400
10234 @@ -12,13 +12,13 @@ struct device;
10235 enum ucode_state { UCODE_ERROR, UCODE_OK, UCODE_NFOUND };
10236
10237 struct microcode_ops {
10238 - enum ucode_state (*request_microcode_user) (int cpu,
10239 + enum ucode_state (* const request_microcode_user) (int cpu,
10240 const void __user *buf, size_t size);
10241
10242 - enum ucode_state (*request_microcode_fw) (int cpu,
10243 + enum ucode_state (* const request_microcode_fw) (int cpu,
10244 struct device *device);
10245
10246 - void (*microcode_fini_cpu) (int cpu);
10247 + void (* const microcode_fini_cpu) (int cpu);
10248
10249 /*
10250 * The generic 'microcode_core' part guarantees that
10251 @@ -38,16 +38,16 @@ struct ucode_cpu_info {
10252 extern struct ucode_cpu_info ucode_cpu_info[];
10253
10254 #ifdef CONFIG_MICROCODE_INTEL
10255 -extern struct microcode_ops * __init init_intel_microcode(void);
10256 +extern const struct microcode_ops * __init init_intel_microcode(void);
10257 #else
10258 -static inline struct microcode_ops * __init init_intel_microcode(void)
10259 +static inline const struct microcode_ops * __init init_intel_microcode(void)
10260 {
10261 return NULL;
10262 }
10263 #endif /* CONFIG_MICROCODE_INTEL */
10264
10265 #ifdef CONFIG_MICROCODE_AMD
10266 -extern struct microcode_ops * __init init_amd_microcode(void);
10267 +extern const struct microcode_ops * __init init_amd_microcode(void);
10268
10269 static inline void get_ucode_data(void *to, const u8 *from, size_t n)
10270 {
10271 @@ -55,7 +55,7 @@ static inline void get_ucode_data(void *
10272 }
10273
10274 #else
10275 -static inline struct microcode_ops * __init init_amd_microcode(void)
10276 +static inline const struct microcode_ops * __init init_amd_microcode(void)
10277 {
10278 return NULL;
10279 }
10280 diff -urNp linux-2.6.39.3/arch/x86/include/asm/mman.h linux-2.6.39.3/arch/x86/include/asm/mman.h
10281 --- linux-2.6.39.3/arch/x86/include/asm/mman.h 2011-05-19 00:06:34.000000000 -0400
10282 +++ linux-2.6.39.3/arch/x86/include/asm/mman.h 2011-05-22 19:36:30.000000000 -0400
10283 @@ -5,4 +5,14 @@
10284
10285 #include <asm-generic/mman.h>
10286
10287 +#ifdef __KERNEL__
10288 +#ifndef __ASSEMBLY__
10289 +#ifdef CONFIG_X86_32
10290 +#define arch_mmap_check i386_mmap_check
10291 +int i386_mmap_check(unsigned long addr, unsigned long len,
10292 + unsigned long flags);
10293 +#endif
10294 +#endif
10295 +#endif
10296 +
10297 #endif /* _ASM_X86_MMAN_H */
10298 diff -urNp linux-2.6.39.3/arch/x86/include/asm/mmu_context.h linux-2.6.39.3/arch/x86/include/asm/mmu_context.h
10299 --- linux-2.6.39.3/arch/x86/include/asm/mmu_context.h 2011-05-19 00:06:34.000000000 -0400
10300 +++ linux-2.6.39.3/arch/x86/include/asm/mmu_context.h 2011-05-22 19:36:30.000000000 -0400
10301 @@ -24,6 +24,21 @@ void destroy_context(struct mm_struct *m
10302
10303 static inline void enter_lazy_tlb(struct mm_struct *mm, struct task_struct *tsk)
10304 {
10305 +
10306 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
10307 + unsigned int i;
10308 + pgd_t *pgd;
10309 +
10310 + pax_open_kernel();
10311 + pgd = get_cpu_pgd(smp_processor_id());
10312 + for (i = USER_PGD_PTRS; i < 2 * USER_PGD_PTRS; ++i)
10313 + if (paravirt_enabled())
10314 + set_pgd(pgd+i, native_make_pgd(0));
10315 + else
10316 + pgd[i] = native_make_pgd(0);
10317 + pax_close_kernel();
10318 +#endif
10319 +
10320 #ifdef CONFIG_SMP
10321 if (percpu_read(cpu_tlbstate.state) == TLBSTATE_OK)
10322 percpu_write(cpu_tlbstate.state, TLBSTATE_LAZY);
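Review bot: The loop added to enter_lazy_tlb() calls paravirt_enabled() on every iteration and nests an unbraced `if`/`else` under an unbraced `for`. The check does not depend on `i`, so it can be evaluated once before the loop, and braces on the `for` body make the extent of the loop clear. A one-line comment saying that slots USER_PGD_PTRS to 2 * USER_PGD_PTRS - 1 of the per-CPU PGD are being zeroed, and why, is also missing. The rest of enter_lazy_tlb() lies outside the hunk.

```c
	const int pv = paravirt_enabled();

	/* … unchanged: pax_open_kernel(), pgd = get_cpu_pgd(smp_processor_id()) … */
	/* zero slots USER_PGD_PTRS .. 2 * USER_PGD_PTRS - 1 of this CPU's PGD */
	for (i = USER_PGD_PTRS; i < 2 * USER_PGD_PTRS; ++i) {
		if (pv)
			set_pgd(pgd + i, native_make_pgd(0));
		else
			pgd[i] = native_make_pgd(0);
	}
	/* … unchanged: pax_close_kernel() … */
```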
10323 @@ -34,16 +49,30 @@ static inline void switch_mm(struct mm_s
10324 struct task_struct *tsk)
10325 {
10326 unsigned cpu = smp_processor_id();
10327 +#if defined(CONFIG_X86_32) && defined(CONFIG_SMP)
10328 + int tlbstate = TLBSTATE_OK;
10329 +#endif
10330
10331 if (likely(prev != next)) {
10332 #ifdef CONFIG_SMP
10333 +#ifdef CONFIG_X86_32
10334 + tlbstate = percpu_read(cpu_tlbstate.state);
10335 +#endif
10336 percpu_write(cpu_tlbstate.state, TLBSTATE_OK);
10337 percpu_write(cpu_tlbstate.active_mm, next);
10338 #endif
10339 cpumask_set_cpu(cpu, mm_cpumask(next));
10340
10341 /* Re-load page tables */
10342 +#ifdef CONFIG_PAX_PER_CPU_PGD
10343 + pax_open_kernel();
10344 + __clone_user_pgds(get_cpu_pgd(cpu), next->pgd, USER_PGD_PTRS);
10345 + __shadow_user_pgds(get_cpu_pgd(cpu) + USER_PGD_PTRS, next->pgd, USER_PGD_PTRS);
10346 + pax_close_kernel();
10347 + load_cr3(get_cpu_pgd(cpu));
10348 +#else
10349 load_cr3(next->pgd);
10350 +#endif
10351
10352 /* stop flush ipis for the previous mm */
10353 cpumask_clear_cpu(cpu, mm_cpumask(prev));
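Review bot: The five-line CONFIG_PAX_PER_CPU_PGD sequence added under `/* Re-load page tables */` is repeated verbatim in the `else` branch in the next hunk. Both copies open the kernel, clone and shadow the user PGD entries into the per-CPU PGD, close the kernel and load CR3, and they call get_cpu_pgd(cpu) three times each. A small static inline helper defined above switch_mm() would keep the two paths from drifting apart; the helper name below is only a suggestion. switch_mm() starts and ends outside this hunk.

```c
#ifdef CONFIG_PAX_PER_CPU_PGD
/* Copy next's user PGD entries into this CPU's PGD and switch to it. */
static inline void pax_switch_cpu_pgd(unsigned int cpu, struct mm_struct *next)
{
	pgd_t *pgd = get_cpu_pgd(cpu);

	pax_open_kernel();
	__clone_user_pgds(pgd, next->pgd, USER_PGD_PTRS);
	__shadow_user_pgds(pgd + USER_PGD_PTRS, next->pgd, USER_PGD_PTRS);
	pax_close_kernel();
	load_cr3(pgd);
}
#endif

/* … unchanged: start of switch_mm() up to the page-table reload … */
		/* Re-load page tables */
#ifdef CONFIG_PAX_PER_CPU_PGD
		pax_switch_cpu_pgd(cpu, next);
#else
		load_cr3(next->pgd);
#endif
```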
10354 @@ -53,9 +82,38 @@ static inline void switch_mm(struct mm_s
10355 */
10356 if (unlikely(prev->context.ldt != next->context.ldt))
10357 load_LDT_nolock(&next->context);
10358 - }
10359 +
10360 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
10361 + if (!(__supported_pte_mask & _PAGE_NX)) {
10362 + smp_mb__before_clear_bit();
10363 + cpu_clear(cpu, prev->context.cpu_user_cs_mask);
10364 + smp_mb__after_clear_bit();
10365 + cpu_set(cpu, next->context.cpu_user_cs_mask);
10366 + }
10367 +#endif
10368 +
10369 +#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC))
10370 + if (unlikely(prev->context.user_cs_base != next->context.user_cs_base ||
10371 + prev->context.user_cs_limit != next->context.user_cs_limit))
10372 + set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
10373 #ifdef CONFIG_SMP
10374 + else if (unlikely(tlbstate != TLBSTATE_OK))
10375 + set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
10376 +#endif
10377 +#endif
10378 +
10379 + }
10380 else {
10381 +
10382 +#ifdef CONFIG_PAX_PER_CPU_PGD
10383 + pax_open_kernel();
10384 + __clone_user_pgds(get_cpu_pgd(cpu), next->pgd, USER_PGD_PTRS);
10385 + __shadow_user_pgds(get_cpu_pgd(cpu) + USER_PGD_PTRS, next->pgd, USER_PGD_PTRS);
10386 + pax_close_kernel();
10387 + load_cr3(get_cpu_pgd(cpu));
10388 +#endif
10389 +
10390 +#ifdef CONFIG_SMP
10391 percpu_write(cpu_tlbstate.state, TLBSTATE_OK);
10392 BUG_ON(percpu_read(cpu_tlbstate.active_mm) != next);
10393
10394 @@ -64,11 +122,28 @@ static inline void switch_mm(struct mm_s
10395 * tlb flush IPI delivery. We must reload CR3
10396 * to make sure to use no freed page tables.
10397 */
10398 +
10399 +#ifndef CONFIG_PAX_PER_CPU_PGD
10400 load_cr3(next->pgd);
10401 +#endif
10402 +
10403 load_LDT_nolock(&next->context);
10404 +
10405 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
10406 + if (!(__supported_pte_mask & _PAGE_NX))
10407 + cpu_set(cpu, next->context.cpu_user_cs_mask);
10408 +#endif
10409 +
10410 +#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC))
10411 +#ifdef CONFIG_PAX_PAGEEXEC
10412 + if (!((next->pax_flags & MF_PAX_PAGEEXEC) && (__supported_pte_mask & _PAGE_NX)))
10413 +#endif
10414 + set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
10415 +#endif
10416 +
10417 }
10418 - }
10419 #endif
10420 + }
10421 }
10422
10423 #define activate_mm(prev, next) \
10424 diff -urNp linux-2.6.39.3/arch/x86/include/asm/mmu.h linux-2.6.39.3/arch/x86/include/asm/mmu.h
10425 --- linux-2.6.39.3/arch/x86/include/asm/mmu.h 2011-05-19 00:06:34.000000000 -0400
10426 +++ linux-2.6.39.3/arch/x86/include/asm/mmu.h 2011-05-22 19:36:30.000000000 -0400
10427 @@ -9,10 +9,22 @@
10428 * we put the segment information here.
10429 */
10430 typedef struct {
10431 - void *ldt;
10432 + struct desc_struct *ldt;
10433 int size;
10434 struct mutex lock;
10435 - void *vdso;
10436 + unsigned long vdso;
10437 +
10438 +#ifdef CONFIG_X86_32
10439 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
10440 + unsigned long user_cs_base;
10441 + unsigned long user_cs_limit;
10442 +
10443 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
10444 + cpumask_t cpu_user_cs_mask;
10445 +#endif
10446 +
10447 +#endif
10448 +#endif
10449
10450 #ifdef CONFIG_X86_64
10451 /* True if mm supports a task running in 32 bit compatibility mode. */
10452 diff -urNp linux-2.6.39.3/arch/x86/include/asm/module.h linux-2.6.39.3/arch/x86/include/asm/module.h
10453 --- linux-2.6.39.3/arch/x86/include/asm/module.h 2011-05-19 00:06:34.000000000 -0400
10454 +++ linux-2.6.39.3/arch/x86/include/asm/module.h 2011-05-22 19:41:32.000000000 -0400
10455 @@ -5,6 +5,7 @@
10456
10457 #ifdef CONFIG_X86_64
10458 /* X86_64 does not define MODULE_PROC_FAMILY */
10459 +#define MODULE_PROC_FAMILY ""
10460 #elif defined CONFIG_M386
10461 #define MODULE_PROC_FAMILY "386 "
10462 #elif defined CONFIG_M486
10463 @@ -59,8 +60,30 @@
10464 #error unknown processor family
10465 #endif
10466
10467 -#ifdef CONFIG_X86_32
10468 -# define MODULE_ARCH_VERMAGIC MODULE_PROC_FAMILY
10469 +#ifdef CONFIG_PAX_MEMORY_UDEREF
10470 +#define MODULE_PAX_UDEREF "UDEREF "
10471 +#else
10472 +#define MODULE_PAX_UDEREF ""
10473 +#endif
10474 +
10475 +#ifdef CONFIG_PAX_KERNEXEC
10476 +#define MODULE_PAX_KERNEXEC "KERNEXEC "
10477 +#else
10478 +#define MODULE_PAX_KERNEXEC ""
10479 #endif
10480
10481 +#ifdef CONFIG_PAX_REFCOUNT
10482 +#define MODULE_PAX_REFCOUNT "REFCOUNT "
10483 +#else
10484 +#define MODULE_PAX_REFCOUNT ""
10485 +#endif
10486 +
10487 +#ifdef CONFIG_GRKERNSEC
10488 +#define MODULE_GRSEC "GRSECURITY "
10489 +#else
10490 +#define MODULE_GRSEC ""
10491 +#endif
10492 +
10493 +#define MODULE_ARCH_VERMAGIC MODULE_PROC_FAMILY MODULE_GRSEC MODULE_PAX_KERNEXEC MODULE_PAX_UDEREF MODULE_PAX_REFCOUNT
10494 +
10495 #endif /* _ASM_X86_MODULE_H */
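Review bot: MODULE_ARCH_VERMAGIC is now built from five fragments and defined for 64-bit as well, but the hunk has no comment saying why the hardening options are part of the version magic. Something like `/* modules must be built with the same PaX/grsecurity options as the kernel */` above the final `#define` would record the intent. It is also worth noting in that comment that vermagic is a build-consistency check rather than an enforcement mechanism, since a kernel configured to allow forced module loading can skip it.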
10496 diff -urNp linux-2.6.39.3/arch/x86/include/asm/page_64_types.h linux-2.6.39.3/arch/x86/include/asm/page_64_types.h
10497 --- linux-2.6.39.3/arch/x86/include/asm/page_64_types.h 2011-05-19 00:06:34.000000000 -0400
10498 +++ linux-2.6.39.3/arch/x86/include/asm/page_64_types.h 2011-05-22 19:36:30.000000000 -0400
10499 @@ -56,7 +56,7 @@ void copy_page(void *to, void *from);
10500
10501 /* duplicated to the one in bootmem.h */
10502 extern unsigned long max_pfn;
10503 -extern unsigned long phys_base;
10504 +extern const unsigned long phys_base;
10505
10506 extern unsigned long __phys_addr(unsigned long);
10507 #define __phys_reloc_hide(x) (x)
10508 diff -urNp linux-2.6.39.3/arch/x86/include/asm/paravirt.h linux-2.6.39.3/arch/x86/include/asm/paravirt.h
10509 --- linux-2.6.39.3/arch/x86/include/asm/paravirt.h 2011-05-19 00:06:34.000000000 -0400
10510 +++ linux-2.6.39.3/arch/x86/include/asm/paravirt.h 2011-05-22 19:36:30.000000000 -0400
10511 @@ -739,6 +739,21 @@ static inline void __set_fixmap(unsigned
10512 pv_mmu_ops.set_fixmap(idx, phys, flags);
10513 }
10514
10515 +#ifdef CONFIG_PAX_KERNEXEC
10516 +static inline unsigned long pax_open_kernel(void)
10517 +{
10518 + return PVOP_CALL0(unsigned long, pv_mmu_ops.pax_open_kernel);
10519 +}
10520 +
10521 +static inline unsigned long pax_close_kernel(void)
10522 +{
10523 + return PVOP_CALL0(unsigned long, pv_mmu_ops.pax_close_kernel);
10524 +}
10525 +#else
10526 +static inline unsigned long pax_open_kernel(void) { return 0; }
10527 +static inline unsigned long pax_close_kernel(void) { return 0; }
10528 +#endif
10529 +
10530 #if defined(CONFIG_SMP) && defined(CONFIG_PARAVIRT_SPINLOCKS)
10531
10532 static inline int arch_spin_is_locked(struct arch_spinlock *lock)
10533 @@ -955,7 +970,7 @@ extern void default_banner(void);
10534
10535 #define PARA_PATCH(struct, off) ((PARAVIRT_PATCH_##struct + (off)) / 4)
10536 #define PARA_SITE(ptype, clobbers, ops) _PVSITE(ptype, clobbers, ops, .long, 4)
10537 -#define PARA_INDIRECT(addr) *%cs:addr
10538 +#define PARA_INDIRECT(addr) *%ss:addr
10539 #endif
10540
10541 #define INTERRUPT_RETURN \
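Review bot: The segment override in PARA_INDIRECT changes from `%cs` to `%ss` without a comment. The reason is not visible in this hunk; presumably the kernel code segment no longer addresses pv_cpu_ops/pv_mmu_ops at the same offset under KERNEXEC on 32-bit (the ktla_ktva()/ktva_ktla() macros added to pgtable_32_types.h point that way). A comment such as `/* %cs cannot be used to read data here when KERNEXEC is enabled */` would spare the next reader the search, once the reason is confirmed.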
10542 @@ -1032,6 +1047,21 @@ extern void default_banner(void);
10543 PARA_SITE(PARA_PATCH(pv_cpu_ops, PV_CPU_irq_enable_sysexit), \
10544 CLBR_NONE, \
10545 jmp PARA_INDIRECT(pv_cpu_ops+PV_CPU_irq_enable_sysexit))
10546 +
10547 +#define GET_CR0_INTO_RDI \
10548 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0); \
10549 + mov %rax,%rdi
10550 +
10551 +#define SET_RDI_INTO_CR0 \
10552 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0)
10553 +
10554 +#define GET_CR3_INTO_RDI \
10555 + call PARA_INDIRECT(pv_mmu_ops+PV_MMU_read_cr3); \
10556 + mov %rax,%rdi
10557 +
10558 +#define SET_RDI_INTO_CR3 \
10559 + call PARA_INDIRECT(pv_mmu_ops+PV_MMU_write_cr3)
10560 +
10561 #endif /* CONFIG_X86_32 */
10562
10563 #endif /* __ASSEMBLY__ */
10564 diff -urNp linux-2.6.39.3/arch/x86/include/asm/paravirt_types.h linux-2.6.39.3/arch/x86/include/asm/paravirt_types.h
10565 --- linux-2.6.39.3/arch/x86/include/asm/paravirt_types.h 2011-05-19 00:06:34.000000000 -0400
10566 +++ linux-2.6.39.3/arch/x86/include/asm/paravirt_types.h 2011-05-22 19:36:30.000000000 -0400
10567 @@ -317,6 +317,12 @@ struct pv_mmu_ops {
10568 an mfn. We can tell which is which from the index. */
10569 void (*set_fixmap)(unsigned /* enum fixed_addresses */ idx,
10570 phys_addr_t phys, pgprot_t flags);
10571 +
10572 +#ifdef CONFIG_PAX_KERNEXEC
10573 + unsigned long (*pax_open_kernel)(void);
10574 + unsigned long (*pax_close_kernel)(void);
10575 +#endif
10576 +
10577 };
10578
10579 struct arch_spinlock;
10580 diff -urNp linux-2.6.39.3/arch/x86/include/asm/pci_x86.h linux-2.6.39.3/arch/x86/include/asm/pci_x86.h
10581 --- linux-2.6.39.3/arch/x86/include/asm/pci_x86.h 2011-05-19 00:06:34.000000000 -0400
10582 +++ linux-2.6.39.3/arch/x86/include/asm/pci_x86.h 2011-05-22 19:36:30.000000000 -0400
10583 @@ -93,16 +93,16 @@ extern int (*pcibios_enable_irq)(struct
10584 extern void (*pcibios_disable_irq)(struct pci_dev *dev);
10585
10586 struct pci_raw_ops {
10587 - int (*read)(unsigned int domain, unsigned int bus, unsigned int devfn,
10588 + int (* const read)(unsigned int domain, unsigned int bus, unsigned int devfn,
10589 int reg, int len, u32 *val);
10590 - int (*write)(unsigned int domain, unsigned int bus, unsigned int devfn,
10591 + int (* const write)(unsigned int domain, unsigned int bus, unsigned int devfn,
10592 int reg, int len, u32 val);
10593 };
10594
10595 -extern struct pci_raw_ops *raw_pci_ops;
10596 -extern struct pci_raw_ops *raw_pci_ext_ops;
10597 +extern const struct pci_raw_ops *raw_pci_ops;
10598 +extern const struct pci_raw_ops *raw_pci_ext_ops;
10599
10600 -extern struct pci_raw_ops pci_direct_conf1;
10601 +extern const struct pci_raw_ops pci_direct_conf1;
10602 extern bool port_cf9_safe;
10603
10604 /* arch_initcall level */
10605 diff -urNp linux-2.6.39.3/arch/x86/include/asm/pgalloc.h linux-2.6.39.3/arch/x86/include/asm/pgalloc.h
10606 --- linux-2.6.39.3/arch/x86/include/asm/pgalloc.h 2011-05-19 00:06:34.000000000 -0400
10607 +++ linux-2.6.39.3/arch/x86/include/asm/pgalloc.h 2011-05-22 19:36:30.000000000 -0400
10608 @@ -63,6 +63,13 @@ static inline void pmd_populate_kernel(s
10609 pmd_t *pmd, pte_t *pte)
10610 {
10611 paravirt_alloc_pte(mm, __pa(pte) >> PAGE_SHIFT);
10612 + set_pmd(pmd, __pmd(__pa(pte) | _KERNPG_TABLE));
10613 +}
10614 +
10615 +static inline void pmd_populate_user(struct mm_struct *mm,
10616 + pmd_t *pmd, pte_t *pte)
10617 +{
10618 + paravirt_alloc_pte(mm, __pa(pte) >> PAGE_SHIFT);
10619 set_pmd(pmd, __pmd(__pa(pte) | _PAGE_TABLE));
10620 }
10621
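Review bot: pmd_populate_kernel() now installs the PTE page with _KERNPG_TABLE and the old _PAGE_TABLE behaviour moves to the new pmd_populate_user(), but neither function says which callers should use which. The two bodies differ only in that flag set (the flag definitions are outside this hunk; in the stock headers _KERNPG_TABLE is _PAGE_TABLE without _PAGE_USER), so a short comment on each would prevent a later caller from picking the wrong one, e.g. `/* kernel mappings: page table without _PAGE_USER */` and `/* user mappings: page table with _PAGE_USER */`. Callers that relied on pmd_populate_kernel() producing a user-accessible table are not visible here and should be checked.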
10622 diff -urNp linux-2.6.39.3/arch/x86/include/asm/pgtable-2level.h linux-2.6.39.3/arch/x86/include/asm/pgtable-2level.h
10623 --- linux-2.6.39.3/arch/x86/include/asm/pgtable-2level.h 2011-05-19 00:06:34.000000000 -0400
10624 +++ linux-2.6.39.3/arch/x86/include/asm/pgtable-2level.h 2011-05-22 19:36:30.000000000 -0400
10625 @@ -18,7 +18,9 @@ static inline void native_set_pte(pte_t
10626
10627 static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
10628 {
10629 + pax_open_kernel();
10630 *pmdp = pmd;
10631 + pax_close_kernel();
10632 }
10633
10634 static inline void native_set_pte_atomic(pte_t *ptep, pte_t pte)
10635 diff -urNp linux-2.6.39.3/arch/x86/include/asm/pgtable_32.h linux-2.6.39.3/arch/x86/include/asm/pgtable_32.h
10636 --- linux-2.6.39.3/arch/x86/include/asm/pgtable_32.h 2011-05-19 00:06:34.000000000 -0400
10637 +++ linux-2.6.39.3/arch/x86/include/asm/pgtable_32.h 2011-05-22 19:36:30.000000000 -0400
10638 @@ -25,9 +25,6 @@
10639 struct mm_struct;
10640 struct vm_area_struct;
10641
10642 -extern pgd_t swapper_pg_dir[1024];
10643 -extern pgd_t initial_page_table[1024];
10644 -
10645 static inline void pgtable_cache_init(void) { }
10646 static inline void check_pgt_cache(void) { }
10647 void paging_init(void);
10648 @@ -48,6 +45,12 @@ extern void set_pmd_pfn(unsigned long, u
10649 # include <asm/pgtable-2level.h>
10650 #endif
10651
10652 +extern pgd_t swapper_pg_dir[PTRS_PER_PGD];
10653 +extern pgd_t initial_page_table[PTRS_PER_PGD];
10654 +#ifdef CONFIG_X86_PAE
10655 +extern pmd_t swapper_pm_dir[PTRS_PER_PGD][PTRS_PER_PMD];
10656 +#endif
10657 +
10658 #if defined(CONFIG_HIGHPTE)
10659 #define pte_offset_map(dir, address) \
10660 ((pte_t *)kmap_atomic(pmd_page(*(dir))) + \
10661 @@ -62,7 +65,9 @@ extern void set_pmd_pfn(unsigned long, u
10662 /* Clear a kernel PTE and flush it from the TLB */
10663 #define kpte_clear_flush(ptep, vaddr) \
10664 do { \
10665 + pax_open_kernel(); \
10666 pte_clear(&init_mm, (vaddr), (ptep)); \
10667 + pax_close_kernel(); \
10668 __flush_tlb_one((vaddr)); \
10669 } while (0)
10670
10671 @@ -74,6 +79,9 @@ do { \
10672
10673 #endif /* !__ASSEMBLY__ */
10674
10675 +#define HAVE_ARCH_UNMAPPED_AREA
10676 +#define HAVE_ARCH_UNMAPPED_AREA_TOPDOWN
10677 +
10678 /*
10679 * kern_addr_valid() is (1) for FLATMEM and (0) for
10680 * SPARSEMEM and DISCONTIGMEM
10681 diff -urNp linux-2.6.39.3/arch/x86/include/asm/pgtable_32_types.h linux-2.6.39.3/arch/x86/include/asm/pgtable_32_types.h
10682 --- linux-2.6.39.3/arch/x86/include/asm/pgtable_32_types.h 2011-05-19 00:06:34.000000000 -0400
10683 +++ linux-2.6.39.3/arch/x86/include/asm/pgtable_32_types.h 2011-05-22 19:36:30.000000000 -0400
10684 @@ -8,7 +8,7 @@
10685 */
10686 #ifdef CONFIG_X86_PAE
10687 # include <asm/pgtable-3level_types.h>
10688 -# define PMD_SIZE (1UL << PMD_SHIFT)
10689 +# define PMD_SIZE (_AC(1, UL) << PMD_SHIFT)
10690 # define PMD_MASK (~(PMD_SIZE - 1))
10691 #else
10692 # include <asm/pgtable-2level_types.h>
10693 @@ -46,6 +46,19 @@ extern bool __vmalloc_start_set; /* set
10694 # define VMALLOC_END (FIXADDR_START - 2 * PAGE_SIZE)
10695 #endif
10696
10697 +#ifdef CONFIG_PAX_KERNEXEC
10698 +#ifndef __ASSEMBLY__
10699 +extern unsigned char MODULES_EXEC_VADDR[];
10700 +extern unsigned char MODULES_EXEC_END[];
10701 +#endif
10702 +#include <asm/boot.h>
10703 +#define ktla_ktva(addr) (addr + LOAD_PHYSICAL_ADDR + PAGE_OFFSET)
10704 +#define ktva_ktla(addr) (addr - LOAD_PHYSICAL_ADDR - PAGE_OFFSET)
10705 +#else
10706 +#define ktla_ktva(addr) (addr)
10707 +#define ktva_ktla(addr) (addr)
10708 +#endif
10709 +
10710 #define MODULES_VADDR VMALLOC_START
10711 #define MODULES_END VMALLOC_END
10712 #define MODULES_LEN (MODULES_VADDR - MODULES_END)
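Review bot: The KERNEXEC definitions of ktla_ktva() and ktva_ktla() use `addr` unparenthesized, so an argument containing an operator that binds less tightly than `+` or `-` (a `|`, a shift, a conditional) expands to the wrong expression. Write them as `#define ktla_ktva(addr) ((addr) + LOAD_PHYSICAL_ADDR + PAGE_OFFSET)` and `#define ktva_ktla(addr) ((addr) - LOAD_PHYSICAL_ADDR - PAGE_OFFSET)`. The identity versions in the `#else` branch, and those added to pgtable_64_types.h, already expand to `(addr)` and need no change.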
10713 diff -urNp linux-2.6.39.3/arch/x86/include/asm/pgtable-3level.h linux-2.6.39.3/arch/x86/include/asm/pgtable-3level.h
10714 --- linux-2.6.39.3/arch/x86/include/asm/pgtable-3level.h 2011-05-19 00:06:34.000000000 -0400
10715 +++ linux-2.6.39.3/arch/x86/include/asm/pgtable-3level.h 2011-05-22 19:36:30.000000000 -0400
10716 @@ -38,12 +38,16 @@ static inline void native_set_pte_atomic
10717
10718 static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
10719 {
10720 + pax_open_kernel();
10721 set_64bit((unsigned long long *)(pmdp), native_pmd_val(pmd));
10722 + pax_close_kernel();
10723 }
10724
10725 static inline void native_set_pud(pud_t *pudp, pud_t pud)
10726 {
10727 + pax_open_kernel();
10728 set_64bit((unsigned long long *)(pudp), native_pud_val(pud));
10729 + pax_close_kernel();
10730 }
10731
10732 /*
10733 diff -urNp linux-2.6.39.3/arch/x86/include/asm/pgtable_64.h linux-2.6.39.3/arch/x86/include/asm/pgtable_64.h
10734 --- linux-2.6.39.3/arch/x86/include/asm/pgtable_64.h 2011-05-19 00:06:34.000000000 -0400
10735 +++ linux-2.6.39.3/arch/x86/include/asm/pgtable_64.h 2011-05-22 19:36:30.000000000 -0400
10736 @@ -16,10 +16,13 @@
10737
10738 extern pud_t level3_kernel_pgt[512];
10739 extern pud_t level3_ident_pgt[512];
10740 +extern pud_t level3_vmalloc_pgt[512];
10741 +extern pud_t level3_vmemmap_pgt[512];
10742 +extern pud_t level2_vmemmap_pgt[512];
10743 extern pmd_t level2_kernel_pgt[512];
10744 extern pmd_t level2_fixmap_pgt[512];
10745 -extern pmd_t level2_ident_pgt[512];
10746 -extern pgd_t init_level4_pgt[];
10747 +extern pmd_t level2_ident_pgt[512*2];
10748 +extern pgd_t init_level4_pgt[512];
10749
10750 #define swapper_pg_dir init_level4_pgt
10751
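Review bot: The added declaration `extern pud_t level2_vmemmap_pgt[512];` gives a level-2 table the type pud_t, while the other level2_* tables in this block (level2_kernel_pgt, level2_fixmap_pgt, level2_ident_pgt) are pmd_t. The definition is outside this hunk, so this may mirror how the table is defined, but if it is a PMD-level table the declaration should read `extern pmd_t level2_vmemmap_pgt[512];` so that the typed accessors catch misuse.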
10752 @@ -61,7 +64,9 @@ static inline void native_set_pte_atomic
10753
10754 static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
10755 {
10756 + pax_open_kernel();
10757 *pmdp = pmd;
10758 + pax_close_kernel();
10759 }
10760
10761 static inline void native_pmd_clear(pmd_t *pmd)
10762 @@ -107,7 +112,9 @@ static inline void native_pud_clear(pud_
10763
10764 static inline void native_set_pgd(pgd_t *pgdp, pgd_t pgd)
10765 {
10766 + pax_open_kernel();
10767 *pgdp = pgd;
10768 + pax_close_kernel();
10769 }
10770
10771 static inline void native_pgd_clear(pgd_t *pgd)
10772 diff -urNp linux-2.6.39.3/arch/x86/include/asm/pgtable_64_types.h linux-2.6.39.3/arch/x86/include/asm/pgtable_64_types.h
10773 --- linux-2.6.39.3/arch/x86/include/asm/pgtable_64_types.h 2011-05-19 00:06:34.000000000 -0400
10774 +++ linux-2.6.39.3/arch/x86/include/asm/pgtable_64_types.h 2011-05-22 19:36:30.000000000 -0400
10775 @@ -59,5 +59,10 @@ typedef struct { pteval_t pte; } pte_t;
10776 #define MODULES_VADDR _AC(0xffffffffa0000000, UL)
10777 #define MODULES_END _AC(0xffffffffff000000, UL)
10778 #define MODULES_LEN (MODULES_END - MODULES_VADDR)
10779 +#define MODULES_EXEC_VADDR MODULES_VADDR
10780 +#define MODULES_EXEC_END MODULES_END
10781 +
10782 +#define ktla_ktva(addr) (addr)
10783 +#define ktva_ktla(addr) (addr)
10784
10785 #endif /* _ASM_X86_PGTABLE_64_DEFS_H */
10786 diff -urNp linux-2.6.39.3/arch/x86/include/asm/pgtable.h linux-2.6.39.3/arch/x86/include/asm/pgtable.h
10787 --- linux-2.6.39.3/arch/x86/include/asm/pgtable.h 2011-05-19 00:06:34.000000000 -0400
10788 +++ linux-2.6.39.3/arch/x86/include/asm/pgtable.h 2011-05-22 19:36:30.000000000 -0400
10789 @@ -81,12 +81,51 @@ extern struct mm_struct *pgd_page_get_mm
10790
10791 #define arch_end_context_switch(prev) do {} while(0)
10792
10793 +#define pax_open_kernel() native_pax_open_kernel()
10794 +#define pax_close_kernel() native_pax_close_kernel()
10795 #endif /* CONFIG_PARAVIRT */
10796
10797 +#define __HAVE_ARCH_PAX_OPEN_KERNEL
10798 +#define __HAVE_ARCH_PAX_CLOSE_KERNEL
10799 +
10800 +#ifdef CONFIG_PAX_KERNEXEC
10801 +static inline unsigned long native_pax_open_kernel(void)
10802 +{
10803 + unsigned long cr0;
10804 +
10805 + preempt_disable();
10806 + barrier();
10807 + cr0 = read_cr0() ^ X86_CR0_WP;
10808 + BUG_ON(unlikely(cr0 & X86_CR0_WP));
10809 + write_cr0(cr0);
10810 + return cr0 ^ X86_CR0_WP;
10811 +}
10812 +
10813 +static inline unsigned long native_pax_close_kernel(void)
10814 +{
10815 + unsigned long cr0;
10816 +
10817 + cr0 = read_cr0() ^ X86_CR0_WP;
10818 + BUG_ON(unlikely(!(cr0 & X86_CR0_WP)));
10819 + write_cr0(cr0);
10820 + barrier();
10821 + preempt_enable_no_resched();
10822 + return cr0 ^ X86_CR0_WP;
10823 +}
10824 +#else
10825 +static inline unsigned long native_pax_open_kernel(void) { return 0; }
10826 +static inline unsigned long native_pax_close_kernel(void) { return 0; }
10827 +#endif
10828 +
10829 /*
10830 * The following only work if pte_present() is true.
10831 * Undefined behaviour if not..
10832 */
10833 +static inline int pte_user(pte_t pte)
10834 +{
10835 + return pte_val(pte) & _PAGE_USER;
10836 +}
10837 +
10838 static inline int pte_dirty(pte_t pte)
10839 {
10840 return pte_flags(pte) & _PAGE_DIRTY;
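Review bot: `native_pax_open_kernel()` and `native_pax_close_kernel()` carry no comment stating their contract, and the contract is strict. The `BUG_ON` in each means the pair cannot be nested, and the code between them runs with `X86_CR0_WP` cleared under `preempt_disable()` only. These helpers do not mask interrupts, so whether a handler can run inside that window with write protection off depends on the callers, which this hunk does not show. I would add a header comment such as `/* Clears CR0.WP on this CPU; must be paired with pax_close_kernel(), must not nest, keep the window minimal */`. Separately, `pte_user()` reads `pte_val()` where its neighbour `pte_dirty()` uses `pte_flags()`; `return pte_flags(pte) & _PAGE_USER;` would match the surrounding accessors.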
10841 @@ -196,9 +235,29 @@ static inline pte_t pte_wrprotect(pte_t
10842 return pte_clear_flags(pte, _PAGE_RW);
10843 }
10844
10845 +static inline pte_t pte_mkread(pte_t pte)
10846 +{
10847 + return __pte(pte_val(pte) | _PAGE_USER);
10848 +}
10849 +
10850 static inline pte_t pte_mkexec(pte_t pte)
10851 {
10852 - return pte_clear_flags(pte, _PAGE_NX);
10853 +#ifdef CONFIG_X86_PAE
10854 + if (__supported_pte_mask & _PAGE_NX)
10855 + return pte_clear_flags(pte, _PAGE_NX);
10856 + else
10857 +#endif
10858 + return pte_set_flags(pte, _PAGE_USER);
10859 +}
10860 +
10861 +static inline pte_t pte_exprotect(pte_t pte)
10862 +{
10863 +#ifdef CONFIG_X86_PAE
10864 + if (__supported_pte_mask & _PAGE_NX)
10865 + return pte_set_flags(pte, _PAGE_NX);
10866 + else
10867 +#endif
10868 + return pte_clear_flags(pte, _PAGE_USER);
10869 }
10870
10871 static inline pte_t pte_mkdirty(pte_t pte)
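Review bot: The NX branch in `pte_mkexec()` and `pte_exprotect()` is compiled only under `CONFIG_X86_PAE`, while the pgtable_types.h part of this patch defines a hardware `_PAGE_NX` for `CONFIG_X86_64 || CONFIG_X86_PAE`. If `CONFIG_X86_PAE` is never set on 64-bit builds (Kconfig is not visible here), both helpers fall through to toggling `_PAGE_USER` there, and `pte_mkexec()` no longer clears `_PAGE_NX` as the removed line did. I would guard both with `#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)`, or add a comment saying why 64-bit is meant to take the `_PAGE_USER` path. `pte_mkread()` also builds its result with `__pte(pte_val(pte) | _PAGE_USER)` where the neighbours use `pte_set_flags()`.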
10872 @@ -390,6 +449,15 @@ pte_t *populate_extra_pte(unsigned long
10873 #endif
10874
10875 #ifndef __ASSEMBLY__
10876 +
10877 +#ifdef CONFIG_PAX_PER_CPU_PGD
10878 +extern pgd_t cpu_pgd[NR_CPUS][PTRS_PER_PGD];
10879 +static inline pgd_t *get_cpu_pgd(unsigned int cpu)
10880 +{
10881 + return cpu_pgd[cpu];
10882 +}
10883 +#endif
10884 +
10885 #include <linux/mm_types.h>
10886
10887 static inline int pte_none(pte_t pte)
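Review bot: `get_cpu_pgd()` indexes `cpu_pgd[cpu]` with no range check, so a `cpu` of `NR_CPUS` or more yields a pointer past the array that later code would treat as a page directory. The callers are outside this hunk. If they always pass a valid CPU id, record that in a comment such as `/* cpu must be < NR_CPUS */`; otherwise add `BUG_ON(cpu >= NR_CPUS);` before the return.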
10888 @@ -560,7 +628,7 @@ static inline pud_t *pud_offset(pgd_t *p
10889
10890 static inline int pgd_bad(pgd_t pgd)
10891 {
10892 - return (pgd_flags(pgd) & ~_PAGE_USER) != _KERNPG_TABLE;
10893 + return (pgd_flags(pgd) & ~(_PAGE_USER | _PAGE_NX)) != _KERNPG_TABLE;
10894 }
10895
10896 static inline int pgd_none(pgd_t pgd)
10897 @@ -583,7 +651,12 @@ static inline int pgd_none(pgd_t pgd)
10898 * pgd_offset() returns a (pgd_t *)
10899 * pgd_index() is used get the offset into the pgd page's array of pgd_t's;
10900 */
10901 -#define pgd_offset(mm, address) ((mm)->pgd + pgd_index((address)))
10902 +#define pgd_offset(mm, address) ((mm)->pgd + pgd_index(address))
10903 +
10904 +#ifdef CONFIG_PAX_PER_CPU_PGD
10905 +#define pgd_offset_cpu(cpu, address) (get_cpu_pgd(cpu) + pgd_index(address))
10906 +#endif
10907 +
10908 /*
10909 * a shortcut which implies the use of the kernel's pgd, instead
10910 * of a process's
10911 @@ -594,6 +667,20 @@ static inline int pgd_none(pgd_t pgd)
10912 #define KERNEL_PGD_BOUNDARY pgd_index(PAGE_OFFSET)
10913 #define KERNEL_PGD_PTRS (PTRS_PER_PGD - KERNEL_PGD_BOUNDARY)
10914
10915 +#ifdef CONFIG_X86_32
10916 +#define USER_PGD_PTRS KERNEL_PGD_BOUNDARY
10917 +#else
10918 +#define TASK_SIZE_MAX_SHIFT CONFIG_TASK_SIZE_MAX_SHIFT
10919 +#define USER_PGD_PTRS (_AC(1,UL) << (TASK_SIZE_MAX_SHIFT - PGDIR_SHIFT))
10920 +
10921 +#ifdef CONFIG_PAX_MEMORY_UDEREF
10922 +#define PAX_USER_SHADOW_BASE (_AC(1,UL) << TASK_SIZE_MAX_SHIFT)
10923 +#else
10924 +#define PAX_USER_SHADOW_BASE (_AC(0,UL))
10925 +#endif
10926 +
10927 +#endif
10928 +
10929 #ifndef __ASSEMBLY__
10930
10931 extern int direct_gbpages;
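Review bot: `USER_PGD_PTRS` shifts by `TASK_SIZE_MAX_SHIFT - PGDIR_SHIFT`, and nothing in this hunk constrains `CONFIG_TASK_SIZE_MAX_SHIFT`; a configured value below `PGDIR_SHIFT` would make the shift count negative, which is undefined. The Kconfig range is not visible here. If it does not already enforce the bound, a preprocessor check next to the define (`#if TASK_SIZE_MAX_SHIFT < PGDIR_SHIFT` followed by `#error`) would catch a bad configuration at build time. `PAX_USER_SHADOW_BASE` also has no comment explaining what the shadow region is or why it is zero without `CONFIG_PAX_MEMORY_UDEREF`.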
10932 @@ -758,11 +845,23 @@ static inline void pmdp_set_wrprotect(st
10933 * dst and src can be on the same page, but the range must not overlap,
10934 * and must not cross a page boundary.
10935 */
10936 -static inline void clone_pgd_range(pgd_t *dst, pgd_t *src, int count)
10937 +static inline void clone_pgd_range(pgd_t *dst, const pgd_t *src, int count)
10938 {
10939 - memcpy(dst, src, count * sizeof(pgd_t));
10940 + pax_open_kernel();
10941 + while (count--)
10942 + *dst++ = *src++;
10943 + pax_close_kernel();
10944 }
10945
10946 +#ifdef CONFIG_PAX_PER_CPU_PGD
10947 +extern void __clone_user_pgds(pgd_t *dst, const pgd_t *src, int count);
10948 +#endif
10949 +
10950 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
10951 +extern void __shadow_user_pgds(pgd_t *dst, const pgd_t *src, int count);
10952 +#else
10953 +static inline void __shadow_user_pgds(pgd_t *dst, const pgd_t *src, int count) {}
10954 +#endif
10955
10956 #include <asm-generic/pgtable.h>
10957 #endif /* __ASSEMBLY__ */
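Review bot: `clone_pgd_range()` now loops with `while (count--)` on a signed `int count`, so a negative count keeps writing page-directory entries inside the `pax_open_kernel()` window instead of stopping. `while (count-- > 0)` costs nothing and bounds the loop. The existing comment above the function should also say that the whole copy runs between `pax_open_kernel()` and `pax_close_kernel()`. The new prototypes `__clone_user_pgds()` and `__shadow_user_pgds()` take the same `int count` and have no comment describing what they copy.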
10958 diff -urNp linux-2.6.39.3/arch/x86/include/asm/pgtable_types.h linux-2.6.39.3/arch/x86/include/asm/pgtable_types.h
10959 --- linux-2.6.39.3/arch/x86/include/asm/pgtable_types.h 2011-05-19 00:06:34.000000000 -0400
10960 +++ linux-2.6.39.3/arch/x86/include/asm/pgtable_types.h 2011-05-22 19:36:30.000000000 -0400
10961 @@ -16,13 +16,12 @@
10962 #define _PAGE_BIT_PSE 7 /* 4 MB (or 2MB) page */
10963 #define _PAGE_BIT_PAT 7 /* on 4KB pages */
10964 #define _PAGE_BIT_GLOBAL 8 /* Global TLB entry PPro+ */
10965 -#define _PAGE_BIT_UNUSED1 9 /* available for programmer */
10966 +#define _PAGE_BIT_SPECIAL 9 /* special mappings, no associated struct page */
10967 #define _PAGE_BIT_IOMAP 10 /* flag used to indicate IO mapping */
10968 #define _PAGE_BIT_HIDDEN 11 /* hidden by kmemcheck */
10969 #define _PAGE_BIT_PAT_LARGE 12 /* On 2MB or 1GB pages */
10970 -#define _PAGE_BIT_SPECIAL _PAGE_BIT_UNUSED1
10971 -#define _PAGE_BIT_CPA_TEST _PAGE_BIT_UNUSED1
10972 -#define _PAGE_BIT_SPLITTING _PAGE_BIT_UNUSED1 /* only valid on a PSE pmd */
10973 +#define _PAGE_BIT_CPA_TEST _PAGE_BIT_SPECIAL
10974 +#define _PAGE_BIT_SPLITTING _PAGE_BIT_SPECIAL /* only valid on a PSE pmd */
10975 #define _PAGE_BIT_NX 63 /* No execute: only valid after cpuid check */
10976
10977 /* If _PAGE_BIT_PRESENT is clear, we use these: */
10978 @@ -40,7 +39,6 @@
10979 #define _PAGE_DIRTY (_AT(pteval_t, 1) << _PAGE_BIT_DIRTY)
10980 #define _PAGE_PSE (_AT(pteval_t, 1) << _PAGE_BIT_PSE)
10981 #define _PAGE_GLOBAL (_AT(pteval_t, 1) << _PAGE_BIT_GLOBAL)
10982 -#define _PAGE_UNUSED1 (_AT(pteval_t, 1) << _PAGE_BIT_UNUSED1)
10983 #define _PAGE_IOMAP (_AT(pteval_t, 1) << _PAGE_BIT_IOMAP)
10984 #define _PAGE_PAT (_AT(pteval_t, 1) << _PAGE_BIT_PAT)
10985 #define _PAGE_PAT_LARGE (_AT(pteval_t, 1) << _PAGE_BIT_PAT_LARGE)
10986 @@ -57,8 +55,10 @@
10987
10988 #if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
10989 #define _PAGE_NX (_AT(pteval_t, 1) << _PAGE_BIT_NX)
10990 -#else
10991 +#elif defined(CONFIG_KMEMCHECK)
10992 #define _PAGE_NX (_AT(pteval_t, 0))
10993 +#else
10994 +#define _PAGE_NX (_AT(pteval_t, 1) << _PAGE_BIT_HIDDEN)
10995 #endif
10996
10997 #define _PAGE_FILE (_AT(pteval_t, 1) << _PAGE_BIT_FILE)
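Review bot: The new `#else` branch makes `_PAGE_NX` an alias of bit `_PAGE_BIT_HIDDEN` on 32-bit non-PAE builds, with no comment saying that this is a software-only marker and not the hardware no-execute bit. Earlier in this file that bit is documented as "hidden by kmemcheck", which is presumably why `CONFIG_KMEMCHECK` keeps the zero definition; that dependency should be written down. Suggested comment: `/* no hardware NX in this configuration: bit 11 is reused as a software no-exec marker, which excludes kmemcheck */`. Code that tests `_PAGE_NX` to decide whether hardware NX is active has to consult `__supported_pte_mask`, as `pte_mkexec()` in this patch does.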
10998 @@ -96,6 +96,9 @@
10999 #define PAGE_READONLY_EXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | \
11000 _PAGE_ACCESSED)
11001
11002 +#define PAGE_READONLY_NOEXEC PAGE_READONLY
11003 +#define PAGE_SHARED_NOEXEC PAGE_SHARED
11004 +
11005 #define __PAGE_KERNEL_EXEC \
11006 (_PAGE_PRESENT | _PAGE_RW | _PAGE_DIRTY | _PAGE_ACCESSED | _PAGE_GLOBAL)
11007 #define __PAGE_KERNEL (__PAGE_KERNEL_EXEC | _PAGE_NX)
11008 @@ -106,8 +109,8 @@
11009 #define __PAGE_KERNEL_WC (__PAGE_KERNEL | _PAGE_CACHE_WC)
11010 #define __PAGE_KERNEL_NOCACHE (__PAGE_KERNEL | _PAGE_PCD | _PAGE_PWT)
11011 #define __PAGE_KERNEL_UC_MINUS (__PAGE_KERNEL | _PAGE_PCD)
11012 -#define __PAGE_KERNEL_VSYSCALL (__PAGE_KERNEL_RX | _PAGE_USER)
11013 -#define __PAGE_KERNEL_VSYSCALL_NOCACHE (__PAGE_KERNEL_VSYSCALL | _PAGE_PCD | _PAGE_PWT)
11014 +#define __PAGE_KERNEL_VSYSCALL (__PAGE_KERNEL_RO | _PAGE_USER)
11015 +#define __PAGE_KERNEL_VSYSCALL_NOCACHE (__PAGE_KERNEL_RO | _PAGE_PCD | _PAGE_PWT | _PAGE_USER)
11016 #define __PAGE_KERNEL_LARGE (__PAGE_KERNEL | _PAGE_PSE)
11017 #define __PAGE_KERNEL_LARGE_NOCACHE (__PAGE_KERNEL | _PAGE_CACHE_UC | _PAGE_PSE)
11018 #define __PAGE_KERNEL_LARGE_EXEC (__PAGE_KERNEL_EXEC | _PAGE_PSE)
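Review bot: `__PAGE_KERNEL_VSYSCALL_NOCACHE` is now spelled out as `__PAGE_KERNEL_RO | _PAGE_PCD | _PAGE_PWT | _PAGE_USER` instead of being derived from `__PAGE_KERNEL_VSYSCALL`, so the two definitions can drift apart on the next change. `(__PAGE_KERNEL_VSYSCALL | _PAGE_PCD | _PAGE_PWT)` expands to the same bits and keeps the relationship explicit. The switch from `__PAGE_KERNEL_RX` to `__PAGE_KERNEL_RO` also needs a comment: `__PAGE_KERNEL_RO` is defined outside this hunk, and if it includes `_PAGE_NX` the user-visible vsyscall mapping stops being executable.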
11019 @@ -166,8 +169,8 @@
11020 * bits are combined, this will alow user to access the high address mapped
11021 * VDSO in the presence of CONFIG_COMPAT_VDSO
11022 */
11023 -#define PTE_IDENT_ATTR 0x003 /* PRESENT+RW */
11024 -#define PDE_IDENT_ATTR 0x067 /* PRESENT+RW+USER+DIRTY+ACCESSED */
11025 +#define PTE_IDENT_ATTR 0x063 /* PRESENT+RW+DIRTY+ACCESSED */
11026 +#define PDE_IDENT_ATTR 0x063 /* PRESENT+RW+DIRTY+ACCESSED */
11027 #define PGD_IDENT_ATTR 0x001 /* PRESENT (no other attributes) */
11028 #endif
11029
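Review bot: The comment that ends just above these defines still explains that the combined attributes let user space reach the high-mapped VDSO under `CONFIG_COMPAT_VDSO`, but the new `PDE_IDENT_ATTR` no longer contains the USER bit. That comment starts outside the hunk and should be reworded, or the patch should state what happens to `CONFIG_COMPAT_VDSO` with this change. The two values are now identical, so `#define PDE_IDENT_ATTR PTE_IDENT_ATTR` would say so directly.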
11030 @@ -205,7 +208,17 @@ static inline pgdval_t pgd_flags(pgd_t p
11031 {
11032 return native_pgd_val(pgd) & PTE_FLAGS_MASK;
11033 }
11034 +#endif
11035
11036 +#if PAGETABLE_LEVELS == 3
11037 +#include <asm-generic/pgtable-nopud.h>
11038 +#endif
11039 +
11040 +#if PAGETABLE_LEVELS == 2
11041 +#include <asm-generic/pgtable-nopmd.h>
11042 +#endif
11043 +
11044 +#ifndef __ASSEMBLY__
11045 #if PAGETABLE_LEVELS > 3
11046 typedef struct { pudval_t pud; } pud_t;
11047
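Review bot: Moving `<asm-generic/pgtable-nopud.h>` and `<asm-generic/pgtable-nopmd.h>` out of the `#ifndef __ASSEMBLY__` region means assembly files that include this header now pull them in as well. That is only safe if both generic headers guard their C declarations themselves, which cannot be checked from this hunk. A one-line comment such as `/* also included for assembly: the generic headers must be __ASSEMBLY__-safe */` would record the requirement.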
11048 @@ -219,8 +232,6 @@ static inline pudval_t native_pud_val(pu
11049 return pud.pud;
11050 }
11051 #else
11052 -#include <asm-generic/pgtable-nopud.h>
11053 -
11054 static inline pudval_t native_pud_val(pud_t pud)
11055 {
11056 return native_pgd_val(pud.pgd);
11057 @@ -240,8 +251,6 @@ static inline pmdval_t native_pmd_val(pm
11058 return pmd.pmd;
11059 }
11060 #else
11061 -#include <asm-generic/pgtable-nopmd.h>
11062 -
11063 static inline pmdval_t native_pmd_val(pmd_t pmd)
11064 {
11065 return native_pgd_val(pmd.pud.pgd);
11066 @@ -281,7 +290,6 @@ typedef struct page *pgtable_t;
11067
11068 extern pteval_t __supported_pte_mask;
11069 extern void set_nx(void);
11070 -extern int nx_enabled;
11071
11072 #define pgprot_writecombine pgprot_writecombine
11073 extern pgprot_t pgprot_writecombine(pgprot_t prot);
11074 diff -urNp linux-2.6.39.3/arch/x86/include/asm/processor.h linux-2.6.39.3/arch/x86/include/asm/processor.h
11075 --- linux-2.6.39.3/arch/x86/include/asm/processor.h 2011-05-19 00:06:34.000000000 -0400
11076 +++ linux-2.6.39.3/arch/x86/include/asm/processor.h 2011-05-22 19:36:30.000000000 -0400
11077 @@ -266,7 +266,7 @@ struct tss_struct {
11078
11079 } ____cacheline_aligned;
11080
11081 -DECLARE_PER_CPU_SHARED_ALIGNED(struct tss_struct, init_tss);
11082 +extern struct tss_struct init_tss[NR_CPUS];
11083
11084 /*
11085 * Save the original ist values for checking stack pointers during debugging
11086 @@ -860,11 +860,18 @@ static inline void spin_lock_prefetch(co
11087 */
11088 #define TASK_SIZE PAGE_OFFSET
11089 #define TASK_SIZE_MAX TASK_SIZE
11090 +
11091 +#ifdef CONFIG_PAX_SEGMEXEC
11092 +#define SEGMEXEC_TASK_SIZE (TASK_SIZE / 2)
11093 +#define STACK_TOP ((current->mm->pax_flags & MF_PAX_SEGMEXEC)?SEGMEXEC_TASK_SIZE:TASK_SIZE)
11094 +#else
11095 #define STACK_TOP TASK_SIZE
11096 -#define STACK_TOP_MAX STACK_TOP
11097 +#endif
11098 +
11099 +#define STACK_TOP_MAX TASK_SIZE
11100
11101 #define INIT_THREAD { \
11102 - .sp0 = sizeof(init_stack) + (long)&init_stack, \
11103 + .sp0 = sizeof(init_stack) + (long)&init_stack - 8, \
11104 .vm86_info = NULL, \
11105 .sysenter_cs = __KERNEL_CS, \
11106 .io_bitmap_ptr = NULL, \
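Review bot: The SEGMEXEC variant of `STACK_TOP` dereferences `current->mm` unconditionally, so a use from a context that has no mm would fault on a NULL pointer; the callers are not shown here. A comment stating that `STACK_TOP` is only valid for a task with an mm would make the precondition visible. The `- 8` added to `.sp0` is a bare constant. It recurs in `INIT_TSS` in the next hunk and as `- 16` in the 64-bit `INIT_THREAD`/`INIT_TSS` hunk further down, and a named constant with a comment would keep those four sites in step.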
11107 @@ -878,7 +885,7 @@ static inline void spin_lock_prefetch(co
11108 */
11109 #define INIT_TSS { \
11110 .x86_tss = { \
11111 - .sp0 = sizeof(init_stack) + (long)&init_stack, \
11112 + .sp0 = sizeof(init_stack) + (long)&init_stack - 8, \
11113 .ss0 = __KERNEL_DS, \
11114 .ss1 = __KERNEL_CS, \
11115 .io_bitmap_base = INVALID_IO_BITMAP_OFFSET, \
11116 @@ -889,11 +896,7 @@ static inline void spin_lock_prefetch(co
11117 extern unsigned long thread_saved_pc(struct task_struct *tsk);
11118
11119 #define THREAD_SIZE_LONGS (THREAD_SIZE/sizeof(unsigned long))
11120 -#define KSTK_TOP(info) \
11121 -({ \
11122 - unsigned long *__ptr = (unsigned long *)(info); \
11123 - (unsigned long)(&__ptr[THREAD_SIZE_LONGS]); \
11124 -})
11125 +#define KSTK_TOP(info) ((container_of(info, struct task_struct, tinfo))->thread.sp0)
11126
11127 /*
11128 * The below -8 is to reserve 8 bytes on top of the ring0 stack.
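Review bot: `KSTK_TOP(info)` changes meaning without changing its name. It used to accept any pointer to the base of a stack area; it now applies `container_of(info, struct task_struct, tinfo)`, which is only valid when `info` points at the `tinfo` member of a `task_struct`. A caller that still passes a stack page would read `thread.sp0` from unrelated memory; callers are outside this hunk. Add a comment such as `/* info must be &task->tinfo */`, or change the macro to take the task directly. `THREAD_SIZE_LONGS` on the line above is no longer used by this macro.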
11129 @@ -908,7 +911,7 @@ extern unsigned long thread_saved_pc(str
11130 #define task_pt_regs(task) \
11131 ({ \
11132 struct pt_regs *__regs__; \
11133 - __regs__ = (struct pt_regs *)(KSTK_TOP(task_stack_page(task))-8); \
11134 + __regs__ = (struct pt_regs *)((task)->thread.sp0); \
11135 __regs__ - 1; \
11136 })
11137
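Review bot: `task_pt_regs()` no longer subtracts 8 itself and instead trusts `(task)->thread.sp0` to already include the reserve, but the comment above it (it begins in the previous hunk's context) still reads "The below -8". Reword it to say that the reserve is applied where `sp0` is set. Only the `INIT_THREAD` and `INIT_TSS` initializers are visible in this file, so whether every other writer of `sp0` applies the same reserve cannot be confirmed from here.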
11138 @@ -918,13 +921,13 @@ extern unsigned long thread_saved_pc(str
11139 /*
11140 * User space process size. 47bits minus one guard page.
11141 */
11142 -#define TASK_SIZE_MAX ((1UL << 47) - PAGE_SIZE)
11143 +#define TASK_SIZE_MAX ((1UL << TASK_SIZE_MAX_SHIFT) - PAGE_SIZE)
11144
11145 /* This decides where the kernel will search for a free chunk of vm
11146 * space during mmap's.
11147 */
11148 #define IA32_PAGE_OFFSET ((current->personality & ADDR_LIMIT_3GB) ? \
11149 - 0xc0000000 : 0xFFFFe000)
11150 + 0xc0000000 : 0xFFFFf000)
11151
11152 #define TASK_SIZE (test_thread_flag(TIF_IA32) ? \
11153 IA32_PAGE_OFFSET : TASK_SIZE_MAX)
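Review bot: The comment "47bits minus one guard page" is left unchanged although `TASK_SIZE_MAX` now depends on `TASK_SIZE_MAX_SHIFT`; it should read something like `/* User space process size: 2^TASK_SIZE_MAX_SHIFT minus one guard page. */`. The `IA32_PAGE_OFFSET` change from `0xFFFFe000` to `0xFFFFf000` raises the compat address limit by one page with no explanation in the hunk. A short comment on what used to occupy that page and why it is now available is needed for the next reader.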
11154 @@ -935,11 +938,11 @@ extern unsigned long thread_saved_pc(str
11155 #define STACK_TOP_MAX TASK_SIZE_MAX
11156
11157 #define INIT_THREAD { \
11158 - .sp0 = (unsigned long)&init_stack + sizeof(init_stack) \
11159 + .sp0 = (unsigned long)&init_stack + sizeof(init_stack) - 16 \
11160 }
11161
11162 #define INIT_TSS { \
11163 - .x86_tss.sp0 = (unsigned long)&init_stack + sizeof(init_stack) \
11164 + .x86_tss.sp0 = (unsigned long)&init_stack + sizeof(init_stack) - 16 \
11165 }
11166
11167 /*
11168 @@ -961,6 +964,10 @@ extern void start_thread(struct pt_regs
11169 */
11170 #define TASK_UNMAPPED_BASE (PAGE_ALIGN(TASK_SIZE / 3))
11171
11172 +#ifdef CONFIG_PAX_SEGMEXEC
11173 +#define SEGMEXEC_TASK_UNMAPPED_BASE (PAGE_ALIGN(SEGMEXEC_TASK_SIZE / 3))
11174 +#endif
11175 +
11176 #define KSTK_EIP(task) (task_pt_regs(task)->ip)
11177
11178 /* Get/set a process' ability to use the timestamp counter instruction */
11179 diff -urNp linux-2.6.39.3/arch/x86/include/asm/ptrace.h linux-2.6.39.3/arch/x86/include/asm/ptrace.h
11180 --- linux-2.6.39.3/arch/x86/include/asm/ptrace.h 2011-05-19 00:06:34.000000000 -0400
11181 +++ linux-2.6.39.3/arch/x86/include/asm/ptrace.h 2011-05-22 19:36:30.000000000 -0400
11182 @@ -152,28 +152,29 @@ static inline unsigned long regs_return_
11183 }
11184
11185 /*
11186 - * user_mode_vm(regs) determines whether a register set came from user mode.
11187 + * user_mode(regs) determines whether a register set came from user mode.
11188 * This is true if V8086 mode was enabled OR if the register set was from
11189 * protected mode with RPL-3 CS value. This tricky test checks that with
11190 * one comparison. Many places in the kernel can bypass this full check
11191 - * if they have already ruled out V8086 mode, so user_mode(regs) can be used.
11192 + * if they have already ruled out V8086 mode, so user_mode_novm(regs) can
11193 + * be used.
11194 */
11195 -static inline int user_mode(struct pt_regs *regs)
11196 +static inline int user_mode_novm(struct pt_regs *regs)
11197 {
11198 #ifdef CONFIG_X86_32
11199 return (regs->cs & SEGMENT_RPL_MASK) == USER_RPL;
11200 #else
11201 - return !!(regs->cs & 3);
11202 + return !!(regs->cs & SEGMENT_RPL_MASK);
11203 #endif
11204 }
11205
11206 -static inline int user_mode_vm(struct pt_regs *regs)
11207 +static inline int user_mode(struct pt_regs *regs)
11208 {
11209 #ifdef CONFIG_X86_32
11210 return ((regs->cs & SEGMENT_RPL_MASK) | (regs->flags & X86_VM_MASK)) >=
11211 USER_RPL;
11212 #else
11213 - return user_mode(regs);
11214 + return user_mode_novm(regs);
11215 #endif
11216 }
11217
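Review bot: `user_mode()` keeps its name but takes over the V8086-aware test that `user_mode_vm()` performed, while the old RPL-only test becomes `user_mode_novm()`. That makes the stricter check the default, but it also silently changes what every existing `user_mode()` caller evaluates, so the patch description should state this. The block comment now sits above `user_mode_novm()` while describing `user_mode()`. Give each function its own comment, for example `/* RPL-only check: the caller must already have ruled out V8086 mode */` on `user_mode_novm()`.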
11218 diff -urNp linux-2.6.39.3/arch/x86/include/asm/reboot.h linux-2.6.39.3/arch/x86/include/asm/reboot.h
11219 --- linux-2.6.39.3/arch/x86/include/asm/reboot.h 2011-05-19 00:06:34.000000000 -0400
11220 +++ linux-2.6.39.3/arch/x86/include/asm/reboot.h 2011-05-22 19:36:30.000000000 -0400
11221 @@ -6,19 +6,19 @@
11222 struct pt_regs;
11223
11224 struct machine_ops {
11225 - void (*restart)(char *cmd);
11226 - void (*halt)(void);
11227 - void (*power_off)(void);
11228 + void (* __noreturn restart)(char *cmd);
11229 + void (* __noreturn halt)(void);
11230 + void (* __noreturn power_off)(void);
11231 void (*shutdown)(void);
11232 void (*crash_shutdown)(struct pt_regs *);
11233 - void (*emergency_restart)(void);
11234 + void (* __noreturn emergency_restart)(void);
11235 };
11236
11237 extern struct machine_ops machine_ops;
11238
11239 void native_machine_crash_shutdown(struct pt_regs *regs);
11240 void native_machine_shutdown(void);
11241 -void machine_real_restart(unsigned int type);
11242 +void machine_real_restart(unsigned int type) __noreturn;
11243 /* These must match dispatch_table in reboot_32.S */
11244 #define MRR_BIOS 0
11245 #define MRR_APM 1
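Review bot: Marking the `restart`, `halt`, `power_off` and `emergency_restart` pointers `__noreturn` turns "this callback returned" into undefined behaviour at every call site, and `machine_ops` is declared here as a writable global. The implementations are not in this hunk; each function assigned to one of these slots needs to be checked for a path that returns. A comment on the struct, `/* restart, halt, power_off and emergency_restart must never return */`, would state the contract. `shutdown` and `crash_shutdown` are left returnable, which looks deliberate but is also undocumented.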
11246 diff -urNp linux-2.6.39.3/arch/x86/include/asm/rwsem.h linux-2.6.39.3/arch/x86/include/asm/rwsem.h
11247 --- linux-2.6.39.3/arch/x86/include/asm/rwsem.h 2011-05-19 00:06:34.000000000 -0400
11248 +++ linux-2.6.39.3/arch/x86/include/asm/rwsem.h 2011-05-22 19:36:30.000000000 -0400
11249 @@ -64,6 +64,14 @@ static inline void __down_read(struct rw
11250 {
11251 asm volatile("# beginning down_read\n\t"
11252 LOCK_PREFIX _ASM_INC "(%1)\n\t"
11253 +
11254 +#ifdef CONFIG_PAX_REFCOUNT
11255 + "jno 0f\n"
11256 + LOCK_PREFIX _ASM_DEC "(%1)\n"
11257 + "int $4\n0:\n"
11258 + _ASM_EXTABLE(0b, 0b)
11259 +#endif
11260 +
11261 /* adds 0x00000001 */
11262 " jns 1f\n"
11263 " call call_rwsem_down_read_failed\n"
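Review bot: The overflow check added here (`jno 0f`, an undo instruction, `int $4`, label `0:`, `_ASM_EXTABLE(0b, 0b)`) is pasted into every rwsem.h hunk below and into the `arch_read_lock()`, `arch_write_lock()`, `arch_read_unlock()` and `arch_write_unlock()` hunks of spinlock.h, differing only in the undo instruction. A single macro taking the undo instruction as its argument would remove the duplication and give one place for a comment. None of the copies explains that `jno` tests the signed-overflow flag or why the exception-table entry maps label `0` to itself. Suggested comment: `/* on signed overflow: undo the update, then raise the overflow exception (int $4) */`. `__down_read()` starts and ends outside this hunk.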
11264 @@ -85,6 +93,14 @@ static inline int __down_read_trylock(st
11265 "1:\n\t"
11266 " mov %1,%2\n\t"
11267 " add %3,%2\n\t"
11268 +
11269 +#ifdef CONFIG_PAX_REFCOUNT
11270 + "jno 0f\n"
11271 + "sub %3,%2\n"
11272 + "int $4\n0:\n"
11273 + _ASM_EXTABLE(0b, 0b)
11274 +#endif
11275 +
11276 " jle 2f\n\t"
11277 LOCK_PREFIX " cmpxchg %2,%0\n\t"
11278 " jnz 1b\n\t"
11279 @@ -104,6 +120,14 @@ static inline void __down_write_nested(s
11280 long tmp;
11281 asm volatile("# beginning down_write\n\t"
11282 LOCK_PREFIX " xadd %1,(%2)\n\t"
11283 +
11284 +#ifdef CONFIG_PAX_REFCOUNT
11285 + "jno 0f\n"
11286 + "mov %1,(%2)\n"
11287 + "int $4\n0:\n"
11288 + _ASM_EXTABLE(0b, 0b)
11289 +#endif
11290 +
11291 /* adds 0xffff0001, returns the old value */
11292 " test %1,%1\n\t"
11293 /* was the count 0 before? */
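Review bot: The rollback after `xadd` is a plain `mov %1,(%2)`, which stores the pre-`xadd` value back without a lock prefix. Any update another CPU makes to the count between the `xadd` and the `mov` is overwritten, unlike the `__down_read()` hunk where the undo is a locked decrement. If that is accepted because the overflow path ends in `int $4` anyway, say so in a comment next to the `mov`; otherwise undo with a locked subtract of the value that was added. The same `mov` rollback appears in the `__up_read()`, `__up_write()` and `rwsem_atomic_update()` hunks. The function body continues outside this hunk.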
11294 @@ -141,6 +165,14 @@ static inline void __up_read(struct rw_s
11295 long tmp;
11296 asm volatile("# beginning __up_read\n\t"
11297 LOCK_PREFIX " xadd %1,(%2)\n\t"
11298 +
11299 +#ifdef CONFIG_PAX_REFCOUNT
11300 + "jno 0f\n"
11301 + "mov %1,(%2)\n"
11302 + "int $4\n0:\n"
11303 + _ASM_EXTABLE(0b, 0b)
11304 +#endif
11305 +
11306 /* subtracts 1, returns the old value */
11307 " jns 1f\n\t"
11308 " call call_rwsem_wake\n" /* expects old value in %edx */
11309 @@ -159,6 +191,14 @@ static inline void __up_write(struct rw_
11310 long tmp;
11311 asm volatile("# beginning __up_write\n\t"
11312 LOCK_PREFIX " xadd %1,(%2)\n\t"
11313 +
11314 +#ifdef CONFIG_PAX_REFCOUNT
11315 + "jno 0f\n"
11316 + "mov %1,(%2)\n"
11317 + "int $4\n0:\n"
11318 + _ASM_EXTABLE(0b, 0b)
11319 +#endif
11320 +
11321 /* subtracts 0xffff0001, returns the old value */
11322 " jns 1f\n\t"
11323 " call call_rwsem_wake\n" /* expects old value in %edx */
11324 @@ -176,6 +216,14 @@ static inline void __downgrade_write(str
11325 {
11326 asm volatile("# beginning __downgrade_write\n\t"
11327 LOCK_PREFIX _ASM_ADD "%2,(%1)\n\t"
11328 +
11329 +#ifdef CONFIG_PAX_REFCOUNT
11330 + "jno 0f\n"
11331 + LOCK_PREFIX _ASM_SUB "%2,(%1)\n"
11332 + "int $4\n0:\n"
11333 + _ASM_EXTABLE(0b, 0b)
11334 +#endif
11335 +
11336 /*
11337 * transitions 0xZZZZ0001 -> 0xYYYY0001 (i386)
11338 * 0xZZZZZZZZ00000001 -> 0xYYYYYYYY00000001 (x86_64)
11339 @@ -194,7 +242,15 @@ static inline void __downgrade_write(str
11340 */
11341 static inline void rwsem_atomic_add(long delta, struct rw_semaphore *sem)
11342 {
11343 - asm volatile(LOCK_PREFIX _ASM_ADD "%1,%0"
11344 + asm volatile(LOCK_PREFIX _ASM_ADD "%1,%0\n"
11345 +
11346 +#ifdef CONFIG_PAX_REFCOUNT
11347 + "jno 0f\n"
11348 + LOCK_PREFIX _ASM_SUB "%1,%0\n"
11349 + "int $4\n0:\n"
11350 + _ASM_EXTABLE(0b, 0b)
11351 +#endif
11352 +
11353 : "+m" (sem->count)
11354 : "er" (delta));
11355 }
11356 @@ -206,7 +262,15 @@ static inline long rwsem_atomic_update(l
11357 {
11358 long tmp = delta;
11359
11360 - asm volatile(LOCK_PREFIX "xadd %0,%1"
11361 + asm volatile(LOCK_PREFIX "xadd %0,%1\n"
11362 +
11363 +#ifdef CONFIG_PAX_REFCOUNT
11364 + "jno 0f\n"
11365 + "mov %0,%1\n"
11366 + "int $4\n0:\n"
11367 + _ASM_EXTABLE(0b, 0b)
11368 +#endif
11369 +
11370 : "+r" (tmp), "+m" (sem->count)
11371 : : "memory");
11372
11373 diff -urNp linux-2.6.39.3/arch/x86/include/asm/segment.h linux-2.6.39.3/arch/x86/include/asm/segment.h
11374 --- linux-2.6.39.3/arch/x86/include/asm/segment.h 2011-05-19 00:06:34.000000000 -0400
11375 +++ linux-2.6.39.3/arch/x86/include/asm/segment.h 2011-05-22 19:36:30.000000000 -0400
11376 @@ -64,8 +64,8 @@
11377 * 26 - ESPFIX small SS
11378 * 27 - per-cpu [ offset to per-cpu data area ]
11379 * 28 - stack_canary-20 [ for stack protector ]
11380 - * 29 - unused
11381 - * 30 - unused
11382 + * 29 - PCI BIOS CS
11383 + * 30 - PCI BIOS DS
11384 * 31 - TSS for double fault handler
11385 */
11386 #define GDT_ENTRY_TLS_MIN 6
11387 @@ -79,6 +79,8 @@
11388
11389 #define GDT_ENTRY_KERNEL_CS (GDT_ENTRY_KERNEL_BASE+0)
11390
11391 +#define GDT_ENTRY_KERNEXEC_KERNEL_CS (4)
11392 +
11393 #define GDT_ENTRY_KERNEL_DS (GDT_ENTRY_KERNEL_BASE+1)
11394
11395 #define GDT_ENTRY_TSS (GDT_ENTRY_KERNEL_BASE+4)
11396 @@ -104,6 +106,12 @@
11397 #define __KERNEL_STACK_CANARY 0
11398 #endif
11399
11400 +#define GDT_ENTRY_PCIBIOS_CS (GDT_ENTRY_KERNEL_BASE+17)
11401 +#define __PCIBIOS_CS (GDT_ENTRY_PCIBIOS_CS * 8)
11402 +
11403 +#define GDT_ENTRY_PCIBIOS_DS (GDT_ENTRY_KERNEL_BASE+18)
11404 +#define __PCIBIOS_DS (GDT_ENTRY_PCIBIOS_DS * 8)
11405 +
11406 #define GDT_ENTRY_DOUBLEFAULT_TSS 31
11407
11408 /*
11409 @@ -141,7 +149,7 @@
11410 */
11411
11412 /* Matches PNP_CS32 and PNP_CS16 (they must be consecutive) */
11413 -#define SEGMENT_IS_PNP_CODE(x) (((x) & 0xf4) == GDT_ENTRY_PNPBIOS_BASE * 8)
11414 +#define SEGMENT_IS_PNP_CODE(x) (((x) & 0xFFFCU) == PNP_CS32 || ((x) & 0xFFFCU) == PNP_CS16)
11415
11416
11417 #else
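Review bot: The new `SEGMENT_IS_PNP_CODE(x)` expands `x` twice, so an argument with side effects would be evaluated twice; callers are not visible, and a `static inline` helper would avoid the hazard. The comment above the macro still says the two selectors "must be consecutive", which was a requirement of the old single-mask comparison and is no longer one for this test. The `0xFFFCU` mask drops the two RPL bits before comparing; a brief comment saying so would help.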
11418 @@ -165,6 +173,8 @@
11419 #define __USER32_CS (GDT_ENTRY_DEFAULT_USER32_CS * 8 + 3)
11420 #define __USER32_DS __USER_DS
11421
11422 +#define GDT_ENTRY_KERNEXEC_KERNEL_CS 7
11423 +
11424 #define GDT_ENTRY_TSS 8 /* needs two entries */
11425 #define GDT_ENTRY_LDT 10 /* needs two entries */
11426 #define GDT_ENTRY_TLS_MIN 12
11427 @@ -185,6 +195,7 @@
11428 #endif
11429
11430 #define __KERNEL_CS (GDT_ENTRY_KERNEL_CS*8)
11431 +#define __KERNEXEC_KERNEL_CS (GDT_ENTRY_KERNEXEC_KERNEL_CS*8)
11432 #define __KERNEL_DS (GDT_ENTRY_KERNEL_DS*8)
11433 #define __USER_DS (GDT_ENTRY_DEFAULT_USER_DS*8+3)
11434 #define __USER_CS (GDT_ENTRY_DEFAULT_USER_CS*8+3)
11435 diff -urNp linux-2.6.39.3/arch/x86/include/asm/smp.h linux-2.6.39.3/arch/x86/include/asm/smp.h
11436 --- linux-2.6.39.3/arch/x86/include/asm/smp.h 2011-05-19 00:06:34.000000000 -0400
11437 +++ linux-2.6.39.3/arch/x86/include/asm/smp.h 2011-05-22 19:36:30.000000000 -0400
11438 @@ -36,7 +36,7 @@ DECLARE_PER_CPU(cpumask_var_t, cpu_core_
11439 /* cpus sharing the last level cache: */
11440 DECLARE_PER_CPU(cpumask_var_t, cpu_llc_shared_map);
11441 DECLARE_PER_CPU(u16, cpu_llc_id);
11442 -DECLARE_PER_CPU(int, cpu_number);
11443 +DECLARE_PER_CPU(unsigned int, cpu_number);
11444
11445 static inline struct cpumask *cpu_sibling_mask(int cpu)
11446 {
11447 @@ -192,14 +192,8 @@ extern unsigned disabled_cpus __cpuinitd
11448 extern int safe_smp_processor_id(void);
11449
11450 #elif defined(CONFIG_X86_64_SMP)
11451 -#define raw_smp_processor_id() (percpu_read(cpu_number))
11452 -
11453 -#define stack_smp_processor_id() \
11454 -({ \
11455 - struct thread_info *ti; \
11456 - __asm__("andq %%rsp,%0; ":"=r" (ti) : "0" (CURRENT_MASK)); \
11457 - ti->cpu; \
11458 -})
11459 +#define raw_smp_processor_id() (percpu_read(cpu_number))
11460 +#define stack_smp_processor_id() raw_smp_processor_id()
11461 #define safe_smp_processor_id() smp_processor_id()
11462
11463 #endif
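Review bot: `stack_smp_processor_id()` is now an alias of `raw_smp_processor_id()`, so it reads the per-CPU `cpu_number` instead of deriving the CPU from the stack pointer. Any caller that chose the stack-based variant because per-CPU access was not yet usable at that point would now get a wrong id; no callers are visible here. If none remain, a comment such as `/* kept for API compatibility; same as raw_smp_processor_id() */` would document the change.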
11464 diff -urNp linux-2.6.39.3/arch/x86/include/asm/spinlock.h linux-2.6.39.3/arch/x86/include/asm/spinlock.h
11465 --- linux-2.6.39.3/arch/x86/include/asm/spinlock.h 2011-05-19 00:06:34.000000000 -0400
11466 +++ linux-2.6.39.3/arch/x86/include/asm/spinlock.h 2011-05-22 19:36:30.000000000 -0400
11467 @@ -249,6 +249,14 @@ static inline int arch_write_can_lock(ar
11468 static inline void arch_read_lock(arch_rwlock_t *rw)
11469 {
11470 asm volatile(LOCK_PREFIX " subl $1,(%0)\n\t"
11471 +
11472 +#ifdef CONFIG_PAX_REFCOUNT
11473 + "jno 0f\n"
11474 + LOCK_PREFIX " addl $1,(%0)\n"
11475 + "int $4\n0:\n"
11476 + _ASM_EXTABLE(0b, 0b)
11477 +#endif
11478 +
11479 "jns 1f\n"
11480 "call __read_lock_failed\n\t"
11481 "1:\n"
11482 @@ -258,6 +266,14 @@ static inline void arch_read_lock(arch_r
11483 static inline void arch_write_lock(arch_rwlock_t *rw)
11484 {
11485 asm volatile(LOCK_PREFIX " subl %1,(%0)\n\t"
11486 +
11487 +#ifdef CONFIG_PAX_REFCOUNT
11488 + "jno 0f\n"
11489 + LOCK_PREFIX " addl %1,(%0)\n"
11490 + "int $4\n0:\n"
11491 + _ASM_EXTABLE(0b, 0b)
11492 +#endif
11493 +
11494 "jz 1f\n"
11495 "call __write_lock_failed\n\t"
11496 "1:\n"
11497 @@ -286,12 +302,29 @@ static inline int arch_write_trylock(arc
11498
11499 static inline void arch_read_unlock(arch_rwlock_t *rw)
11500 {
11501 - asm volatile(LOCK_PREFIX "incl %0" :"+m" (rw->lock) : : "memory");
11502 + asm volatile(LOCK_PREFIX "incl %0\n"
11503 +
11504 +#ifdef CONFIG_PAX_REFCOUNT
11505 + "jno 0f\n"
11506 + LOCK_PREFIX "decl %0\n"
11507 + "int $4\n0:\n"
11508 + _ASM_EXTABLE(0b, 0b)
11509 +#endif
11510 +
11511 + :"+m" (rw->lock) : : "memory");
11512 }
11513
11514 static inline void arch_write_unlock(arch_rwlock_t *rw)
11515 {
11516 - asm volatile(LOCK_PREFIX "addl %1, %0"
11517 + asm volatile(LOCK_PREFIX "addl %1, %0\n"
11518 +
11519 +#ifdef CONFIG_PAX_REFCOUNT
11520 + "jno 0f\n"
11521 + LOCK_PREFIX "subl %1, %0\n"
11522 + "int $4\n0:\n"
11523 + _ASM_EXTABLE(0b, 0b)
11524 +#endif
11525 +
11526 : "+m" (rw->lock) : "i" (RW_LOCK_BIAS) : "memory");
11527 }
11528
11529 diff -urNp linux-2.6.39.3/arch/x86/include/asm/stackprotector.h linux-2.6.39.3/arch/x86/include/asm/stackprotector.h
11530 --- linux-2.6.39.3/arch/x86/include/asm/stackprotector.h 2011-05-19 00:06:34.000000000 -0400
11531 +++ linux-2.6.39.3/arch/x86/include/asm/stackprotector.h 2011-07-06 20:00:13.000000000 -0400
11532 @@ -48,7 +48,7 @@
11533 * head_32 for boot CPU and setup_per_cpu_areas() for others.
11534 */
11535 #define GDT_STACK_CANARY_INIT \
11536 - [GDT_ENTRY_STACK_CANARY] = GDT_ENTRY_INIT(0x4090, 0, 0x18),
11537 + [GDT_ENTRY_STACK_CANARY] = GDT_ENTRY_INIT(0x4090, 0, 0x17),
11538
11539 /*
11540 * Initialize the stackprotector canary value.
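Review bot: The segment limit drops from `0x18` to `0x17` with no comment explaining the new value. The GDT layout comment in segment.h lists this entry as "stack_canary-20"; assuming the canary is a 4-byte read at offset 20, its last byte is at offset 0x17, so the new limit looks like the exact bound. That reasoning should be in the source, for example `/* limit is inclusive: 0x17 covers the 4-byte canary at offset 20 */`, after confirming the assumption with the author.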
11541 @@ -113,7 +113,7 @@ static inline void setup_stack_canary_se
11542
11543 static inline void load_stack_canary_segment(void)
11544 {
11545 -#ifdef CONFIG_X86_32
11546 +#if defined(CONFIG_X86_32) && !defined(CONFIG_PAX_MEMORY_UDEREF)
11547 asm volatile ("mov %0, %%gs" : : "r" (0));
11548 #endif
11549 }
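Review bot: Under `CONFIG_PAX_MEMORY_UDEREF` on 32-bit, `load_stack_canary_segment()` becomes an empty function and `%gs` is left as it was, with no comment saying what owns `%gs` in that configuration. The reason is not visible in this hunk. If UDEREF reserves `%gs` for its own use, a comment such as `/* %gs is managed by UDEREF on 32-bit; do not reload it here */` would keep a later cleanup from restoring the load.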
11550 diff -urNp linux-2.6.39.3/arch/x86/include/asm/stacktrace.h linux-2.6.39.3/arch/x86/include/asm/stacktrace.h
11551 --- linux-2.6.39.3/arch/x86/include/asm/stacktrace.h 2011-05-19 00:06:34.000000000 -0400
11552 +++ linux-2.6.39.3/arch/x86/include/asm/stacktrace.h 2011-05-22 19:36:30.000000000 -0400
11553 @@ -11,28 +11,20 @@
11554
11555 extern int kstack_depth_to_print;
11556
11557 -struct thread_info;
11558 +struct task_struct;
11559 struct stacktrace_ops;
11560
11561 -typedef unsigned long (*walk_stack_t)(struct thread_info *tinfo,
11562 - unsigned long *stack,
11563 - unsigned long bp,
11564 - const struct stacktrace_ops *ops,
11565 - void *data,
11566 - unsigned long *end,
11567 - int *graph);
11568 -
11569 -extern unsigned long
11570 -print_context_stack(struct thread_info *tinfo,
11571 - unsigned long *stack, unsigned long bp,
11572 - const struct stacktrace_ops *ops, void *data,
11573 - unsigned long *end, int *graph);
11574 -
11575 -extern unsigned long
11576 -print_context_stack_bp(struct thread_info *tinfo,
11577 - unsigned long *stack, unsigned long bp,
11578 - const struct stacktrace_ops *ops, void *data,
11579 - unsigned long *end, int *graph);
11580 +typedef unsigned long walk_stack_t(struct task_struct *task,
11581 + void *stack_start,
11582 + unsigned long *stack,
11583 + unsigned long bp,
11584 + const struct stacktrace_ops *ops,
11585 + void *data,
11586 + unsigned long *end,
11587 + int *graph);
11588 +
11589 +extern walk_stack_t print_context_stack;
11590 +extern walk_stack_t print_context_stack_bp;
11591
11592 /* Generic stack tracer with callbacks */
11593
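Review bot: `walk_stack_t` gains a `void *stack_start` parameter with no documentation of what it bounds or how it relates to `stack` and `end`. Since this typedef is now the single declaration for `print_context_stack` and `print_context_stack_bp`, a comment above it describing each parameter would cover both. Turning the typedef into a function type is what forces the `walk_stack_t *walk_stack` change in the next hunk; any other user that declares a `walk_stack_t` object has to add the `*` as well.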
11594 @@ -43,7 +35,7 @@ struct stacktrace_ops {
11595 void (*address)(void *data, unsigned long address, int reliable);
11596 /* On negative return stop dumping */
11597 int (*stack)(void *data, char *name);
11598 - walk_stack_t walk_stack;
11599 + walk_stack_t *walk_stack;
11600 };
11601
11602 void dump_trace(struct task_struct *tsk, struct pt_regs *regs,
11603 diff -urNp linux-2.6.39.3/arch/x86/include/asm/system.h linux-2.6.39.3/arch/x86/include/asm/system.h
11604 --- linux-2.6.39.3/arch/x86/include/asm/system.h 2011-05-19 00:06:34.000000000 -0400
11605 +++ linux-2.6.39.3/arch/x86/include/asm/system.h 2011-05-22 19:36:30.000000000 -0400
11606 @@ -129,7 +129,7 @@ do { \
11607 "call __switch_to\n\t" \
11608 "movq "__percpu_arg([current_task])",%%rsi\n\t" \
11609 __switch_canary \
11610 - "movq %P[thread_info](%%rsi),%%r8\n\t" \
11611 + "movq "__percpu_arg([thread_info])",%%r8\n\t" \
11612 "movq %%rax,%%rdi\n\t" \
11613 "testl %[_tif_fork],%P[ti_flags](%%r8)\n\t" \
11614 "jnz ret_from_fork\n\t" \
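Review bot: After this change `switch_to()` loads the incoming thread's `thread_info` from the per-CPU `current_tinfo` rather than through the task pointer in `%rsi`, so the `_TIF_FORK` test is only correct if `__switch_to` has already updated `current_tinfo`. `__switch_to` is not part of this hunk. A comment next to the `movq` stating that ordering requirement would protect it from later reordering. The matching operand change to `"m" (current_tinfo)` is in the next hunk.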
11615 @@ -140,7 +140,7 @@ do { \
11616 [threadrsp] "i" (offsetof(struct task_struct, thread.sp)), \
11617 [ti_flags] "i" (offsetof(struct thread_info, flags)), \
11618 [_tif_fork] "i" (_TIF_FORK), \
11619 - [thread_info] "i" (offsetof(struct task_struct, stack)), \
11620 + [thread_info] "m" (current_tinfo), \
11621 [current_task] "m" (current_task) \
11622 __switch_canary_iparam \
11623 : "memory", "cc" __EXTRA_CLOBBER)
11624 @@ -200,7 +200,7 @@ static inline unsigned long get_limit(un
11625 {
11626 unsigned long __limit;
11627 asm("lsll %1,%0" : "=r" (__limit) : "r" (segment));
11628 - return __limit + 1;
11629 + return __limit;
11630 }
11631
11632 static inline void native_clts(void)
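Review bot: `get_limit()` now returns the raw `lsll` result, the highest valid offset, where it used to return that value plus one; the name and signature are unchanged, so a caller that treats the result as a size is off by one unless it was converted. Callers are outside this hunk, and the function starts outside it too. Add a comment such as `/* returns the segment limit (highest valid offset), not the size */`. `__limit` is also uninitialised, and `lsll` leaves its destination unmodified when the selector is not valid; that predates this patch but matters more once callers use the value as an exact bound.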
11633 @@ -340,12 +340,12 @@ void enable_hlt(void);
11634
11635 void cpu_idle_wait(void);
11636
11637 -extern unsigned long arch_align_stack(unsigned long sp);
11638 +#define arch_align_stack(x) ((x) & ~0xfUL)
11639 extern void free_init_pages(char *what, unsigned long begin, unsigned long end);
11640
11641 void default_idle(void);
11642
11643 -void stop_this_cpu(void *dummy);
11644 +void stop_this_cpu(void *dummy) __noreturn;
11645
11646 /*
11647 * Force strict CPU ordering.
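Review bot: `arch_align_stack()` changes from an out-of-line function to a macro that only clears the low four bits. Whatever else the removed function did is dropped for all callers; its body is not in this hunk, and if it added a per-exec stack offset the patch should state which mechanism replaces that. Suggested comment, if this is the intent: `/* 16-byte alignment only; stack randomisation is handled elsewhere */`.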
11648 diff -urNp linux-2.6.39.3/arch/x86/include/asm/thread_info.h linux-2.6.39.3/arch/x86/include/asm/thread_info.h
11649 --- linux-2.6.39.3/arch/x86/include/asm/thread_info.h 2011-05-19 00:06:34.000000000 -0400
11650 +++ linux-2.6.39.3/arch/x86/include/asm/thread_info.h 2011-05-22 19:36:30.000000000 -0400
11651 @@ -10,6 +10,7 @@
11652 #include <linux/compiler.h>
11653 #include <asm/page.h>
11654 #include <asm/types.h>
11655 +#include <asm/percpu.h>
11656
11657 /*
11658 * low level task data that entry.S needs immediate access to
11659 @@ -24,7 +25,6 @@ struct exec_domain;
11660 #include <asm/atomic.h>
11661
11662 struct thread_info {
11663 - struct task_struct *task; /* main task structure */
11664 struct exec_domain *exec_domain; /* execution domain */
11665 __u32 flags; /* low level flags */
11666 __u32 status; /* thread synchronous flags */
11667 @@ -34,18 +34,12 @@ struct thread_info {
11668 mm_segment_t addr_limit;
11669 struct restart_block restart_block;
11670 void __user *sysenter_return;
11671 -#ifdef CONFIG_X86_32
11672 - unsigned long previous_esp; /* ESP of the previous stack in
11673 - case of nested (IRQ) stacks
11674 - */
11675 - __u8 supervisor_stack[0];
11676 -#endif
11677 + unsigned long lowest_stack;
11678 int uaccess_err;
11679 };
11680
11681 -#define INIT_THREAD_INFO(tsk) \
11682 +#define INIT_THREAD_INFO \
11683 { \
11684 - .task = &tsk, \
11685 .exec_domain = &default_exec_domain, \
11686 .flags = 0, \
11687 .cpu = 0, \
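Review bot: The new `lowest_stack` member of `struct thread_info` has no comment saying what it records or who updates it, while the members it replaces (`previous_esp`, `supervisor_stack`) were documented. Something like `unsigned long lowest_stack; /* lowest stack address seen for this task; presumably maintained by pax_track_stack() */` would do, with the writer confirmed against the rest of the patch. `INIT_THREAD_INFO` also loses its `tsk` argument in this hunk, so every user of the macro has to change with it; those users are outside the hunk.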
11688 @@ -56,7 +50,7 @@ struct thread_info {
11689 }, \
11690 }
11691
11692 -#define init_thread_info (init_thread_union.thread_info)
11693 +#define init_thread_info (init_thread_union.stack)
11694 #define init_stack (init_thread_union.stack)
11695
11696 #else /* !__ASSEMBLY__ */
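Review bot: `init_thread_info` now expands to `init_thread_union.stack`, the same expression as `init_stack` on the next line, so the name no longer denotes a `struct thread_info`. Any remaining user that accesses a member through it or takes its address as a `struct thread_info *` would fail to build or end up pointing at the stack array; such users are outside this hunk. If nothing needs the macro any more, removing it is clearer than aliasing it. Otherwise a comment such as `/* thread_info no longer lives in init_thread_union; alias kept for existing users */` should explain why it remains.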
11697 @@ -170,6 +164,23 @@ struct thread_info {
11698 ret; \
11699 })
11700
11701 +#ifdef __ASSEMBLY__
11702 +/* how to get the thread information struct from ASM */
11703 +#define GET_THREAD_INFO(reg) \
11704 + mov PER_CPU_VAR(current_tinfo), reg
11705 +
11706 +/* use this one if reg already contains %esp */
11707 +#define GET_THREAD_INFO_WITH_ESP(reg) GET_THREAD_INFO(reg)
11708 +#else
11709 +/* how to get the thread information struct from C */
11710 +DECLARE_PER_CPU(struct thread_info *, current_tinfo);
11711 +
11712 +static __always_inline struct thread_info *current_thread_info(void)
11713 +{
11714 + return percpu_read_stable(current_tinfo);
11715 +}
11716 +#endif
11717 +
11718 #ifdef CONFIG_X86_32
11719
11720 #define STACK_WARN (THREAD_SIZE/8)
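Review bot: The comment `/* use this one if reg already contains %esp */` no longer describes `GET_THREAD_INFO_WITH_ESP(reg)`, which now ignores the incoming register value and expands to the same per-CPU load as `GET_THREAD_INFO(reg)`. It could read `/* kept for existing callers; the previous contents of reg are ignored */`. `current_thread_info()` reads `current_tinfo` with `percpu_read_stable()`, so the declaration deserves a comment stating that the variable is only rewritten at context switch; the code that writes it is outside this hunk.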
11721 @@ -180,35 +191,13 @@ struct thread_info {
11722 */
11723 #ifndef __ASSEMBLY__
11724
11725 -
11726 /* how to get the current stack pointer from C */
11727 register unsigned long current_stack_pointer asm("esp") __used;
11728
11729 -/* how to get the thread information struct from C */
11730 -static inline struct thread_info *current_thread_info(void)
11731 -{
11732 - return (struct thread_info *)
11733 - (current_stack_pointer & ~(THREAD_SIZE - 1));
11734 -}
11735 -
11736 -#else /* !__ASSEMBLY__ */
11737 -
11738 -/* how to get the thread information struct from ASM */
11739 -#define GET_THREAD_INFO(reg) \
11740 - movl $-THREAD_SIZE, reg; \
11741 - andl %esp, reg
11742 -
11743 -/* use this one if reg already contains %esp */
11744 -#define GET_THREAD_INFO_WITH_ESP(reg) \
11745 - andl $-THREAD_SIZE, reg
11746 -
11747 #endif
11748
11749 #else /* X86_32 */
11750
11751 -#include <asm/percpu.h>
11752 -#define KERNEL_STACK_OFFSET (5*8)
11753 -
11754 /*
11755 * macros/functions for gaining access to the thread information structure
11756 * preempt_count needs to be 1 initially, until the scheduler is functional.
11757 @@ -216,21 +205,8 @@ static inline struct thread_info *curren
11758 #ifndef __ASSEMBLY__
11759 DECLARE_PER_CPU(unsigned long, kernel_stack);
11760
11761 -static inline struct thread_info *current_thread_info(void)
11762 -{
11763 - struct thread_info *ti;
11764 - ti = (void *)(percpu_read_stable(kernel_stack) +
11765 - KERNEL_STACK_OFFSET - THREAD_SIZE);
11766 - return ti;
11767 -}
11768 -
11769 -#else /* !__ASSEMBLY__ */
11770 -
11771 -/* how to get the thread information struct from ASM */
11772 -#define GET_THREAD_INFO(reg) \
11773 - movq PER_CPU_VAR(kernel_stack),reg ; \
11774 - subq $(THREAD_SIZE-KERNEL_STACK_OFFSET),reg
11775 -
11776 +/* how to get the current stack pointer from C */
11777 +register unsigned long current_stack_pointer asm("rsp") __used;
11778 #endif
11779
11780 #endif /* !X86_32 */
11781 @@ -266,5 +242,16 @@ extern void arch_task_cache_init(void);
11782 extern void free_thread_info(struct thread_info *ti);
11783 extern int arch_dup_task_struct(struct task_struct *dst, struct task_struct *src);
11784 #define arch_task_cache_init arch_task_cache_init
11785 +
11786 +#define __HAVE_THREAD_FUNCTIONS
11787 +#define task_thread_info(task) (&(task)->tinfo)
11788 +#define task_stack_page(task) ((task)->stack)
11789 +#define setup_thread_stack(p, org) do {} while (0)
11790 +#define end_of_stack(p) ((unsigned long *)task_stack_page(p) + 1)
11791 +
11792 +#define __HAVE_ARCH_TASK_STRUCT_ALLOCATOR
11793 +extern struct task_struct *alloc_task_struct_node(int node);
11794 +extern void free_task_struct(struct task_struct *);
11795 +
11796 #endif
11797 #endif /* _ASM_X86_THREAD_INFO_H */
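Review bot: The helpers added under `__HAVE_THREAD_FUNCTIONS` carry no comment about the layout change they encode: `task_thread_info()` now points at a `tinfo` member of `task_struct` rather than the base of the stack page, and `setup_thread_stack()` becomes a no-op. `end_of_stack(p)` is `(unsigned long *)task_stack_page(p) + 1`, which skips the first word of the stack page, and with thread_info no longer on the stack the `+ 1` is not self-explanatory. A short block comment above the defines, stating that thread_info lives in task_struct and why the first stack word is reserved, would cover both.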
11798 diff -urNp linux-2.6.39.3/arch/x86/include/asm/uaccess_32.h linux-2.6.39.3/arch/x86/include/asm/uaccess_32.h
11799 --- linux-2.6.39.3/arch/x86/include/asm/uaccess_32.h 2011-05-19 00:06:34.000000000 -0400
11800 +++ linux-2.6.39.3/arch/x86/include/asm/uaccess_32.h 2011-05-22 19:36:30.000000000 -0400
11801 @@ -44,6 +44,11 @@ unsigned long __must_check __copy_from_u
11802 static __always_inline unsigned long __must_check
11803 __copy_to_user_inatomic(void __user *to, const void *from, unsigned long n)
11804 {
11805 + pax_track_stack();
11806 +
11807 + if ((long)n < 0)
11808 + return n;
11809 +
11810 if (__builtin_constant_p(n)) {
11811 unsigned long ret;
11812
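Review bot: The `(long)n < 0` guard added to `__copy_to_user_inatomic()` is repeated verbatim in four later hunks of this file (the `__copy_from_user*` variants), each time without a comment. A one-line explanation at the first use, such as `/* length has the sign bit set, i.e. a negative value converted to unsigned long: copy nothing */`, would make the intent clear. A small `static __always_inline` helper shared by all five sites would keep the copies from drifting apart. The function body continues past this hunk.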
11813 @@ -62,6 +67,8 @@ __copy_to_user_inatomic(void __user *to,
11814 return ret;
11815 }
11816 }
11817 + if (!__builtin_constant_p(n))
11818 + check_object_size(from, n, true);
11819 return __copy_to_user_ll(to, from, n);
11820 }
11821
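Review bot: `check_object_size(from, n, true)` runs only when `n` is not a compile-time constant, and a constant `n` that falls through the `__builtin_constant_p(n)` block reaches `__copy_to_user_ll()` with no size comparison in this function. The 64-bit `__copy_to_user()` in this patch compares `__compiletime_object_size(src)` with `size` before copying; the same two lines here, `int sz = __compiletime_object_size(from);` and `if (unlikely(sz != -1 && sz < n)) return n;`, would cover callers that use `__copy_to_user()` directly instead of `copy_to_user()`. The same applies to the `check_object_size(to, n, false)` hunk in `__copy_from_user()`. The function starts outside this hunk.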
11822 @@ -83,12 +90,16 @@ static __always_inline unsigned long __m
11823 __copy_to_user(void __user *to, const void *from, unsigned long n)
11824 {
11825 might_fault();
11826 +
11827 return __copy_to_user_inatomic(to, from, n);
11828 }
11829
11830 static __always_inline unsigned long
11831 __copy_from_user_inatomic(void *to, const void __user *from, unsigned long n)
11832 {
11833 + if ((long)n < 0)
11834 + return n;
11835 +
11836 /* Avoid zeroing the tail if the copy fails..
11837 * If 'n' is constant and 1, 2, or 4, we do still zero on a failure,
11838 * but as the zeroing behaviour is only significant when n is not
11839 @@ -138,6 +149,12 @@ static __always_inline unsigned long
11840 __copy_from_user(void *to, const void __user *from, unsigned long n)
11841 {
11842 might_fault();
11843 +
11844 + pax_track_stack();
11845 +
11846 + if ((long)n < 0)
11847 + return n;
11848 +
11849 if (__builtin_constant_p(n)) {
11850 unsigned long ret;
11851
11852 @@ -153,6 +170,8 @@ __copy_from_user(void *to, const void __
11853 return ret;
11854 }
11855 }
11856 + if (!__builtin_constant_p(n))
11857 + check_object_size(to, n, false);
11858 return __copy_from_user_ll(to, from, n);
11859 }
11860
11861 @@ -160,6 +179,10 @@ static __always_inline unsigned long __c
11862 const void __user *from, unsigned long n)
11863 {
11864 might_fault();
11865 +
11866 + if ((long)n < 0)
11867 + return n;
11868 +
11869 if (__builtin_constant_p(n)) {
11870 unsigned long ret;
11871
11872 @@ -182,15 +205,19 @@ static __always_inline unsigned long
11873 __copy_from_user_inatomic_nocache(void *to, const void __user *from,
11874 unsigned long n)
11875 {
11876 - return __copy_from_user_ll_nocache_nozero(to, from, n);
11877 -}
11878 + if ((long)n < 0)
11879 + return n;
11880
11881 -unsigned long __must_check copy_to_user(void __user *to,
11882 - const void *from, unsigned long n);
11883 -unsigned long __must_check _copy_from_user(void *to,
11884 - const void __user *from,
11885 - unsigned long n);
11886 + return __copy_from_user_ll_nocache_nozero(to, from, n);
11887 +}
11888
11889 +extern void copy_to_user_overflow(void)
11890 +#ifdef CONFIG_DEBUG_STRICT_USER_COPY_CHECKS
11891 + __compiletime_error("copy_to_user() buffer size is not provably correct")
11892 +#else
11893 + __compiletime_warning("copy_to_user() buffer size is not provably correct")
11894 +#endif
11895 +;
11896
11897 extern void copy_from_user_overflow(void)
11898 #ifdef CONFIG_DEBUG_STRICT_USER_COPY_CHECKS
11899 @@ -200,17 +227,61 @@ extern void copy_from_user_overflow(void
11900 #endif
11901 ;
11902
11903 -static inline unsigned long __must_check copy_from_user(void *to,
11904 - const void __user *from,
11905 - unsigned long n)
11906 +/**
11907 + * copy_to_user: - Copy a block of data into user space.
11908 + * @to: Destination address, in user space.
11909 + * @from: Source address, in kernel space.
11910 + * @n: Number of bytes to copy.
11911 + *
11912 + * Context: User context only. This function may sleep.
11913 + *
11914 + * Copy data from kernel space to user space.
11915 + *
11916 + * Returns number of bytes that could not be copied.
11917 + * On success, this will be zero.
11918 + */
11919 +static inline unsigned long __must_check
11920 +copy_to_user(void __user *to, const void *from, unsigned long n)
11921 +{
11922 + int sz = __compiletime_object_size(from);
11923 +
11924 + if (unlikely(sz != -1 && sz < n))
11925 + copy_to_user_overflow();
11926 + else if (access_ok(VERIFY_WRITE, to, n))
11927 + n = __copy_to_user(to, from, n);
11928 + return n;
11929 +}
11930 +
11931 +/**
11932 + * copy_from_user: - Copy a block of data from user space.
11933 + * @to: Destination address, in kernel space.
11934 + * @from: Source address, in user space.
11935 + * @n: Number of bytes to copy.
11936 + *
11937 + * Context: User context only. This function may sleep.
11938 + *
11939 + * Copy data from user space to kernel space.
11940 + *
11941 + * Returns number of bytes that could not be copied.
11942 + * On success, this will be zero.
11943 + *
11944 + * If some data could not be copied, this function will pad the copied
11945 + * data to the requested size using zero bytes.
11946 + */
11947 +static inline unsigned long __must_check
11948 +copy_from_user(void *to, const void __user *from, unsigned long n)
11949 {
11950 int sz = __compiletime_object_size(to);
11951
11952 - if (likely(sz == -1 || sz >= n))
11953 - n = _copy_from_user(to, from, n);
11954 - else
11955 + if (unlikely(sz != -1 && sz < n))
11956 copy_from_user_overflow();
11957 -
11958 + else if (access_ok(VERIFY_READ, from, n))
11959 + n = __copy_from_user(to, from, n);
11960 + else if ((long)n > 0) {
11961 + if (!__builtin_constant_p(n))
11962 + check_object_size(to, n, false);
11963 + memset(to, 0, n);
11964 + }
11965 return n;
11966 }
11967
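Review bot: The kernel-doc added for `copy_from_user()` says the destination is padded with zero bytes whenever data could not be copied, but two branches of the new body return `n` without touching `to`: the `sz != -1 && sz < n` overflow branch and the final branch when `(long)n` is not positive. Not zeroing there is correct, since the length is exactly what is not trusted, but the comment should say so, for example with `* @to is left untouched if @n is negative or exceeds the compile-time size of @to.` Callers that rely on a fully initialised buffer after a failed copy need to know about these two cases.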
11968 diff -urNp linux-2.6.39.3/arch/x86/include/asm/uaccess_64.h linux-2.6.39.3/arch/x86/include/asm/uaccess_64.h
11969 --- linux-2.6.39.3/arch/x86/include/asm/uaccess_64.h 2011-05-19 00:06:34.000000000 -0400
11970 +++ linux-2.6.39.3/arch/x86/include/asm/uaccess_64.h 2011-05-22 19:36:30.000000000 -0400
11971 @@ -11,6 +11,9 @@
11972 #include <asm/alternative.h>
11973 #include <asm/cpufeature.h>
11974 #include <asm/page.h>
11975 +#include <asm/pgtable.h>
11976 +
11977 +#define set_fs(x) (current_thread_info()->addr_limit = (x))
11978
11979 /*
11980 * Copy To/From Userspace
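Review bot: The `set_fs()` macro added here has the same body as the one `uaccess.h` keeps in its `#else` branch later in this patch, and `uaccess.h` includes this header on 64-bit builds, so the macro is defined twice. An identical redefinition compiles, but once the two copies differ the second becomes a redefinition diagnostic; unless something includes `uaccess_64.h` on its own, this copy can be dropped. The new `#include <asm/pgtable.h>` is presumably there for `PAX_USER_SHADOW_BASE`, and a trailing comment saying so would help.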
11981 @@ -37,26 +40,26 @@ copy_user_generic(void *to, const void *
11982 return ret;
11983 }
11984
11985 -__must_check unsigned long
11986 -_copy_to_user(void __user *to, const void *from, unsigned len);
11987 -__must_check unsigned long
11988 -_copy_from_user(void *to, const void __user *from, unsigned len);
11989 +static __always_inline __must_check unsigned long
11990 +__copy_to_user(void __user *to, const void *from, unsigned len);
11991 +static __always_inline __must_check unsigned long
11992 +__copy_from_user(void *to, const void __user *from, unsigned len);
11993 __must_check unsigned long
11994 copy_in_user(void __user *to, const void __user *from, unsigned len);
11995
11996 static inline unsigned long __must_check copy_from_user(void *to,
11997 const void __user *from,
11998 - unsigned long n)
11999 + unsigned n)
12000 {
12001 - int sz = __compiletime_object_size(to);
12002 -
12003 might_fault();
12004 - if (likely(sz == -1 || sz >= n))
12005 - n = _copy_from_user(to, from, n);
12006 -#ifdef CONFIG_DEBUG_VM
12007 - else
12008 - WARN(1, "Buffer overflow detected!\n");
12009 -#endif
12010 +
12011 + if (access_ok(VERIFY_READ, from, n))
12012 + n = __copy_from_user(to, from, n);
12013 + else if ((int)n > 0) {
12014 + if (!__builtin_constant_p(n))
12015 + check_object_size(to, n, false);
12016 + memset(to, 0, n);
12017 + }
12018 return n;
12019 }
12020
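Review bot: Narrowing `copy_from_user()`'s length from `unsigned long n` to `unsigned n` truncates a 64-bit length at the call boundary, before `access_ok()` or the `(int)n > 0` test sees it, while the function still returns `unsigned long`. A caller passing a `size_t` above 4 GiB would have only the low 32 bits checked and copied, and could get 0 back as if the whole request had succeeded. Keeping `unsigned long n` and rejecting oversized values explicitly, e.g. `if (n > INT_MAX) return n;`, keeps the check on the caller's real length. The 32-bit `copy_from_user()` in this patch keeps `unsigned long`.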
12021 @@ -65,110 +68,198 @@ int copy_to_user(void __user *dst, const
12022 {
12023 might_fault();
12024
12025 - return _copy_to_user(dst, src, size);
12026 + if (access_ok(VERIFY_WRITE, dst, size))
12027 + size = __copy_to_user(dst, src, size);
12028 + return size;
12029 }
12030
12031 static __always_inline __must_check
12032 -int __copy_from_user(void *dst, const void __user *src, unsigned size)
12033 +unsigned long __copy_from_user(void *dst, const void __user *src, unsigned size)
12034 {
12035 - int ret = 0;
12036 + int sz = __compiletime_object_size(dst);
12037 + unsigned ret = 0;
12038
12039 might_fault();
12040 - if (!__builtin_constant_p(size))
12041 - return copy_user_generic(dst, (__force void *)src, size);
12042 +
12043 + pax_track_stack();
12044 +
12045 + if ((int)size < 0)
12046 + return size;
12047 +
12048 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12049 + if (!__access_ok(VERIFY_READ, src, size))
12050 + return size;
12051 +#endif
12052 +
12053 + if (unlikely(sz != -1 && sz < size)) {
12054 +#ifdef CONFIG_DEBUG_VM
12055 + WARN(1, "Buffer overflow detected!\n");
12056 +#endif
12057 + return size;
12058 + }
12059 +
12060 + if (!__builtin_constant_p(size)) {
12061 + check_object_size(dst, size, false);
12062 +
12063 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12064 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
12065 + src += PAX_USER_SHADOW_BASE;
12066 +#endif
12067 +
12068 + return copy_user_generic(dst, (__force const void *)src, size);
12069 + }
12070 switch (size) {
12071 - case 1:__get_user_asm(*(u8 *)dst, (u8 __user *)src,
12072 + case 1:__get_user_asm(*(u8 *)dst, (const u8 __user *)src,
12073 ret, "b", "b", "=q", 1);
12074 return ret;
12075 - case 2:__get_user_asm(*(u16 *)dst, (u16 __user *)src,
12076 + case 2:__get_user_asm(*(u16 *)dst, (const u16 __user *)src,
12077 ret, "w", "w", "=r", 2);
12078 return ret;
12079 - case 4:__get_user_asm(*(u32 *)dst, (u32 __user *)src,
12080 + case 4:__get_user_asm(*(u32 *)dst, (const u32 __user *)src,
12081 ret, "l", "k", "=r", 4);
12082 return ret;
12083 - case 8:__get_user_asm(*(u64 *)dst, (u64 __user *)src,
12084 + case 8:__get_user_asm(*(u64 *)dst, (const u64 __user *)src,
12085 ret, "q", "", "=r", 8);
12086 return ret;
12087 case 10:
12088 - __get_user_asm(*(u64 *)dst, (u64 __user *)src,
12089 + __get_user_asm(*(u64 *)dst, (const u64 __user *)src,
12090 ret, "q", "", "=r", 10);
12091 if (unlikely(ret))
12092 return ret;
12093 __get_user_asm(*(u16 *)(8 + (char *)dst),
12094 - (u16 __user *)(8 + (char __user *)src),
12095 + (const u16 __user *)(8 + (const char __user *)src),
12096 ret, "w", "w", "=r", 2);
12097 return ret;
12098 case 16:
12099 - __get_user_asm(*(u64 *)dst, (u64 __user *)src,
12100 + __get_user_asm(*(u64 *)dst, (const u64 __user *)src,
12101 ret, "q", "", "=r", 16);
12102 if (unlikely(ret))
12103 return ret;
12104 __get_user_asm(*(u64 *)(8 + (char *)dst),
12105 - (u64 __user *)(8 + (char __user *)src),
12106 + (const u64 __user *)(8 + (const char __user *)src),
12107 ret, "q", "", "=r", 8);
12108 return ret;
12109 default:
12110 - return copy_user_generic(dst, (__force void *)src, size);
12111 +
12112 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12113 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
12114 + src += PAX_USER_SHADOW_BASE;
12115 +#endif
12116 +
12117 + return copy_user_generic(dst, (__force const void *)src, size);
12118 }
12119 }
12120
12121 static __always_inline __must_check
12122 -int __copy_to_user(void __user *dst, const void *src, unsigned size)
12123 +unsigned long __copy_to_user(void __user *dst, const void *src, unsigned size)
12124 {
12125 - int ret = 0;
12126 + int sz = __compiletime_object_size(src);
12127 + unsigned ret = 0;
12128
12129 might_fault();
12130 - if (!__builtin_constant_p(size))
12131 +
12132 + pax_track_stack();
12133 +
12134 + if ((int)size < 0)
12135 + return size;
12136 +
12137 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12138 + if (!__access_ok(VERIFY_WRITE, dst, size))
12139 + return size;
12140 +#endif
12141 +
12142 + if (unlikely(sz != -1 && sz < size)) {
12143 +#ifdef CONFIG_DEBUG_VM
12144 + WARN(1, "Buffer overflow detected!\n");
12145 +#endif
12146 + return size;
12147 + }
12148 +
12149 + if (!__builtin_constant_p(size)) {
12150 + check_object_size(src, size, true);
12151 +
12152 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12153 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
12154 + dst += PAX_USER_SHADOW_BASE;
12155 +#endif
12156 +
12157 return copy_user_generic((__force void *)dst, src, size);
12158 + }
12159 switch (size) {
12160 - case 1:__put_user_asm(*(u8 *)src, (u8 __user *)dst,
12161 + case 1:__put_user_asm(*(const u8 *)src, (u8 __user *)dst,
12162 ret, "b", "b", "iq", 1);
12163 return ret;
12164 - case 2:__put_user_asm(*(u16 *)src, (u16 __user *)dst,
12165 + case 2:__put_user_asm(*(const u16 *)src, (u16 __user *)dst,
12166 ret, "w", "w", "ir", 2);
12167 return ret;
12168 - case 4:__put_user_asm(*(u32 *)src, (u32 __user *)dst,
12169 + case 4:__put_user_asm(*(const u32 *)src, (u32 __user *)dst,
12170 ret, "l", "k", "ir", 4);
12171 return ret;
12172 - case 8:__put_user_asm(*(u64 *)src, (u64 __user *)dst,
12173 + case 8:__put_user_asm(*(const u64 *)src, (u64 __user *)dst,
12174 ret, "q", "", "er", 8);
12175 return ret;
12176 case 10:
12177 - __put_user_asm(*(u64 *)src, (u64 __user *)dst,
12178 + __put_user_asm(*(const u64 *)src, (u64 __user *)dst,
12179 ret, "q", "", "er", 10);
12180 if (unlikely(ret))
12181 return ret;
12182 asm("":::"memory");
12183 - __put_user_asm(4[(u16 *)src], 4 + (u16 __user *)dst,
12184 + __put_user_asm(4[(const u16 *)src], 4 + (u16 __user *)dst,
12185 ret, "w", "w", "ir", 2);
12186 return ret;
12187 case 16:
12188 - __put_user_asm(*(u64 *)src, (u64 __user *)dst,
12189 + __put_user_asm(*(const u64 *)src, (u64 __user *)dst,
12190 ret, "q", "", "er", 16);
12191 if (unlikely(ret))
12192 return ret;
12193 asm("":::"memory");
12194 - __put_user_asm(1[(u64 *)src], 1 + (u64 __user *)dst,
12195 + __put_user_asm(1[(const u64 *)src], 1 + (u64 __user *)dst,
12196 ret, "q", "", "er", 8);
12197 return ret;
12198 default:
12199 +
12200 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12201 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
12202 + dst += PAX_USER_SHADOW_BASE;
12203 +#endif
12204 +
12205 return copy_user_generic((__force void *)dst, src, size);
12206 }
12207 }
12208
12209 static __always_inline __must_check
12210 -int __copy_in_user(void __user *dst, const void __user *src, unsigned size)
12211 +unsigned long __copy_in_user(void __user *dst, const void __user *src, unsigned size)
12212 {
12213 - int ret = 0;
12214 + unsigned ret = 0;
12215
12216 might_fault();
12217 - if (!__builtin_constant_p(size))
12218 +
12219 + if ((int)size < 0)
12220 + return size;
12221 +
12222 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12223 + if (!__access_ok(VERIFY_READ, src, size))
12224 + return size;
12225 + if (!__access_ok(VERIFY_WRITE, dst, size))
12226 + return size;
12227 +#endif
12228 +
12229 + if (!__builtin_constant_p(size)) {
12230 +
12231 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12232 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
12233 + src += PAX_USER_SHADOW_BASE;
12234 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
12235 + dst += PAX_USER_SHADOW_BASE;
12236 +#endif
12237 +
12238 return copy_user_generic((__force void *)dst,
12239 - (__force void *)src, size);
12240 + (__force const void *)src, size);
12241 + }
12242 switch (size) {
12243 case 1: {
12244 u8 tmp;
12245 - __get_user_asm(tmp, (u8 __user *)src,
12246 + __get_user_asm(tmp, (const u8 __user *)src,
12247 ret, "b", "b", "=q", 1);
12248 if (likely(!ret))
12249 __put_user_asm(tmp, (u8 __user *)dst,
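Review bot: The `#ifdef CONFIG_PAX_MEMORY_UDEREF` block that adds `PAX_USER_SHADOW_BASE` to `src` or `dst` is written out in every non-constant and `default:` path of `__copy_from_user()`, `__copy_to_user()` and `__copy_in_user()` in this hunk, and again in the inatomic variants further down. `uaccess.h` in this same patch adds `____m(x)`, which performs the same adjustment and expands to `(x)` when UDEREF is off, so each block could be one line such as `src = ____m(src);` with no `#ifdef`. Fewer hand-written copies make it less likely that a future copy path omits the rebase. `__copy_in_user()` continues past the end of this hunk.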
12250 @@ -177,7 +268,7 @@ int __copy_in_user(void __user *dst, con
12251 }
12252 case 2: {
12253 u16 tmp;
12254 - __get_user_asm(tmp, (u16 __user *)src,
12255 + __get_user_asm(tmp, (const u16 __user *)src,
12256 ret, "w", "w", "=r", 2);
12257 if (likely(!ret))
12258 __put_user_asm(tmp, (u16 __user *)dst,
12259 @@ -187,7 +278,7 @@ int __copy_in_user(void __user *dst, con
12260
12261 case 4: {
12262 u32 tmp;
12263 - __get_user_asm(tmp, (u32 __user *)src,
12264 + __get_user_asm(tmp, (const u32 __user *)src,
12265 ret, "l", "k", "=r", 4);
12266 if (likely(!ret))
12267 __put_user_asm(tmp, (u32 __user *)dst,
12268 @@ -196,7 +287,7 @@ int __copy_in_user(void __user *dst, con
12269 }
12270 case 8: {
12271 u64 tmp;
12272 - __get_user_asm(tmp, (u64 __user *)src,
12273 + __get_user_asm(tmp, (const u64 __user *)src,
12274 ret, "q", "", "=r", 8);
12275 if (likely(!ret))
12276 __put_user_asm(tmp, (u64 __user *)dst,
12277 @@ -204,8 +295,16 @@ int __copy_in_user(void __user *dst, con
12278 return ret;
12279 }
12280 default:
12281 +
12282 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12283 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
12284 + src += PAX_USER_SHADOW_BASE;
12285 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
12286 + dst += PAX_USER_SHADOW_BASE;
12287 +#endif
12288 +
12289 return copy_user_generic((__force void *)dst,
12290 - (__force void *)src, size);
12291 + (__force const void *)src, size);
12292 }
12293 }
12294
12295 @@ -222,33 +321,72 @@ __must_check unsigned long __clear_user(
12296 static __must_check __always_inline int
12297 __copy_from_user_inatomic(void *dst, const void __user *src, unsigned size)
12298 {
12299 + pax_track_stack();
12300 +
12301 + if ((int)size < 0)
12302 + return size;
12303 +
12304 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12305 + if (!__access_ok(VERIFY_READ, src, size))
12306 + return size;
12307 +
12308 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
12309 + src += PAX_USER_SHADOW_BASE;
12310 +#endif
12311 +
12312 return copy_user_generic(dst, (__force const void *)src, size);
12313 }
12314
12315 -static __must_check __always_inline int
12316 +static __must_check __always_inline unsigned long
12317 __copy_to_user_inatomic(void __user *dst, const void *src, unsigned size)
12318 {
12319 + if ((int)size < 0)
12320 + return size;
12321 +
12322 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12323 + if (!__access_ok(VERIFY_WRITE, dst, size))
12324 + return size;
12325 +
12326 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
12327 + dst += PAX_USER_SHADOW_BASE;
12328 +#endif
12329 +
12330 return copy_user_generic((__force void *)dst, src, size);
12331 }
12332
12333 -extern long __copy_user_nocache(void *dst, const void __user *src,
12334 +extern unsigned long __copy_user_nocache(void *dst, const void __user *src,
12335 unsigned size, int zerorest);
12336
12337 -static inline int
12338 -__copy_from_user_nocache(void *dst, const void __user *src, unsigned size)
12339 +static inline unsigned long __copy_from_user_nocache(void *dst, const void __user *src, unsigned size)
12340 {
12341 might_sleep();
12342 +
12343 + if ((int)size < 0)
12344 + return size;
12345 +
12346 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12347 + if (!__access_ok(VERIFY_READ, src, size))
12348 + return size;
12349 +#endif
12350 +
12351 return __copy_user_nocache(dst, src, size, 1);
12352 }
12353
12354 -static inline int
12355 -__copy_from_user_inatomic_nocache(void *dst, const void __user *src,
12356 +static inline unsigned long __copy_from_user_inatomic_nocache(void *dst, const void __user *src,
12357 unsigned size)
12358 {
12359 + if ((int)size < 0)
12360 + return size;
12361 +
12362 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12363 + if (!__access_ok(VERIFY_READ, src, size))
12364 + return size;
12365 +#endif
12366 +
12367 return __copy_user_nocache(dst, src, size, 0);
12368 }
12369
12370 -unsigned long
12371 +extern unsigned long
12372 copy_user_handle_tail(char *to, char *from, unsigned len, unsigned zerorest);
12373
12374 #endif /* _ASM_X86_UACCESS_64_H */
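Review bot: `__copy_from_user_inatomic()` keeps its `int` return type while this hunk changes `__copy_to_user_inatomic()` and both `_nocache` variants to `unsigned long`, and its new early exits `return size;` with an `unsigned size`. For a rejected length with the top bit set, that gives the caller a negative `int` rather than a count of bytes not copied; the signature should match its siblings, `static __must_check __always_inline unsigned long`. Unlike the 32-bit `__copy_to_user_inatomic()` in this patch, neither inatomic variant here calls `check_object_size()`, so non-constant lengths on these paths skip the object-bounds check. If that is deliberate, a comment should say why.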
12375 diff -urNp linux-2.6.39.3/arch/x86/include/asm/uaccess.h linux-2.6.39.3/arch/x86/include/asm/uaccess.h
12376 --- linux-2.6.39.3/arch/x86/include/asm/uaccess.h 2011-06-03 00:04:13.000000000 -0400
12377 +++ linux-2.6.39.3/arch/x86/include/asm/uaccess.h 2011-06-03 00:32:04.000000000 -0400
12378 @@ -8,12 +8,15 @@
12379 #include <linux/thread_info.h>
12380 #include <linux/prefetch.h>
12381 #include <linux/string.h>
12382 +#include <linux/sched.h>
12383 #include <asm/asm.h>
12384 #include <asm/page.h>
12385
12386 #define VERIFY_READ 0
12387 #define VERIFY_WRITE 1
12388
12389 +extern void check_object_size(const void *ptr, unsigned long n, bool to);
12390 +
12391 /*
12392 * The fs value determines whether argument validity checking should be
12393 * performed or not. If get_fs() == USER_DS, checking is performed, with
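Review bot: The `check_object_size()` prototype is added without any description of its arguments, in particular the `bool to`. The call sites in this patch pass `true` with the kernel source buffer of a copy to user space and `false` with the kernel destination of a copy from user space. A comment on the declaration, e.g. `/* @ptr: kernel buffer, @n: length in bytes, @to: true when copying to user space */`, would save readers from inferring that from the callers. What the function does on a violation is defined outside this hunk.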
12394 @@ -29,7 +32,12 @@
12395
12396 #define get_ds() (KERNEL_DS)
12397 #define get_fs() (current_thread_info()->addr_limit)
12398 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
12399 +void __set_fs(mm_segment_t x);
12400 +void set_fs(mm_segment_t x);
12401 +#else
12402 #define set_fs(x) (current_thread_info()->addr_limit = (x))
12403 +#endif
12404
12405 #define segment_eq(a, b) ((a).seg == (b).seg)
12406
12407 @@ -77,7 +85,33 @@
12408 * checks that the pointer is in the user space range - after calling
12409 * this function, memory access functions may still return -EFAULT.
12410 */
12411 -#define access_ok(type, addr, size) (likely(__range_not_ok(addr, size) == 0))
12412 +#define __access_ok(type, addr, size) (likely(__range_not_ok(addr, size) == 0))
12413 +#define access_ok(type, addr, size) \
12414 +({ \
12415 + long __size = size; \
12416 + unsigned long __addr = (unsigned long)addr; \
12417 + unsigned long __addr_ao = __addr & PAGE_MASK; \
12418 + unsigned long __end_ao = __addr + __size - 1; \
12419 + bool __ret_ao = __range_not_ok(__addr, __size) == 0; \
12420 + if (__ret_ao && unlikely((__end_ao ^ __addr_ao) & PAGE_MASK)) { \
12421 + while(__addr_ao <= __end_ao) { \
12422 + char __c_ao; \
12423 + __addr_ao += PAGE_SIZE; \
12424 + if (__size > PAGE_SIZE) \
12425 + cond_resched(); \
12426 + if (__get_user(__c_ao, (char __user *)__addr)) \
12427 + break; \
12428 + if (type != VERIFY_WRITE) { \
12429 + __addr = __addr_ao; \
12430 + continue; \
12431 + } \
12432 + if (__put_user(__c_ao, (char __user *)__addr)) \
12433 + break; \
12434 + __addr = __addr_ao; \
12435 + } \
12436 + } \
12437 + __ret_ao; \
12438 +})
12439
12440 /*
12441 * The exception table consists of pairs of addresses: the first is the
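Review bot: The page-probe loop added to `access_ok()` never feeds back into `__ret_ao`, so a failing `__get_user()` or `__put_user()` only ends the loop and the macro still reports the range as accessible. A comment should state that the loop is a pre-fault pass and not a check, e.g. `/* touch each page of a multi-page range; result intentionally ignored */`. The macro can now fault and call `cond_resched()`, so any caller that uses `access_ok()` in atomic context (none are visible in this hunk) would need auditing. For `VERIFY_WRITE` the byte is read and written back non-atomically, which could overwrite a concurrent user-space store to the same byte.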
12442 @@ -183,12 +217,20 @@ extern int __get_user_bad(void);
12443 asm volatile("call __put_user_" #size : "=a" (__ret_pu) \
12444 : "0" ((typeof(*(ptr)))(x)), "c" (ptr) : "ebx")
12445
12446 -
12447 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
12448 +#define __copyuser_seg "gs;"
12449 +#define __COPYUSER_SET_ES "pushl %%gs; popl %%es\n"
12450 +#define __COPYUSER_RESTORE_ES "pushl %%ss; popl %%es\n"
12451 +#else
12452 +#define __copyuser_seg
12453 +#define __COPYUSER_SET_ES
12454 +#define __COPYUSER_RESTORE_ES
12455 +#endif
12456
12457 #ifdef CONFIG_X86_32
12458 #define __put_user_asm_u64(x, addr, err, errret) \
12459 - asm volatile("1: movl %%eax,0(%2)\n" \
12460 - "2: movl %%edx,4(%2)\n" \
12461 + asm volatile("1: "__copyuser_seg"movl %%eax,0(%2)\n" \
12462 + "2: "__copyuser_seg"movl %%edx,4(%2)\n" \
12463 "3:\n" \
12464 ".section .fixup,\"ax\"\n" \
12465 "4: movl %3,%0\n" \
12466 @@ -200,8 +242,8 @@ extern int __get_user_bad(void);
12467 : "A" (x), "r" (addr), "i" (errret), "0" (err))
12468
12469 #define __put_user_asm_ex_u64(x, addr) \
12470 - asm volatile("1: movl %%eax,0(%1)\n" \
12471 - "2: movl %%edx,4(%1)\n" \
12472 + asm volatile("1: "__copyuser_seg"movl %%eax,0(%1)\n" \
12473 + "2: "__copyuser_seg"movl %%edx,4(%1)\n" \
12474 "3:\n" \
12475 _ASM_EXTABLE(1b, 2b - 1b) \
12476 _ASM_EXTABLE(2b, 3b - 2b) \
12477 @@ -374,7 +416,7 @@ do { \
12478 } while (0)
12479
12480 #define __get_user_asm(x, addr, err, itype, rtype, ltype, errret) \
12481 - asm volatile("1: mov"itype" %2,%"rtype"1\n" \
12482 + asm volatile("1: "__copyuser_seg"mov"itype" %2,%"rtype"1\n"\
12483 "2:\n" \
12484 ".section .fixup,\"ax\"\n" \
12485 "3: mov %3,%0\n" \
12486 @@ -382,7 +424,7 @@ do { \
12487 " jmp 2b\n" \
12488 ".previous\n" \
12489 _ASM_EXTABLE(1b, 3b) \
12490 - : "=r" (err), ltype(x) \
12491 + : "=r" (err), ltype (x) \
12492 : "m" (__m(addr)), "i" (errret), "0" (err))
12493
12494 #define __get_user_size_ex(x, ptr, size) \
12495 @@ -407,7 +449,7 @@ do { \
12496 } while (0)
12497
12498 #define __get_user_asm_ex(x, addr, itype, rtype, ltype) \
12499 - asm volatile("1: mov"itype" %1,%"rtype"0\n" \
12500 + asm volatile("1: "__copyuser_seg"mov"itype" %1,%"rtype"0\n"\
12501 "2:\n" \
12502 _ASM_EXTABLE(1b, 2b - 1b) \
12503 : ltype(x) : "m" (__m(addr)))
12504 @@ -424,13 +466,24 @@ do { \
12505 int __gu_err; \
12506 unsigned long __gu_val; \
12507 __get_user_size(__gu_val, (ptr), (size), __gu_err, -EFAULT); \
12508 - (x) = (__force __typeof__(*(ptr)))__gu_val; \
12509 + (x) = (__typeof__(*(ptr)))__gu_val; \
12510 __gu_err; \
12511 })
12512
12513 /* FIXME: this hack is definitely wrong -AK */
12514 struct __large_struct { unsigned long buf[100]; };
12515 -#define __m(x) (*(struct __large_struct __user *)(x))
12516 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
12517 +#define ____m(x) \
12518 +({ \
12519 + unsigned long ____x = (unsigned long)(x); \
12520 + if (____x < PAX_USER_SHADOW_BASE) \
12521 + ____x += PAX_USER_SHADOW_BASE; \
12522 + (void __user *)____x; \
12523 +})
12524 +#else
12525 +#define ____m(x) (x)
12526 +#endif
12527 +#define __m(x) (*(struct __large_struct __user *)____m(x))
12528
12529 /*
12530 * Tell gcc we read from memory instead of writing: this is because
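Review bot: `____m(x)` is added without a comment, and its behaviour is easy to misread: it adds `PAX_USER_SHADOW_BASE` only to addresses below that base and passes any address at or above it through unchanged. The macro therefore does not confine an access to user space on its own and relies on the range check having been done earlier. A comment such as `/* UDEREF on x86-64: rebase a user address into the shadow range; does not validate the address */` would say so. The hunk also drops `__force` from the `__typeof__(*(ptr))` cast without explanation, which may produce new sparse warnings for annotated types.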
12531 @@ -438,7 +491,7 @@ struct __large_struct { unsigned long bu
12532 * aliasing issues.
12533 */
12534 #define __put_user_asm(x, addr, err, itype, rtype, ltype, errret) \
12535 - asm volatile("1: mov"itype" %"rtype"1,%2\n" \
12536 + asm volatile("1: "__copyuser_seg"mov"itype" %"rtype"1,%2\n"\
12537 "2:\n" \
12538 ".section .fixup,\"ax\"\n" \
12539 "3: mov %3,%0\n" \
12540 @@ -446,10 +499,10 @@ struct __large_struct { unsigned long bu
12541 ".previous\n" \
12542 _ASM_EXTABLE(1b, 3b) \
12543 : "=r"(err) \
12544 - : ltype(x), "m" (__m(addr)), "i" (errret), "0" (err))
12545 + : ltype (x), "m" (__m(addr)), "i" (errret), "0" (err))
12546
12547 #define __put_user_asm_ex(x, addr, itype, rtype, ltype) \
12548 - asm volatile("1: mov"itype" %"rtype"0,%1\n" \
12549 + asm volatile("1: "__copyuser_seg"mov"itype" %"rtype"0,%1\n"\
12550 "2:\n" \
12551 _ASM_EXTABLE(1b, 2b - 1b) \
12552 : : ltype(x), "m" (__m(addr)))
12553 @@ -488,8 +541,12 @@ struct __large_struct { unsigned long bu
12554 * On error, the variable @x is set to zero.
12555 */
12556
12557 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
12558 +#define __get_user(x, ptr) get_user((x), (ptr))
12559 +#else
12560 #define __get_user(x, ptr) \
12561 __get_user_nocheck((x), (ptr), sizeof(*(ptr)))
12562 +#endif
12563
12564 /**
12565 * __put_user: - Write a simple value into user space, with less checking.
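Review bot: Under `CONFIG_X86_64` with `CONFIG_PAX_MEMORY_UDEREF`, `__get_user()` now expands to the fully checked `get_user()`, but the kernel-doc above it is unchanged and still describes the variant that relies on the caller's own `access_ok()`. One added line, e.g. `* With PAX_MEMORY_UDEREF on x86-64 this is the same as get_user().`, would keep the documentation accurate for that configuration. The same applies to `__put_user()` in the next hunk, whose comment still reads "with less checking". The new `access_ok()` macro in this file probes pages through these two macros, so in this configuration each probe also goes through the checked path.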
12566 @@ -511,8 +568,12 @@ struct __large_struct { unsigned long bu
12567 * Returns zero on success, or -EFAULT on error.
12568 */
12569
12570 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
12571 +#define __put_user(x, ptr) put_user((x), (ptr))
12572 +#else
12573 #define __put_user(x, ptr) \
12574 __put_user_nocheck((__typeof__(*(ptr)))(x), (ptr), sizeof(*(ptr)))
12575 +#endif
12576
12577 #define __get_user_unaligned __get_user
12578 #define __put_user_unaligned __put_user
12579 @@ -530,7 +591,7 @@ struct __large_struct { unsigned long bu
12580 #define get_user_ex(x, ptr) do { \
12581 unsigned long __gue_val; \
12582 __get_user_size_ex((__gue_val), (ptr), (sizeof(*(ptr)))); \
12583 - (x) = (__force __typeof__(*(ptr)))__gue_val; \
12584 + (x) = (__typeof__(*(ptr)))__gue_val; \
12585 } while (0)
12586
12587 #ifdef CONFIG_X86_WP_WORKS_OK
12588 @@ -567,6 +628,7 @@ extern struct movsl_mask {
12589
12590 #define ARCH_HAS_NOCACHE_UACCESS 1
12591
12592 +#define ARCH_HAS_SORT_EXTABLE
12593 #ifdef CONFIG_X86_32
12594 # include "uaccess_32.h"
12595 #else
12596 diff -urNp linux-2.6.39.3/arch/x86/include/asm/vgtod.h linux-2.6.39.3/arch/x86/include/asm/vgtod.h
12597 --- linux-2.6.39.3/arch/x86/include/asm/vgtod.h 2011-05-19 00:06:34.000000000 -0400
12598 +++ linux-2.6.39.3/arch/x86/include/asm/vgtod.h 2011-05-22 19:36:30.000000000 -0400
12599 @@ -14,6 +14,7 @@ struct vsyscall_gtod_data {
12600 int sysctl_enabled;
12601 struct timezone sys_tz;
12602 struct { /* extract of a clocksource struct */
12603 + char name[8];
12604 cycle_t (*vread)(void);
12605 cycle_t cycle_last;
12606 cycle_t mask;
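Review bot: The new `char name[8];` field carries no comment on what it holds or whether it must be NUL-terminated, and the code that fills it is outside this hunk. Because the buffer is fixed at 8 bytes, the writer needs a bounded copy that also guarantees termination. A comment such as `/* clocksource name, at most 7 chars + NUL */` would pin that contract; the exact wording should be confirmed against the code that writes the field.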
12607 diff -urNp linux-2.6.39.3/arch/x86/include/asm/vsyscall.h linux-2.6.39.3/arch/x86/include/asm/vsyscall.h
12608 --- linux-2.6.39.3/arch/x86/include/asm/vsyscall.h 2011-05-19 00:06:34.000000000 -0400
12609 +++ linux-2.6.39.3/arch/x86/include/asm/vsyscall.h 2011-05-22 19:36:30.000000000 -0400
12610 @@ -15,9 +15,10 @@ enum vsyscall_num {
12611
12612 #ifdef __KERNEL__
12613 #include <linux/seqlock.h>
12614 +#include <linux/getcpu.h>
12615 +#include <linux/time.h>
12616
12617 #define __section_vgetcpu_mode __attribute__ ((unused, __section__ (".vgetcpu_mode"), aligned(16)))
12618 -#define __section_jiffies __attribute__ ((unused, __section__ (".jiffies"), aligned(16)))
12619
12620 /* Definitions for CONFIG_GENERIC_TIME definitions */
12621 #define __section_vsyscall_gtod_data __attribute__ \
12622 @@ -31,7 +32,6 @@ enum vsyscall_num {
12623 #define VGETCPU_LSL 2
12624
12625 extern int __vgetcpu_mode;
12626 -extern volatile unsigned long __jiffies;
12627
12628 /* kernel space (writeable) */
12629 extern int vgetcpu_mode;
12630 @@ -39,6 +39,9 @@ extern struct timezone sys_tz;
12631
12632 extern void map_vsyscall(void);
12633
12634 +extern int vgettimeofday(struct timeval * tv, struct timezone * tz);
12635 +extern time_t vtime(time_t *t);
12636 +extern long vgetcpu(unsigned *cpu, unsigned *node, struct getcpu_cache *tcache);
12637 #endif /* __KERNEL__ */
12638
12639 #endif /* _ASM_X86_VSYSCALL_H */
12640 diff -urNp linux-2.6.39.3/arch/x86/include/asm/xen/pci.h linux-2.6.39.3/arch/x86/include/asm/xen/pci.h
12641 --- linux-2.6.39.3/arch/x86/include/asm/xen/pci.h 2011-05-19 00:06:34.000000000 -0400
12642 +++ linux-2.6.39.3/arch/x86/include/asm/xen/pci.h 2011-05-22 19:36:30.000000000 -0400
12643 @@ -33,7 +33,7 @@ struct xen_pci_frontend_ops {
12644 void (*disable_msix)(struct pci_dev *dev);
12645 };
12646
12647 -extern struct xen_pci_frontend_ops *xen_pci_frontend;
12648 +extern const struct xen_pci_frontend_ops *xen_pci_frontend;
12649
12650 static inline int xen_pci_frontend_enable_msi(struct pci_dev *dev,
12651 int vectors[])
12652 diff -urNp linux-2.6.39.3/arch/x86/include/asm/xsave.h linux-2.6.39.3/arch/x86/include/asm/xsave.h
12653 --- linux-2.6.39.3/arch/x86/include/asm/xsave.h 2011-05-19 00:06:34.000000000 -0400
12654 +++ linux-2.6.39.3/arch/x86/include/asm/xsave.h 2011-05-22 19:36:30.000000000 -0400
12655 @@ -65,6 +65,11 @@ static inline int xsave_user(struct xsav
12656 {
12657 int err;
12658
12659 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
12660 + if ((unsigned long)buf < PAX_USER_SHADOW_BASE)
12661 + buf = (struct xsave_struct __user *)((void __user*)buf + PAX_USER_SHADOW_BASE);
12662 +#endif
12663 +
12664 /*
12665 * Clear the xsave header first, so that reserved fields are
12666 * initialized to zero.
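Review bot: The pointer rebasing added at the top of `xsave_user` is repeated almost verbatim in the `xrestore_user` hunk that follows, and neither copy explains why an address below `PAX_USER_SHADOW_BASE` is shifted up by that constant. A one-line comment such as `/* UDEREF: access userland through its shadow mapping */` (wording to be confirmed) and a small shared `static inline` helper would keep the two sites from drifting apart. Only the lower bound is tested here, so a pointer at or above the base is used unchanged; that relies on the caller having validated the range, which is not visible in these hunks. Both function bodies continue outside the hunks.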
12667 @@ -100,6 +105,11 @@ static inline int xrestore_user(struct x
12668 u32 lmask = mask;
12669 u32 hmask = mask >> 32;
12670
12671 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
12672 + if ((unsigned long)xstate < PAX_USER_SHADOW_BASE)
12673 + xstate = (struct xsave_struct *)((void *)xstate + PAX_USER_SHADOW_BASE);
12674 +#endif
12675 +
12676 __asm__ __volatile__("1: .byte " REX_PREFIX "0x0f,0xae,0x2f\n"
12677 "2:\n"
12678 ".section .fixup,\"ax\"\n"
12679 diff -urNp linux-2.6.39.3/arch/x86/Kconfig linux-2.6.39.3/arch/x86/Kconfig
12680 --- linux-2.6.39.3/arch/x86/Kconfig 2011-05-19 00:06:34.000000000 -0400
12681 +++ linux-2.6.39.3/arch/x86/Kconfig 2011-05-22 19:41:32.000000000 -0400
12682 @@ -224,7 +224,7 @@ config X86_HT
12683
12684 config X86_32_LAZY_GS
12685 def_bool y
12686 - depends on X86_32 && !CC_STACKPROTECTOR
12687 + depends on X86_32 && !CC_STACKPROTECTOR && !PAX_MEMORY_UDEREF
12688
12689 config ARCH_HWEIGHT_CFLAGS
12690 string
12691 @@ -1022,7 +1022,7 @@ choice
12692
12693 config NOHIGHMEM
12694 bool "off"
12695 - depends on !X86_NUMAQ
12696 + depends on !X86_NUMAQ && !(PAX_PAGEEXEC && PAX_ENABLE_PAE)
12697 ---help---
12698 Linux can use up to 64 Gigabytes of physical memory on x86 systems.
12699 However, the address space of 32-bit x86 processors is only 4
12700 @@ -1059,7 +1059,7 @@ config NOHIGHMEM
12701
12702 config HIGHMEM4G
12703 bool "4GB"
12704 - depends on !X86_NUMAQ
12705 + depends on !X86_NUMAQ && !(PAX_PAGEEXEC && PAX_ENABLE_PAE)
12706 ---help---
12707 Select this if you have a 32-bit processor and between 1 and 4
12708 gigabytes of physical RAM.
12709 @@ -1113,7 +1113,7 @@ config PAGE_OFFSET
12710 hex
12711 default 0xB0000000 if VMSPLIT_3G_OPT
12712 default 0x80000000 if VMSPLIT_2G
12713 - default 0x78000000 if VMSPLIT_2G_OPT
12714 + default 0x70000000 if VMSPLIT_2G_OPT
12715 default 0x40000000 if VMSPLIT_1G
12716 default 0xC0000000
12717 depends on X86_32
12718 @@ -1457,7 +1457,7 @@ config ARCH_USES_PG_UNCACHED
12719
12720 config EFI
12721 bool "EFI runtime service support"
12722 - depends on ACPI
12723 + depends on ACPI && !PAX_KERNEXEC
12724 ---help---
12725 This enables the kernel to use EFI runtime services that are
12726 available (such as the EFI variable services).
12727 @@ -1487,6 +1487,7 @@ config SECCOMP
12728
12729 config CC_STACKPROTECTOR
12730 bool "Enable -fstack-protector buffer overflow detection (EXPERIMENTAL)"
12731 + depends on X86_64 || !PAX_MEMORY_UDEREF
12732 ---help---
12733 This option turns on the -fstack-protector GCC feature. This
12734 feature puts, at the beginning of functions, a canary value on
12735 @@ -1544,6 +1545,7 @@ config KEXEC_JUMP
12736 config PHYSICAL_START
12737 hex "Physical address where the kernel is loaded" if (EXPERT || CRASH_DUMP)
12738 default "0x1000000"
12739 + range 0x400000 0x40000000
12740 ---help---
12741 This gives the physical address where the kernel is loaded.
12742
12743 @@ -1607,6 +1609,7 @@ config X86_NEED_RELOCS
12744 config PHYSICAL_ALIGN
12745 hex "Alignment value to which kernel should be aligned" if X86_32
12746 default "0x1000000"
12747 + range 0x400000 0x1000000 if PAX_KERNEXEC
12748 range 0x2000 0x1000000
12749 ---help---
12750 This value puts the alignment restrictions on physical address
12751 @@ -1638,9 +1641,10 @@ config HOTPLUG_CPU
12752 Say N if you want to disable CPU hotplug.
12753
12754 config COMPAT_VDSO
12755 - def_bool y
12756 + def_bool n
12757 prompt "Compat VDSO support"
12758 depends on X86_32 || IA32_EMULATION
12759 + depends on !PAX_NOEXEC && !PAX_MEMORY_UDEREF
12760 ---help---
12761 Map the 32-bit VDSO to the predictable old-style address too.
12762
12763 diff -urNp linux-2.6.39.3/arch/x86/Kconfig.cpu linux-2.6.39.3/arch/x86/Kconfig.cpu
12764 --- linux-2.6.39.3/arch/x86/Kconfig.cpu 2011-05-19 00:06:34.000000000 -0400
12765 +++ linux-2.6.39.3/arch/x86/Kconfig.cpu 2011-05-22 19:36:30.000000000 -0400
12766 @@ -334,7 +334,7 @@ config X86_PPRO_FENCE
12767
12768 config X86_F00F_BUG
12769 def_bool y
12770 - depends on M586MMX || M586TSC || M586 || M486 || M386
12771 + depends on (M586MMX || M586TSC || M586 || M486 || M386) && !PAX_KERNEXEC
12772
12773 config X86_INVD_BUG
12774 def_bool y
12775 @@ -358,7 +358,7 @@ config X86_POPAD_OK
12776
12777 config X86_ALIGNMENT_16
12778 def_bool y
12779 - depends on MWINCHIP3D || MWINCHIPC6 || MCYRIXIII || X86_ELAN || MK6 || M586MMX || M586TSC || M586 || M486 || MVIAC3_2 || MGEODEGX1
12780 + depends on MWINCHIP3D || MWINCHIPC6 || MCYRIXIII || X86_ELAN || MK8 || MK7 || MK6 || MCORE2 || MPENTIUM4 || MPENTIUMIII || MPENTIUMII || M686 || M586MMX || M586TSC || M586 || M486 || MVIAC3_2 || MGEODEGX1
12781
12782 config X86_INTEL_USERCOPY
12783 def_bool y
12784 @@ -404,7 +404,7 @@ config X86_CMPXCHG64
12785 # generates cmov.
12786 config X86_CMOV
12787 def_bool y
12788 - depends on (MK8 || MK7 || MCORE2 || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MVIAC3_2 || MVIAC7 || MCRUSOE || MEFFICEON || X86_64 || MATOM || MGEODE_LX)
12789 + depends on (MK8 || MK7 || MCORE2 || MPSC || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MVIAC3_2 || MVIAC7 || MCRUSOE || MEFFICEON || X86_64 || MATOM || MGEODE_LX)
12790
12791 config X86_MINIMUM_CPU_FAMILY
12792 int
12793 diff -urNp linux-2.6.39.3/arch/x86/Kconfig.debug linux-2.6.39.3/arch/x86/Kconfig.debug
12794 --- linux-2.6.39.3/arch/x86/Kconfig.debug 2011-05-19 00:06:34.000000000 -0400
12795 +++ linux-2.6.39.3/arch/x86/Kconfig.debug 2011-05-22 19:36:30.000000000 -0400
12796 @@ -101,7 +101,7 @@ config X86_PTDUMP
12797 config DEBUG_RODATA
12798 bool "Write protect kernel read-only data structures"
12799 default y
12800 - depends on DEBUG_KERNEL
12801 + depends on DEBUG_KERNEL && BROKEN
12802 ---help---
12803 Mark the kernel read-only data as write-protected in the pagetables,
12804 in order to catch accidental (and incorrect) writes to such const
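Review bot: `depends on DEBUG_KERNEL && BROKEN` makes `DEBUG_RODATA` unselectable in every configuration, including kernels built from this tree without the PaX feature that presumably supersedes it; the next hunk does the same to `DEBUG_SET_MODULE_RONX`. If the intent is only to avoid a clash with `PAX_KERNEXEC`, the narrower form `depends on DEBUG_KERNEL && !PAX_KERNEXEC` (and `depends on MODULES && !PAX_KERNEXEC`) keeps read-only data and module RO/NX protection available when KERNEXEC is off. Either way the help text should say why the option is gone.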
12805 @@ -119,7 +119,7 @@ config DEBUG_RODATA_TEST
12806
12807 config DEBUG_SET_MODULE_RONX
12808 bool "Set loadable kernel module data as NX and text as RO"
12809 - depends on MODULES
12810 + depends on MODULES && BROKEN
12811 ---help---
12812 This option helps catch unintended modifications to loadable
12813 kernel module's text and read-only data. It also prevents execution
12814 diff -urNp linux-2.6.39.3/arch/x86/kernel/acpi/realmode/wakeup.S linux-2.6.39.3/arch/x86/kernel/acpi/realmode/wakeup.S
12815 --- linux-2.6.39.3/arch/x86/kernel/acpi/realmode/wakeup.S 2011-07-09 09:18:51.000000000 -0400
12816 +++ linux-2.6.39.3/arch/x86/kernel/acpi/realmode/wakeup.S 2011-07-09 09:19:18.000000000 -0400
12817 @@ -108,6 +108,9 @@ wakeup_code:
12818 /* Do any other stuff... */
12819
12820 #ifndef CONFIG_64BIT
12821 + /* Recheck NX bit overrides (64bit path does this in trampoline */
12822 + call verify_cpu
12823 +
12824 /* This could also be done in C code... */
12825 movl pmode_cr3, %eax
12826 movl %eax, %cr3
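Review bot: The added comment is missing its closing parenthesis and does not say that the call is made only for its side effect; nothing in the visible lines looks at a result from `verify_cpu` before `pmode_cr3` is loaded. Suggested wording: `/* Recheck NX bit overrides (64bit path does this in trampoline); return value intentionally unused */`. If `verify_cpu` can report a failure, ignoring it on the resume path deserves an explicit justification. `wakeup_code` begins and continues outside this hunk.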
12827 @@ -131,6 +134,7 @@ wakeup_code:
12828 movl pmode_cr0, %eax
12829 movl %eax, %cr0
12830 jmp pmode_return
12831 +# include "../../verify_cpu.S"
12832 #else
12833 pushw $0
12834 pushw trampoline_segment
12835 diff -urNp linux-2.6.39.3/arch/x86/kernel/acpi/sleep.c linux-2.6.39.3/arch/x86/kernel/acpi/sleep.c
12836 --- linux-2.6.39.3/arch/x86/kernel/acpi/sleep.c 2011-07-09 09:18:51.000000000 -0400
12837 +++ linux-2.6.39.3/arch/x86/kernel/acpi/sleep.c 2011-07-09 09:19:18.000000000 -0400
12838 @@ -94,8 +94,12 @@ int acpi_suspend_lowlevel(void)
12839 header->trampoline_segment = trampoline_address() >> 4;
12840 #ifdef CONFIG_SMP
12841 stack_start = (unsigned long)temp_stack + sizeof(temp_stack);
12842 +
12843 + pax_open_kernel();
12844 early_gdt_descr.address =
12845 (unsigned long)get_cpu_gdt_table(smp_processor_id());
12846 + pax_close_kernel();
12847 +
12848 initial_gs = per_cpu_offset(smp_processor_id());
12849 #endif
12850 initial_code = (unsigned long)wakeup_long64;
12851 diff -urNp linux-2.6.39.3/arch/x86/kernel/acpi/wakeup_32.S linux-2.6.39.3/arch/x86/kernel/acpi/wakeup_32.S
12852 --- linux-2.6.39.3/arch/x86/kernel/acpi/wakeup_32.S 2011-05-19 00:06:34.000000000 -0400
12853 +++ linux-2.6.39.3/arch/x86/kernel/acpi/wakeup_32.S 2011-05-22 19:36:30.000000000 -0400
12854 @@ -30,13 +30,11 @@ wakeup_pmode_return:
12855 # and restore the stack ... but you need gdt for this to work
12856 movl saved_context_esp, %esp
12857
12858 - movl %cs:saved_magic, %eax
12859 - cmpl $0x12345678, %eax
12860 + cmpl $0x12345678, saved_magic
12861 jne bogus_magic
12862
12863 # jump to place where we left off
12864 - movl saved_eip, %eax
12865 - jmp *%eax
12866 + jmp *(saved_eip)
12867
12868 bogus_magic:
12869 jmp bogus_magic
12870 diff -urNp linux-2.6.39.3/arch/x86/kernel/alternative.c linux-2.6.39.3/arch/x86/kernel/alternative.c
12871 --- linux-2.6.39.3/arch/x86/kernel/alternative.c 2011-05-19 00:06:34.000000000 -0400
12872 +++ linux-2.6.39.3/arch/x86/kernel/alternative.c 2011-05-22 19:36:30.000000000 -0400
12873 @@ -248,7 +248,7 @@ static void alternatives_smp_lock(const
12874 if (!*poff || ptr < text || ptr >= text_end)
12875 continue;
12876 /* turn DS segment override prefix into lock prefix */
12877 - if (*ptr == 0x3e)
12878 + if (*ktla_ktva(ptr) == 0x3e)
12879 text_poke(ptr, ((unsigned char []){0xf0}), 1);
12880 };
12881 mutex_unlock(&text_mutex);
12882 @@ -269,7 +269,7 @@ static void alternatives_smp_unlock(cons
12883 if (!*poff || ptr < text || ptr >= text_end)
12884 continue;
12885 /* turn lock prefix into DS segment override prefix */
12886 - if (*ptr == 0xf0)
12887 + if (*ktla_ktva(ptr) == 0xf0)
12888 text_poke(ptr, ((unsigned char []){0x3E}), 1);
12889 };
12890 mutex_unlock(&text_mutex);
12891 @@ -438,7 +438,7 @@ void __init_or_module apply_paravirt(str
12892
12893 BUG_ON(p->len > MAX_PATCH_LEN);
12894 /* prep the buffer with the original instructions */
12895 - memcpy(insnbuf, p->instr, p->len);
12896 + memcpy(insnbuf, ktla_ktva(p->instr), p->len);
12897 used = pv_init_ops.patch(p->instrtype, p->clobbers, insnbuf,
12898 (unsigned long)p->instr, p->len);
12899
12900 @@ -506,7 +506,7 @@ void __init alternative_instructions(voi
12901 if (smp_alt_once)
12902 free_init_pages("SMP alternatives",
12903 (unsigned long)__smp_locks,
12904 - (unsigned long)__smp_locks_end);
12905 + PAGE_ALIGN((unsigned long)__smp_locks_end));
12906
12907 restart_nmi();
12908 }
12909 @@ -523,13 +523,17 @@ void __init alternative_instructions(voi
12910 * instructions. And on the local CPU you need to be protected again NMI or MCE
12911 * handlers seeing an inconsistent instruction while you patch.
12912 */
12913 -void *__init_or_module text_poke_early(void *addr, const void *opcode,
12914 +void *__kprobes text_poke_early(void *addr, const void *opcode,
12915 size_t len)
12916 {
12917 unsigned long flags;
12918 local_irq_save(flags);
12919 - memcpy(addr, opcode, len);
12920 +
12921 + pax_open_kernel();
12922 + memcpy(ktla_ktva(addr), opcode, len);
12923 sync_core();
12924 + pax_close_kernel();
12925 +
12926 local_irq_restore(flags);
12927 /* Could also do a CLFLUSH here to speed up CPU recovery; but
12928 that causes hangs on some VIA CPUs. */
12929 @@ -551,36 +555,22 @@ void *__init_or_module text_poke_early(v
12930 */
12931 void *__kprobes text_poke(void *addr, const void *opcode, size_t len)
12932 {
12933 - unsigned long flags;
12934 - char *vaddr;
12935 + unsigned char *vaddr = ktla_ktva(addr);
12936 struct page *pages[2];
12937 - int i;
12938 + size_t i;
12939
12940 if (!core_kernel_text((unsigned long)addr)) {
12941 - pages[0] = vmalloc_to_page(addr);
12942 - pages[1] = vmalloc_to_page(addr + PAGE_SIZE);
12943 + pages[0] = vmalloc_to_page(vaddr);
12944 + pages[1] = vmalloc_to_page(vaddr + PAGE_SIZE);
12945 } else {
12946 - pages[0] = virt_to_page(addr);
12947 + pages[0] = virt_to_page(vaddr);
12948 WARN_ON(!PageReserved(pages[0]));
12949 - pages[1] = virt_to_page(addr + PAGE_SIZE);
12950 + pages[1] = virt_to_page(vaddr + PAGE_SIZE);
12951 }
12952 BUG_ON(!pages[0]);
12953 - local_irq_save(flags);
12954 - set_fixmap(FIX_TEXT_POKE0, page_to_phys(pages[0]));
12955 - if (pages[1])
12956 - set_fixmap(FIX_TEXT_POKE1, page_to_phys(pages[1]));
12957 - vaddr = (char *)fix_to_virt(FIX_TEXT_POKE0);
12958 - memcpy(&vaddr[(unsigned long)addr & ~PAGE_MASK], opcode, len);
12959 - clear_fixmap(FIX_TEXT_POKE0);
12960 - if (pages[1])
12961 - clear_fixmap(FIX_TEXT_POKE1);
12962 - local_flush_tlb();
12963 - sync_core();
12964 - /* Could also do a CLFLUSH here to speed up CPU recovery; but
12965 - that causes hangs on some VIA CPUs. */
12966 + text_poke_early(addr, opcode, len);
12967 for (i = 0; i < len; i++)
12968 - BUG_ON(((char *)addr)[i] != ((char *)opcode)[i]);
12969 - local_irq_restore(flags);
12970 + BUG_ON((vaddr)[i] != ((const unsigned char *)opcode)[i]);
12971 return addr;
12972 }
12973
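Review bot: `pages[1]` is still looked up in both branches of `text_poke`, but nothing reads it now that the fixmap path is removed; only `pages[0]` reaches `WARN_ON`/`BUG_ON`. The array can shrink to a single `struct page *`, as sketched below, which also drops the `vaddr + PAGE_SIZE` lookups. Separately, the byte-for-byte `BUG_ON` check used to run before `local_irq_restore()` and now runs after `text_poke_early()` has already restored interrupts; if that is intentional it should be stated in the function comment.

```c
void *__kprobes text_poke(void *addr, const void *opcode, size_t len)
{
	unsigned char *vaddr = ktla_ktva(addr);
	struct page *page;
	size_t i;

	if (!core_kernel_text((unsigned long)addr)) {
		page = vmalloc_to_page(vaddr);
	} else {
		page = virt_to_page(vaddr);
		WARN_ON(!PageReserved(page));
	}
	BUG_ON(!page);
	/* … unchanged: text_poke_early() call and verification loop … */
```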
12974 @@ -682,9 +672,9 @@ void __kprobes text_poke_smp_batch(struc
12975 #if defined(CONFIG_DYNAMIC_FTRACE) || defined(HAVE_JUMP_LABEL)
12976
12977 #ifdef CONFIG_X86_64
12978 -unsigned char ideal_nop5[5] = { 0x66, 0x66, 0x66, 0x66, 0x90 };
12979 +unsigned char ideal_nop5[5] __read_only = { 0x66, 0x66, 0x66, 0x66, 0x90 };
12980 #else
12981 -unsigned char ideal_nop5[5] = { 0x3e, 0x8d, 0x74, 0x26, 0x00 };
12982 +unsigned char ideal_nop5[5] __read_only = { 0x3e, 0x8d, 0x74, 0x26, 0x00 };
12983 #endif
12984
12985 void __init arch_init_ideal_nop5(void)
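Review bot: Marking `ideal_nop5` as `__read_only` calls for a check of every writer, and `arch_init_ideal_nop5()`, whose signature closes this hunk but whose body is outside it, looks like the place where the array is chosen at boot. If it still stores into the array, that store must either run before the section is write-protected or be bracketed with `pax_open_kernel()`/`pax_close_kernel()` as done elsewhere in this patch. A comment on the definition such as `/* written once in arch_init_ideal_nop5(), read-only afterwards */` would record the assumption.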
12986 diff -urNp linux-2.6.39.3/arch/x86/kernel/amd_iommu.c linux-2.6.39.3/arch/x86/kernel/amd_iommu.c
12987 --- linux-2.6.39.3/arch/x86/kernel/amd_iommu.c 2011-06-25 12:55:22.000000000 -0400
12988 +++ linux-2.6.39.3/arch/x86/kernel/amd_iommu.c 2011-06-25 13:00:25.000000000 -0400
12989 @@ -49,7 +49,7 @@ static DEFINE_SPINLOCK(iommu_pd_list_loc
12990 */
12991 static struct protection_domain *pt_domain;
12992
12993 -static struct iommu_ops amd_iommu_ops;
12994 +static const struct iommu_ops amd_iommu_ops;
12995
12996 /*
12997 * general struct to manage commands send to an IOMMU
12998 @@ -2307,7 +2307,7 @@ static void prealloc_protection_domains(
12999 }
13000 }
13001
13002 -static struct dma_map_ops amd_iommu_dma_ops = {
13003 +static const struct dma_map_ops amd_iommu_dma_ops = {
13004 .alloc_coherent = alloc_coherent,
13005 .free_coherent = free_coherent,
13006 .map_page = map_page,
13007 @@ -2624,7 +2624,7 @@ static int amd_iommu_domain_has_cap(stru
13008 return 0;
13009 }
13010
13011 -static struct iommu_ops amd_iommu_ops = {
13012 +static const struct iommu_ops amd_iommu_ops = {
13013 .domain_init = amd_iommu_domain_init,
13014 .domain_destroy = amd_iommu_domain_destroy,
13015 .attach_dev = amd_iommu_attach_device,
13016 diff -urNp linux-2.6.39.3/arch/x86/kernel/apic/apic.c linux-2.6.39.3/arch/x86/kernel/apic/apic.c
13017 --- linux-2.6.39.3/arch/x86/kernel/apic/apic.c 2011-05-19 00:06:34.000000000 -0400
13018 +++ linux-2.6.39.3/arch/x86/kernel/apic/apic.c 2011-05-22 19:36:30.000000000 -0400
13019 @@ -1821,7 +1821,7 @@ void smp_error_interrupt(struct pt_regs
13020 apic_write(APIC_ESR, 0);
13021 v1 = apic_read(APIC_ESR);
13022 ack_APIC_irq();
13023 - atomic_inc(&irq_err_count);
13024 + atomic_inc_unchecked(&irq_err_count);
13025
13026 /*
13027 * Here is what the APIC error bits mean:
13028 @@ -2204,6 +2204,8 @@ static int __cpuinit apic_cluster_num(vo
13029 u16 *bios_cpu_apicid;
13030 DECLARE_BITMAP(clustermap, NUM_APIC_CLUSTERS);
13031
13032 + pax_track_stack();
13033 +
13034 bios_cpu_apicid = early_per_cpu_ptr(x86_bios_cpu_apicid);
13035 bitmap_zero(clustermap, NUM_APIC_CLUSTERS);
13036
13037 diff -urNp linux-2.6.39.3/arch/x86/kernel/apic/io_apic.c linux-2.6.39.3/arch/x86/kernel/apic/io_apic.c
13038 --- linux-2.6.39.3/arch/x86/kernel/apic/io_apic.c 2011-06-03 00:04:13.000000000 -0400
13039 +++ linux-2.6.39.3/arch/x86/kernel/apic/io_apic.c 2011-06-03 00:42:37.000000000 -0400
13040 @@ -623,7 +623,7 @@ struct IO_APIC_route_entry **alloc_ioapi
13041 ioapic_entries = kzalloc(sizeof(*ioapic_entries) * nr_ioapics,
13042 GFP_ATOMIC);
13043 if (!ioapic_entries)
13044 - return 0;
13045 + return NULL;
13046
13047 for (apic = 0; apic < nr_ioapics; apic++) {
13048 ioapic_entries[apic] =
13049 @@ -640,7 +640,7 @@ nomem:
13050 kfree(ioapic_entries[apic]);
13051 kfree(ioapic_entries);
13052
13053 - return 0;
13054 + return NULL;
13055 }
13056
13057 /*
13058 @@ -1040,7 +1040,7 @@ int IO_APIC_get_PCI_irq_vector(int bus,
13059 }
13060 EXPORT_SYMBOL(IO_APIC_get_PCI_irq_vector);
13061
13062 -void lock_vector_lock(void)
13063 +void lock_vector_lock(void) __acquires(vector_lock)
13064 {
13065 /* Used to the online set of cpus does not change
13066 * during assign_irq_vector.
13067 @@ -1048,7 +1048,7 @@ void lock_vector_lock(void)
13068 raw_spin_lock(&vector_lock);
13069 }
13070
13071 -void unlock_vector_lock(void)
13072 +void unlock_vector_lock(void) __releases(vector_lock)
13073 {
13074 raw_spin_unlock(&vector_lock);
13075 }
13076 @@ -2379,7 +2379,7 @@ static void ack_apic_edge(struct irq_dat
13077 ack_APIC_irq();
13078 }
13079
13080 -atomic_t irq_mis_count;
13081 +atomic_unchecked_t irq_mis_count;
13082
13083 /*
13084 * IO-APIC versions below 0x20 don't support EOI register.
13085 @@ -2487,7 +2487,7 @@ static void ack_apic_level(struct irq_da
13086 * at the cpu.
13087 */
13088 if (!(v & (1 << (i & 0x1f)))) {
13089 - atomic_inc(&irq_mis_count);
13090 + atomic_inc_unchecked(&irq_mis_count);
13091
13092 eoi_ioapic_irq(irq, cfg);
13093 }
13094 diff -urNp linux-2.6.39.3/arch/x86/kernel/apm_32.c linux-2.6.39.3/arch/x86/kernel/apm_32.c
13095 --- linux-2.6.39.3/arch/x86/kernel/apm_32.c 2011-05-19 00:06:34.000000000 -0400
13096 +++ linux-2.6.39.3/arch/x86/kernel/apm_32.c 2011-05-22 19:36:30.000000000 -0400
13097 @@ -412,7 +412,7 @@ static DEFINE_MUTEX(apm_mutex);
13098 * This is for buggy BIOS's that refer to (real mode) segment 0x40
13099 * even though they are called in protected mode.
13100 */
13101 -static struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4092,
13102 +static const struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4093,
13103 (unsigned long)__va(0x400UL), PAGE_SIZE - 0x400 - 1);
13104
13105 static const char driver_version[] = "1.16ac"; /* no spaces */
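Review bot: The descriptor flags change from `0x4092` to `0x4093` with no comment, and the only difference is the accessed bit in the type field. Presumably it is pre-set so the CPU never has to write that bit back into a GDT that is now kept read-only, but a reader cannot tell this from the line itself. A short comment would help, e.g. `/* 0x93: writable data segment with the accessed bit already set */`, together with a note that the now-`const` template is copied into the GDT under `pax_open_kernel()` in the later hunks.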
13106 @@ -590,7 +590,10 @@ static long __apm_bios_call(void *_call)
13107 BUG_ON(cpu != 0);
13108 gdt = get_cpu_gdt_table(cpu);
13109 save_desc_40 = gdt[0x40 / 8];
13110 +
13111 + pax_open_kernel();
13112 gdt[0x40 / 8] = bad_bios_desc;
13113 + pax_close_kernel();
13114
13115 apm_irq_save(flags);
13116 APM_DO_SAVE_SEGS;
13117 @@ -599,7 +602,11 @@ static long __apm_bios_call(void *_call)
13118 &call->esi);
13119 APM_DO_RESTORE_SEGS;
13120 apm_irq_restore(flags);
13121 +
13122 + pax_open_kernel();
13123 gdt[0x40 / 8] = save_desc_40;
13124 + pax_close_kernel();
13125 +
13126 put_cpu();
13127
13128 return call->eax & 0xff;
13129 @@ -666,7 +673,10 @@ static long __apm_bios_call_simple(void
13130 BUG_ON(cpu != 0);
13131 gdt = get_cpu_gdt_table(cpu);
13132 save_desc_40 = gdt[0x40 / 8];
13133 +
13134 + pax_open_kernel();
13135 gdt[0x40 / 8] = bad_bios_desc;
13136 + pax_close_kernel();
13137
13138 apm_irq_save(flags);
13139 APM_DO_SAVE_SEGS;
13140 @@ -674,7 +684,11 @@ static long __apm_bios_call_simple(void
13141 &call->eax);
13142 APM_DO_RESTORE_SEGS;
13143 apm_irq_restore(flags);
13144 +
13145 + pax_open_kernel();
13146 gdt[0x40 / 8] = save_desc_40;
13147 + pax_close_kernel();
13148 +
13149 put_cpu();
13150 return error;
13151 }
13152 @@ -2351,12 +2365,15 @@ static int __init apm_init(void)
13153 * code to that CPU.
13154 */
13155 gdt = get_cpu_gdt_table(0);
13156 +
13157 + pax_open_kernel();
13158 set_desc_base(&gdt[APM_CS >> 3],
13159 (unsigned long)__va((unsigned long)apm_info.bios.cseg << 4));
13160 set_desc_base(&gdt[APM_CS_16 >> 3],
13161 (unsigned long)__va((unsigned long)apm_info.bios.cseg_16 << 4));
13162 set_desc_base(&gdt[APM_DS >> 3],
13163 (unsigned long)__va((unsigned long)apm_info.bios.dseg << 4));
13164 + pax_close_kernel();
13165
13166 proc_create("apm", 0, NULL, &apm_file_ops);
13167
13168 diff -urNp linux-2.6.39.3/arch/x86/kernel/asm-offsets_64.c linux-2.6.39.3/arch/x86/kernel/asm-offsets_64.c
13169 --- linux-2.6.39.3/arch/x86/kernel/asm-offsets_64.c 2011-05-19 00:06:34.000000000 -0400
13170 +++ linux-2.6.39.3/arch/x86/kernel/asm-offsets_64.c 2011-05-22 19:36:30.000000000 -0400
13171 @@ -69,6 +69,7 @@ int main(void)
13172 BLANK();
13173 #undef ENTRY
13174
13175 + DEFINE(TSS_size, sizeof(struct tss_struct));
13176 OFFSET(TSS_ist, tss_struct, x86_tss.ist);
13177 BLANK();
13178
13179 diff -urNp linux-2.6.39.3/arch/x86/kernel/asm-offsets.c linux-2.6.39.3/arch/x86/kernel/asm-offsets.c
13180 --- linux-2.6.39.3/arch/x86/kernel/asm-offsets.c 2011-05-19 00:06:34.000000000 -0400
13181 +++ linux-2.6.39.3/arch/x86/kernel/asm-offsets.c 2011-05-25 17:35:48.000000000 -0400
13182 @@ -33,6 +33,8 @@ void common(void) {
13183 OFFSET(TI_status, thread_info, status);
13184 OFFSET(TI_addr_limit, thread_info, addr_limit);
13185 OFFSET(TI_preempt_count, thread_info, preempt_count);
13186 + OFFSET(TI_lowest_stack, thread_info, lowest_stack);
13187 + DEFINE(TI_task_thread_sp0, offsetof(struct task_struct, thread.sp0) - offsetof(struct task_struct, tinfo));
13188
13189 BLANK();
13190 OFFSET(crypto_tfm_ctx_offset, crypto_tfm, __crt_ctx);
13191 @@ -53,8 +55,26 @@ void common(void) {
13192 OFFSET(PV_CPU_irq_enable_sysexit, pv_cpu_ops, irq_enable_sysexit);
13193 OFFSET(PV_CPU_read_cr0, pv_cpu_ops, read_cr0);
13194 OFFSET(PV_MMU_read_cr2, pv_mmu_ops, read_cr2);
13195 +
13196 +#ifdef CONFIG_PAX_KERNEXEC
13197 + OFFSET(PV_CPU_write_cr0, pv_cpu_ops, write_cr0);
13198 +#endif
13199 +
13200 +#ifdef CONFIG_PAX_MEMORY_UDEREF
13201 + OFFSET(PV_MMU_read_cr3, pv_mmu_ops, read_cr3);
13202 + OFFSET(PV_MMU_write_cr3, pv_mmu_ops, write_cr3);
13203 +#ifdef CONFIG_X86_64
13204 + OFFSET(PV_MMU_set_pgd, pv_mmu_ops, set_pgd);
13205 +#endif
13206 #endif
13207
13208 +#endif
13209 +
13210 + BLANK();
13211 + DEFINE(PAGE_SIZE_asm, PAGE_SIZE);
13212 + DEFINE(PAGE_SHIFT_asm, PAGE_SHIFT);
13213 + DEFINE(THREAD_SIZE_asm, THREAD_SIZE);
13214 +
13215 #ifdef CONFIG_XEN
13216 BLANK();
13217 OFFSET(XEN_vcpu_info_mask, vcpu_info, evtchn_upcall_mask);
13218 diff -urNp linux-2.6.39.3/arch/x86/kernel/cpu/amd.c linux-2.6.39.3/arch/x86/kernel/cpu/amd.c
13219 --- linux-2.6.39.3/arch/x86/kernel/cpu/amd.c 2011-06-03 00:04:13.000000000 -0400
13220 +++ linux-2.6.39.3/arch/x86/kernel/cpu/amd.c 2011-06-03 00:32:04.000000000 -0400
13221 @@ -647,7 +647,7 @@ static unsigned int __cpuinit amd_size_c
13222 unsigned int size)
13223 {
13224 /* AMD errata T13 (order #21922) */
13225 - if ((c->x86 == 6)) {
13226 + if (c->x86 == 6) {
13227 /* Duron Rev A0 */
13228 if (c->x86_model == 3 && c->x86_mask == 0)
13229 size = 64;
13230 diff -urNp linux-2.6.39.3/arch/x86/kernel/cpu/common.c linux-2.6.39.3/arch/x86/kernel/cpu/common.c
13231 --- linux-2.6.39.3/arch/x86/kernel/cpu/common.c 2011-06-03 00:04:13.000000000 -0400
13232 +++ linux-2.6.39.3/arch/x86/kernel/cpu/common.c 2011-06-03 00:32:04.000000000 -0400
13233 @@ -83,60 +83,6 @@ static const struct cpu_dev __cpuinitcon
13234
13235 static const struct cpu_dev *this_cpu __cpuinitdata = &default_cpu;
13236
13237 -DEFINE_PER_CPU_PAGE_ALIGNED(struct gdt_page, gdt_page) = { .gdt = {
13238 -#ifdef CONFIG_X86_64
13239 - /*
13240 - * We need valid kernel segments for data and code in long mode too
13241 - * IRET will check the segment types kkeil 2000/10/28
13242 - * Also sysret mandates a special GDT layout
13243 - *
13244 - * TLS descriptors are currently at a different place compared to i386.
13245 - * Hopefully nobody expects them at a fixed place (Wine?)
13246 - */
13247 - [GDT_ENTRY_KERNEL32_CS] = GDT_ENTRY_INIT(0xc09b, 0, 0xfffff),
13248 - [GDT_ENTRY_KERNEL_CS] = GDT_ENTRY_INIT(0xa09b, 0, 0xfffff),
13249 - [GDT_ENTRY_KERNEL_DS] = GDT_ENTRY_INIT(0xc093, 0, 0xfffff),
13250 - [GDT_ENTRY_DEFAULT_USER32_CS] = GDT_ENTRY_INIT(0xc0fb, 0, 0xfffff),
13251 - [GDT_ENTRY_DEFAULT_USER_DS] = GDT_ENTRY_INIT(0xc0f3, 0, 0xfffff),
13252 - [GDT_ENTRY_DEFAULT_USER_CS] = GDT_ENTRY_INIT(0xa0fb, 0, 0xfffff),
13253 -#else
13254 - [GDT_ENTRY_KERNEL_CS] = GDT_ENTRY_INIT(0xc09a, 0, 0xfffff),
13255 - [GDT_ENTRY_KERNEL_DS] = GDT_ENTRY_INIT(0xc092, 0, 0xfffff),
13256 - [GDT_ENTRY_DEFAULT_USER_CS] = GDT_ENTRY_INIT(0xc0fa, 0, 0xfffff),
13257 - [GDT_ENTRY_DEFAULT_USER_DS] = GDT_ENTRY_INIT(0xc0f2, 0, 0xfffff),
13258 - /*
13259 - * Segments used for calling PnP BIOS have byte granularity.
13260 - * They code segments and data segments have fixed 64k limits,
13261 - * the transfer segment sizes are set at run time.
13262 - */
13263 - /* 32-bit code */
13264 - [GDT_ENTRY_PNPBIOS_CS32] = GDT_ENTRY_INIT(0x409a, 0, 0xffff),
13265 - /* 16-bit code */
13266 - [GDT_ENTRY_PNPBIOS_CS16] = GDT_ENTRY_INIT(0x009a, 0, 0xffff),
13267 - /* 16-bit data */
13268 - [GDT_ENTRY_PNPBIOS_DS] = GDT_ENTRY_INIT(0x0092, 0, 0xffff),
13269 - /* 16-bit data */
13270 - [GDT_ENTRY_PNPBIOS_TS1] = GDT_ENTRY_INIT(0x0092, 0, 0),
13271 - /* 16-bit data */
13272 - [GDT_ENTRY_PNPBIOS_TS2] = GDT_ENTRY_INIT(0x0092, 0, 0),
13273 - /*
13274 - * The APM segments have byte granularity and their bases
13275 - * are set at run time. All have 64k limits.
13276 - */
13277 - /* 32-bit code */
13278 - [GDT_ENTRY_APMBIOS_BASE] = GDT_ENTRY_INIT(0x409a, 0, 0xffff),
13279 - /* 16-bit code */
13280 - [GDT_ENTRY_APMBIOS_BASE+1] = GDT_ENTRY_INIT(0x009a, 0, 0xffff),
13281 - /* data */
13282 - [GDT_ENTRY_APMBIOS_BASE+2] = GDT_ENTRY_INIT(0x4092, 0, 0xffff),
13283 -
13284 - [GDT_ENTRY_ESPFIX_SS] = GDT_ENTRY_INIT(0xc092, 0, 0xfffff),
13285 - [GDT_ENTRY_PERCPU] = GDT_ENTRY_INIT(0xc092, 0, 0xfffff),
13286 - GDT_STACK_CANARY_INIT
13287 -#endif
13288 -} };
13289 -EXPORT_PER_CPU_SYMBOL_GPL(gdt_page);
13290 -
13291 static int __init x86_xsave_setup(char *s)
13292 {
13293 setup_clear_cpu_cap(X86_FEATURE_XSAVE);
13294 @@ -352,7 +298,7 @@ void switch_to_new_gdt(int cpu)
13295 {
13296 struct desc_ptr gdt_descr;
13297
13298 - gdt_descr.address = (long)get_cpu_gdt_table(cpu);
13299 + gdt_descr.address = (unsigned long)get_cpu_gdt_table(cpu);
13300 gdt_descr.size = GDT_SIZE - 1;
13301 load_gdt(&gdt_descr);
13302 /* Reload the per-cpu base */
13303 @@ -824,6 +770,10 @@ static void __cpuinit identify_cpu(struc
13304 /* Filter out anything that depends on CPUID levels we don't have */
13305 filter_cpuid_features(c, true);
13306
13307 +#if defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_KERNEXEC) || (defined(CONFIG_PAX_MEMORY_UDEREF) && defined(CONFIG_X86_32))
13308 + setup_clear_cpu_cap(X86_FEATURE_SEP);
13309 +#endif
13310 +
13311 /* If the model name is still unset, do table lookup. */
13312 if (!c->x86_model_id[0]) {
13313 const char *p;
13314 @@ -1003,6 +953,9 @@ static __init int setup_disablecpuid(cha
13315 }
13316 __setup("clearcpuid=", setup_disablecpuid);
13317
13318 +DEFINE_PER_CPU(struct thread_info *, current_tinfo) = &init_task.tinfo;
13319 +EXPORT_PER_CPU_SYMBOL(current_tinfo);
13320 +
13321 #ifdef CONFIG_X86_64
13322 struct desc_ptr idt_descr = { NR_VECTORS * 16 - 1, (unsigned long) idt_table };
13323
13324 @@ -1018,7 +971,7 @@ DEFINE_PER_CPU(struct task_struct *, cur
13325 EXPORT_PER_CPU_SYMBOL(current_task);
13326
13327 DEFINE_PER_CPU(unsigned long, kernel_stack) =
13328 - (unsigned long)&init_thread_union - KERNEL_STACK_OFFSET + THREAD_SIZE;
13329 + (unsigned long)&init_thread_union - 16 + THREAD_SIZE;
13330 EXPORT_PER_CPU_SYMBOL(kernel_stack);
13331
13332 DEFINE_PER_CPU(char *, irq_stack_ptr) =
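Review bot: The initializer of `kernel_stack` replaces the named constant `KERNEL_STACK_OFFSET` with a bare `16`, so the meaning of the offset is lost and this site can no longer be found by searching for the macro. If the macro's value is changed elsewhere in the patch (not visible here), redefining it is cleaner than hard-coding the number; otherwise add a comment such as `/* 16 bytes reserved at the top of the stack */`, with the reason to be confirmed. Any remaining user of `KERNEL_STACK_OFFSET` must agree with this value or stack pointer computations will diverge.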
13333 @@ -1083,7 +1036,7 @@ struct pt_regs * __cpuinit idle_regs(str
13334 {
13335 memset(regs, 0, sizeof(struct pt_regs));
13336 regs->fs = __KERNEL_PERCPU;
13337 - regs->gs = __KERNEL_STACK_CANARY;
13338 + savesegment(gs, regs->gs);
13339
13340 return regs;
13341 }
13342 @@ -1138,7 +1091,7 @@ void __cpuinit cpu_init(void)
13343 int i;
13344
13345 cpu = stack_smp_processor_id();
13346 - t = &per_cpu(init_tss, cpu);
13347 + t = init_tss + cpu;
13348 oist = &per_cpu(orig_ist, cpu);
13349
13350 #ifdef CONFIG_NUMA
13351 @@ -1164,7 +1117,7 @@ void __cpuinit cpu_init(void)
13352 switch_to_new_gdt(cpu);
13353 loadsegment(fs, 0);
13354
13355 - load_idt((const struct desc_ptr *)&idt_descr);
13356 + load_idt(&idt_descr);
13357
13358 memset(me->thread.tls_array, 0, GDT_ENTRY_TLS_ENTRIES * 8);
13359 syscall_init();
13360 @@ -1173,7 +1126,6 @@ void __cpuinit cpu_init(void)
13361 wrmsrl(MSR_KERNEL_GS_BASE, 0);
13362 barrier();
13363
13364 - x86_configure_nx();
13365 if (cpu != 0)
13366 enable_x2apic();
13367
13368 @@ -1227,7 +1179,7 @@ void __cpuinit cpu_init(void)
13369 {
13370 int cpu = smp_processor_id();
13371 struct task_struct *curr = current;
13372 - struct tss_struct *t = &per_cpu(init_tss, cpu);
13373 + struct tss_struct *t = init_tss + cpu;
13374 struct thread_struct *thread = &curr->thread;
13375
13376 if (cpumask_test_and_set_cpu(cpu, cpu_initialized_mask)) {
13377 diff -urNp linux-2.6.39.3/arch/x86/kernel/cpu/intel.c linux-2.6.39.3/arch/x86/kernel/cpu/intel.c
13378 --- linux-2.6.39.3/arch/x86/kernel/cpu/intel.c 2011-05-19 00:06:34.000000000 -0400
13379 +++ linux-2.6.39.3/arch/x86/kernel/cpu/intel.c 2011-05-22 19:36:30.000000000 -0400
13380 @@ -161,7 +161,7 @@ static void __cpuinit trap_init_f00f_bug
13381 * Update the IDT descriptor and reload the IDT so that
13382 * it uses the read-only mapped virtual address.
13383 */
13384 - idt_descr.address = fix_to_virt(FIX_F00F_IDT);
13385 + idt_descr.address = (struct desc_struct *)fix_to_virt(FIX_F00F_IDT);
13386 load_idt(&idt_descr);
13387 }
13388 #endif
13389 diff -urNp linux-2.6.39.3/arch/x86/kernel/cpu/Makefile linux-2.6.39.3/arch/x86/kernel/cpu/Makefile
13390 --- linux-2.6.39.3/arch/x86/kernel/cpu/Makefile 2011-05-19 00:06:34.000000000 -0400
13391 +++ linux-2.6.39.3/arch/x86/kernel/cpu/Makefile 2011-05-22 19:36:30.000000000 -0400
13392 @@ -8,10 +8,6 @@ CFLAGS_REMOVE_common.o = -pg
13393 CFLAGS_REMOVE_perf_event.o = -pg
13394 endif
13395
13396 -# Make sure load_percpu_segment has no stackprotector
13397 -nostackp := $(call cc-option, -fno-stack-protector)
13398 -CFLAGS_common.o := $(nostackp)
13399 -
13400 obj-y := intel_cacheinfo.o scattered.o topology.o
13401 obj-y += proc.o capflags.o powerflags.o common.o
13402 obj-y += vmware.o hypervisor.o sched.o mshyperv.o
13403 diff -urNp linux-2.6.39.3/arch/x86/kernel/cpu/mcheck/mce.c linux-2.6.39.3/arch/x86/kernel/cpu/mcheck/mce.c
13404 --- linux-2.6.39.3/arch/x86/kernel/cpu/mcheck/mce.c 2011-05-19 00:06:34.000000000 -0400
13405 +++ linux-2.6.39.3/arch/x86/kernel/cpu/mcheck/mce.c 2011-05-22 19:36:30.000000000 -0400
13406 @@ -46,6 +46,7 @@
13407 #include <asm/ipi.h>
13408 #include <asm/mce.h>
13409 #include <asm/msr.h>
13410 +#include <asm/local.h>
13411
13412 #include "mce-internal.h"
13413
13414 @@ -220,7 +221,7 @@ static void print_mce(struct mce *m)
13415 !(m->mcgstatus & MCG_STATUS_EIPV) ? " !INEXACT!" : "",
13416 m->cs, m->ip);
13417
13418 - if (m->cs == __KERNEL_CS)
13419 + if (m->cs == __KERNEL_CS || m->cs == __KERNEXEC_KERNEL_CS)
13420 print_symbol("{%s}", m->ip);
13421 pr_cont("\n");
13422 }
13423 @@ -244,10 +245,10 @@ static void print_mce(struct mce *m)
13424
13425 #define PANIC_TIMEOUT 5 /* 5 seconds */
13426
13427 -static atomic_t mce_paniced;
13428 +static atomic_unchecked_t mce_paniced;
13429
13430 static int fake_panic;
13431 -static atomic_t mce_fake_paniced;
13432 +static atomic_unchecked_t mce_fake_paniced;
13433
13434 /* Panic in progress. Enable interrupts and wait for final IPI */
13435 static void wait_for_panic(void)
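Review bot: The switch of `mce_paniced` and `mce_fake_paniced` to `atomic_unchecked_t` carries no comment saying why these two counters are exempt from overflow checking; the same applies to the `_unchecked` accessors in the later `mce_panic`, `mce_timed_out` and `mce_reset` hunks. From the uses visible in this file they look like "first CPU wins" flags rather than reference counts, which is presumably the reason, but that is inferred. A one-line comment above the declarations, e.g. `/* not a refcount: wraparound is harmless, so overflow detection is skipped */`, would stop a later reader from converting them back or copying the pattern onto a real refcount.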
13436 @@ -271,7 +272,7 @@ static void mce_panic(char *msg, struct
13437 /*
13438 * Make sure only one CPU runs in machine check panic
13439 */
13440 - if (atomic_inc_return(&mce_paniced) > 1)
13441 + if (atomic_inc_return_unchecked(&mce_paniced) > 1)
13442 wait_for_panic();
13443 barrier();
13444
13445 @@ -279,7 +280,7 @@ static void mce_panic(char *msg, struct
13446 console_verbose();
13447 } else {
13448 /* Don't log too much for fake panic */
13449 - if (atomic_inc_return(&mce_fake_paniced) > 1)
13450 + if (atomic_inc_return_unchecked(&mce_fake_paniced) > 1)
13451 return;
13452 }
13453 /* First print corrected ones that are still unlogged */
13454 @@ -647,7 +648,7 @@ static int mce_timed_out(u64 *t)
13455 * might have been modified by someone else.
13456 */
13457 rmb();
13458 - if (atomic_read(&mce_paniced))
13459 + if (atomic_read_unchecked(&mce_paniced))
13460 wait_for_panic();
13461 if (!monarch_timeout)
13462 goto out;
13463 @@ -1461,14 +1462,14 @@ void __cpuinit mcheck_cpu_init(struct cp
13464 */
13465
13466 static DEFINE_SPINLOCK(mce_state_lock);
13467 -static int open_count; /* #times opened */
13468 +static local_t open_count; /* #times opened */
13469 static int open_exclu; /* already open exclusive? */
13470
13471 static int mce_open(struct inode *inode, struct file *file)
13472 {
13473 spin_lock(&mce_state_lock);
13474
13475 - if (open_exclu || (open_count && (file->f_flags & O_EXCL))) {
13476 + if (open_exclu || (local_read(&open_count) && (file->f_flags & O_EXCL))) {
13477 spin_unlock(&mce_state_lock);
13478
13479 return -EBUSY;
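Review bot: `open_count` becomes a `local_t` although every access visible in this file (here and in the two `mce_open`/`mce_release` hunks that follow) already runs under `mce_state_lock`, and nothing says what the type change buys. If the intent is to bring the counter under overflow detection, say so next to the declaration, e.g. `/* #times opened; local_t so increments are overflow-checked */`; that stated reason is a guess. `mce_release` still decrements unconditionally, so an unbalanced release would take the count below zero exactly as before.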
13480 @@ -1476,7 +1477,7 @@ static int mce_open(struct inode *inode,
13481
13482 if (file->f_flags & O_EXCL)
13483 open_exclu = 1;
13484 - open_count++;
13485 + local_inc(&open_count);
13486
13487 spin_unlock(&mce_state_lock);
13488
13489 @@ -1487,7 +1488,7 @@ static int mce_release(struct inode *ino
13490 {
13491 spin_lock(&mce_state_lock);
13492
13493 - open_count--;
13494 + local_dec(&open_count);
13495 open_exclu = 0;
13496
13497 spin_unlock(&mce_state_lock);
13498 @@ -2174,7 +2175,7 @@ struct dentry *mce_get_debugfs_dir(void)
13499 static void mce_reset(void)
13500 {
13501 cpu_missing = 0;
13502 - atomic_set(&mce_fake_paniced, 0);
13503 + atomic_set_unchecked(&mce_fake_paniced, 0);
13504 atomic_set(&mce_executing, 0);
13505 atomic_set(&mce_callin, 0);
13506 atomic_set(&global_nwo, 0);
13507 diff -urNp linux-2.6.39.3/arch/x86/kernel/cpu/mtrr/main.c linux-2.6.39.3/arch/x86/kernel/cpu/mtrr/main.c
13508 --- linux-2.6.39.3/arch/x86/kernel/cpu/mtrr/main.c 2011-05-19 00:06:34.000000000 -0400
13509 +++ linux-2.6.39.3/arch/x86/kernel/cpu/mtrr/main.c 2011-05-22 19:36:30.000000000 -0400
13510 @@ -62,7 +62,7 @@ static DEFINE_MUTEX(mtrr_mutex);
13511 u64 size_or_mask, size_and_mask;
13512 static bool mtrr_aps_delayed_init;
13513
13514 -static const struct mtrr_ops *mtrr_ops[X86_VENDOR_NUM];
13515 +static const struct mtrr_ops *mtrr_ops[X86_VENDOR_NUM] __read_only;
13516
13517 const struct mtrr_ops *mtrr_if;
13518
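Review bot: Marking `mtrr_ops[]` `__read_only` means every store into the array has to happen before that section is write-protected, and the code that fills the table is not part of this hunk. If any registration path can run after init, the store would fault instead of registering the ops, so it is worth confirming that all writers are init-time only. A short comment at the declaration, such as `/* filled during init only; read-only afterwards */`, would record that constraint for whoever adds the next vendor.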
13519 diff -urNp linux-2.6.39.3/arch/x86/kernel/cpu/mtrr/mtrr.h linux-2.6.39.3/arch/x86/kernel/cpu/mtrr/mtrr.h
13520 --- linux-2.6.39.3/arch/x86/kernel/cpu/mtrr/mtrr.h 2011-05-19 00:06:34.000000000 -0400
13521 +++ linux-2.6.39.3/arch/x86/kernel/cpu/mtrr/mtrr.h 2011-05-22 19:36:30.000000000 -0400
13522 @@ -12,19 +12,19 @@
13523 extern unsigned int mtrr_usage_table[MTRR_MAX_VAR_RANGES];
13524
13525 struct mtrr_ops {
13526 - u32 vendor;
13527 - u32 use_intel_if;
13528 - void (*set)(unsigned int reg, unsigned long base,
13529 + const u32 vendor;
13530 + const u32 use_intel_if;
13531 + void (* const set)(unsigned int reg, unsigned long base,
13532 unsigned long size, mtrr_type type);
13533 - void (*set_all)(void);
13534 + void (* const set_all)(void);
13535
13536 - void (*get)(unsigned int reg, unsigned long *base,
13537 + void (* const get)(unsigned int reg, unsigned long *base,
13538 unsigned long *size, mtrr_type *type);
13539 - int (*get_free_region)(unsigned long base, unsigned long size,
13540 + int (* const get_free_region)(unsigned long base, unsigned long size,
13541 int replace_reg);
13542 - int (*validate_add_page)(unsigned long base, unsigned long size,
13543 + int (* const validate_add_page)(unsigned long base, unsigned long size,
13544 unsigned int type);
13545 - int (*have_wrcomb)(void);
13546 + int (* const have_wrcomb)(void);
13547 };
13548
13549 extern int generic_get_free_region(unsigned long base, unsigned long size,
13550 diff -urNp linux-2.6.39.3/arch/x86/kernel/cpu/perf_event.c linux-2.6.39.3/arch/x86/kernel/cpu/perf_event.c
13551 --- linux-2.6.39.3/arch/x86/kernel/cpu/perf_event.c 2011-05-19 00:06:34.000000000 -0400
13552 +++ linux-2.6.39.3/arch/x86/kernel/cpu/perf_event.c 2011-05-22 19:36:30.000000000 -0400
13553 @@ -774,6 +774,8 @@ static int x86_schedule_events(struct cp
13554 int i, j, w, wmax, num = 0;
13555 struct hw_perf_event *hwc;
13556
13557 + pax_track_stack();
13558 +
13559 bitmap_zero(used_mask, X86_PMC_IDX_MAX);
13560
13561 for (i = 0; i < n; i++) {
13562 @@ -1878,7 +1880,7 @@ perf_callchain_user(struct perf_callchai
13563 break;
13564
13565 perf_callchain_store(entry, frame.return_address);
13566 - fp = frame.next_frame;
13567 + fp = (__force const void __user *)frame.next_frame;
13568 }
13569 }
13570
13571 diff -urNp linux-2.6.39.3/arch/x86/kernel/crash.c linux-2.6.39.3/arch/x86/kernel/crash.c
13572 --- linux-2.6.39.3/arch/x86/kernel/crash.c 2011-05-19 00:06:34.000000000 -0400
13573 +++ linux-2.6.39.3/arch/x86/kernel/crash.c 2011-05-22 19:36:30.000000000 -0400
13574 @@ -42,7 +42,7 @@ static void kdump_nmi_callback(int cpu,
13575 regs = args->regs;
13576
13577 #ifdef CONFIG_X86_32
13578 - if (!user_mode_vm(regs)) {
13579 + if (!user_mode(regs)) {
13580 crash_fixup_ss_esp(&fixed_regs, regs);
13581 regs = &fixed_regs;
13582 }
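Review bot: Replacing `user_mode_vm(regs)` with `user_mode(regs)` is only safe if `user_mode()` also treats a vm86 frame as user mode, and that definition is not in this hunk. In the unpatched 2.6.39 tree, as far as I recall, `user_mode()` on 32-bit looks at the CS privilege bits alone, so a vm86 frame would be taken for a kernel one and `crash_fixup_ss_esp()` would work from the wrong SS/ESP. The same substitution appears in `show_registers` (dumpstack_32.c) and in `__die` and `die` (dumpstack.c). All four depend on the header change, so it should be checked once against the patched `user_mode()` definition.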
13583 diff -urNp linux-2.6.39.3/arch/x86/kernel/doublefault_32.c linux-2.6.39.3/arch/x86/kernel/doublefault_32.c
13584 --- linux-2.6.39.3/arch/x86/kernel/doublefault_32.c 2011-05-19 00:06:34.000000000 -0400
13585 +++ linux-2.6.39.3/arch/x86/kernel/doublefault_32.c 2011-05-22 19:36:30.000000000 -0400
13586 @@ -11,7 +11,7 @@
13587
13588 #define DOUBLEFAULT_STACKSIZE (1024)
13589 static unsigned long doublefault_stack[DOUBLEFAULT_STACKSIZE];
13590 -#define STACK_START (unsigned long)(doublefault_stack+DOUBLEFAULT_STACKSIZE)
13591 +#define STACK_START (unsigned long)(doublefault_stack+DOUBLEFAULT_STACKSIZE-2)
13592
13593 #define ptr_ok(x) ((x) > PAGE_OFFSET && (x) < PAGE_OFFSET + MAXMEM)
13594
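Review bot: The `-2` in `STACK_START` is unexplained. It moves the initial stack pointer two `unsigned long` slots below the end of `doublefault_stack`, presumably to leave room for something that is read above the stack pointer, but nothing in the hunk says what. A comment on the define naming what occupies those two words, e.g. `/* keep the top 2 words free for ... */`, would make the constant auditable. The `.sp = STACK_START` initializer that consumes it is in the third hunk of this file.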
13595 @@ -21,7 +21,7 @@ static void doublefault_fn(void)
13596 unsigned long gdt, tss;
13597
13598 store_gdt(&gdt_desc);
13599 - gdt = gdt_desc.address;
13600 + gdt = (unsigned long)gdt_desc.address;
13601
13602 printk(KERN_EMERG "PANIC: double fault, gdt at %08lx [%d bytes]\n", gdt, gdt_desc.size);
13603
13604 @@ -58,10 +58,10 @@ struct tss_struct doublefault_tss __cach
13605 /* 0x2 bit is always set */
13606 .flags = X86_EFLAGS_SF | 0x2,
13607 .sp = STACK_START,
13608 - .es = __USER_DS,
13609 + .es = __KERNEL_DS,
13610 .cs = __KERNEL_CS,
13611 .ss = __KERNEL_DS,
13612 - .ds = __USER_DS,
13613 + .ds = __KERNEL_DS,
13614 .fs = __KERNEL_PERCPU,
13615
13616 .__cr3 = __pa_nodebug(swapper_pg_dir),
13617 diff -urNp linux-2.6.39.3/arch/x86/kernel/dumpstack_32.c linux-2.6.39.3/arch/x86/kernel/dumpstack_32.c
13618 --- linux-2.6.39.3/arch/x86/kernel/dumpstack_32.c 2011-05-19 00:06:34.000000000 -0400
13619 +++ linux-2.6.39.3/arch/x86/kernel/dumpstack_32.c 2011-05-22 19:36:30.000000000 -0400
13620 @@ -38,15 +38,13 @@ void dump_trace(struct task_struct *task
13621 bp = stack_frame(task, regs);
13622
13623 for (;;) {
13624 - struct thread_info *context;
13625 + void *stack_start = (void *)((unsigned long)stack & ~(THREAD_SIZE-1));
13626
13627 - context = (struct thread_info *)
13628 - ((unsigned long)stack & (~(THREAD_SIZE - 1)));
13629 - bp = ops->walk_stack(context, stack, bp, ops, data, NULL, &graph);
13630 + bp = ops->walk_stack(task, stack_start, stack, bp, ops, data, NULL, &graph);
13631
13632 - stack = (unsigned long *)context->previous_esp;
13633 - if (!stack)
13634 + if (stack_start == task_stack_page(task))
13635 break;
13636 + stack = *(unsigned long **)stack_start;
13637 if (ops->stack(data, "IRQ") < 0)
13638 break;
13639 touch_nmi_watchdog();
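Review bot: The rewritten loop drops the `if (!stack) break;` guard: the next stack pointer is now loaded with `stack = *(unsigned long **)stack_start;` and the only exit is `stack_start == task_stack_page(task)`. This code runs while reporting an oops, when the word at the base of the current stack may be zero or garbage. A NULL there makes the next iteration compute `stack_start` as 0 and dereference it. Keeping the old check right after the load, `if (!stack) break;`, costs nothing and keeps the dumper from faulting inside the fault handler. The rest of `dump_trace` lies outside the hunk.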
13640 @@ -96,21 +94,22 @@ void show_registers(struct pt_regs *regs
13641 * When in-kernel, we also print out the stack and code at the
13642 * time of the fault..
13643 */
13644 - if (!user_mode_vm(regs)) {
13645 + if (!user_mode(regs)) {
13646 unsigned int code_prologue = code_bytes * 43 / 64;
13647 unsigned int code_len = code_bytes;
13648 unsigned char c;
13649 u8 *ip;
13650 + unsigned long cs_base = get_desc_base(&get_cpu_gdt_table(smp_processor_id())[(0xffff & regs->cs) >> 3]);
13651
13652 printk(KERN_EMERG "Stack:\n");
13653 show_stack_log_lvl(NULL, regs, &regs->sp, 0, KERN_EMERG);
13654
13655 printk(KERN_EMERG "Code: ");
13656
13657 - ip = (u8 *)regs->ip - code_prologue;
13658 + ip = (u8 *)regs->ip - code_prologue + cs_base;
13659 if (ip < (u8 *)PAGE_OFFSET || probe_kernel_address(ip, c)) {
13660 /* try starting at IP */
13661 - ip = (u8 *)regs->ip;
13662 + ip = (u8 *)regs->ip + cs_base;
13663 code_len = code_len - code_prologue + 1;
13664 }
13665 for (i = 0; i < code_len; i++, ip++) {
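Review bot: The new `cs_base` line indexes the GDT with `(0xffff & regs->cs) >> 3` without checking the table-indicator bit or that the index lies inside the table. Under `!user_mode(regs)` the selector should be a kernel GDT selector, but this is the oops path and `regs` may itself be what is corrupt, in which case the register dump performs an out-of-bounds read. A guard before the lookup that falls back to a base of 0 would keep it safe, e.g. `if ((regs->cs & 4) || ((regs->cs & 0xffff) >> 3) >= GDT_ENTRIES) cs_base = 0;`. The very long declaration would also read better split into an index variable and the `get_desc_base()` call.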
13666 @@ -119,7 +118,7 @@ void show_registers(struct pt_regs *regs
13667 printk(" Bad EIP value.");
13668 break;
13669 }
13670 - if (ip == (u8 *)regs->ip)
13671 + if (ip == (u8 *)regs->ip + cs_base)
13672 printk("<%02x> ", c);
13673 else
13674 printk("%02x ", c);
13675 @@ -132,6 +131,7 @@ int is_valid_bugaddr(unsigned long ip)
13676 {
13677 unsigned short ud2;
13678
13679 + ip = ktla_ktva(ip);
13680 if (ip < PAGE_OFFSET)
13681 return 0;
13682 if (probe_kernel_address((unsigned short *)ip, ud2))
13683 diff -urNp linux-2.6.39.3/arch/x86/kernel/dumpstack_64.c linux-2.6.39.3/arch/x86/kernel/dumpstack_64.c
13684 --- linux-2.6.39.3/arch/x86/kernel/dumpstack_64.c 2011-05-19 00:06:34.000000000 -0400
13685 +++ linux-2.6.39.3/arch/x86/kernel/dumpstack_64.c 2011-05-22 19:36:30.000000000 -0400
13686 @@ -147,9 +147,9 @@ void dump_trace(struct task_struct *task
13687 unsigned long *irq_stack_end =
13688 (unsigned long *)per_cpu(irq_stack_ptr, cpu);
13689 unsigned used = 0;
13690 - struct thread_info *tinfo;
13691 int graph = 0;
13692 unsigned long dummy;
13693 + void *stack_start;
13694
13695 if (!task)
13696 task = current;
13697 @@ -167,10 +167,10 @@ void dump_trace(struct task_struct *task
13698 * current stack address. If the stacks consist of nested
13699 * exceptions
13700 */
13701 - tinfo = task_thread_info(task);
13702 for (;;) {
13703 char *id;
13704 unsigned long *estack_end;
13705 +
13706 estack_end = in_exception_stack(cpu, (unsigned long)stack,
13707 &used, &id);
13708
13709 @@ -178,7 +178,7 @@ void dump_trace(struct task_struct *task
13710 if (ops->stack(data, id) < 0)
13711 break;
13712
13713 - bp = ops->walk_stack(tinfo, stack, bp, ops,
13714 + bp = ops->walk_stack(task, estack_end - EXCEPTION_STKSZ, stack, bp, ops,
13715 data, estack_end, &graph);
13716 ops->stack(data, "<EOE>");
13717 /*
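Review bot: `estack_end - EXCEPTION_STKSZ` is pointer arithmetic on an `unsigned long *` (declared in the previous hunk of this function), so the subtraction is scaled by `sizeof(unsigned long)`. If `EXCEPTION_STKSZ` is a byte count, as it is in the mainline headers, the `stack_start` handed to `walk_stack` lands several stack sizes below the exception stack rather than at its base. `valid_stack_ptr` in dumpstack.c appears to ignore its first argument when `end` is non-NULL, so the two in-tree walkers are probably unaffected, but any other `walk_stack` implementation gets a wrong base. `(void *)estack_end - EXCEPTION_STKSZ` would give the byte offset that seems intended.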
13718 @@ -197,7 +197,7 @@ void dump_trace(struct task_struct *task
13719 if (in_irq_stack(stack, irq_stack, irq_stack_end)) {
13720 if (ops->stack(data, "IRQ") < 0)
13721 break;
13722 - bp = ops->walk_stack(tinfo, stack, bp,
13723 + bp = ops->walk_stack(task, irq_stack, stack, bp,
13724 ops, data, irq_stack_end, &graph);
13725 /*
13726 * We link to the next stack (which would be
13727 @@ -218,7 +218,8 @@ void dump_trace(struct task_struct *task
13728 /*
13729 * This handles the process stack:
13730 */
13731 - bp = ops->walk_stack(tinfo, stack, bp, ops, data, NULL, &graph);
13732 + stack_start = (void *)((unsigned long)stack & ~(THREAD_SIZE-1));
13733 + bp = ops->walk_stack(task, stack_start, stack, bp, ops, data, NULL, &graph);
13734 put_cpu();
13735 }
13736 EXPORT_SYMBOL(dump_trace);
13737 diff -urNp linux-2.6.39.3/arch/x86/kernel/dumpstack.c linux-2.6.39.3/arch/x86/kernel/dumpstack.c
13738 --- linux-2.6.39.3/arch/x86/kernel/dumpstack.c 2011-05-19 00:06:34.000000000 -0400
13739 +++ linux-2.6.39.3/arch/x86/kernel/dumpstack.c 2011-05-22 19:41:32.000000000 -0400
13740 @@ -2,6 +2,9 @@
13741 * Copyright (C) 1991, 1992 Linus Torvalds
13742 * Copyright (C) 2000, 2001, 2002 Andi Kleen, SuSE Labs
13743 */
13744 +#ifdef CONFIG_GRKERNSEC_HIDESYM
13745 +#define __INCLUDED_BY_HIDESYM 1
13746 +#endif
13747 #include <linux/kallsyms.h>
13748 #include <linux/kprobes.h>
13749 #include <linux/uaccess.h>
13750 @@ -35,9 +38,8 @@ void printk_address(unsigned long addres
13751 static void
13752 print_ftrace_graph_addr(unsigned long addr, void *data,
13753 const struct stacktrace_ops *ops,
13754 - struct thread_info *tinfo, int *graph)
13755 + struct task_struct *task, int *graph)
13756 {
13757 - struct task_struct *task = tinfo->task;
13758 unsigned long ret_addr;
13759 int index = task->curr_ret_stack;
13760
13761 @@ -58,7 +60,7 @@ print_ftrace_graph_addr(unsigned long ad
13762 static inline void
13763 print_ftrace_graph_addr(unsigned long addr, void *data,
13764 const struct stacktrace_ops *ops,
13765 - struct thread_info *tinfo, int *graph)
13766 + struct task_struct *task, int *graph)
13767 { }
13768 #endif
13769
13770 @@ -69,10 +71,8 @@ print_ftrace_graph_addr(unsigned long ad
13771 * severe exception (double fault, nmi, stack fault, debug, mce) hardware stack
13772 */
13773
13774 -static inline int valid_stack_ptr(struct thread_info *tinfo,
13775 - void *p, unsigned int size, void *end)
13776 +static inline int valid_stack_ptr(void *t, void *p, unsigned int size, void *end)
13777 {
13778 - void *t = tinfo;
13779 if (end) {
13780 if (p < end && p >= (end-THREAD_SIZE))
13781 return 1;
13782 @@ -83,14 +83,14 @@ static inline int valid_stack_ptr(struct
13783 }
13784
13785 unsigned long
13786 -print_context_stack(struct thread_info *tinfo,
13787 +print_context_stack(struct task_struct *task, void *stack_start,
13788 unsigned long *stack, unsigned long bp,
13789 const struct stacktrace_ops *ops, void *data,
13790 unsigned long *end, int *graph)
13791 {
13792 struct stack_frame *frame = (struct stack_frame *)bp;
13793
13794 - while (valid_stack_ptr(tinfo, stack, sizeof(*stack), end)) {
13795 + while (valid_stack_ptr(stack_start, stack, sizeof(*stack), end)) {
13796 unsigned long addr;
13797
13798 addr = *stack;
13799 @@ -102,7 +102,7 @@ print_context_stack(struct thread_info *
13800 } else {
13801 ops->address(data, addr, 0);
13802 }
13803 - print_ftrace_graph_addr(addr, data, ops, tinfo, graph);
13804 + print_ftrace_graph_addr(addr, data, ops, task, graph);
13805 }
13806 stack++;
13807 }
13808 @@ -111,7 +111,7 @@ print_context_stack(struct thread_info *
13809 EXPORT_SYMBOL_GPL(print_context_stack);
13810
13811 unsigned long
13812 -print_context_stack_bp(struct thread_info *tinfo,
13813 +print_context_stack_bp(struct task_struct *task, void *stack_start,
13814 unsigned long *stack, unsigned long bp,
13815 const struct stacktrace_ops *ops, void *data,
13816 unsigned long *end, int *graph)
13817 @@ -119,7 +119,7 @@ print_context_stack_bp(struct thread_inf
13818 struct stack_frame *frame = (struct stack_frame *)bp;
13819 unsigned long *ret_addr = &frame->return_address;
13820
13821 - while (valid_stack_ptr(tinfo, ret_addr, sizeof(*ret_addr), end)) {
13822 + while (valid_stack_ptr(stack_start, ret_addr, sizeof(*ret_addr), end)) {
13823 unsigned long addr = *ret_addr;
13824
13825 if (!__kernel_text_address(addr))
13826 @@ -128,7 +128,7 @@ print_context_stack_bp(struct thread_inf
13827 ops->address(data, addr, 1);
13828 frame = frame->next_frame;
13829 ret_addr = &frame->return_address;
13830 - print_ftrace_graph_addr(addr, data, ops, tinfo, graph);
13831 + print_ftrace_graph_addr(addr, data, ops, task, graph);
13832 }
13833
13834 return (unsigned long)frame;
13835 @@ -202,7 +202,7 @@ void dump_stack(void)
13836
13837 bp = stack_frame(current, NULL);
13838 printk("Pid: %d, comm: %.20s %s %s %.*s\n",
13839 - current->pid, current->comm, print_tainted(),
13840 + task_pid_nr(current), current->comm, print_tainted(),
13841 init_utsname()->release,
13842 (int)strcspn(init_utsname()->version, " "),
13843 init_utsname()->version);
13844 @@ -238,6 +238,8 @@ unsigned __kprobes long oops_begin(void)
13845 }
13846 EXPORT_SYMBOL_GPL(oops_begin);
13847
13848 +extern void gr_handle_kernel_exploit(void);
13849 +
13850 void __kprobes oops_end(unsigned long flags, struct pt_regs *regs, int signr)
13851 {
13852 if (regs && kexec_should_crash(current))
13853 @@ -259,7 +261,10 @@ void __kprobes oops_end(unsigned long fl
13854 panic("Fatal exception in interrupt");
13855 if (panic_on_oops)
13856 panic("Fatal exception");
13857 - do_exit(signr);
13858 +
13859 + gr_handle_kernel_exploit();
13860 +
13861 + do_group_exit(signr);
13862 }
13863
13864 int __kprobes __die(const char *str, struct pt_regs *regs, long err)
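Review bot: `do_exit(signr)` becomes `do_group_exit(signr)`, which does more work in a context that has just oopsed. As far as I recall the mainline implementation, `do_group_exit()` takes `sighand->siglock` to zap the other threads before calling `do_exit()`; if the oops happened with that lock held, the exit path would spin instead of terminating the task. A comment above the call should state why the whole thread group has to go and that the lock dependency was considered, e.g. `/* kill the whole group: sibling threads share the possibly corrupted state */` (the rationale is my guess). Separately, the `extern void gr_handle_kernel_exploit(void);` added in the previous hunk sits in the .c file; a prototype in a shared header would let the compiler catch a mismatch with the definition.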
13865 @@ -286,7 +291,7 @@ int __kprobes __die(const char *str, str
13866
13867 show_registers(regs);
13868 #ifdef CONFIG_X86_32
13869 - if (user_mode_vm(regs)) {
13870 + if (user_mode(regs)) {
13871 sp = regs->sp;
13872 ss = regs->ss & 0xffff;
13873 } else {
13874 @@ -314,7 +319,7 @@ void die(const char *str, struct pt_regs
13875 unsigned long flags = oops_begin();
13876 int sig = SIGSEGV;
13877
13878 - if (!user_mode_vm(regs))
13879 + if (!user_mode(regs))
13880 report_bug(regs->ip, regs);
13881
13882 if (__die(str, regs, err))
13883 diff -urNp linux-2.6.39.3/arch/x86/kernel/early_printk.c linux-2.6.39.3/arch/x86/kernel/early_printk.c
13884 --- linux-2.6.39.3/arch/x86/kernel/early_printk.c 2011-05-19 00:06:34.000000000 -0400
13885 +++ linux-2.6.39.3/arch/x86/kernel/early_printk.c 2011-05-22 19:36:30.000000000 -0400
13886 @@ -7,6 +7,7 @@
13887 #include <linux/pci_regs.h>
13888 #include <linux/pci_ids.h>
13889 #include <linux/errno.h>
13890 +#include <linux/sched.h>
13891 #include <asm/io.h>
13892 #include <asm/processor.h>
13893 #include <asm/fcntl.h>
13894 @@ -179,6 +180,8 @@ asmlinkage void early_printk(const char
13895 int n;
13896 va_list ap;
13897
13898 + pax_track_stack();
13899 +
13900 va_start(ap, fmt);
13901 n = vscnprintf(buf, sizeof(buf), fmt, ap);
13902 early_console->write(early_console, buf, n);
13903 diff -urNp linux-2.6.39.3/arch/x86/kernel/entry_32.S linux-2.6.39.3/arch/x86/kernel/entry_32.S
13904 --- linux-2.6.39.3/arch/x86/kernel/entry_32.S 2011-05-19 00:06:34.000000000 -0400
13905 +++ linux-2.6.39.3/arch/x86/kernel/entry_32.S 2011-05-23 17:07:00.000000000 -0400
13906 @@ -185,13 +185,146 @@
13907 /*CFI_REL_OFFSET gs, PT_GS*/
13908 .endm
13909 .macro SET_KERNEL_GS reg
13910 +
13911 +#ifdef CONFIG_CC_STACKPROTECTOR
13912 movl $(__KERNEL_STACK_CANARY), \reg
13913 +#elif defined(CONFIG_PAX_MEMORY_UDEREF)
13914 + movl $(__USER_DS), \reg
13915 +#else
13916 + xorl \reg, \reg
13917 +#endif
13918 +
13919 movl \reg, %gs
13920 .endm
13921
13922 #endif /* CONFIG_X86_32_LAZY_GS */
13923
13924 -.macro SAVE_ALL
13925 +.macro pax_enter_kernel
13926 +#ifdef CONFIG_PAX_KERNEXEC
13927 + call pax_enter_kernel
13928 +#endif
13929 +.endm
13930 +
13931 +.macro pax_exit_kernel
13932 +#ifdef CONFIG_PAX_KERNEXEC
13933 + call pax_exit_kernel
13934 +#endif
13935 +.endm
13936 +
13937 +#ifdef CONFIG_PAX_KERNEXEC
13938 +ENTRY(pax_enter_kernel)
13939 +#ifdef CONFIG_PARAVIRT
13940 + pushl %eax
13941 + pushl %ecx
13942 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0)
13943 + mov %eax, %esi
13944 +#else
13945 + mov %cr0, %esi
13946 +#endif
13947 + bts $16, %esi
13948 + jnc 1f
13949 + mov %cs, %esi
13950 + cmp $__KERNEL_CS, %esi
13951 + jz 3f
13952 + ljmp $__KERNEL_CS, $3f
13953 +1: ljmp $__KERNEXEC_KERNEL_CS, $2f
13954 +2:
13955 +#ifdef CONFIG_PARAVIRT
13956 + mov %esi, %eax
13957 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0)
13958 +#else
13959 + mov %esi, %cr0
13960 +#endif
13961 +3:
13962 +#ifdef CONFIG_PARAVIRT
13963 + popl %ecx
13964 + popl %eax
13965 +#endif
13966 + ret
13967 +ENDPROC(pax_enter_kernel)
13968 +
13969 +ENTRY(pax_exit_kernel)
13970 +#ifdef CONFIG_PARAVIRT
13971 + pushl %eax
13972 + pushl %ecx
13973 +#endif
13974 + mov %cs, %esi
13975 + cmp $__KERNEXEC_KERNEL_CS, %esi
13976 + jnz 2f
13977 +#ifdef CONFIG_PARAVIRT
13978 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0);
13979 + mov %eax, %esi
13980 +#else
13981 + mov %cr0, %esi
13982 +#endif
13983 + btr $16, %esi
13984 + ljmp $__KERNEL_CS, $1f
13985 +1:
13986 +#ifdef CONFIG_PARAVIRT
13987 + mov %esi, %eax
13988 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0);
13989 +#else
13990 + mov %esi, %cr0
13991 +#endif
13992 +2:
13993 +#ifdef CONFIG_PARAVIRT
13994 + popl %ecx
13995 + popl %eax
13996 +#endif
13997 + ret
13998 +ENDPROC(pax_exit_kernel)
13999 +#endif
14000 +
14001 +.macro pax_erase_kstack
14002 +#ifdef CONFIG_PAX_MEMORY_STACKLEAK
14003 + call pax_erase_kstack
14004 +#endif
14005 +.endm
14006 +
14007 +#ifdef CONFIG_PAX_MEMORY_STACKLEAK
14008 +/*
14009 + * ebp: thread_info
14010 + * ecx, edx: can be clobbered
14011 + */
14012 +ENTRY(pax_erase_kstack)
14013 + pushl %edi
14014 + pushl %eax
14015 +
14016 + mov TI_lowest_stack(%ebp), %edi
14017 + mov $-0xBEEF, %eax
14018 + std
14019 +
14020 +1: mov %edi, %ecx
14021 + and $THREAD_SIZE_asm - 1, %ecx
14022 + shr $2, %ecx
14023 + repne scasl
14024 + jecxz 2f
14025 +
14026 + cmp $2*16, %ecx
14027 + jc 2f
14028 +
14029 + mov $2*16, %ecx
14030 + repe scasl
14031 + jecxz 2f
14032 + jne 1b
14033 +
14034 +2: cld
14035 + mov %esp, %ecx
14036 + sub %edi, %ecx
14037 + shr $2, %ecx
14038 + rep stosl
14039 +
14040 + mov TI_task_thread_sp0(%ebp), %edi
14041 + sub $128, %edi
14042 + mov %edi, TI_lowest_stack(%ebp)
14043 +
14044 + popl %eax
14045 + popl %edi
14046 + ret
14047 +ENDPROC(pax_erase_kstack)
14048 +#endif
14049 +
14050 +.macro __SAVE_ALL _DS
14051 cld
14052 PUSH_GS
14053 pushl_cfi %fs
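Review bot: `pax_enter_kernel` and `pax_exit_kernel` have no register contract or explanation, unlike `pax_erase_kstack` below them, which documents its inputs and clobbers. Both routines overwrite `%esi`, and since `SAVE_ALL` (later in this file) now calls `pax_enter_kernel`, every `SAVE_ALL` user loses the live `%esi` value, which deserves stating. I would add a header comment along the lines of `/* sets or clears CR0 bit 16 (WP) and switches the kernel code segment; clobbers %esi */` and name the bit next to the `bts $16` and `btr $16` instructions. The constants in `pax_erase_kstack` (`-0xBEEF`, `2*16`, `128`) would likewise be easier to audit as named symbols with a line on what each one means.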
14054 @@ -214,7 +347,7 @@
14055 CFI_REL_OFFSET ecx, 0
14056 pushl_cfi %ebx
14057 CFI_REL_OFFSET ebx, 0
14058 - movl $(__USER_DS), %edx
14059 + movl $\_DS, %edx
14060 movl %edx, %ds
14061 movl %edx, %es
14062 movl $(__KERNEL_PERCPU), %edx
14063 @@ -222,6 +355,15 @@
14064 SET_KERNEL_GS %edx
14065 .endm
14066
14067 +.macro SAVE_ALL
14068 +#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
14069 + __SAVE_ALL __KERNEL_DS
14070 + pax_enter_kernel
14071 +#else
14072 + __SAVE_ALL __USER_DS
14073 +#endif
14074 +.endm
14075 +
14076 .macro RESTORE_INT_REGS
14077 popl_cfi %ebx
14078 CFI_RESTORE ebx
14079 @@ -332,7 +474,15 @@ check_userspace:
14080 movb PT_CS(%esp), %al
14081 andl $(X86_EFLAGS_VM | SEGMENT_RPL_MASK), %eax
14082 cmpl $USER_RPL, %eax
14083 +
14084 +#ifdef CONFIG_PAX_KERNEXEC
14085 + jae resume_userspace
14086 +
14087 + PAX_EXIT_KERNEL
14088 + jmp resume_kernel
14089 +#else
14090 jb resume_kernel # not returning to v8086 or userspace
14091 +#endif
14092
14093 ENTRY(resume_userspace)
14094 LOCKDEP_SYS_EXIT
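Review bot: This hunk invokes `PAX_EXIT_KERNEL` in upper case, while the macro defined earlier in this file and used in the two NMI paths is spelled `pax_exit_kernel`. Whether the upper-case name resolves to that same macro or to a separate definition in a header cannot be told from the patch text shown here. Using `pax_exit_kernel` here as well would make it obvious that every return-to-kernel path runs the same code.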
14095 @@ -344,7 +494,7 @@ ENTRY(resume_userspace)
14096 andl $_TIF_WORK_MASK, %ecx # is there any work to be done on
14097 # int/exception return?
14098 jne work_pending
14099 - jmp restore_all
14100 + jmp restore_all_pax
14101 END(ret_from_exception)
14102
14103 #ifdef CONFIG_PREEMPT
14104 @@ -394,23 +544,34 @@ sysenter_past_esp:
14105 /*CFI_REL_OFFSET cs, 0*/
14106 /*
14107 * Push current_thread_info()->sysenter_return to the stack.
14108 - * A tiny bit of offset fixup is necessary - 4*4 means the 4 words
14109 - * pushed above; +8 corresponds to copy_thread's esp0 setting.
14110 */
14111 - pushl_cfi ((TI_sysenter_return)-THREAD_SIZE+8+4*4)(%esp)
14112 + pushl_cfi $0
14113 CFI_REL_OFFSET eip, 0
14114
14115 pushl_cfi %eax
14116 SAVE_ALL
14117 + GET_THREAD_INFO(%ebp)
14118 + movl TI_sysenter_return(%ebp),%ebp
14119 + movl %ebp,PT_EIP(%esp)
14120 ENABLE_INTERRUPTS(CLBR_NONE)
14121
14122 /*
14123 * Load the potential sixth argument from user stack.
14124 * Careful about security.
14125 */
14126 + movl PT_OLDESP(%esp),%ebp
14127 +
14128 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14129 + mov PT_OLDSS(%esp),%ds
14130 +1: movl %ds:(%ebp),%ebp
14131 + push %ss
14132 + pop %ds
14133 +#else
14134 cmpl $__PAGE_OFFSET-3,%ebp
14135 jae syscall_fault
14136 1: movl (%ebp),%ebp
14137 +#endif
14138 +
14139 movl %ebp,PT_EBP(%esp)
14140 .section __ex_table,"a"
14141 .align 4
14142 @@ -433,12 +594,23 @@ sysenter_do_call:
14143 testl $_TIF_ALLWORK_MASK, %ecx
14144 jne sysexit_audit
14145 sysenter_exit:
14146 +
14147 +#ifdef CONFIG_PAX_RANDKSTACK
14148 + pushl_cfi %eax
14149 + call pax_randomize_kstack
14150 + popl_cfi %eax
14151 +#endif
14152 +
14153 + pax_erase_kstack
14154 +
14155 /* if something modifies registers it must also disable sysexit */
14156 movl PT_EIP(%esp), %edx
14157 movl PT_OLDESP(%esp), %ecx
14158 xorl %ebp,%ebp
14159 TRACE_IRQS_ON
14160 1: mov PT_FS(%esp), %fs
14161 +2: mov PT_DS(%esp), %ds
14162 +3: mov PT_ES(%esp), %es
14163 PTGS_TO_GS
14164 ENABLE_INTERRUPTS_SYSEXIT
14165
14166 @@ -455,6 +627,9 @@ sysenter_audit:
14167 movl %eax,%edx /* 2nd arg: syscall number */
14168 movl $AUDIT_ARCH_I386,%eax /* 1st arg: audit arch */
14169 call audit_syscall_entry
14170 +
14171 + pax_erase_kstack
14172 +
14173 pushl_cfi %ebx
14174 movl PT_EAX(%esp),%eax /* reload syscall number */
14175 jmp sysenter_do_call
14176 @@ -481,11 +656,17 @@ sysexit_audit:
14177
14178 CFI_ENDPROC
14179 .pushsection .fixup,"ax"
14180 -2: movl $0,PT_FS(%esp)
14181 +4: movl $0,PT_FS(%esp)
14182 + jmp 1b
14183 +5: movl $0,PT_DS(%esp)
14184 + jmp 1b
14185 +6: movl $0,PT_ES(%esp)
14186 jmp 1b
14187 .section __ex_table,"a"
14188 .align 4
14189 - .long 1b,2b
14190 + .long 1b,4b
14191 + .long 2b,5b
14192 + .long 3b,6b
14193 .popsection
14194 PTGS_TO_GS_EX
14195 ENDPROC(ia32_sysenter_target)
14196 @@ -518,6 +699,14 @@ syscall_exit:
14197 testl $_TIF_ALLWORK_MASK, %ecx # current->work
14198 jne syscall_exit_work
14199
14200 +restore_all_pax:
14201 +
14202 +#ifdef CONFIG_PAX_RANDKSTACK
14203 + call pax_randomize_kstack
14204 +#endif
14205 +
14206 + pax_erase_kstack
14207 +
14208 restore_all:
14209 TRACE_IRQS_IRET
14210 restore_all_notrace:
14211 @@ -577,14 +766,21 @@ ldt_ss:
14212 * compensating for the offset by changing to the ESPFIX segment with
14213 * a base address that matches for the difference.
14214 */
14215 -#define GDT_ESPFIX_SS PER_CPU_VAR(gdt_page) + (GDT_ENTRY_ESPFIX_SS * 8)
14216 +#define GDT_ESPFIX_SS (GDT_ENTRY_ESPFIX_SS * 8)(%ebx)
14217 mov %esp, %edx /* load kernel esp */
14218 mov PT_OLDESP(%esp), %eax /* load userspace esp */
14219 mov %dx, %ax /* eax: new kernel esp */
14220 sub %eax, %edx /* offset (low word is 0) */
14221 +#ifdef CONFIG_SMP
14222 + movl PER_CPU_VAR(cpu_number), %ebx
14223 + shll $PAGE_SHIFT_asm, %ebx
14224 + addl $cpu_gdt_table, %ebx
14225 +#else
14226 + movl $cpu_gdt_table, %ebx
14227 +#endif
14228 shr $16, %edx
14229 - mov %dl, GDT_ESPFIX_SS + 4 /* bits 16..23 */
14230 - mov %dh, GDT_ESPFIX_SS + 7 /* bits 24..31 */
14231 + mov %dl, 4 + GDT_ESPFIX_SS /* bits 16..23 */
14232 + mov %dh, 7 + GDT_ESPFIX_SS /* bits 24..31 */
14233 pushl_cfi $__ESPFIX_SS
14234 pushl_cfi %eax /* new kernel esp */
14235 /* Disable interrupts, but do not irqtrace this section: we
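Review bot: `GDT_ESPFIX_SS` now expands to `(GDT_ENTRY_ESPFIX_SS * 8)(%ebx)`, so the macro silently depends on `%ebx` holding the current CPU's GDT base, and both users clobber `%ebx` to set that up. Neither the define nor the `FIXUP_ESPFIX_STACK` macro (changed in a later hunk of this file) mentions this, and the `shll $PAGE_SHIFT_asm, %ebx` step assumes each CPU's table in `cpu_gdt_table` occupies exactly one page. A comment on the define, e.g. `/* %ebx must hold this CPU's GDT base; one page per CPU in cpu_gdt_table */`, would keep a future caller from using it with a live `%ebx`. The address computation is duplicated in both places and could become a small macro.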
14236 @@ -613,29 +809,23 @@ work_resched:
14237 movl TI_flags(%ebp), %ecx
14238 andl $_TIF_WORK_MASK, %ecx # is there any work to be done other
14239 # than syscall tracing?
14240 - jz restore_all
14241 + jz restore_all_pax
14242 testb $_TIF_NEED_RESCHED, %cl
14243 jnz work_resched
14244
14245 work_notifysig: # deal with pending signals and
14246 # notify-resume requests
14247 + movl %esp, %eax
14248 #ifdef CONFIG_VM86
14249 testl $X86_EFLAGS_VM, PT_EFLAGS(%esp)
14250 - movl %esp, %eax
14251 - jne work_notifysig_v86 # returning to kernel-space or
14252 + jz 1f # returning to kernel-space or
14253 # vm86-space
14254 - xorl %edx, %edx
14255 - call do_notify_resume
14256 - jmp resume_userspace_sig
14257
14258 - ALIGN
14259 -work_notifysig_v86:
14260 pushl_cfi %ecx # save ti_flags for do_notify_resume
14261 call save_v86_state # %eax contains pt_regs pointer
14262 popl_cfi %ecx
14263 movl %eax, %esp
14264 -#else
14265 - movl %esp, %eax
14266 +1:
14267 #endif
14268 xorl %edx, %edx
14269 call do_notify_resume
14270 @@ -648,6 +838,9 @@ syscall_trace_entry:
14271 movl $-ENOSYS,PT_EAX(%esp)
14272 movl %esp, %eax
14273 call syscall_trace_enter
14274 +
14275 + pax_erase_kstack
14276 +
14277 /* What it returned is what we'll actually use. */
14278 cmpl $(nr_syscalls), %eax
14279 jnae syscall_call
14280 @@ -670,6 +863,10 @@ END(syscall_exit_work)
14281
14282 RING0_INT_FRAME # can't unwind into user space anyway
14283 syscall_fault:
14284 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14285 + push %ss
14286 + pop %ds
14287 +#endif
14288 GET_THREAD_INFO(%ebp)
14289 movl $-EFAULT,PT_EAX(%esp)
14290 jmp resume_userspace
14291 @@ -752,6 +949,36 @@ ptregs_clone:
14292 CFI_ENDPROC
14293 ENDPROC(ptregs_clone)
14294
14295 + ALIGN;
14296 +ENTRY(kernel_execve)
14297 + CFI_STARTPROC
14298 + pushl_cfi %ebp
14299 + sub $PT_OLDSS+4,%esp
14300 + pushl_cfi %edi
14301 + pushl_cfi %ecx
14302 + pushl_cfi %eax
14303 + lea 3*4(%esp),%edi
14304 + mov $PT_OLDSS/4+1,%ecx
14305 + xorl %eax,%eax
14306 + rep stosl
14307 + popl_cfi %eax
14308 + popl_cfi %ecx
14309 + popl_cfi %edi
14310 + movl $X86_EFLAGS_IF,PT_EFLAGS(%esp)
14311 + pushl_cfi %esp
14312 + call sys_execve
14313 + add $4,%esp
14314 + CFI_ADJUST_CFA_OFFSET -4
14315 + GET_THREAD_INFO(%ebp)
14316 + test %eax,%eax
14317 + jz syscall_exit
14318 + add $PT_OLDSS+4,%esp
14319 + CFI_ADJUST_CFA_OFFSET -PT_OLDSS-4
14320 + popl_cfi %ebp
14321 + ret
14322 + CFI_ENDPROC
14323 +ENDPROC(kernel_execve)
14324 +
14325 .macro FIXUP_ESPFIX_STACK
14326 /*
14327 * Switch back for ESPFIX stack to the normal zerobased stack
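Review bot: The unwind annotations in the new `kernel_execve` are unbalanced: `sub $PT_OLDSS+4,%esp` has no CFI adjustment, yet the matching `add $PT_OLDSS+4,%esp` on the failure path is followed by `CFI_ADJUST_CFA_OFFSET -PT_OLDSS-4`. The recorded CFA offset is therefore wrong for the body of the routine, which affects unwinding and debugger backtraces rather than execution. Adding `CFI_ADJUST_CFA_OFFSET PT_OLDSS+4` directly after the `sub` fixes it. The routine would also benefit from a short header comment saying that it builds a zeroed `pt_regs` frame on the stack and leaves through `syscall_exit` when `sys_execve` returns 0.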
14328 @@ -761,8 +988,15 @@ ENDPROC(ptregs_clone)
14329 * normal stack and adjusts ESP with the matching offset.
14330 */
14331 /* fixup the stack */
14332 - mov GDT_ESPFIX_SS + 4, %al /* bits 16..23 */
14333 - mov GDT_ESPFIX_SS + 7, %ah /* bits 24..31 */
14334 +#ifdef CONFIG_SMP
14335 + movl PER_CPU_VAR(cpu_number), %ebx
14336 + shll $PAGE_SHIFT_asm, %ebx
14337 + addl $cpu_gdt_table, %ebx
14338 +#else
14339 + movl $cpu_gdt_table, %ebx
14340 +#endif
14341 + mov 4 + GDT_ESPFIX_SS, %al /* bits 16..23 */
14342 + mov 7 + GDT_ESPFIX_SS, %ah /* bits 24..31 */
14343 shl $16, %eax
14344 addl %esp, %eax /* the adjusted stack pointer */
14345 pushl_cfi $__KERNEL_DS
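Review bot: The added lines load the per-CPU GDT address into `%ebx`, but the two `mov` lines that follow do not visibly use it. The hunk therefore only makes sense if `GDT_ESPFIX_SS` is redefined elsewhere in the patch as an `%ebx`-relative operand. That dependency, and the fact that `FIXUP_ESPFIX_STACK` now clobbers `%ebx`, should be stated in the macro's comment, e.g. `/* clobbers %eax, %ebx; GDT_ESPFIX_SS is relative to %ebx = this CPU's cpu_gdt_table page */`. The macro body continues past the end of the hunk.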
14346 @@ -1213,7 +1447,6 @@ return_to_handler:
14347 jmp *%ecx
14348 #endif
14349
14350 -.section .rodata,"a"
14351 #include "syscall_table_32.S"
14352
14353 syscall_table_size=(.-sys_call_table)
14354 @@ -1259,9 +1492,12 @@ error_code:
14355 movl $-1, PT_ORIG_EAX(%esp) # no syscall to restart
14356 REG_TO_PTGS %ecx
14357 SET_KERNEL_GS %ecx
14358 - movl $(__USER_DS), %ecx
14359 + movl $(__KERNEL_DS), %ecx
14360 movl %ecx, %ds
14361 movl %ecx, %es
14362 +
14363 + pax_enter_kernel
14364 +
14365 TRACE_IRQS_OFF
14366 movl %esp,%eax # pt_regs pointer
14367 call *%edi
14368 @@ -1346,6 +1582,9 @@ nmi_stack_correct:
14369 xorl %edx,%edx # zero error code
14370 movl %esp,%eax # pt_regs pointer
14371 call do_nmi
14372 +
14373 + pax_exit_kernel
14374 +
14375 jmp restore_all_notrace
14376 CFI_ENDPROC
14377
14378 @@ -1382,6 +1621,9 @@ nmi_espfix_stack:
14379 FIXUP_ESPFIX_STACK # %eax == %esp
14380 xorl %edx,%edx # zero error code
14381 call do_nmi
14382 +
14383 + pax_exit_kernel
14384 +
14385 RESTORE_REGS
14386 lss 12+4(%esp), %esp # back to espfix stack
14387 CFI_ADJUST_CFA_OFFSET -24
14388 diff -urNp linux-2.6.39.3/arch/x86/kernel/entry_64.S linux-2.6.39.3/arch/x86/kernel/entry_64.S
14389 --- linux-2.6.39.3/arch/x86/kernel/entry_64.S 2011-05-19 00:06:34.000000000 -0400
14390 +++ linux-2.6.39.3/arch/x86/kernel/entry_64.S 2011-05-23 17:10:49.000000000 -0400
14391 @@ -53,6 +53,7 @@
14392 #include <asm/paravirt.h>
14393 #include <asm/ftrace.h>
14394 #include <asm/percpu.h>
14395 +#include <asm/pgtable.h>
14396
14397 /* Avoid __ASSEMBLER__'ifying <linux/audit.h> just for this. */
14398 #include <linux/elf-em.h>
14399 @@ -176,6 +177,259 @@ ENTRY(native_usergs_sysret64)
14400 ENDPROC(native_usergs_sysret64)
14401 #endif /* CONFIG_PARAVIRT */
14402
14403 + .macro ljmpq sel, off
14404 +#if defined(CONFIG_MPSC) || defined(CONFIG_MCORE2) || defined (CONFIG_MATOM)
14405 + .byte 0x48; ljmp *1234f(%rip)
14406 + .pushsection .rodata
14407 + .align 16
14408 + 1234: .quad \off; .word \sel
14409 + .popsection
14410 +#else
14411 + pushq $\sel
14412 + pushq $\off
14413 + lretq
14414 +#endif
14415 + .endm
14416 +
14417 + .macro pax_enter_kernel
14418 +#ifdef CONFIG_PAX_KERNEXEC
14419 + call pax_enter_kernel
14420 +#endif
14421 + .endm
14422 +
14423 + .macro pax_exit_kernel
14424 +#ifdef CONFIG_PAX_KERNEXEC
14425 + call pax_exit_kernel
14426 +#endif
14427 + .endm
14428 +
14429 +#ifdef CONFIG_PAX_KERNEXEC
14430 +ENTRY(pax_enter_kernel)
14431 + pushq %rdi
14432 +
14433 +#ifdef CONFIG_PARAVIRT
14434 + PV_SAVE_REGS(CLBR_RDI)
14435 +#endif
14436 +
14437 + GET_CR0_INTO_RDI
14438 + bts $16,%rdi
14439 + jnc 1f
14440 + mov %cs,%edi
14441 + cmp $__KERNEL_CS,%edi
14442 + jz 3f
14443 + ljmpq __KERNEL_CS,3f
14444 +1: ljmpq __KERNEXEC_KERNEL_CS,2f
14445 +2: SET_RDI_INTO_CR0
14446 +3:
14447 +
14448 +#ifdef CONFIG_PARAVIRT
14449 + PV_RESTORE_REGS(CLBR_RDI)
14450 +#endif
14451 +
14452 + popq %rdi
14453 + retq
14454 +ENDPROC(pax_enter_kernel)
14455 +
14456 +ENTRY(pax_exit_kernel)
14457 + pushq %rdi
14458 +
14459 +#ifdef CONFIG_PARAVIRT
14460 + PV_SAVE_REGS(CLBR_RDI)
14461 +#endif
14462 +
14463 + mov %cs,%rdi
14464 + cmp $__KERNEXEC_KERNEL_CS,%edi
14465 + jnz 2f
14466 + GET_CR0_INTO_RDI
14467 + btr $16,%rdi
14468 + ljmpq __KERNEL_CS,1f
14469 +1: SET_RDI_INTO_CR0
14470 +2:
14471 +
14472 +#ifdef CONFIG_PARAVIRT
14473 + PV_RESTORE_REGS(CLBR_RDI);
14474 +#endif
14475 +
14476 + popq %rdi
14477 + retq
14478 +ENDPROC(pax_exit_kernel)
14479 +#endif
14480 +
14481 + .macro pax_enter_kernel_user
14482 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14483 + call pax_enter_kernel_user
14484 +#endif
14485 + .endm
14486 +
14487 + .macro pax_exit_kernel_user
14488 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14489 + call pax_exit_kernel_user
14490 +#endif
14491 +#ifdef CONFIG_PAX_RANDKSTACK
14492 + push %rax
14493 + call pax_randomize_kstack
14494 + pop %rax
14495 +#endif
14496 +#ifdef CONFIG_PAX_MEMORY_STACKLEAK
14497 + call pax_erase_kstack
14498 +#endif
14499 + .endm
14500 +
14501 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14502 +ENTRY(pax_enter_kernel_user)
14503 + pushq %rdi
14504 + pushq %rbx
14505 +
14506 +#ifdef CONFIG_PARAVIRT
14507 + PV_SAVE_REGS(CLBR_RDI)
14508 +#endif
14509 +
14510 + GET_CR3_INTO_RDI
14511 + mov %rdi,%rbx
14512 + add $__START_KERNEL_map,%rbx
14513 + sub phys_base(%rip),%rbx
14514 +
14515 +#ifdef CONFIG_PARAVIRT
14516 + pushq %rdi
14517 + cmpl $0, pv_info+PARAVIRT_enabled
14518 + jz 1f
14519 + i = 0
14520 + .rept USER_PGD_PTRS
14521 + mov i*8(%rbx),%rsi
14522 + mov $0,%sil
14523 + lea i*8(%rbx),%rdi
14524 + call PARA_INDIRECT(pv_mmu_ops+PV_MMU_set_pgd)
14525 + i = i + 1
14526 + .endr
14527 + jmp 2f
14528 +1:
14529 +#endif
14530 +
14531 + i = 0
14532 + .rept USER_PGD_PTRS
14533 + movb $0,i*8(%rbx)
14534 + i = i + 1
14535 + .endr
14536 +
14537 +#ifdef CONFIG_PARAVIRT
14538 +2: popq %rdi
14539 +#endif
14540 + SET_RDI_INTO_CR3
14541 +
14542 +#ifdef CONFIG_PAX_KERNEXEC
14543 + GET_CR0_INTO_RDI
14544 + bts $16,%rdi
14545 + SET_RDI_INTO_CR0
14546 +#endif
14547 +
14548 +#ifdef CONFIG_PARAVIRT
14549 + PV_RESTORE_REGS(CLBR_RDI)
14550 +#endif
14551 +
14552 + popq %rbx
14553 + popq %rdi
14554 + retq
14555 +ENDPROC(pax_enter_kernel_user)
14556 +
14557 +ENTRY(pax_exit_kernel_user)
14558 + push %rdi
14559 +
14560 +#ifdef CONFIG_PARAVIRT
14561 + pushq %rbx
14562 + PV_SAVE_REGS(CLBR_RDI)
14563 +#endif
14564 +
14565 +#ifdef CONFIG_PAX_KERNEXEC
14566 + GET_CR0_INTO_RDI
14567 + btr $16,%rdi
14568 + SET_RDI_INTO_CR0
14569 +#endif
14570 +
14571 + GET_CR3_INTO_RDI
14572 + add $__START_KERNEL_map,%rdi
14573 + sub phys_base(%rip),%rdi
14574 +
14575 +#ifdef CONFIG_PARAVIRT
14576 + cmpl $0, pv_info+PARAVIRT_enabled
14577 + jz 1f
14578 + mov %rdi,%rbx
14579 + i = 0
14580 + .rept USER_PGD_PTRS
14581 + mov i*8(%rbx),%rsi
14582 + mov $0x67,%sil
14583 + lea i*8(%rbx),%rdi
14584 + call PARA_INDIRECT(pv_mmu_ops+PV_MMU_set_pgd)
14585 + i = i + 1
14586 + .endr
14587 + jmp 2f
14588 +1:
14589 +#endif
14590 +
14591 + i = 0
14592 + .rept USER_PGD_PTRS
14593 + movb $0x67,i*8(%rdi)
14594 + i = i + 1
14595 + .endr
14596 +
14597 +#ifdef CONFIG_PARAVIRT
14598 +2: PV_RESTORE_REGS(CLBR_RDI)
14599 + popq %rbx
14600 +#endif
14601 +
14602 + popq %rdi
14603 + retq
14604 +ENDPROC(pax_exit_kernel_user)
14605 +#endif
14606 +
14607 + .macro pax_erase_kstack
14608 +#ifdef CONFIG_PAX_MEMORY_STACKLEAK
14609 + call pax_erase_kstack
14610 +#endif
14611 + .endm
14612 +
14613 +#ifdef CONFIG_PAX_MEMORY_STACKLEAK
14614 +/*
14615 + * r10: thread_info
14616 + * rcx, rdx: can be clobbered
14617 + */
14618 +ENTRY(pax_erase_kstack)
14619 + pushq %rdi
14620 + pushq %rax
14621 +
14622 + GET_THREAD_INFO(%r10)
14623 + mov TI_lowest_stack(%r10), %rdi
14624 + mov $-0xBEEF, %rax
14625 + std
14626 +
14627 +1: mov %edi, %ecx
14628 + and $THREAD_SIZE_asm - 1, %ecx
14629 + shr $3, %ecx
14630 + repne scasq
14631 + jecxz 2f
14632 +
14633 + cmp $2*8, %ecx
14634 + jc 2f
14635 +
14636 + mov $2*8, %ecx
14637 + repe scasq
14638 + jecxz 2f
14639 + jne 1b
14640 +
14641 +2: cld
14642 + mov %esp, %ecx
14643 + sub %edi, %ecx
14644 + shr $3, %ecx
14645 + rep stosq
14646 +
14647 + mov TI_task_thread_sp0(%r10), %rdi
14648 + sub $256, %rdi
14649 + mov %rdi, TI_lowest_stack(%r10)
14650 +
14651 + popq %rax
14652 + popq %rdi
14653 + ret
14654 +ENDPROC(pax_erase_kstack)
14655 +#endif
14656
14657 .macro TRACE_IRQS_IRETQ offset=ARGOFFSET
14658 #ifdef CONFIG_TRACE_IRQFLAGS
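Review bot: The helpers added here (`pax_enter_kernel`, `pax_exit_kernel`, `pax_enter_kernel_user`, `pax_exit_kernel_user`) carry no comments, and their behaviour rests on unexplained constants. `bts $16,%rdi` / `btr $16,%rdi` on the CR0 value toggle bit 16, which is CR0.WP, and `movb $0x67` / `mov $0,%sil` rewrite the low flag byte of the first `USER_PGD_PTRS` entries of the page table that CR3 points to. Comments such as `/* CR0.WP */` on the bit tests and `/* 0x67 = PRESENT|RW|USER|ACCESSED|DIRTY */` on the stores, plus a short header per routine naming the registers it preserves, would make this auditable. The header on `pax_erase_kstack` is also inaccurate as written: `%r10` is loaded by the routine itself via `GET_THREAD_INFO(%r10)` and `%rdx` is never touched, so it should read along the lines of `clobbers %r10 (set to thread_info) and %rcx`.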
14659 @@ -318,7 +572,7 @@ ENTRY(save_args)
14660 leaq -RBP+8(%rsp),%rdi /* arg1 for handler */
14661 movq_cfi rbp, 8 /* push %rbp */
14662 leaq 8(%rsp), %rbp /* mov %rsp, %ebp */
14663 - testl $3, CS(%rdi)
14664 + testb $3, CS(%rdi)
14665 je 1f
14666 SWAPGS
14667 /*
14668 @@ -409,7 +663,7 @@ ENTRY(ret_from_fork)
14669
14670 RESTORE_REST
14671
14672 - testl $3, CS-ARGOFFSET(%rsp) # from kernel_thread?
14673 + testb $3, CS-ARGOFFSET(%rsp) # from kernel_thread?
14674 je int_ret_from_sys_call
14675
14676 testl $_TIF_IA32, TI_flags(%rcx) # 32-bit compat task needs IRET
14677 @@ -455,7 +709,7 @@ END(ret_from_fork)
14678 ENTRY(system_call)
14679 CFI_STARTPROC simple
14680 CFI_SIGNAL_FRAME
14681 - CFI_DEF_CFA rsp,KERNEL_STACK_OFFSET
14682 + CFI_DEF_CFA rsp,0
14683 CFI_REGISTER rip,rcx
14684 /*CFI_REGISTER rflags,r11*/
14685 SWAPGS_UNSAFE_STACK
14686 @@ -468,12 +722,13 @@ ENTRY(system_call_after_swapgs)
14687
14688 movq %rsp,PER_CPU_VAR(old_rsp)
14689 movq PER_CPU_VAR(kernel_stack),%rsp
14690 + pax_enter_kernel_user
14691 /*
14692 * No need to follow this irqs off/on section - it's straight
14693 * and short:
14694 */
14695 ENABLE_INTERRUPTS(CLBR_NONE)
14696 - SAVE_ARGS 8,1
14697 + SAVE_ARGS 8*6,1
14698 movq %rax,ORIG_RAX-ARGOFFSET(%rsp)
14699 movq %rcx,RIP-ARGOFFSET(%rsp)
14700 CFI_REL_OFFSET rip,RIP-ARGOFFSET
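Review bot: `SAVE_ARGS 8*6,1` replaces `SAVE_ARGS 8,1` with no comment on where the six slots come from. It looks tied to the `CFI_DEF_CFA rsp,0` change in the previous hunk and to a different initial value of `kernel_stack` elsewhere in the patch, but neither is visible here. A comment on the line, for example `/* kernel_stack points at the top of the stack here: skip ss, rsp, rflags, cs, rip, orig_rax */`, would document it once the slot list is confirmed. The enclosing `system_call_after_swapgs` body extends beyond the hunk.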
14701 @@ -502,6 +757,7 @@ sysret_check:
14702 andl %edi,%edx
14703 jnz sysret_careful
14704 CFI_REMEMBER_STATE
14705 + pax_exit_kernel_user
14706 /*
14707 * sysretq will re-enable interrupts:
14708 */
14709 @@ -560,6 +816,9 @@ auditsys:
14710 movq %rax,%rsi /* 2nd arg: syscall number */
14711 movl $AUDIT_ARCH_X86_64,%edi /* 1st arg: audit arch */
14712 call audit_syscall_entry
14713 +
14714 + pax_erase_kstack
14715 +
14716 LOAD_ARGS 0 /* reload call-clobbered registers */
14717 jmp system_call_fastpath
14718
14719 @@ -590,6 +849,9 @@ tracesys:
14720 FIXUP_TOP_OF_STACK %rdi
14721 movq %rsp,%rdi
14722 call syscall_trace_enter
14723 +
14724 + pax_erase_kstack
14725 +
14726 /*
14727 * Reload arg registers from stack in case ptrace changed them.
14728 * We don't reload %rax because syscall_trace_enter() returned
14729 @@ -611,7 +873,7 @@ tracesys:
14730 GLOBAL(int_ret_from_sys_call)
14731 DISABLE_INTERRUPTS(CLBR_NONE)
14732 TRACE_IRQS_OFF
14733 - testl $3,CS-ARGOFFSET(%rsp)
14734 + testb $3,CS-ARGOFFSET(%rsp)
14735 je retint_restore_args
14736 movl $_TIF_ALLWORK_MASK,%edi
14737 /* edi: mask to check */
14738 @@ -793,6 +1055,16 @@ END(interrupt)
14739 CFI_ADJUST_CFA_OFFSET ORIG_RAX-RBP
14740 call save_args
14741 PARTIAL_FRAME 0
14742 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14743 + testb $3, CS(%rdi)
14744 + jnz 1f
14745 + pax_enter_kernel
14746 + jmp 2f
14747 +1: pax_enter_kernel_user
14748 +2:
14749 +#else
14750 + pax_enter_kernel
14751 +#endif
14752 call \func
14753 .endm
14754
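Review bot: The ten-line `#ifdef CONFIG_PAX_MEMORY_UDEREF` … `#endif` sequence added before `call \func` is repeated in six later hunks of this file (the `ENTRY(\sym)` entry hunks and the `ENTRY(nmi)` hunk), differing only in `CS(%rdi)` here versus `CS(%rsp)` there. Folding it into one macro that takes the saved-CS operand would keep the seven copies from drifting apart and give the numeric labels `1:`/`2:` a single home. A possible shape is below; the macro name is a suggestion, and each call site becomes a single line.

```asm
	.macro pax_enter_kernel_by_cs cs_operand
#ifdef CONFIG_PAX_MEMORY_UDEREF
	testb $3, \cs_operand		/* privilege level of the interrupted context */
	jnz 1f
	pax_enter_kernel
	jmp 2f
1:	pax_enter_kernel_user
2:
#else
	pax_enter_kernel
#endif
	.endm

	/* ... unchanged: save_args call and PARTIAL_FRAME 0 ... */
	pax_enter_kernel_by_cs CS(%rdi)
	call \func
```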
14755 @@ -825,7 +1097,7 @@ ret_from_intr:
14756 CFI_ADJUST_CFA_OFFSET -8
14757 exit_intr:
14758 GET_THREAD_INFO(%rcx)
14759 - testl $3,CS-ARGOFFSET(%rsp)
14760 + testb $3,CS-ARGOFFSET(%rsp)
14761 je retint_kernel
14762
14763 /* Interrupt came from user space */
14764 @@ -847,12 +1119,14 @@ retint_swapgs: /* return to user-space
14765 * The iretq could re-enable interrupts:
14766 */
14767 DISABLE_INTERRUPTS(CLBR_ANY)
14768 + pax_exit_kernel_user
14769 TRACE_IRQS_IRETQ
14770 SWAPGS
14771 jmp restore_args
14772
14773 retint_restore_args: /* return to kernel space */
14774 DISABLE_INTERRUPTS(CLBR_ANY)
14775 + pax_exit_kernel
14776 /*
14777 * The iretq could re-enable interrupts:
14778 */
14779 @@ -1027,6 +1301,16 @@ ENTRY(\sym)
14780 CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
14781 call error_entry
14782 DEFAULT_FRAME 0
14783 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14784 + testb $3, CS(%rsp)
14785 + jnz 1f
14786 + pax_enter_kernel
14787 + jmp 2f
14788 +1: pax_enter_kernel_user
14789 +2:
14790 +#else
14791 + pax_enter_kernel
14792 +#endif
14793 movq %rsp,%rdi /* pt_regs pointer */
14794 xorl %esi,%esi /* no error code */
14795 call \do_sym
14796 @@ -1044,6 +1328,16 @@ ENTRY(\sym)
14797 CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
14798 call save_paranoid
14799 TRACE_IRQS_OFF
14800 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14801 + testb $3, CS(%rsp)
14802 + jnz 1f
14803 + pax_enter_kernel
14804 + jmp 2f
14805 +1: pax_enter_kernel_user
14806 +2:
14807 +#else
14808 + pax_enter_kernel
14809 +#endif
14810 movq %rsp,%rdi /* pt_regs pointer */
14811 xorl %esi,%esi /* no error code */
14812 call \do_sym
14813 @@ -1052,7 +1346,7 @@ ENTRY(\sym)
14814 END(\sym)
14815 .endm
14816
14817 -#define INIT_TSS_IST(x) PER_CPU_VAR(init_tss) + (TSS_ist + ((x) - 1) * 8)
14818 +#define INIT_TSS_IST(x) (TSS_ist + ((x) - 1) * 8)(%r12)
14819 .macro paranoidzeroentry_ist sym do_sym ist
14820 ENTRY(\sym)
14821 INTR_FRAME
14822 @@ -1062,8 +1356,24 @@ ENTRY(\sym)
14823 CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
14824 call save_paranoid
14825 TRACE_IRQS_OFF
14826 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14827 + testb $3, CS(%rsp)
14828 + jnz 1f
14829 + pax_enter_kernel
14830 + jmp 2f
14831 +1: pax_enter_kernel_user
14832 +2:
14833 +#else
14834 + pax_enter_kernel
14835 +#endif
14836 movq %rsp,%rdi /* pt_regs pointer */
14837 xorl %esi,%esi /* no error code */
14838 +#ifdef CONFIG_SMP
14839 + imul $TSS_size, PER_CPU_VAR(cpu_number), %r12d
14840 + lea init_tss(%r12), %r12
14841 +#else
14842 + lea init_tss(%rip), %r12
14843 +#endif
14844 subq $EXCEPTION_STKSZ, INIT_TSS_IST(\ist)
14845 call \do_sym
14846 addq $EXCEPTION_STKSZ, INIT_TSS_IST(\ist)
14847 @@ -1080,6 +1390,16 @@ ENTRY(\sym)
14848 CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
14849 call error_entry
14850 DEFAULT_FRAME 0
14851 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14852 + testb $3, CS(%rsp)
14853 + jnz 1f
14854 + pax_enter_kernel
14855 + jmp 2f
14856 +1: pax_enter_kernel_user
14857 +2:
14858 +#else
14859 + pax_enter_kernel
14860 +#endif
14861 movq %rsp,%rdi /* pt_regs pointer */
14862 movq ORIG_RAX(%rsp),%rsi /* get error code */
14863 movq $-1,ORIG_RAX(%rsp) /* no syscall to restart */
14864 @@ -1099,6 +1419,16 @@ ENTRY(\sym)
14865 call save_paranoid
14866 DEFAULT_FRAME 0
14867 TRACE_IRQS_OFF
14868 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14869 + testb $3, CS(%rsp)
14870 + jnz 1f
14871 + pax_enter_kernel
14872 + jmp 2f
14873 +1: pax_enter_kernel_user
14874 +2:
14875 +#else
14876 + pax_enter_kernel
14877 +#endif
14878 movq %rsp,%rdi /* pt_regs pointer */
14879 movq ORIG_RAX(%rsp),%rsi /* get error code */
14880 movq $-1,ORIG_RAX(%rsp) /* no syscall to restart */
14881 @@ -1361,14 +1691,27 @@ ENTRY(paranoid_exit)
14882 TRACE_IRQS_OFF
14883 testl %ebx,%ebx /* swapgs needed? */
14884 jnz paranoid_restore
14885 - testl $3,CS(%rsp)
14886 + testb $3,CS(%rsp)
14887 jnz paranoid_userspace
14888 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14889 + pax_exit_kernel
14890 + TRACE_IRQS_IRETQ 0
14891 + SWAPGS_UNSAFE_STACK
14892 + RESTORE_ALL 8
14893 + jmp irq_return
14894 +#endif
14895 paranoid_swapgs:
14896 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14897 + pax_exit_kernel_user
14898 +#else
14899 + pax_exit_kernel
14900 +#endif
14901 TRACE_IRQS_IRETQ 0
14902 SWAPGS_UNSAFE_STACK
14903 RESTORE_ALL 8
14904 jmp irq_return
14905 paranoid_restore:
14906 + pax_exit_kernel
14907 TRACE_IRQS_IRETQ 0
14908 RESTORE_ALL 8
14909 jmp irq_return
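Review bot: The block added between `jnz paranoid_userspace` and `paranoid_swapgs:` has no label or comment, and it duplicates the `TRACE_IRQS_IRETQ 0` / `SWAPGS_UNSAFE_STACK` / `RESTORE_ALL 8` / `jmp irq_return` tail that follows. From the two tests above it, it is reached when `%ebx` is zero and the saved CS has RPL 0, so a comment like `/* kernel CS but swapgs still needed: leave via pax_exit_kernel, not pax_exit_kernel_user */` would state the case. The `nmi` exit hunk further down adds the same kind of unlabeled block and needs the same comment. `paranoid_exit` starts before this hunk.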
14910 @@ -1426,7 +1769,7 @@ ENTRY(error_entry)
14911 movq_cfi r14, R14+8
14912 movq_cfi r15, R15+8
14913 xorl %ebx,%ebx
14914 - testl $3,CS+8(%rsp)
14915 + testb $3,CS+8(%rsp)
14916 je error_kernelspace
14917 error_swapgs:
14918 SWAPGS
14919 @@ -1490,6 +1833,16 @@ ENTRY(nmi)
14920 CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
14921 call save_paranoid
14922 DEFAULT_FRAME 0
14923 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14924 + testb $3, CS(%rsp)
14925 + jnz 1f
14926 + pax_enter_kernel
14927 + jmp 2f
14928 +1: pax_enter_kernel_user
14929 +2:
14930 +#else
14931 + pax_enter_kernel
14932 +#endif
14933 /* paranoidentry do_nmi, 0; without TRACE_IRQS_OFF */
14934 movq %rsp,%rdi
14935 movq $-1,%rsi
14936 @@ -1500,11 +1853,25 @@ ENTRY(nmi)
14937 DISABLE_INTERRUPTS(CLBR_NONE)
14938 testl %ebx,%ebx /* swapgs needed? */
14939 jnz nmi_restore
14940 - testl $3,CS(%rsp)
14941 + testb $3,CS(%rsp)
14942 jnz nmi_userspace
14943 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14944 + pax_exit_kernel
14945 + SWAPGS_UNSAFE_STACK
14946 + RESTORE_ALL 8
14947 + jmp irq_return
14948 +#endif
14949 nmi_swapgs:
14950 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14951 + pax_exit_kernel_user
14952 +#else
14953 + pax_exit_kernel
14954 +#endif
14955 SWAPGS_UNSAFE_STACK
14956 + RESTORE_ALL 8
14957 + jmp irq_return
14958 nmi_restore:
14959 + pax_exit_kernel
14960 RESTORE_ALL 8
14961 jmp irq_return
14962 nmi_userspace:
14963 diff -urNp linux-2.6.39.3/arch/x86/kernel/ftrace.c linux-2.6.39.3/arch/x86/kernel/ftrace.c
14964 --- linux-2.6.39.3/arch/x86/kernel/ftrace.c 2011-05-19 00:06:34.000000000 -0400
14965 +++ linux-2.6.39.3/arch/x86/kernel/ftrace.c 2011-05-22 19:36:30.000000000 -0400
14966 @@ -126,7 +126,7 @@ static void *mod_code_ip; /* holds the
14967 static void *mod_code_newcode; /* holds the text to write to the IP */
14968
14969 static unsigned nmi_wait_count;
14970 -static atomic_t nmi_update_count = ATOMIC_INIT(0);
14971 +static atomic_unchecked_t nmi_update_count = ATOMIC_INIT(0);
14972
14973 int ftrace_arch_read_dyn_info(char *buf, int size)
14974 {
14975 @@ -134,7 +134,7 @@ int ftrace_arch_read_dyn_info(char *buf,
14976
14977 r = snprintf(buf, size, "%u %u",
14978 nmi_wait_count,
14979 - atomic_read(&nmi_update_count));
14980 + atomic_read_unchecked(&nmi_update_count));
14981 return r;
14982 }
14983
14984 @@ -177,8 +177,10 @@ void ftrace_nmi_enter(void)
14985
14986 if (atomic_inc_return(&nmi_running) & MOD_CODE_WRITE_FLAG) {
14987 smp_rmb();
14988 + pax_open_kernel();
14989 ftrace_mod_code();
14990 - atomic_inc(&nmi_update_count);
14991 + pax_close_kernel();
14992 + atomic_inc_unchecked(&nmi_update_count);
14993 }
14994 /* Must have previous changes seen before executions */
14995 smp_mb();
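Review bot: No comment explains the `pax_open_kernel()` / `pax_close_kernel()` pair now wrapped around `ftrace_mod_code()` in `ftrace_nmi_enter()`. Presumably `ftrace_mod_code()` writes to kernel text and needs the write window, which would explain why `atomic_inc_unchecked(&nmi_update_count)` was moved after the close. A line such as `/* text patching only: keep the open window as small as possible */` above `pax_open_kernel()` would record that. The function begins and ends outside the hunk.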
14996 @@ -271,6 +273,8 @@ ftrace_modify_code(unsigned long ip, uns
14997 {
14998 unsigned char replaced[MCOUNT_INSN_SIZE];
14999
15000 + ip = ktla_ktva(ip);
15001 +
15002 /*
15003 * Note: Due to modules and __init, code can
15004 * disappear and change, we need to protect against faulting
15005 @@ -327,7 +331,7 @@ int ftrace_update_ftrace_func(ftrace_fun
15006 unsigned char old[MCOUNT_INSN_SIZE], *new;
15007 int ret;
15008
15009 - memcpy(old, &ftrace_call, MCOUNT_INSN_SIZE);
15010 + memcpy(old, (void *)ktla_ktva((unsigned long)ftrace_call), MCOUNT_INSN_SIZE);
15011 new = ftrace_call_replace(ip, (unsigned long)func);
15012 ret = ftrace_modify_code(ip, old, new);
15013
15014 @@ -353,6 +357,8 @@ static int ftrace_mod_jmp(unsigned long
15015 {
15016 unsigned char code[MCOUNT_INSN_SIZE];
15017
15018 + ip = ktla_ktva(ip);
15019 +
15020 if (probe_kernel_read(code, (void *)ip, MCOUNT_INSN_SIZE))
15021 return -EFAULT;
15022
15023 diff -urNp linux-2.6.39.3/arch/x86/kernel/head32.c linux-2.6.39.3/arch/x86/kernel/head32.c
15024 --- linux-2.6.39.3/arch/x86/kernel/head32.c 2011-05-19 00:06:34.000000000 -0400
15025 +++ linux-2.6.39.3/arch/x86/kernel/head32.c 2011-05-22 19:36:30.000000000 -0400
15026 @@ -19,6 +19,7 @@
15027 #include <asm/io_apic.h>
15028 #include <asm/bios_ebda.h>
15029 #include <asm/tlbflush.h>
15030 +#include <asm/boot.h>
15031
15032 static void __init i386_default_early_setup(void)
15033 {
15034 @@ -34,7 +35,7 @@ void __init i386_start_kernel(void)
15035 {
15036 memblock_init();
15037
15038 - memblock_x86_reserve_range(__pa_symbol(&_text), __pa_symbol(&__bss_stop), "TEXT DATA BSS");
15039 + memblock_x86_reserve_range(LOAD_PHYSICAL_ADDR, __pa_symbol(&__bss_stop), "TEXT DATA BSS");
15040
15041 #ifdef CONFIG_BLK_DEV_INITRD
15042 /* Reserve INITRD */
15043 diff -urNp linux-2.6.39.3/arch/x86/kernel/head_32.S linux-2.6.39.3/arch/x86/kernel/head_32.S
15044 --- linux-2.6.39.3/arch/x86/kernel/head_32.S 2011-05-19 00:06:34.000000000 -0400
15045 +++ linux-2.6.39.3/arch/x86/kernel/head_32.S 2011-07-06 20:00:13.000000000 -0400
15046 @@ -25,6 +25,12 @@
15047 /* Physical address */
15048 #define pa(X) ((X) - __PAGE_OFFSET)
15049
15050 +#ifdef CONFIG_PAX_KERNEXEC
15051 +#define ta(X) (X)
15052 +#else
15053 +#define ta(X) ((X) - __PAGE_OFFSET)
15054 +#endif
15055 +
15056 /*
15057 * References to members of the new_cpu_data structure.
15058 */
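Review bot: The new `ta()` macro has no comment, unlike `pa()` just above it with its `/* Physical address */`. Under CONFIG_PAX_KERNEXEC it is the identity and otherwise it equals `pa()`, which is not obvious at its use in `subarch_entries` later in this file. Something like `/* Address as stored in subarch_entries for the indirect jmp: unchanged under KERNEXEC, physical otherwise */` would do, adjusted to the intended meaning of the name.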
15059 @@ -54,11 +60,7 @@
15060 * and small than max_low_pfn, otherwise will waste some page table entries
15061 */
15062
15063 -#if PTRS_PER_PMD > 1
15064 -#define PAGE_TABLE_SIZE(pages) (((pages) / PTRS_PER_PMD) + PTRS_PER_PGD)
15065 -#else
15066 -#define PAGE_TABLE_SIZE(pages) ((pages) / PTRS_PER_PGD)
15067 -#endif
15068 +#define PAGE_TABLE_SIZE(pages) ((pages) / PTRS_PER_PTE)
15069
15070 /* Number of possible pages in the lowmem region */
15071 LOWMEM_PAGES = (((1<<32) - __PAGE_OFFSET) >> PAGE_SHIFT)
15072 @@ -77,6 +79,12 @@ INIT_MAP_SIZE = PAGE_TABLE_SIZE(KERNEL_P
15073 RESERVE_BRK(pagetables, INIT_MAP_SIZE)
15074
15075 /*
15076 + * Real beginning of normal "text" segment
15077 + */
15078 +ENTRY(stext)
15079 +ENTRY(_stext)
15080 +
15081 +/*
15082 * 32-bit kernel entrypoint; only used by the boot CPU. On entry,
15083 * %esi points to the real-mode code as a 32-bit pointer.
15084 * CS and DS must be 4 GB flat segments, but we don't depend on
15085 @@ -84,6 +92,13 @@ RESERVE_BRK(pagetables, INIT_MAP_SIZE)
15086 * can.
15087 */
15088 __HEAD
15089 +
15090 +#ifdef CONFIG_PAX_KERNEXEC
15091 + jmp startup_32
15092 +/* PaX: fill first page in .text with int3 to catch NULL derefs in kernel mode */
15093 +.fill PAGE_SIZE-5,1,0xcc
15094 +#endif
15095 +
15096 ENTRY(startup_32)
15097 movl pa(stack_start),%ecx
15098
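Review bot: The `5` in `.fill PAGE_SIZE-5,1,0xcc` silently assumes that `jmp startup_32` assembles to the 5-byte near form. The link between the two lines deserves a comment, e.g. `/* 5 = length of the jmp rel32 above, so jmp plus fill cover exactly PAGE_SIZE bytes */`. The existing PaX comment explains the `0xcc` fill but not the length.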
15099 @@ -105,6 +120,57 @@ ENTRY(startup_32)
15100 2:
15101 leal -__PAGE_OFFSET(%ecx),%esp
15102
15103 +#ifdef CONFIG_SMP
15104 + movl $pa(cpu_gdt_table),%edi
15105 + movl $__per_cpu_load,%eax
15106 + movw %ax,__KERNEL_PERCPU + 2(%edi)
15107 + rorl $16,%eax
15108 + movb %al,__KERNEL_PERCPU + 4(%edi)
15109 + movb %ah,__KERNEL_PERCPU + 7(%edi)
15110 + movl $__per_cpu_end - 1,%eax
15111 + subl $__per_cpu_start,%eax
15112 + movw %ax,__KERNEL_PERCPU + 0(%edi)
15113 +#endif
15114 +
15115 +#ifdef CONFIG_PAX_MEMORY_UDEREF
15116 + movl $NR_CPUS,%ecx
15117 + movl $pa(cpu_gdt_table),%edi
15118 +1:
15119 + movl $((((__PAGE_OFFSET-1) & 0xf0000000) >> 12) | 0x00c09700),GDT_ENTRY_KERNEL_DS * 8 + 4(%edi)
15120 + movl $((((__PAGE_OFFSET-1) & 0xf0000000) >> 12) | 0x00c0fb00),GDT_ENTRY_DEFAULT_USER_CS * 8 + 4(%edi)
15121 + movl $((((__PAGE_OFFSET-1) & 0xf0000000) >> 12) | 0x00c0f300),GDT_ENTRY_DEFAULT_USER_DS * 8 + 4(%edi)
15122 + addl $PAGE_SIZE_asm,%edi
15123 + loop 1b
15124 +#endif
15125 +
15126 +#ifdef CONFIG_PAX_KERNEXEC
15127 + movl $pa(boot_gdt),%edi
15128 + movl $__LOAD_PHYSICAL_ADDR,%eax
15129 + movw %ax,__BOOT_CS + 2(%edi)
15130 + rorl $16,%eax
15131 + movb %al,__BOOT_CS + 4(%edi)
15132 + movb %ah,__BOOT_CS + 7(%edi)
15133 + rorl $16,%eax
15134 +
15135 + ljmp $(__BOOT_CS),$1f
15136 +1:
15137 +
15138 + movl $NR_CPUS,%ecx
15139 + movl $pa(cpu_gdt_table),%edi
15140 + addl $__PAGE_OFFSET,%eax
15141 +1:
15142 + movw %ax,__KERNEL_CS + 2(%edi)
15143 + movw %ax,__KERNEXEC_KERNEL_CS + 2(%edi)
15144 + rorl $16,%eax
15145 + movb %al,__KERNEL_CS + 4(%edi)
15146 + movb %al,__KERNEXEC_KERNEL_CS + 4(%edi)
15147 + movb %ah,__KERNEL_CS + 7(%edi)
15148 + movb %ah,__KERNEXEC_KERNEL_CS + 7(%edi)
15149 + rorl $16,%eax
15150 + addl $PAGE_SIZE_asm,%edi
15151 + loop 1b
15152 +#endif
15153 +
15154 /*
15155 * Clear BSS first so that there are no surprises...
15156 */
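Review bot: The three descriptor words written in the CONFIG_PAX_MEMORY_UDEREF loop are opaque: `0x00c09700`, `0x00c0fb00` and `0x00c0f300` each need a comment. Decoded, the `((__PAGE_OFFSET-1) & 0xf0000000) >> 12` term fills limit bits 16..19, `0xc` is the granularity and 32-bit flags, and the access bytes are `0x97` (DPL 0 expand-down writable data), `0xfb` (DPL 3 code) and `0xf3` (DPL 3 data). The CONFIG_PAX_KERNEXEC part also relies on `%eax` still holding `__LOAD_PHYSICAL_ADDR` after the paired `rorl $16` when it reaches `addl $__PAGE_OFFSET,%eax`, and the hunk reuses the label `1:` three times; a short comment on each would help. `startup_32` continues outside the hunk.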
15157 @@ -195,8 +261,11 @@ ENTRY(startup_32)
15158 movl %eax, pa(max_pfn_mapped)
15159
15160 /* Do early initialization of the fixmap area */
15161 - movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR,%eax
15162 - movl %eax,pa(initial_pg_pmd+0x1000*KPMDS-8)
15163 +#ifdef CONFIG_COMPAT_VDSO
15164 + movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR+_PAGE_USER,pa(initial_pg_pmd+0x1000*KPMDS-8)
15165 +#else
15166 + movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR,pa(initial_pg_pmd+0x1000*KPMDS-8)
15167 +#endif
15168 #else /* Not PAE */
15169
15170 page_pde_offset = (__PAGE_OFFSET >> 20);
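Review bot: `PDE_IDENT_ATTR+_PAGE_USER` combines flag bits with `+`, which is only correct if `PDE_IDENT_ATTR` does not already contain `_PAGE_USER`; if it does, the addition carries into the next bit instead of being a no-op. Its definition is not visible here, so either use `(PDE_IDENT_ATTR|_PAGE_USER)` or add a comment stating that the base attribute has the user bit clear. The same expression appears in the non-PAE hunk that follows. A comment on why only CONFIG_COMPAT_VDSO needs a user-accessible fixmap PDE would also help.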
15171 @@ -226,8 +295,11 @@ page_pde_offset = (__PAGE_OFFSET >> 20);
15172 movl %eax, pa(max_pfn_mapped)
15173
15174 /* Do early initialization of the fixmap area */
15175 - movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR,%eax
15176 - movl %eax,pa(initial_page_table+0xffc)
15177 +#ifdef CONFIG_COMPAT_VDSO
15178 + movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR+_PAGE_USER,pa(initial_page_table+0xffc)
15179 +#else
15180 + movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR,pa(initial_page_table+0xffc)
15181 +#endif
15182 #endif
15183
15184 #ifdef CONFIG_PARAVIRT
15185 @@ -241,9 +313,7 @@ page_pde_offset = (__PAGE_OFFSET >> 20);
15186 cmpl $num_subarch_entries, %eax
15187 jae bad_subarch
15188
15189 - movl pa(subarch_entries)(,%eax,4), %eax
15190 - subl $__PAGE_OFFSET, %eax
15191 - jmp *%eax
15192 + jmp *pa(subarch_entries)(,%eax,4)
15193
15194 bad_subarch:
15195 WEAK(lguest_entry)
15196 @@ -255,10 +325,10 @@ WEAK(xen_entry)
15197 __INITDATA
15198
15199 subarch_entries:
15200 - .long default_entry /* normal x86/PC */
15201 - .long lguest_entry /* lguest hypervisor */
15202 - .long xen_entry /* Xen hypervisor */
15203 - .long default_entry /* Moorestown MID */
15204 + .long ta(default_entry) /* normal x86/PC */
15205 + .long ta(lguest_entry) /* lguest hypervisor */
15206 + .long ta(xen_entry) /* Xen hypervisor */
15207 + .long ta(default_entry) /* Moorestown MID */
15208 num_subarch_entries = (. - subarch_entries) / 4
15209 .previous
15210 #else
15211 @@ -312,6 +382,7 @@ default_entry:
15212 orl %edx,%eax
15213 movl %eax,%cr4
15214
15215 +#ifdef CONFIG_X86_PAE
15216 testb $X86_CR4_PAE, %al # check if PAE is enabled
15217 jz 6f
15218
15219 @@ -340,6 +411,9 @@ default_entry:
15220 /* Make changes effective */
15221 wrmsr
15222
15223 + btsl $_PAGE_BIT_NX-32,pa(__supported_pte_mask+4)
15224 +#endif
15225 +
15226 6:
15227
15228 /*
15229 @@ -443,7 +517,7 @@ is386: movl $2,%ecx # set MP
15230 1: movl $(__KERNEL_DS),%eax # reload all the segment registers
15231 movl %eax,%ss # after changing gdt.
15232
15233 - movl $(__USER_DS),%eax # DS/ES contains default USER segment
15234 +# movl $(__KERNEL_DS),%eax # DS/ES contains default KERNEL segment
15235 movl %eax,%ds
15236 movl %eax,%es
15237
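Review bot: The `movl $(__KERNEL_DS),%eax` line is left in as commented-out code behind a leading `#`, and the `%ds`/`%es` loads now silently depend on `%eax` still holding `__KERNEL_DS` from the `%ss` load just above. In a preprocessed `.S` file a line starting with `#` followed by a word is also easy to mistake for a directive. Deleting the line and writing `/* %eax still holds __KERNEL_DS from the %ss load above */` says the same thing safely.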
15238 @@ -457,15 +531,22 @@ is386: movl $2,%ecx # set MP
15239 */
15240 cmpb $0,ready
15241 jne 1f
15242 - movl $gdt_page,%eax
15243 + movl $cpu_gdt_table,%eax
15244 movl $stack_canary,%ecx
15245 +#ifdef CONFIG_SMP
15246 + addl $__per_cpu_load,%ecx
15247 +#endif
15248 movw %cx, 8 * GDT_ENTRY_STACK_CANARY + 2(%eax)
15249 shrl $16, %ecx
15250 movb %cl, 8 * GDT_ENTRY_STACK_CANARY + 4(%eax)
15251 movb %ch, 8 * GDT_ENTRY_STACK_CANARY + 7(%eax)
15252 1:
15253 -#endif
15254 movl $(__KERNEL_STACK_CANARY),%eax
15255 +#elif defined(CONFIG_PAX_MEMORY_UDEREF)
15256 + movl $(__USER_DS),%eax
15257 +#else
15258 + xorl %eax,%eax
15259 +#endif
15260 movl %eax,%gs
15261
15262 xorl %eax,%eax # Clear LDT
15263 @@ -558,22 +639,22 @@ early_page_fault:
15264 jmp early_fault
15265
15266 early_fault:
15267 - cld
15268 #ifdef CONFIG_PRINTK
15269 + cmpl $1,%ss:early_recursion_flag
15270 + je hlt_loop
15271 + incl %ss:early_recursion_flag
15272 + cld
15273 pusha
15274 movl $(__KERNEL_DS),%eax
15275 movl %eax,%ds
15276 movl %eax,%es
15277 - cmpl $2,early_recursion_flag
15278 - je hlt_loop
15279 - incl early_recursion_flag
15280 movl %cr2,%eax
15281 pushl %eax
15282 pushl %edx /* trapno */
15283 pushl $fault_msg
15284 call printk
15285 +; call dump_stack
15286 #endif
15287 - call dump_stack
15288 hlt_loop:
15289 hlt
15290 jmp hlt_loop
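Review bot: `; call dump_stack` does not disable the call: in GNU as for x86, `;` separates statements and `#` starts a comment, so `call dump_stack` is still assembled, now inside the `CONFIG_PRINTK` block. If the intent was to drop the call, delete the line or write `/* call dump_stack */`. Separately, `early_fault` now stops at `cmpl $1,%ss:early_recursion_flag` while `ignore_int` in the next hunk uses `cmpl $2`; if the difference is deliberate it needs a comment.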
15291 @@ -581,8 +662,11 @@ hlt_loop:
15292 /* This is the default interrupt "handler" :-) */
15293 ALIGN
15294 ignore_int:
15295 - cld
15296 #ifdef CONFIG_PRINTK
15297 + cmpl $2,%ss:early_recursion_flag
15298 + je hlt_loop
15299 + incl %ss:early_recursion_flag
15300 + cld
15301 pushl %eax
15302 pushl %ecx
15303 pushl %edx
15304 @@ -591,9 +675,6 @@ ignore_int:
15305 movl $(__KERNEL_DS),%eax
15306 movl %eax,%ds
15307 movl %eax,%es
15308 - cmpl $2,early_recursion_flag
15309 - je hlt_loop
15310 - incl early_recursion_flag
15311 pushl 16(%esp)
15312 pushl 24(%esp)
15313 pushl 32(%esp)
15314 @@ -622,29 +703,43 @@ ENTRY(initial_code)
15315 /*
15316 * BSS section
15317 */
15318 -__PAGE_ALIGNED_BSS
15319 - .align PAGE_SIZE
15320 #ifdef CONFIG_X86_PAE
15321 +.section .initial_pg_pmd,"a",@progbits
15322 initial_pg_pmd:
15323 .fill 1024*KPMDS,4,0
15324 #else
15325 +.section .initial_page_table,"a",@progbits
15326 ENTRY(initial_page_table)
15327 .fill 1024,4,0
15328 #endif
15329 +.section .initial_pg_fixmap,"a",@progbits
15330 initial_pg_fixmap:
15331 .fill 1024,4,0
15332 +.section .empty_zero_page,"a",@progbits
15333 ENTRY(empty_zero_page)
15334 .fill 4096,1,0
15335 +.section .swapper_pg_dir,"a",@progbits
15336 ENTRY(swapper_pg_dir)
15337 +#ifdef CONFIG_X86_PAE
15338 + .fill 4,8,0
15339 +#else
15340 .fill 1024,4,0
15341 +#endif
15342 +
15343 +/*
15344 + * The IDT has to be page-aligned to simplify the Pentium
15345 + * F0 0F bug workaround.. We have a special link segment
15346 + * for this.
15347 + */
15348 +.section .idt,"a",@progbits
15349 +ENTRY(idt_table)
15350 + .fill 256,8,0
15351
15352 /*
15353 * This starts the data section.
15354 */
15355 #ifdef CONFIG_X86_PAE
15356 -__PAGE_ALIGNED_DATA
15357 - /* Page-aligned for the benefit of paravirt? */
15358 - .align PAGE_SIZE
15359 +.section .initial_page_table,"a",@progbits
15360 ENTRY(initial_page_table)
15361 .long pa(initial_pg_pmd+PGD_IDENT_ATTR),0 /* low identity map */
15362 # if KPMDS == 3
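Review bot: The `BSS section` comment above these tables is stale once `__PAGE_ALIGNED_BSS` and `.align PAGE_SIZE` are replaced by `.section …,"a",@progbits`, since these are now allocated, file-backed sections. Page alignment of `initial_pg_pmd`, `initial_page_table`, `swapper_pg_dir` (only `.fill 4,8,0` under PAE) and `idt_table` is no longer expressed in this file and presumably comes from the linker script. Update the comment to say so, e.g. `/* Page-table and IDT sections; placement and page alignment are set in the linker script */`. The `initial_page_table` definition under CONFIG_X86_PAE runs past the end of the hunk.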
15363 @@ -663,18 +758,27 @@ ENTRY(initial_page_table)
15364 # error "Kernel PMDs should be 1, 2 or 3"
15365 # endif
15366 .align PAGE_SIZE /* needs to be page-sized too */
15367 +
15368 +#ifdef CONFIG_PAX_PER_CPU_PGD
15369 +ENTRY(cpu_pgd)
15370 + .rept NR_CPUS
15371 + .fill 4,8,0
15372 + .endr
15373 +#endif
15374 +
15375 #endif
15376
15377 .data
15378 .balign 4
15379 ENTRY(stack_start)
15380 - .long init_thread_union+THREAD_SIZE
15381 + .long init_thread_union+THREAD_SIZE-8
15382 +
15383 +ready: .byte 0
15384
15385 +.section .rodata,"a",@progbits
15386 early_recursion_flag:
15387 .long 0
15388
15389 -ready: .byte 0
15390 -
15391 int_msg:
15392 .asciz "Unknown interrupt or fault at: %p %p %p\n"
15393
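Review bot: `early_recursion_flag` now follows `.section .rodata,"a",@progbits`, yet `early_fault` and `ignore_int` in this same patch execute `incl %ss:early_recursion_flag`. If read-only data is write-protected by the time one of those handlers runs, the increment itself would fault; if it is not, the placement is at least misleading. Keeping the flag in `.data` next to `ready` and moving the `.section .rodata,"a",@progbits` line down to just above `int_msg:` would leave only the message strings read-only.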
15394 @@ -707,7 +811,7 @@ fault_msg:
15395 .word 0 # 32 bit align gdt_desc.address
15396 boot_gdt_descr:
15397 .word __BOOT_DS+7
15398 - .long boot_gdt - __PAGE_OFFSET
15399 + .long pa(boot_gdt)
15400
15401 .word 0 # 32-bit align idt_desc.address
15402 idt_descr:
15403 @@ -718,7 +822,7 @@ idt_descr:
15404 .word 0 # 32 bit align gdt_desc.address
15405 ENTRY(early_gdt_descr)
15406 .word GDT_ENTRIES*8-1
15407 - .long gdt_page /* Overwritten for secondary CPUs */
15408 + .long cpu_gdt_table /* Overwritten for secondary CPUs */
15409
15410 /*
15411 * The boot_gdt must mirror the equivalent in setup.S and is
15412 @@ -727,5 +831,65 @@ ENTRY(early_gdt_descr)
15413 .align L1_CACHE_BYTES
15414 ENTRY(boot_gdt)
15415 .fill GDT_ENTRY_BOOT_CS,8,0
15416 - .quad 0x00cf9a000000ffff /* kernel 4GB code at 0x00000000 */
15417 - .quad 0x00cf92000000ffff /* kernel 4GB data at 0x00000000 */
15418 + .quad 0x00cf9b000000ffff /* kernel 4GB code at 0x00000000 */
15419 + .quad 0x00cf93000000ffff /* kernel 4GB data at 0x00000000 */
15420 +
15421 + .align PAGE_SIZE_asm
15422 +ENTRY(cpu_gdt_table)
15423 + .rept NR_CPUS
15424 + .quad 0x0000000000000000 /* NULL descriptor */
15425 + .quad 0x0000000000000000 /* 0x0b reserved */
15426 + .quad 0x0000000000000000 /* 0x13 reserved */
15427 + .quad 0x0000000000000000 /* 0x1b reserved */
15428 +
15429 +#ifdef CONFIG_PAX_KERNEXEC
15430 + .quad 0x00cf9b000000ffff /* 0x20 alternate kernel 4GB code at 0x00000000 */
15431 +#else
15432 + .quad 0x0000000000000000 /* 0x20 unused */
15433 +#endif
15434 +
15435 + .quad 0x0000000000000000 /* 0x28 unused */
15436 + .quad 0x0000000000000000 /* 0x33 TLS entry 1 */
15437 + .quad 0x0000000000000000 /* 0x3b TLS entry 2 */
15438 + .quad 0x0000000000000000 /* 0x43 TLS entry 3 */
15439 + .quad 0x0000000000000000 /* 0x4b reserved */
15440 + .quad 0x0000000000000000 /* 0x53 reserved */
15441 + .quad 0x0000000000000000 /* 0x5b reserved */
15442 +
15443 + .quad 0x00cf9b000000ffff /* 0x60 kernel 4GB code at 0x00000000 */
15444 + .quad 0x00cf93000000ffff /* 0x68 kernel 4GB data at 0x00000000 */
15445 + .quad 0x00cffb000000ffff /* 0x73 user 4GB code at 0x00000000 */
15446 + .quad 0x00cff3000000ffff /* 0x7b user 4GB data at 0x00000000 */
15447 +
15448 + .quad 0x0000000000000000 /* 0x80 TSS descriptor */
15449 + .quad 0x0000000000000000 /* 0x88 LDT descriptor */
15450 +
15451 + /*
15452 + * Segments used for calling PnP BIOS have byte granularity.
15453 + * The code segments and data segments have fixed 64k limits,
15454 + * the transfer segment sizes are set at run time.
15455 + */
15456 + .quad 0x00409b000000ffff /* 0x90 32-bit code */
15457 + .quad 0x00009b000000ffff /* 0x98 16-bit code */
15458 + .quad 0x000093000000ffff /* 0xa0 16-bit data */
15459 + .quad 0x0000930000000000 /* 0xa8 16-bit data */
15460 + .quad 0x0000930000000000 /* 0xb0 16-bit data */
15461 +
15462 + /*
15463 + * The APM segments have byte granularity and their bases
15464 + * are set at run time. All have 64k limits.
15465 + */
15466 + .quad 0x00409b000000ffff /* 0xb8 APM CS code */
15467 + .quad 0x00009b000000ffff /* 0xc0 APM CS 16 code (16 bit) */
15468 + .quad 0x004093000000ffff /* 0xc8 APM DS data */
15469 +
15470 + .quad 0x00c0930000000000 /* 0xd0 - ESPFIX SS */
15471 + .quad 0x0040930000000000 /* 0xd8 - PERCPU */
15472 + .quad 0x0040910000000017 /* 0xe0 - STACK_CANARY */
15473 + .quad 0x0000000000000000 /* 0xe8 - PCIBIOS_CS */
15474 + .quad 0x0000000000000000 /* 0xf0 - PCIBIOS_DS */
15475 + .quad 0x0000000000000000 /* 0xf8 - GDT entry 31: double-fault TSS */
15476 +
15477 + /* Be sure this is zeroed to avoid false validations in Xen */
15478 + .fill PAGE_SIZE_asm - GDT_SIZE,1,0
15479 + .endr
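Review bot: The access bytes in this hunk change from `0x9a`/`0x92` to `0x9b`/`0x93` in `boot_gdt`, and every populated slot of the new `cpu_gdt_table` uses the same odd values, with no comment saying why. The only difference is bit 0 of the access byte, the accessed flag; pre-setting it presumably keeps the CPU from writing to a descriptor when a segment is loaded, which matters if this page-aligned table is later mapped read-only. I would add a comment above `ENTRY(cpu_gdt_table)` such as `/* accessed bit pre-set in every descriptor so that segment loads never write to the GDT */`. It is also worth noting there that the 32 `.quad` entries per CPU have to stay in step with `GDT_SIZE`, because the trailing `.fill PAGE_SIZE_asm - GDT_SIZE,1,0` is what pads each copy to a page.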
15480 diff -urNp linux-2.6.39.3/arch/x86/kernel/head_64.S linux-2.6.39.3/arch/x86/kernel/head_64.S
15481 --- linux-2.6.39.3/arch/x86/kernel/head_64.S 2011-05-19 00:06:34.000000000 -0400
15482 +++ linux-2.6.39.3/arch/x86/kernel/head_64.S 2011-05-22 19:36:30.000000000 -0400
15483 @@ -19,6 +19,7 @@
15484 #include <asm/cache.h>
15485 #include <asm/processor-flags.h>
15486 #include <asm/percpu.h>
15487 +#include <asm/cpufeature.h>
15488
15489 #ifdef CONFIG_PARAVIRT
15490 #include <asm/asm-offsets.h>
15491 @@ -38,6 +39,10 @@ L4_PAGE_OFFSET = pgd_index(__PAGE_OFFSET
15492 L3_PAGE_OFFSET = pud_index(__PAGE_OFFSET)
15493 L4_START_KERNEL = pgd_index(__START_KERNEL_map)
15494 L3_START_KERNEL = pud_index(__START_KERNEL_map)
15495 +L4_VMALLOC_START = pgd_index(VMALLOC_START)
15496 +L3_VMALLOC_START = pud_index(VMALLOC_START)
15497 +L4_VMEMMAP_START = pgd_index(VMEMMAP_START)
15498 +L3_VMEMMAP_START = pud_index(VMEMMAP_START)
15499
15500 .text
15501 __HEAD
15502 @@ -85,35 +90,22 @@ startup_64:
15503 */
15504 addq %rbp, init_level4_pgt + 0(%rip)
15505 addq %rbp, init_level4_pgt + (L4_PAGE_OFFSET*8)(%rip)
15506 + addq %rbp, init_level4_pgt + (L4_VMALLOC_START*8)(%rip)
15507 + addq %rbp, init_level4_pgt + (L4_VMEMMAP_START*8)(%rip)
15508 addq %rbp, init_level4_pgt + (L4_START_KERNEL*8)(%rip)
15509
15510 addq %rbp, level3_ident_pgt + 0(%rip)
15511 +#ifndef CONFIG_XEN
15512 + addq %rbp, level3_ident_pgt + 8(%rip)
15513 +#endif
15514
15515 - addq %rbp, level3_kernel_pgt + (510*8)(%rip)
15516 - addq %rbp, level3_kernel_pgt + (511*8)(%rip)
15517 + addq %rbp, level3_vmemmap_pgt + (L3_VMEMMAP_START*8)(%rip)
15518
15519 - addq %rbp, level2_fixmap_pgt + (506*8)(%rip)
15520 + addq %rbp, level3_kernel_pgt + (L3_START_KERNEL*8)(%rip)
15521 + addq %rbp, level3_kernel_pgt + (L3_START_KERNEL*8+8)(%rip)
15522
15523 - /* Add an Identity mapping if I am above 1G */
15524 - leaq _text(%rip), %rdi
15525 - andq $PMD_PAGE_MASK, %rdi
15526 -
15527 - movq %rdi, %rax
15528 - shrq $PUD_SHIFT, %rax
15529 - andq $(PTRS_PER_PUD - 1), %rax
15530 - jz ident_complete
15531 -
15532 - leaq (level2_spare_pgt - __START_KERNEL_map + _KERNPG_TABLE)(%rbp), %rdx
15533 - leaq level3_ident_pgt(%rip), %rbx
15534 - movq %rdx, 0(%rbx, %rax, 8)
15535 -
15536 - movq %rdi, %rax
15537 - shrq $PMD_SHIFT, %rax
15538 - andq $(PTRS_PER_PMD - 1), %rax
15539 - leaq __PAGE_KERNEL_IDENT_LARGE_EXEC(%rdi), %rdx
15540 - leaq level2_spare_pgt(%rip), %rbx
15541 - movq %rdx, 0(%rbx, %rax, 8)
15542 -ident_complete:
15543 + addq %rbp, level2_fixmap_pgt + (506*8)(%rip)
15544 + addq %rbp, level2_fixmap_pgt + (507*8)(%rip)
15545
15546 /*
15547 * Fixup the kernel text+data virtual addresses. Note that
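Review bot: The re-added `addq %rbp, level2_fixmap_pgt + (506*8)(%rip)` still relocates slot 506, but a later hunk in this file builds `level2_fixmap_pgt` as `.fill 507,8,0` followed by the `level1_vsyscall_pgt` entry, so slot 506 is an empty entry and only slot 507 holds a table pointer. Adding the load offset to an empty entry leaves a non-zero value in the table whenever the kernel is relocated; that is probably harmless as long as the offset keeps the present bit clear, but it does not match the data layout. I would drop the 506 line and keep only `addq %rbp, level2_fixmap_pgt + (507*8)(%rip)`, or restore a table pointer in slot 506 if one is intended. The startup_64 code around these fixups begins and ends outside the hunk.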
15548 @@ -160,8 +152,8 @@ ENTRY(secondary_startup_64)
15549 * after the boot processor executes this code.
15550 */
15551
15552 - /* Enable PAE mode and PGE */
15553 - movl $(X86_CR4_PAE | X86_CR4_PGE), %eax
15554 + /* Enable PAE mode and PSE/PGE */
15555 + movl $(X86_CR4_PSE | X86_CR4_PAE | X86_CR4_PGE), %eax
15556 movq %rax, %cr4
15557
15558 /* Setup early boot stage 4 level pagetables. */
15559 @@ -183,9 +175,14 @@ ENTRY(secondary_startup_64)
15560 movl $MSR_EFER, %ecx
15561 rdmsr
15562 btsl $_EFER_SCE, %eax /* Enable System Call */
15563 - btl $20,%edi /* No Execute supported? */
15564 + btl $(X86_FEATURE_NX & 31),%edi /* No Execute supported? */
15565 jnc 1f
15566 btsl $_EFER_NX, %eax
15567 + leaq init_level4_pgt(%rip), %rdi
15568 + btsq $_PAGE_BIT_NX, 8*L4_PAGE_OFFSET(%rdi)
15569 + btsq $_PAGE_BIT_NX, 8*L4_VMALLOC_START(%rdi)
15570 + btsq $_PAGE_BIT_NX, 8*L4_VMEMMAP_START(%rdi)
15571 + btsq $_PAGE_BIT_NX, __supported_pte_mask(%rip)
15572 1: wrmsr /* Make changes effective */
15573
15574 /* Setup cr0 */
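Review bot: The added `btsq $_PAGE_BIT_NX, …` stores write into `init_level4_pgt`, which a later hunk of this file places under `.section .rodata`, and nothing here says why writing there is safe. From the visible order they run before the `/* Setup cr0 */` step, so they presumably rely on write protection not being enforced yet. That assumption should be written down, because this path is also entered by secondary CPUs (see the hunk header) and a `bts` on memory is a read-modify-write even when the bit is already set. Suggested comment above the `leaq`: `/* page tables live in .rodata: these stores must run before CR0.WP is enabled */`. The `leaq` also overwrites the feature word that `btl` just tested in `%edi`, so a short `/* feature bits in %edi are dead from here */` would protect later edits.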
15575 @@ -269,7 +266,7 @@ ENTRY(secondary_startup_64)
15576 bad_address:
15577 jmp bad_address
15578
15579 - .section ".init.text","ax"
15580 + __INIT
15581 #ifdef CONFIG_EARLY_PRINTK
15582 .globl early_idt_handlers
15583 early_idt_handlers:
15584 @@ -314,18 +311,23 @@ ENTRY(early_idt_handler)
15585 #endif /* EARLY_PRINTK */
15586 1: hlt
15587 jmp 1b
15588 + .previous
15589
15590 #ifdef CONFIG_EARLY_PRINTK
15591 + __INITDATA
15592 early_recursion_flag:
15593 .long 0
15594 + .previous
15595
15596 + .section .rodata,"a",@progbits
15597 early_idt_msg:
15598 .asciz "PANIC: early exception %02lx rip %lx:%lx error %lx cr2 %lx\n"
15599 early_idt_ripmsg:
15600 .asciz "RIP %s\n"
15601 -#endif /* CONFIG_EARLY_PRINTK */
15602 .previous
15603 +#endif /* CONFIG_EARLY_PRINTK */
15604
15605 + .section .rodata,"a",@progbits
15606 #define NEXT_PAGE(name) \
15607 .balign PAGE_SIZE; \
15608 ENTRY(name)
15609 @@ -338,7 +340,6 @@ ENTRY(name)
15610 i = i + 1 ; \
15611 .endr
15612
15613 - .data
15614 /*
15615 * This default setting generates an ident mapping at address 0x100000
15616 * and a mapping for the kernel that precisely maps virtual address
15617 @@ -349,13 +350,36 @@ NEXT_PAGE(init_level4_pgt)
15618 .quad level3_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
15619 .org init_level4_pgt + L4_PAGE_OFFSET*8, 0
15620 .quad level3_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
15621 + .org init_level4_pgt + L4_VMALLOC_START*8, 0
15622 + .quad level3_vmalloc_pgt - __START_KERNEL_map + _KERNPG_TABLE
15623 + .org init_level4_pgt + L4_VMEMMAP_START*8, 0
15624 + .quad level3_vmemmap_pgt - __START_KERNEL_map + _KERNPG_TABLE
15625 .org init_level4_pgt + L4_START_KERNEL*8, 0
15626 /* (2^48-(2*1024*1024*1024))/(2^39) = 511 */
15627 .quad level3_kernel_pgt - __START_KERNEL_map + _PAGE_TABLE
15628
15629 +#ifdef CONFIG_PAX_PER_CPU_PGD
15630 +NEXT_PAGE(cpu_pgd)
15631 + .rept NR_CPUS
15632 + .fill 512,8,0
15633 + .endr
15634 +#endif
15635 +
15636 NEXT_PAGE(level3_ident_pgt)
15637 .quad level2_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
15638 +#ifdef CONFIG_XEN
15639 .fill 511,8,0
15640 +#else
15641 + .quad level2_ident_pgt + PAGE_SIZE - __START_KERNEL_map + _KERNPG_TABLE
15642 + .fill 510,8,0
15643 +#endif
15644 +
15645 +NEXT_PAGE(level3_vmalloc_pgt)
15646 + .fill 512,8,0
15647 +
15648 +NEXT_PAGE(level3_vmemmap_pgt)
15649 + .fill L3_VMEMMAP_START,8,0
15650 + .quad level2_vmemmap_pgt - __START_KERNEL_map + _KERNPG_TABLE
15651
15652 NEXT_PAGE(level3_kernel_pgt)
15653 .fill L3_START_KERNEL,8,0
15654 @@ -363,20 +387,23 @@ NEXT_PAGE(level3_kernel_pgt)
15655 .quad level2_kernel_pgt - __START_KERNEL_map + _KERNPG_TABLE
15656 .quad level2_fixmap_pgt - __START_KERNEL_map + _PAGE_TABLE
15657
15658 +NEXT_PAGE(level2_vmemmap_pgt)
15659 + .fill 512,8,0
15660 +
15661 NEXT_PAGE(level2_fixmap_pgt)
15662 - .fill 506,8,0
15663 - .quad level1_fixmap_pgt - __START_KERNEL_map + _PAGE_TABLE
15664 - /* 8MB reserved for vsyscalls + a 2MB hole = 4 + 1 entries */
15665 - .fill 5,8,0
15666 + .fill 507,8,0
15667 + .quad level1_vsyscall_pgt - __START_KERNEL_map + _PAGE_TABLE
15668 + /* 6MB reserved for vsyscalls + a 2MB hole = 3 + 1 entries */
15669 + .fill 4,8,0
15670
15671 -NEXT_PAGE(level1_fixmap_pgt)
15672 +NEXT_PAGE(level1_vsyscall_pgt)
15673 .fill 512,8,0
15674
15675 -NEXT_PAGE(level2_ident_pgt)
15676 - /* Since I easily can, map the first 1G.
15677 + /* Since I easily can, map the first 2G.
15678 * Don't set NX because code runs from these pages.
15679 */
15680 - PMDS(0, __PAGE_KERNEL_IDENT_LARGE_EXEC, PTRS_PER_PMD)
15681 +NEXT_PAGE(level2_ident_pgt)
15682 + PMDS(0, __PAGE_KERNEL_IDENT_LARGE_EXEC, 2*PTRS_PER_PMD)
15683
15684 NEXT_PAGE(level2_kernel_pgt)
15685 /*
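Review bot: `PMDS(0, __PAGE_KERNEL_IDENT_LARGE_EXEC, 2*PTRS_PER_PMD)` makes the identity mapping a fixed first 2G, while the earlier startup_64 hunk deletes the run-time path that added an identity entry through `level2_spare_pgt` when `_text` was above 1G. As far as these hunks show, a kernel loaded at a physical address at or above 2G would have no identity mapping for its own text while switching to the kernel page tables. If that load range is meant to be unsupported, the comment should say so, e.g. `/* identity map is static: the kernel must be loaded below 2G physical */`, and the limit is best enforced by a build-time or early boot check rather than left to a fault.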
15686 @@ -389,33 +416,55 @@ NEXT_PAGE(level2_kernel_pgt)
15687 * If you want to increase this then increase MODULES_VADDR
15688 * too.)
15689 */
15690 - PMDS(0, __PAGE_KERNEL_LARGE_EXEC,
15691 - KERNEL_IMAGE_SIZE/PMD_SIZE)
15692 -
15693 -NEXT_PAGE(level2_spare_pgt)
15694 - .fill 512, 8, 0
15695 + PMDS(0, __PAGE_KERNEL_LARGE_EXEC, KERNEL_IMAGE_SIZE/PMD_SIZE)
15696
15697 #undef PMDS
15698 #undef NEXT_PAGE
15699
15700 - .data
15701 + .align PAGE_SIZE
15702 +ENTRY(cpu_gdt_table)
15703 + .rept NR_CPUS
15704 + .quad 0x0000000000000000 /* NULL descriptor */
15705 + .quad 0x00cf9b000000ffff /* __KERNEL32_CS */
15706 + .quad 0x00af9b000000ffff /* __KERNEL_CS */
15707 + .quad 0x00cf93000000ffff /* __KERNEL_DS */
15708 + .quad 0x00cffb000000ffff /* __USER32_CS */
15709 + .quad 0x00cff3000000ffff /* __USER_DS, __USER32_DS */
15710 + .quad 0x00affb000000ffff /* __USER_CS */
15711 +
15712 +#ifdef CONFIG_PAX_KERNEXEC
15713 + .quad 0x00af9b000000ffff /* __KERNEXEC_KERNEL_CS */
15714 +#else
15715 + .quad 0x0 /* unused */
15716 +#endif
15717 +
15718 + .quad 0,0 /* TSS */
15719 + .quad 0,0 /* LDT */
15720 + .quad 0,0,0 /* three TLS descriptors */
15721 + .quad 0x0000f40000000000 /* node/CPU stored in limit */
15722 + /* asm/segment.h:GDT_ENTRIES must match this */
15723 +
15724 + /* zero the remaining page */
15725 + .fill PAGE_SIZE / 8 - GDT_ENTRIES,8,0
15726 + .endr
15727 +
15728 .align 16
15729 .globl early_gdt_descr
15730 early_gdt_descr:
15731 .word GDT_ENTRIES*8-1
15732 early_gdt_descr_base:
15733 - .quad INIT_PER_CPU_VAR(gdt_page)
15734 + .quad cpu_gdt_table
15735
15736 ENTRY(phys_base)
15737 /* This must match the first entry in level2_kernel_pgt */
15738 .quad 0x0000000000000000
15739
15740 #include "../../x86/xen/xen-head.S"
15741 -
15742 - .section .bss, "aw", @nobits
15743 +
15744 + .section .rodata,"a",@progbits
15745 .align L1_CACHE_BYTES
15746 ENTRY(idt_table)
15747 - .skip IDT_ENTRIES * 16
15748 + .fill 512,8,0
15749
15750 __PAGE_ALIGNED_BSS
15751 .align PAGE_SIZE
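Review bot: `.fill 512,8,0` replaces `.skip IDT_ENTRIES * 16` with a bare constant, so the size of `idt_table` no longer follows `IDT_ENTRIES` if that value ever changes. Moving the table into `.rodata` needs initialised storage, but the size can stay symbolic: `.fill IDT_ENTRIES * 2,8,0`. In the same hunk the per-CPU `cpu_gdt_table` depends on the comment `asm/segment.h:GDT_ENTRIES must match this` to keep its 16 quads in step with the `.fill PAGE_SIZE / 8 - GDT_ENTRIES,8,0` padding; a label at the end of the entries plus an assembler size check would turn that comment into something the build enforces.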
15752 diff -urNp linux-2.6.39.3/arch/x86/kernel/i386_ksyms_32.c linux-2.6.39.3/arch/x86/kernel/i386_ksyms_32.c
15753 --- linux-2.6.39.3/arch/x86/kernel/i386_ksyms_32.c 2011-05-19 00:06:34.000000000 -0400
15754 +++ linux-2.6.39.3/arch/x86/kernel/i386_ksyms_32.c 2011-05-22 19:36:30.000000000 -0400
15755 @@ -20,8 +20,12 @@ extern void cmpxchg8b_emu(void);
15756 EXPORT_SYMBOL(cmpxchg8b_emu);
15757 #endif
15758
15759 +EXPORT_SYMBOL_GPL(cpu_gdt_table);
15760 +
15761 /* Networking helper routines. */
15762 EXPORT_SYMBOL(csum_partial_copy_generic);
15763 +EXPORT_SYMBOL(csum_partial_copy_generic_to_user);
15764 +EXPORT_SYMBOL(csum_partial_copy_generic_from_user);
15765
15766 EXPORT_SYMBOL(__get_user_1);
15767 EXPORT_SYMBOL(__get_user_2);
15768 @@ -36,3 +40,7 @@ EXPORT_SYMBOL(strstr);
15769
15770 EXPORT_SYMBOL(csum_partial);
15771 EXPORT_SYMBOL(empty_zero_page);
15772 +
15773 +#ifdef CONFIG_PAX_KERNEXEC
15774 +EXPORT_SYMBOL(__LOAD_PHYSICAL_ADDR);
15775 +#endif
15776 diff -urNp linux-2.6.39.3/arch/x86/kernel/i8259.c linux-2.6.39.3/arch/x86/kernel/i8259.c
15777 --- linux-2.6.39.3/arch/x86/kernel/i8259.c 2011-05-19 00:06:34.000000000 -0400
15778 +++ linux-2.6.39.3/arch/x86/kernel/i8259.c 2011-05-22 19:36:30.000000000 -0400
15779 @@ -210,7 +210,7 @@ spurious_8259A_irq:
15780 "spurious 8259A interrupt: IRQ%d.\n", irq);
15781 spurious_irq_mask |= irqmask;
15782 }
15783 - atomic_inc(&irq_err_count);
15784 + atomic_inc_unchecked(&irq_err_count);
15785 /*
15786 * Theoretically we do not have to handle this IRQ,
15787 * but in Linux this does not cause problems and is
15788 diff -urNp linux-2.6.39.3/arch/x86/kernel/init_task.c linux-2.6.39.3/arch/x86/kernel/init_task.c
15789 --- linux-2.6.39.3/arch/x86/kernel/init_task.c 2011-05-19 00:06:34.000000000 -0400
15790 +++ linux-2.6.39.3/arch/x86/kernel/init_task.c 2011-05-22 19:36:30.000000000 -0400
15791 @@ -20,8 +20,7 @@ static struct sighand_struct init_sighan
15792 * way process stacks are handled. This is done by having a special
15793 * "init_task" linker map entry..
15794 */
15795 -union thread_union init_thread_union __init_task_data =
15796 - { INIT_THREAD_INFO(init_task) };
15797 +union thread_union init_thread_union __init_task_data;
15798
15799 /*
15800 * Initial task structure.
15801 @@ -38,5 +37,5 @@ EXPORT_SYMBOL(init_task);
15802 * section. Since TSS's are completely CPU-local, we want them
15803 * on exact cacheline boundaries, to eliminate cacheline ping-pong.
15804 */
15805 -DEFINE_PER_CPU_SHARED_ALIGNED(struct tss_struct, init_tss) = INIT_TSS;
15806 -
15807 +struct tss_struct init_tss[NR_CPUS] ____cacheline_internodealigned_in_smp = { [0 ... NR_CPUS-1] = INIT_TSS };
15808 +EXPORT_SYMBOL(init_tss);
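Review bot: The `____cacheline_internodealigned_in_smp` attribute on `init_tss[NR_CPUS]` aligns the array as a whole, so only element 0 is guaranteed that boundary, whereas the comment above the definition asks for each TSS to sit on an exact cacheline boundary. Whether elements 1 to NR_CPUS-1 stay aligned depends on the size and alignment of `struct tss_struct`, which is not visible in this hunk; that should be confirmed and noted next to the definition, e.g. `/* per-element alignment comes from struct tss_struct itself */`. The array is also sized by the configured `NR_CPUS` rather than by the CPUs that can actually be present, which is a memory cost the per-CPU definition it replaces did not have.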
15809 diff -urNp linux-2.6.39.3/arch/x86/kernel/ioport.c linux-2.6.39.3/arch/x86/kernel/ioport.c
15810 --- linux-2.6.39.3/arch/x86/kernel/ioport.c 2011-05-19 00:06:34.000000000 -0400
15811 +++ linux-2.6.39.3/arch/x86/kernel/ioport.c 2011-05-22 19:41:32.000000000 -0400
15812 @@ -6,6 +6,7 @@
15813 #include <linux/sched.h>
15814 #include <linux/kernel.h>
15815 #include <linux/capability.h>
15816 +#include <linux/security.h>
15817 #include <linux/errno.h>
15818 #include <linux/types.h>
15819 #include <linux/ioport.h>
15820 @@ -28,6 +29,12 @@ asmlinkage long sys_ioperm(unsigned long
15821
15822 if ((from + num <= from) || (from + num > IO_BITMAP_BITS))
15823 return -EINVAL;
15824 +#ifdef CONFIG_GRKERNSEC_IO
15825 + if (turn_on && grsec_disable_privio) {
15826 + gr_handle_ioperm();
15827 + return -EPERM;
15828 + }
15829 +#endif
15830 if (turn_on && !capable(CAP_SYS_RAWIO))
15831 return -EPERM;
15832
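Review bot: The `grsec_disable_privio` test sits before `capable(CAP_SYS_RAWIO)`, so `gr_handle_ioperm()` is reached by every caller that passes `turn_on`, including callers that would have been refused for lacking the capability anyway. If that handler logs (its body is not part of this hunk), an unprivileged process can generate log entries at will. Either confirm that it is rate limited, or place the block after the capability check so that only requests which would otherwise have been granted are reported. The same ordering is used for `gr_handle_iopl()` in the `sys_iopl` hunk further down. sys_ioperm begins and ends outside the hunk.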
15833 @@ -54,7 +61,7 @@ asmlinkage long sys_ioperm(unsigned long
15834 * because the ->io_bitmap_max value must match the bitmap
15835 * contents:
15836 */
15837 - tss = &per_cpu(init_tss, get_cpu());
15838 + tss = init_tss + get_cpu();
15839
15840 if (turn_on)
15841 bitmap_clear(t->io_bitmap_ptr, from, num);
15842 @@ -102,6 +109,12 @@ long sys_iopl(unsigned int level, struct
15843 return -EINVAL;
15844 /* Trying to gain more privileges? */
15845 if (level > old) {
15846 +#ifdef CONFIG_GRKERNSEC_IO
15847 + if (grsec_disable_privio) {
15848 + gr_handle_iopl();
15849 + return -EPERM;
15850 + }
15851 +#endif
15852 if (!capable(CAP_SYS_RAWIO))
15853 return -EPERM;
15854 }
15855 diff -urNp linux-2.6.39.3/arch/x86/kernel/irq_32.c linux-2.6.39.3/arch/x86/kernel/irq_32.c
15856 --- linux-2.6.39.3/arch/x86/kernel/irq_32.c 2011-05-19 00:06:34.000000000 -0400
15857 +++ linux-2.6.39.3/arch/x86/kernel/irq_32.c 2011-07-06 20:00:13.000000000 -0400
15858 @@ -36,7 +36,7 @@ static int check_stack_overflow(void)
15859 __asm__ __volatile__("andl %%esp,%0" :
15860 "=r" (sp) : "0" (THREAD_SIZE - 1));
15861
15862 - return sp < (sizeof(struct thread_info) + STACK_WARN);
15863 + return sp < STACK_WARN;
15864 }
15865
15866 static void print_stack_overflow(void)
15867 @@ -54,8 +54,8 @@ static inline void print_stack_overflow(
15868 * per-CPU IRQ handling contexts (thread information and stack)
15869 */
15870 union irq_ctx {
15871 - struct thread_info tinfo;
15872 - u32 stack[THREAD_SIZE/sizeof(u32)];
15873 + unsigned long previous_esp;
15874 + u32 stack[THREAD_SIZE/sizeof(u32)];
15875 } __attribute__((aligned(THREAD_SIZE)));
15876
15877 static DEFINE_PER_CPU(union irq_ctx *, hardirq_ctx);
15878 @@ -75,10 +75,9 @@ static void call_on_stack(void *func, vo
15879 static inline int
15880 execute_on_irq_stack(int overflow, struct irq_desc *desc, int irq)
15881 {
15882 - union irq_ctx *curctx, *irqctx;
15883 + union irq_ctx *irqctx;
15884 u32 *isp, arg1, arg2;
15885
15886 - curctx = (union irq_ctx *) current_thread_info();
15887 irqctx = __this_cpu_read(hardirq_ctx);
15888
15889 /*
15890 @@ -87,21 +86,16 @@ execute_on_irq_stack(int overflow, struc
15891 * handler) we can't do that and just have to keep using the
15892 * current stack (which is the irq stack already after all)
15893 */
15894 - if (unlikely(curctx == irqctx))
15895 + if (unlikely((void *)current_stack_pointer - (void *)irqctx < THREAD_SIZE))
15896 return 0;
15897
15898 /* build the stack frame on the IRQ stack */
15899 - isp = (u32 *) ((char *)irqctx + sizeof(*irqctx));
15900 - irqctx->tinfo.task = curctx->tinfo.task;
15901 - irqctx->tinfo.previous_esp = current_stack_pointer;
15902 + isp = (u32 *) ((char *)irqctx + sizeof(*irqctx) - 8);
15903 + irqctx->previous_esp = current_stack_pointer;
15904
15905 - /*
15906 - * Copy the softirq bits in preempt_count so that the
15907 - * softirq checks work in the hardirq context.
15908 - */
15909 - irqctx->tinfo.preempt_count =
15910 - (irqctx->tinfo.preempt_count & ~SOFTIRQ_MASK) |
15911 - (curctx->tinfo.preempt_count & SOFTIRQ_MASK);
15912 +#ifdef CONFIG_PAX_MEMORY_UDEREF
15913 + __set_fs(MAKE_MM_SEG(0));
15914 +#endif
15915
15916 if (unlikely(overflow))
15917 call_on_stack(print_stack_overflow, isp);
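Review bot: `(void *)current_stack_pointer - (void *)irqctx < THREAD_SIZE` relies on two implicit behaviours: arithmetic on `void *` (a GNU extension) and the signed pointer difference being converted to unsigned for the comparison, which only happens if `THREAD_SIZE` has an unsigned type. With a signed `THREAD_SIZE`, a stack pointer below `irqctx` would give a negative difference and be taken for "already on the IRQ stack". Assuming `current_stack_pointer` is an unsigned long, as its assignment to `previous_esp` suggests, the range check can be made explicit: `if (unlikely(current_stack_pointer - (unsigned long)irqctx < THREAD_SIZE))`. The `- 8` in `isp = (u32 *) ((char *)irqctx + sizeof(*irqctx) - 8);`, repeated in the do_softirq hunk, also needs a comment saying what the 8 bytes reserved at the top of the stack are for. execute_on_irq_stack begins and ends outside the hunk.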
15918 @@ -113,6 +107,11 @@ execute_on_irq_stack(int overflow, struc
15919 : "0" (irq), "1" (desc), "2" (isp),
15920 "D" (desc->handle_irq)
15921 : "memory", "cc", "ecx");
15922 +
15923 +#ifdef CONFIG_PAX_MEMORY_UDEREF
15924 + __set_fs(current_thread_info()->addr_limit);
15925 +#endif
15926 +
15927 return 1;
15928 }
15929
15930 @@ -121,29 +120,11 @@ execute_on_irq_stack(int overflow, struc
15931 */
15932 void __cpuinit irq_ctx_init(int cpu)
15933 {
15934 - union irq_ctx *irqctx;
15935 -
15936 if (per_cpu(hardirq_ctx, cpu))
15937 return;
15938
15939 - irqctx = page_address(alloc_pages_node(cpu_to_node(cpu),
15940 - THREAD_FLAGS,
15941 - THREAD_ORDER));
15942 - memset(&irqctx->tinfo, 0, sizeof(struct thread_info));
15943 - irqctx->tinfo.cpu = cpu;
15944 - irqctx->tinfo.preempt_count = HARDIRQ_OFFSET;
15945 - irqctx->tinfo.addr_limit = MAKE_MM_SEG(0);
15946 -
15947 - per_cpu(hardirq_ctx, cpu) = irqctx;
15948 -
15949 - irqctx = page_address(alloc_pages_node(cpu_to_node(cpu),
15950 - THREAD_FLAGS,
15951 - THREAD_ORDER));
15952 - memset(&irqctx->tinfo, 0, sizeof(struct thread_info));
15953 - irqctx->tinfo.cpu = cpu;
15954 - irqctx->tinfo.addr_limit = MAKE_MM_SEG(0);
15955 -
15956 - per_cpu(softirq_ctx, cpu) = irqctx;
15957 + per_cpu(hardirq_ctx, cpu) = page_address(alloc_pages_node(cpu_to_node(cpu), THREAD_FLAGS, THREAD_ORDER));
15958 + per_cpu(softirq_ctx, cpu) = page_address(alloc_pages_node(cpu_to_node(cpu), THREAD_FLAGS, THREAD_ORDER));
15959
15960 printk(KERN_DEBUG "CPU %u irqstacks, hard=%p soft=%p\n",
15961 cpu, per_cpu(hardirq_ctx, cpu), per_cpu(softirq_ctx, cpu));
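Review bot: Both `alloc_pages_node()` results are passed straight to `page_address()` and stored, so an allocation failure is not detected here and the per-CPU pointer is later used as a stack base in `execute_on_irq_stack()` and `do_softirq()`. The code this replaces did not check either, but the rewrite is the natural place to add it; the function returns void, so the failure has to be handled on the spot, with `BUG_ON` or whatever policy the CPU bring-up path prefers. irq_ctx_init continues past the end of the hunk.

```c
	struct page *hard, *soft;

	if (per_cpu(hardirq_ctx, cpu))
		return;

	hard = alloc_pages_node(cpu_to_node(cpu), THREAD_FLAGS, THREAD_ORDER);
	soft = alloc_pages_node(cpu_to_node(cpu), THREAD_FLAGS, THREAD_ORDER);
	BUG_ON(!hard || !soft);	/* void function: no error path back to the caller */

	per_cpu(hardirq_ctx, cpu) = page_address(hard);
	per_cpu(softirq_ctx, cpu) = page_address(soft);
	/* … unchanged: printk of the two stack addresses … */
```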
15962 @@ -152,7 +133,6 @@ void __cpuinit irq_ctx_init(int cpu)
15963 asmlinkage void do_softirq(void)
15964 {
15965 unsigned long flags;
15966 - struct thread_info *curctx;
15967 union irq_ctx *irqctx;
15968 u32 *isp;
15969
15970 @@ -162,15 +142,22 @@ asmlinkage void do_softirq(void)
15971 local_irq_save(flags);
15972
15973 if (local_softirq_pending()) {
15974 - curctx = current_thread_info();
15975 irqctx = __this_cpu_read(softirq_ctx);
15976 - irqctx->tinfo.task = curctx->task;
15977 - irqctx->tinfo.previous_esp = current_stack_pointer;
15978 + irqctx->previous_esp = current_stack_pointer;
15979
15980 /* build the stack frame on the softirq stack */
15981 - isp = (u32 *) ((char *)irqctx + sizeof(*irqctx));
15982 + isp = (u32 *) ((char *)irqctx + sizeof(*irqctx) - 8);
15983 +
15984 +#ifdef CONFIG_PAX_MEMORY_UDEREF
15985 + __set_fs(MAKE_MM_SEG(0));
15986 +#endif
15987
15988 call_on_stack(__do_softirq, isp);
15989 +
15990 +#ifdef CONFIG_PAX_MEMORY_UDEREF
15991 + __set_fs(current_thread_info()->addr_limit);
15992 +#endif
15993 +
15994 /*
15995 * Shouldn't happen, we returned above if in_interrupt():
15996 */
15997 diff -urNp linux-2.6.39.3/arch/x86/kernel/irq.c linux-2.6.39.3/arch/x86/kernel/irq.c
15998 --- linux-2.6.39.3/arch/x86/kernel/irq.c 2011-05-19 00:06:34.000000000 -0400
15999 +++ linux-2.6.39.3/arch/x86/kernel/irq.c 2011-05-22 19:36:30.000000000 -0400
16000 @@ -17,7 +17,7 @@
16001 #include <asm/mce.h>
16002 #include <asm/hw_irq.h>
16003
16004 -atomic_t irq_err_count;
16005 +atomic_unchecked_t irq_err_count;
16006
16007 /* Function pointer for generic interrupt vector handling */
16008 void (*x86_platform_ipi_callback)(void) = NULL;
16009 @@ -116,9 +116,9 @@ int arch_show_interrupts(struct seq_file
16010 seq_printf(p, "%10u ", per_cpu(mce_poll_count, j));
16011 seq_printf(p, " Machine check polls\n");
16012 #endif
16013 - seq_printf(p, "%*s: %10u\n", prec, "ERR", atomic_read(&irq_err_count));
16014 + seq_printf(p, "%*s: %10u\n", prec, "ERR", atomic_read_unchecked(&irq_err_count));
16015 #if defined(CONFIG_X86_IO_APIC)
16016 - seq_printf(p, "%*s: %10u\n", prec, "MIS", atomic_read(&irq_mis_count));
16017 + seq_printf(p, "%*s: %10u\n", prec, "MIS", atomic_read_unchecked(&irq_mis_count));
16018 #endif
16019 return 0;
16020 }
16021 @@ -158,10 +158,10 @@ u64 arch_irq_stat_cpu(unsigned int cpu)
16022
16023 u64 arch_irq_stat(void)
16024 {
16025 - u64 sum = atomic_read(&irq_err_count);
16026 + u64 sum = atomic_read_unchecked(&irq_err_count);
16027
16028 #ifdef CONFIG_X86_IO_APIC
16029 - sum += atomic_read(&irq_mis_count);
16030 + sum += atomic_read_unchecked(&irq_mis_count);
16031 #endif
16032 return sum;
16033 }
16034 diff -urNp linux-2.6.39.3/arch/x86/kernel/kgdb.c linux-2.6.39.3/arch/x86/kernel/kgdb.c
16035 --- linux-2.6.39.3/arch/x86/kernel/kgdb.c 2011-05-19 00:06:34.000000000 -0400
16036 +++ linux-2.6.39.3/arch/x86/kernel/kgdb.c 2011-05-22 19:36:30.000000000 -0400
16037 @@ -124,11 +124,11 @@ char *dbg_get_reg(int regno, void *mem,
16038 #ifdef CONFIG_X86_32
16039 switch (regno) {
16040 case GDB_SS:
16041 - if (!user_mode_vm(regs))
16042 + if (!user_mode(regs))
16043 *(unsigned long *)mem = __KERNEL_DS;
16044 break;
16045 case GDB_SP:
16046 - if (!user_mode_vm(regs))
16047 + if (!user_mode(regs))
16048 *(unsigned long *)mem = kernel_stack_pointer(regs);
16049 break;
16050 case GDB_GS:
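Review bot: Replacing `user_mode_vm(regs)` with `user_mode(regs)` is only equivalent if `user_mode()` is redefined elsewhere in this patch to treat vm86 frames as user mode; in the unpatched 32-bit tree `user_mode()` looks at the CS privilege bits only. That redefinition is not visible in this hunk, so the dependency should be confirmed, since a vm86 frame classified as kernel mode would make `dbg_get_reg()` report `__KERNEL_DS` and a kernel stack pointer for it. The same substitution is made in `kprobe_exceptions_notify()` in kprobes.c. A one-line comment at the first use, such as `/* user_mode() covers vm86 here, see asm/ptrace.h */`, would record the assumption. dbg_get_reg begins and ends outside the hunk.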
16051 @@ -473,12 +473,12 @@ int kgdb_arch_handle_exception(int e_vec
16052 case 'k':
16053 /* clear the trace bit */
16054 linux_regs->flags &= ~X86_EFLAGS_TF;
16055 - atomic_set(&kgdb_cpu_doing_single_step, -1);
16056 + atomic_set_unchecked(&kgdb_cpu_doing_single_step, -1);
16057
16058 /* set the trace bit if we're stepping */
16059 if (remcomInBuffer[0] == 's') {
16060 linux_regs->flags |= X86_EFLAGS_TF;
16061 - atomic_set(&kgdb_cpu_doing_single_step,
16062 + atomic_set_unchecked(&kgdb_cpu_doing_single_step,
16063 raw_smp_processor_id());
16064 }
16065
16066 @@ -534,7 +534,7 @@ static int __kgdb_notify(struct die_args
16067 return NOTIFY_DONE;
16068
16069 case DIE_DEBUG:
16070 - if (atomic_read(&kgdb_cpu_doing_single_step) != -1) {
16071 + if (atomic_read_unchecked(&kgdb_cpu_doing_single_step) != -1) {
16072 if (user_mode(regs))
16073 return single_step_cont(regs, args);
16074 break;
16075 @@ -710,7 +710,7 @@ void kgdb_arch_set_pc(struct pt_regs *re
16076 regs->ip = ip;
16077 }
16078
16079 -struct kgdb_arch arch_kgdb_ops = {
16080 +const struct kgdb_arch arch_kgdb_ops = {
16081 /* Breakpoint instruction: */
16082 .gdb_bpt_instr = { 0xcc },
16083 .flags = KGDB_HW_BREAKPOINT,
16084 diff -urNp linux-2.6.39.3/arch/x86/kernel/kprobes.c linux-2.6.39.3/arch/x86/kernel/kprobes.c
16085 --- linux-2.6.39.3/arch/x86/kernel/kprobes.c 2011-05-19 00:06:34.000000000 -0400
16086 +++ linux-2.6.39.3/arch/x86/kernel/kprobes.c 2011-05-22 19:36:30.000000000 -0400
16087 @@ -115,8 +115,11 @@ static void __kprobes __synthesize_relat
16088 } __attribute__((packed)) *insn;
16089
16090 insn = (struct __arch_relative_insn *)from;
16091 +
16092 + pax_open_kernel();
16093 insn->raddr = (s32)((long)(to) - ((long)(from) + 5));
16094 insn->op = op;
16095 + pax_close_kernel();
16096 }
16097
16098 /* Insert a jump instruction at address 'from', which jumps to address 'to'.*/
16099 @@ -153,7 +156,7 @@ static int __kprobes can_boost(kprobe_op
16100 kprobe_opcode_t opcode;
16101 kprobe_opcode_t *orig_opcodes = opcodes;
16102
16103 - if (search_exception_tables((unsigned long)opcodes))
16104 + if (search_exception_tables(ktva_ktla((unsigned long)opcodes)))
16105 return 0; /* Page fault may occur on this address. */
16106
16107 retry:
16108 @@ -314,7 +317,9 @@ static int __kprobes __copy_instruction(
16109 }
16110 }
16111 insn_get_length(&insn);
16112 + pax_open_kernel();
16113 memcpy(dest, insn.kaddr, insn.length);
16114 + pax_close_kernel();
16115
16116 #ifdef CONFIG_X86_64
16117 if (insn_rip_relative(&insn)) {
16118 @@ -338,7 +343,9 @@ static int __kprobes __copy_instruction(
16119 (u8 *) dest;
16120 BUG_ON((s64) (s32) newdisp != newdisp); /* Sanity check. */
16121 disp = (u8 *) dest + insn_offset_displacement(&insn);
16122 + pax_open_kernel();
16123 *(s32 *) disp = (s32) newdisp;
16124 + pax_close_kernel();
16125 }
16126 #endif
16127 return insn.length;
16128 @@ -352,12 +359,12 @@ static void __kprobes arch_copy_kprobe(s
16129 */
16130 __copy_instruction(p->ainsn.insn, p->addr, 0);
16131
16132 - if (can_boost(p->addr))
16133 + if (can_boost(ktla_ktva(p->addr)))
16134 p->ainsn.boostable = 0;
16135 else
16136 p->ainsn.boostable = -1;
16137
16138 - p->opcode = *p->addr;
16139 + p->opcode = *(ktla_ktva(p->addr));
16140 }
16141
16142 int __kprobes arch_prepare_kprobe(struct kprobe *p)
16143 @@ -474,7 +481,7 @@ static void __kprobes setup_singlestep(s
16144 * nor set current_kprobe, because it doesn't use single
16145 * stepping.
16146 */
16147 - regs->ip = (unsigned long)p->ainsn.insn;
16148 + regs->ip = ktva_ktla((unsigned long)p->ainsn.insn);
16149 preempt_enable_no_resched();
16150 return;
16151 }
16152 @@ -493,7 +500,7 @@ static void __kprobes setup_singlestep(s
16153 if (p->opcode == BREAKPOINT_INSTRUCTION)
16154 regs->ip = (unsigned long)p->addr;
16155 else
16156 - regs->ip = (unsigned long)p->ainsn.insn;
16157 + regs->ip = ktva_ktla((unsigned long)p->ainsn.insn);
16158 }
16159
16160 /*
16161 @@ -572,7 +579,7 @@ static int __kprobes kprobe_handler(stru
16162 setup_singlestep(p, regs, kcb, 0);
16163 return 1;
16164 }
16165 - } else if (*addr != BREAKPOINT_INSTRUCTION) {
16166 + } else if (*(kprobe_opcode_t *)ktla_ktva((unsigned long)addr) != BREAKPOINT_INSTRUCTION) {
16167 /*
16168 * The breakpoint instruction was removed right
16169 * after we hit it. Another cpu has removed
16170 @@ -817,7 +824,7 @@ static void __kprobes resume_execution(s
16171 struct pt_regs *regs, struct kprobe_ctlblk *kcb)
16172 {
16173 unsigned long *tos = stack_addr(regs);
16174 - unsigned long copy_ip = (unsigned long)p->ainsn.insn;
16175 + unsigned long copy_ip = ktva_ktla((unsigned long)p->ainsn.insn);
16176 unsigned long orig_ip = (unsigned long)p->addr;
16177 kprobe_opcode_t *insn = p->ainsn.insn;
16178
16179 @@ -999,7 +1006,7 @@ int __kprobes kprobe_exceptions_notify(s
16180 struct die_args *args = data;
16181 int ret = NOTIFY_DONE;
16182
16183 - if (args->regs && user_mode_vm(args->regs))
16184 + if (args->regs && user_mode(args->regs))
16185 return ret;
16186
16187 switch (val) {
16188 @@ -1381,7 +1388,7 @@ int __kprobes arch_prepare_optimized_kpr
16189 * Verify if the address gap is in 2GB range, because this uses
16190 * a relative jump.
16191 */
16192 - rel = (long)op->optinsn.insn - (long)op->kp.addr + RELATIVEJUMP_SIZE;
16193 + rel = (long)op->optinsn.insn - ktla_ktva((long)op->kp.addr) + RELATIVEJUMP_SIZE;
16194 if (abs(rel) > 0x7fffffff)
16195 return -ERANGE;
16196
16197 @@ -1402,11 +1409,11 @@ int __kprobes arch_prepare_optimized_kpr
16198 synthesize_set_arg1(buf + TMPL_MOVE_IDX, (unsigned long)op);
16199
16200 /* Set probe function call */
16201 - synthesize_relcall(buf + TMPL_CALL_IDX, optimized_callback);
16202 + synthesize_relcall(buf + TMPL_CALL_IDX, ktla_ktva(optimized_callback));
16203
16204 /* Set returning jmp instruction at the tail of out-of-line buffer */
16205 synthesize_reljump(buf + TMPL_END_IDX + op->optinsn.size,
16206 - (u8 *)op->kp.addr + op->optinsn.size);
16207 + (u8 *)ktla_ktva(op->kp.addr) + op->optinsn.size);
16208
16209 flush_icache_range((unsigned long) buf,
16210 (unsigned long) buf + TMPL_END_IDX +
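Review bot: `ktla_ktva()` is handed a function pointer in `ktla_ktva(optimized_callback)` and a `kprobe_opcode_t *` in `ktla_ktva(op->kp.addr)`, while other call sites in this file cast the argument to `unsigned long` or `long` first. Its definition is not visible here; if it is an arithmetic macro, the result type and scaling follow the argument, and arithmetic on a function pointer is a GNU extension. Casting consistently keeps the intent unambiguous, e.g. `synthesize_relcall(buf + TMPL_CALL_IDX, (void *)ktla_ktva((unsigned long)optimized_callback));`. arch_prepare_optimized_kprobe begins and ends outside the hunk.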
16211 @@ -1428,7 +1435,7 @@ static void __kprobes setup_optimize_kpr
16212 ((long)op->kp.addr + RELATIVEJUMP_SIZE));
16213
16214 /* Backup instructions which will be replaced by jump address */
16215 - memcpy(op->optinsn.copied_insn, op->kp.addr + INT3_SIZE,
16216 + memcpy(op->optinsn.copied_insn, ktla_ktva(op->kp.addr) + INT3_SIZE,
16217 RELATIVE_ADDR_SIZE);
16218
16219 insn_buf[0] = RELATIVEJUMP_OPCODE;
16220 diff -urNp linux-2.6.39.3/arch/x86/kernel/ldt.c linux-2.6.39.3/arch/x86/kernel/ldt.c
16221 --- linux-2.6.39.3/arch/x86/kernel/ldt.c 2011-05-19 00:06:34.000000000 -0400
16222 +++ linux-2.6.39.3/arch/x86/kernel/ldt.c 2011-05-22 19:36:30.000000000 -0400
16223 @@ -67,13 +67,13 @@ static int alloc_ldt(mm_context_t *pc, i
16224 if (reload) {
16225 #ifdef CONFIG_SMP
16226 preempt_disable();
16227 - load_LDT(pc);
16228 + load_LDT_nolock(pc);
16229 if (!cpumask_equal(mm_cpumask(current->mm),
16230 cpumask_of(smp_processor_id())))
16231 smp_call_function(flush_ldt, current->mm, 1);
16232 preempt_enable();
16233 #else
16234 - load_LDT(pc);
16235 + load_LDT_nolock(pc);
16236 #endif
16237 }
16238 if (oldsize) {
16239 @@ -95,7 +95,7 @@ static inline int copy_ldt(mm_context_t
16240 return err;
16241
16242 for (i = 0; i < old->size; i++)
16243 - write_ldt_entry(new->ldt, i, old->ldt + i * LDT_ENTRY_SIZE);
16244 + write_ldt_entry(new->ldt, i, old->ldt + i);
16245 return 0;
16246 }
16247
16248 @@ -116,6 +116,24 @@ int init_new_context(struct task_struct
16249 retval = copy_ldt(&mm->context, &old_mm->context);
16250 mutex_unlock(&old_mm->context.lock);
16251 }
16252 +
16253 + if (tsk == current) {
16254 + mm->context.vdso = 0;
16255 +
16256 +#ifdef CONFIG_X86_32
16257 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
16258 + mm->context.user_cs_base = 0UL;
16259 + mm->context.user_cs_limit = ~0UL;
16260 +
16261 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
16262 + cpus_clear(mm->context.cpu_user_cs_mask);
16263 +#endif
16264 +
16265 +#endif
16266 +#endif
16267 +
16268 + }
16269 +
16270 return retval;
16271 }
16272
16273 @@ -230,6 +248,13 @@ static int write_ldt(void __user *ptr, u
16274 }
16275 }
16276
16277 +#ifdef CONFIG_PAX_SEGMEXEC
16278 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (ldt_info.contents & MODIFY_LDT_CONTENTS_CODE)) {
16279 + error = -EINVAL;
16280 + goto out_unlock;
16281 + }
16282 +#endif
16283 +
16284 fill_ldt(&ldt, &ldt_info);
16285 if (oldmode)
16286 ldt.avl = 0;
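Review bot: The test `ldt_info.contents & MODIFY_LDT_CONTENTS_CODE` is a bit test, not an equality, so it rejects both code values of the two-bit `contents` field (2 and 3, the latter being conforming code). That looks intended but reads like a slip for `==`, and the check carries no explanation. A comment would settle it, e.g. `/* bit test on purpose: refuse every code-segment type under SEGMEXEC */`. It should also say why: presumably SEGMEXEC depends on the limits of the kernel-provided user code segment, which a user-defined LDT code segment would sidestep. write_ldt begins and ends outside the hunk.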
16287 diff -urNp linux-2.6.39.3/arch/x86/kernel/machine_kexec_32.c linux-2.6.39.3/arch/x86/kernel/machine_kexec_32.c
16288 --- linux-2.6.39.3/arch/x86/kernel/machine_kexec_32.c 2011-05-19 00:06:34.000000000 -0400
16289 +++ linux-2.6.39.3/arch/x86/kernel/machine_kexec_32.c 2011-05-22 19:36:30.000000000 -0400
16290 @@ -27,7 +27,7 @@
16291 #include <asm/cacheflush.h>
16292 #include <asm/debugreg.h>
16293
16294 -static void set_idt(void *newidt, __u16 limit)
16295 +static void set_idt(struct desc_struct *newidt, __u16 limit)
16296 {
16297 struct desc_ptr curidt;
16298
16299 @@ -39,7 +39,7 @@ static void set_idt(void *newidt, __u16
16300 }
16301
16302
16303 -static void set_gdt(void *newgdt, __u16 limit)
16304 +static void set_gdt(struct desc_struct *newgdt, __u16 limit)
16305 {
16306 struct desc_ptr curgdt;
16307
16308 @@ -217,7 +217,7 @@ void machine_kexec(struct kimage *image)
16309 }
16310
16311 control_page = page_address(image->control_code_page);
16312 - memcpy(control_page, relocate_kernel, KEXEC_CONTROL_CODE_MAX_SIZE);
16313 + memcpy(control_page, (void *)ktla_ktva((unsigned long)relocate_kernel), KEXEC_CONTROL_CODE_MAX_SIZE);
16314
16315 relocate_kernel_ptr = control_page;
16316 page_list[PA_CONTROL_PAGE] = __pa(control_page);
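Review bot: ktla_ktva is called here with an integer, `ktla_ktva((unsigned long)relocate_kernel)`, and the result is cast back to `void *`, while the paravirt_patch_insns and apply_relocate hunks of this patch hand it a pointer directly (`ktla_ktva(start)`, `ktla_ktva((void *)plocation)`). Its definition is not visible here, so presumably it is a macro that accepts both, but the mixed usage makes the call sites harder to audit. Settling on one form, and adding a one-line comment saying which alias of relocate_kernel the copy reads from, would make the intent clear. machine_kexec continues outside the hunk.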
16317 diff -urNp linux-2.6.39.3/arch/x86/kernel/microcode_amd.c linux-2.6.39.3/arch/x86/kernel/microcode_amd.c
16318 --- linux-2.6.39.3/arch/x86/kernel/microcode_amd.c 2011-05-19 00:06:34.000000000 -0400
16319 +++ linux-2.6.39.3/arch/x86/kernel/microcode_amd.c 2011-05-22 19:36:30.000000000 -0400
16320 @@ -339,7 +339,7 @@ static void microcode_fini_cpu_amd(int c
16321 uci->mc = NULL;
16322 }
16323
16324 -static struct microcode_ops microcode_amd_ops = {
16325 +static const struct microcode_ops microcode_amd_ops = {
16326 .request_microcode_user = request_microcode_user,
16327 .request_microcode_fw = request_microcode_amd,
16328 .collect_cpu_info = collect_cpu_info_amd,
16329 @@ -347,7 +347,7 @@ static struct microcode_ops microcode_am
16330 .microcode_fini_cpu = microcode_fini_cpu_amd,
16331 };
16332
16333 -struct microcode_ops * __init init_amd_microcode(void)
16334 +const struct microcode_ops * __init init_amd_microcode(void)
16335 {
16336 return &microcode_amd_ops;
16337 }
16338 diff -urNp linux-2.6.39.3/arch/x86/kernel/microcode_core.c linux-2.6.39.3/arch/x86/kernel/microcode_core.c
16339 --- linux-2.6.39.3/arch/x86/kernel/microcode_core.c 2011-05-19 00:06:34.000000000 -0400
16340 +++ linux-2.6.39.3/arch/x86/kernel/microcode_core.c 2011-05-22 19:36:30.000000000 -0400
16341 @@ -93,7 +93,7 @@ MODULE_LICENSE("GPL");
16342
16343 #define MICROCODE_VERSION "2.00"
16344
16345 -static struct microcode_ops *microcode_ops;
16346 +static const struct microcode_ops *microcode_ops;
16347
16348 /*
16349 * Synchronization.
16350 diff -urNp linux-2.6.39.3/arch/x86/kernel/microcode_intel.c linux-2.6.39.3/arch/x86/kernel/microcode_intel.c
16351 --- linux-2.6.39.3/arch/x86/kernel/microcode_intel.c 2011-05-19 00:06:34.000000000 -0400
16352 +++ linux-2.6.39.3/arch/x86/kernel/microcode_intel.c 2011-05-22 19:36:30.000000000 -0400
16353 @@ -440,13 +440,13 @@ static enum ucode_state request_microcod
16354
16355 static int get_ucode_user(void *to, const void *from, size_t n)
16356 {
16357 - return copy_from_user(to, from, n);
16358 + return copy_from_user(to, (__force const void __user *)from, n);
16359 }
16360
16361 static enum ucode_state
16362 request_microcode_user(int cpu, const void __user *buf, size_t size)
16363 {
16364 - return generic_load_microcode(cpu, (void *)buf, size, &get_ucode_user);
16365 + return generic_load_microcode(cpu, (__force void *)buf, size, &get_ucode_user);
16366 }
16367
16368 static void microcode_fini_cpu(int cpu)
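Review bot: The two `__force` casts in get_ucode_user and request_microcode_user silence the address-space annotation rather than carry it through: `buf` is a userspace pointer that travels through generic_load_microcode typed as a plain `void *`. generic_load_microcode is outside this hunk, so it cannot be confirmed from here that the pointer is only ever read through the `get_ucode_user` callback. A comment at the cast would keep that contract visible, for example `/* buf is still a __user pointer; it may only be read via get_ucode_user() */`.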
16369 @@ -457,7 +457,7 @@ static void microcode_fini_cpu(int cpu)
16370 uci->mc = NULL;
16371 }
16372
16373 -static struct microcode_ops microcode_intel_ops = {
16374 +static const struct microcode_ops microcode_intel_ops = {
16375 .request_microcode_user = request_microcode_user,
16376 .request_microcode_fw = request_microcode_fw,
16377 .collect_cpu_info = collect_cpu_info,
16378 @@ -465,7 +465,7 @@ static struct microcode_ops microcode_in
16379 .microcode_fini_cpu = microcode_fini_cpu,
16380 };
16381
16382 -struct microcode_ops * __init init_intel_microcode(void)
16383 +const struct microcode_ops * __init init_intel_microcode(void)
16384 {
16385 return &microcode_intel_ops;
16386 }
16387 diff -urNp linux-2.6.39.3/arch/x86/kernel/module.c linux-2.6.39.3/arch/x86/kernel/module.c
16388 --- linux-2.6.39.3/arch/x86/kernel/module.c 2011-05-19 00:06:34.000000000 -0400
16389 +++ linux-2.6.39.3/arch/x86/kernel/module.c 2011-05-22 19:36:30.000000000 -0400
16390 @@ -35,21 +35,66 @@
16391 #define DEBUGP(fmt...)
16392 #endif
16393
16394 -void *module_alloc(unsigned long size)
16395 +static inline void *__module_alloc(unsigned long size, pgprot_t prot)
16396 {
16397 if (PAGE_ALIGN(size) > MODULES_LEN)
16398 return NULL;
16399 return __vmalloc_node_range(size, 1, MODULES_VADDR, MODULES_END,
16400 - GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL_EXEC,
16401 + GFP_KERNEL | __GFP_HIGHMEM | __GFP_ZERO, prot,
16402 -1, __builtin_return_address(0));
16403 }
16404
16405 +void *module_alloc(unsigned long size)
16406 +{
16407 +
16408 +#ifdef CONFIG_PAX_KERNEXEC
16409 + return __module_alloc(size, PAGE_KERNEL);
16410 +#else
16411 + return __module_alloc(size, PAGE_KERNEL_EXEC);
16412 +#endif
16413 +
16414 +}
16415 +
16416 /* Free memory returned from module_alloc */
16417 void module_free(struct module *mod, void *module_region)
16418 {
16419 vfree(module_region);
16420 }
16421
16422 +#ifdef CONFIG_PAX_KERNEXEC
16423 +#ifdef CONFIG_X86_32
16424 +void *module_alloc_exec(unsigned long size)
16425 +{
16426 + struct vm_struct *area;
16427 +
16428 + if (size == 0)
16429 + return NULL;
16430 +
16431 + area = __get_vm_area(size, VM_ALLOC, (unsigned long)&MODULES_EXEC_VADDR, (unsigned long)&MODULES_EXEC_END);
16432 + return area ? area->addr : NULL;
16433 +}
16434 +EXPORT_SYMBOL(module_alloc_exec);
16435 +
16436 +void module_free_exec(struct module *mod, void *module_region)
16437 +{
16438 + vunmap(module_region);
16439 +}
16440 +EXPORT_SYMBOL(module_free_exec);
16441 +#else
16442 +void module_free_exec(struct module *mod, void *module_region)
16443 +{
16444 + module_free(mod, module_region);
16445 +}
16446 +EXPORT_SYMBOL(module_free_exec);
16447 +
16448 +void *module_alloc_exec(unsigned long size)
16449 +{
16450 + return __module_alloc(size, PAGE_KERNEL_RX);
16451 +}
16452 +EXPORT_SYMBOL(module_alloc_exec);
16453 +#endif
16454 +#endif
16455 +
16456 /* We don't need anything special. */
16457 int module_frob_arch_sections(Elf_Ehdr *hdr,
16458 Elf_Shdr *sechdrs,
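Review bot: `__module_alloc` is declared `static inline` yet still passes `__builtin_return_address(0)` as the caller to __vmalloc_node_range, so the recorded caller matches the old behaviour only if the helper is really inlined into module_alloc and module_alloc_exec. On a build where `inline` is not forced, the recorded address would point into this file instead of at the code that asked for the module memory. Declaring it `static __always_inline void *__module_alloc(unsigned long size, pgprot_t prot)` removes that dependency. Separately, the 32-bit module_alloc_exec checks only `size == 0` and not the `PAGE_ALIGN(size) > MODULES_LEN` bound that `__module_alloc` applies; a comment saying that the range given to __get_vm_area is the limit would be useful.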
16459 @@ -69,14 +114,16 @@ int apply_relocate(Elf32_Shdr *sechdrs,
16460 unsigned int i;
16461 Elf32_Rel *rel = (void *)sechdrs[relsec].sh_addr;
16462 Elf32_Sym *sym;
16463 - uint32_t *location;
16464 + uint32_t *plocation, location;
16465
16466 DEBUGP("Applying relocate section %u to %u\n", relsec,
16467 sechdrs[relsec].sh_info);
16468 for (i = 0; i < sechdrs[relsec].sh_size / sizeof(*rel); i++) {
16469 /* This is where to make the change */
16470 - location = (void *)sechdrs[sechdrs[relsec].sh_info].sh_addr
16471 - + rel[i].r_offset;
16472 + plocation = (void *)sechdrs[sechdrs[relsec].sh_info].sh_addr + rel[i].r_offset;
16473 + location = (uint32_t)plocation;
16474 + if (sechdrs[sechdrs[relsec].sh_info].sh_flags & SHF_EXECINSTR)
16475 + plocation = ktla_ktva((void *)plocation);
16476 /* This is the symbol it is referring to. Note that all
16477 undefined symbols have been resolved. */
16478 sym = (Elf32_Sym *)sechdrs[symindex].sh_addr
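Review bot: The new `plocation`/`location` pair in apply_relocate is not explained: `location` keeps the address computed from `sh_addr + r_offset`, while `plocation` is redirected through ktla_ktva for sections flagged SHF_EXECINSTR and is the pointer written through in the next hunk. The R_386_PC32 case depends on `location` being captured before that redirection, which is easy to break when lines are reordered. A comment above the assignment, such as `/* location: address used for PC-relative math; plocation: alias the kernel writes through */`, would record this, with the wording to be confirmed against ktla_ktva's definition, which is not visible here. The function begins before and ends after this hunk.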
16479 @@ -85,11 +132,15 @@ int apply_relocate(Elf32_Shdr *sechdrs,
16480 switch (ELF32_R_TYPE(rel[i].r_info)) {
16481 case R_386_32:
16482 /* We add the value into the location given */
16483 - *location += sym->st_value;
16484 + pax_open_kernel();
16485 + *plocation += sym->st_value;
16486 + pax_close_kernel();
16487 break;
16488 case R_386_PC32:
16489 /* Add the value, subtract its postition */
16490 - *location += sym->st_value - (uint32_t)location;
16491 + pax_open_kernel();
16492 + *plocation += sym->st_value - location;
16493 + pax_close_kernel();
16494 break;
16495 default:
16496 printk(KERN_ERR "module %s: Unknown relocation: %u\n",
16497 @@ -145,21 +196,30 @@ int apply_relocate_add(Elf64_Shdr *sechd
16498 case R_X86_64_NONE:
16499 break;
16500 case R_X86_64_64:
16501 + pax_open_kernel();
16502 *(u64 *)loc = val;
16503 + pax_close_kernel();
16504 break;
16505 case R_X86_64_32:
16506 + pax_open_kernel();
16507 *(u32 *)loc = val;
16508 + pax_close_kernel();
16509 if (val != *(u32 *)loc)
16510 goto overflow;
16511 break;
16512 case R_X86_64_32S:
16513 + pax_open_kernel();
16514 *(s32 *)loc = val;
16515 + pax_close_kernel();
16516 if ((s64)val != *(s32 *)loc)
16517 goto overflow;
16518 break;
16519 case R_X86_64_PC32:
16520 val -= (u64)loc;
16521 + pax_open_kernel();
16522 *(u32 *)loc = val;
16523 + pax_close_kernel();
16524 +
16525 #if 0
16526 if ((s64)val != *(s32 *)loc)
16527 goto overflow;
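Review bot: In the R_X86_64_32 and R_X86_64_32S cases the truncated value is stored inside the pax_open_kernel()/pax_close_kernel() window and only afterwards compared with `val`, so a relocation that overflows has already modified its target before `goto overflow` rejects it. That ordering predates this change, but now that the store needs a write window it would be cleaner to test first, e.g. `if (val != (u32)val) goto overflow;` ahead of pax_open_kernel(), and open the window only for values that fit. The four identical open/store/close sequences could also share one small static helper. apply_relocate_add starts and ends outside the hunk.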
16528 diff -urNp linux-2.6.39.3/arch/x86/kernel/paravirt.c linux-2.6.39.3/arch/x86/kernel/paravirt.c
16529 --- linux-2.6.39.3/arch/x86/kernel/paravirt.c 2011-05-19 00:06:34.000000000 -0400
16530 +++ linux-2.6.39.3/arch/x86/kernel/paravirt.c 2011-05-22 19:36:30.000000000 -0400
16531 @@ -122,7 +122,7 @@ unsigned paravirt_patch_jmp(void *insnbu
16532 * corresponding structure. */
16533 static void *get_call_destination(u8 type)
16534 {
16535 - struct paravirt_patch_template tmpl = {
16536 + const struct paravirt_patch_template tmpl = {
16537 .pv_init_ops = pv_init_ops,
16538 .pv_time_ops = pv_time_ops,
16539 .pv_cpu_ops = pv_cpu_ops,
16540 @@ -133,6 +133,9 @@ static void *get_call_destination(u8 typ
16541 .pv_lock_ops = pv_lock_ops,
16542 #endif
16543 };
16544 +
16545 + pax_track_stack();
16546 +
16547 return *((void **)&tmpl + type);
16548 }
16549
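Review bot: The return line `*((void **)&tmpl + type)` casts away the `const` that the previous hunk adds to `tmpl`. The access is only a read, so a const-preserving cast such as `*((void * const *)&tmpl + type)` says the same thing without discarding the qualifier. `type` is also used as an index with no range check visible in this function; if callers guarantee the range, a comment saying so would help.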
16550 @@ -145,14 +148,14 @@ unsigned paravirt_patch_default(u8 type,
16551 if (opfunc == NULL)
16552 /* If there's no function, patch it with a ud2a (BUG) */
16553 ret = paravirt_patch_insns(insnbuf, len, ud2a, ud2a+sizeof(ud2a));
16554 - else if (opfunc == _paravirt_nop)
16555 + else if (opfunc == (void *)_paravirt_nop)
16556 /* If the operation is a nop, then nop the callsite */
16557 ret = paravirt_patch_nop();
16558
16559 /* identity functions just return their single argument */
16560 - else if (opfunc == _paravirt_ident_32)
16561 + else if (opfunc == (void *)_paravirt_ident_32)
16562 ret = paravirt_patch_ident_32(insnbuf, len);
16563 - else if (opfunc == _paravirt_ident_64)
16564 + else if (opfunc == (void *)_paravirt_ident_64)
16565 ret = paravirt_patch_ident_64(insnbuf, len);
16566
16567 else if (type == PARAVIRT_PATCH(pv_cpu_ops.iret) ||
16568 @@ -178,7 +181,7 @@ unsigned paravirt_patch_insns(void *insn
16569 if (insn_len > len || start == NULL)
16570 insn_len = len;
16571 else
16572 - memcpy(insnbuf, start, insn_len);
16573 + memcpy(insnbuf, ktla_ktva(start), insn_len);
16574
16575 return insn_len;
16576 }
16577 @@ -294,22 +297,22 @@ void arch_flush_lazy_mmu_mode(void)
16578 preempt_enable();
16579 }
16580
16581 -struct pv_info pv_info = {
16582 +struct pv_info pv_info __read_only = {
16583 .name = "bare hardware",
16584 .paravirt_enabled = 0,
16585 .kernel_rpl = 0,
16586 .shared_kernel_pmd = 1, /* Only used when CONFIG_X86_PAE is set */
16587 };
16588
16589 -struct pv_init_ops pv_init_ops = {
16590 +struct pv_init_ops pv_init_ops __read_only = {
16591 .patch = native_patch,
16592 };
16593
16594 -struct pv_time_ops pv_time_ops = {
16595 +struct pv_time_ops pv_time_ops __read_only = {
16596 .sched_clock = native_sched_clock,
16597 };
16598
16599 -struct pv_irq_ops pv_irq_ops = {
16600 +struct pv_irq_ops pv_irq_ops __read_only = {
16601 .save_fl = __PV_IS_CALLEE_SAVE(native_save_fl),
16602 .restore_fl = __PV_IS_CALLEE_SAVE(native_restore_fl),
16603 .irq_disable = __PV_IS_CALLEE_SAVE(native_irq_disable),
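Review bot: Marking `pv_info`, `pv_init_ops`, `pv_time_ops` and `pv_irq_ops` `__read_only` here (and pv_cpu_ops, pv_apic_ops, pv_mmu_ops and pv_lock_ops in the following hunks) changes the contract for every writer of these structures, but nothing at the definitions records it. Code that fills these tables during guest or platform setup is not visible in this part of the patch, so it cannot be confirmed from here that every write happens before the section is protected or inside a pax_open_kernel()/pax_close_kernel() pair. A comment above the first definition, for example `/* __read_only: later updates must go through pax_open_kernel()/pax_close_kernel() */`, would make that explicit, with the exact point at which protection starts to be confirmed.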
16604 @@ -321,7 +324,7 @@ struct pv_irq_ops pv_irq_ops = {
16605 #endif
16606 };
16607
16608 -struct pv_cpu_ops pv_cpu_ops = {
16609 +struct pv_cpu_ops pv_cpu_ops __read_only = {
16610 .cpuid = native_cpuid,
16611 .get_debugreg = native_get_debugreg,
16612 .set_debugreg = native_set_debugreg,
16613 @@ -382,7 +385,7 @@ struct pv_cpu_ops pv_cpu_ops = {
16614 .end_context_switch = paravirt_nop,
16615 };
16616
16617 -struct pv_apic_ops pv_apic_ops = {
16618 +struct pv_apic_ops pv_apic_ops __read_only = {
16619 #ifdef CONFIG_X86_LOCAL_APIC
16620 .startup_ipi_hook = paravirt_nop,
16621 #endif
16622 @@ -396,7 +399,7 @@ struct pv_apic_ops pv_apic_ops = {
16623 #define PTE_IDENT __PV_IS_CALLEE_SAVE(_paravirt_ident_64)
16624 #endif
16625
16626 -struct pv_mmu_ops pv_mmu_ops = {
16627 +struct pv_mmu_ops pv_mmu_ops __read_only = {
16628
16629 .read_cr2 = native_read_cr2,
16630 .write_cr2 = native_write_cr2,
16631 @@ -465,6 +468,12 @@ struct pv_mmu_ops pv_mmu_ops = {
16632 },
16633
16634 .set_fixmap = native_set_fixmap,
16635 +
16636 +#ifdef CONFIG_PAX_KERNEXEC
16637 + .pax_open_kernel = native_pax_open_kernel,
16638 + .pax_close_kernel = native_pax_close_kernel,
16639 +#endif
16640 +
16641 };
16642
16643 EXPORT_SYMBOL_GPL(pv_time_ops);
16644 diff -urNp linux-2.6.39.3/arch/x86/kernel/paravirt-spinlocks.c linux-2.6.39.3/arch/x86/kernel/paravirt-spinlocks.c
16645 --- linux-2.6.39.3/arch/x86/kernel/paravirt-spinlocks.c 2011-05-19 00:06:34.000000000 -0400
16646 +++ linux-2.6.39.3/arch/x86/kernel/paravirt-spinlocks.c 2011-05-22 19:36:30.000000000 -0400
16647 @@ -13,7 +13,7 @@ default_spin_lock_flags(arch_spinlock_t
16648 arch_spin_lock(lock);
16649 }
16650
16651 -struct pv_lock_ops pv_lock_ops = {
16652 +struct pv_lock_ops pv_lock_ops __read_only = {
16653 #ifdef CONFIG_SMP
16654 .spin_is_locked = __ticket_spin_is_locked,
16655 .spin_is_contended = __ticket_spin_is_contended,
16656 diff -urNp linux-2.6.39.3/arch/x86/kernel/pci-calgary_64.c linux-2.6.39.3/arch/x86/kernel/pci-calgary_64.c
16657 --- linux-2.6.39.3/arch/x86/kernel/pci-calgary_64.c 2011-05-19 00:06:34.000000000 -0400
16658 +++ linux-2.6.39.3/arch/x86/kernel/pci-calgary_64.c 2011-05-22 19:36:30.000000000 -0400
16659 @@ -179,13 +179,13 @@ static void calioc2_dump_error_regs(stru
16660 static void calgary_init_bitmap_from_tce_table(struct iommu_table *tbl);
16661 static void get_tce_space_from_tar(void);
16662
16663 -static struct cal_chipset_ops calgary_chip_ops = {
16664 +static const struct cal_chipset_ops calgary_chip_ops = {
16665 .handle_quirks = calgary_handle_quirks,
16666 .tce_cache_blast = calgary_tce_cache_blast,
16667 .dump_error_regs = calgary_dump_error_regs
16668 };
16669
16670 -static struct cal_chipset_ops calioc2_chip_ops = {
16671 +static const struct cal_chipset_ops calioc2_chip_ops = {
16672 .handle_quirks = calioc2_handle_quirks,
16673 .tce_cache_blast = calioc2_tce_cache_blast,
16674 .dump_error_regs = calioc2_dump_error_regs
16675 @@ -476,7 +476,7 @@ static void calgary_free_coherent(struct
16676 free_pages((unsigned long)vaddr, get_order(size));
16677 }
16678
16679 -static struct dma_map_ops calgary_dma_ops = {
16680 +static const struct dma_map_ops calgary_dma_ops = {
16681 .alloc_coherent = calgary_alloc_coherent,
16682 .free_coherent = calgary_free_coherent,
16683 .map_sg = calgary_map_sg,
16684 diff -urNp linux-2.6.39.3/arch/x86/kernel/pci-dma.c linux-2.6.39.3/arch/x86/kernel/pci-dma.c
16685 --- linux-2.6.39.3/arch/x86/kernel/pci-dma.c 2011-05-19 00:06:34.000000000 -0400
16686 +++ linux-2.6.39.3/arch/x86/kernel/pci-dma.c 2011-05-22 19:36:30.000000000 -0400
16687 @@ -16,7 +16,7 @@
16688
16689 static int forbid_dac __read_mostly;
16690
16691 -struct dma_map_ops *dma_ops = &nommu_dma_ops;
16692 +const struct dma_map_ops *dma_ops = &nommu_dma_ops;
16693 EXPORT_SYMBOL(dma_ops);
16694
16695 static int iommu_sac_force __read_mostly;
16696 @@ -250,7 +250,7 @@ early_param("iommu", iommu_setup);
16697
16698 int dma_supported(struct device *dev, u64 mask)
16699 {
16700 - struct dma_map_ops *ops = get_dma_ops(dev);
16701 + const struct dma_map_ops *ops = get_dma_ops(dev);
16702
16703 #ifdef CONFIG_PCI
16704 if (mask > 0xffffffff && forbid_dac > 0) {
16705 diff -urNp linux-2.6.39.3/arch/x86/kernel/pci-gart_64.c linux-2.6.39.3/arch/x86/kernel/pci-gart_64.c
16706 --- linux-2.6.39.3/arch/x86/kernel/pci-gart_64.c 2011-05-19 00:06:34.000000000 -0400
16707 +++ linux-2.6.39.3/arch/x86/kernel/pci-gart_64.c 2011-05-22 19:36:30.000000000 -0400
16708 @@ -695,7 +695,7 @@ static __init int init_amd_gatt(struct a
16709 return -1;
16710 }
16711
16712 -static struct dma_map_ops gart_dma_ops = {
16713 +static const struct dma_map_ops gart_dma_ops = {
16714 .map_sg = gart_map_sg,
16715 .unmap_sg = gart_unmap_sg,
16716 .map_page = gart_map_page,
16717 diff -urNp linux-2.6.39.3/arch/x86/kernel/pci-iommu_table.c linux-2.6.39.3/arch/x86/kernel/pci-iommu_table.c
16718 --- linux-2.6.39.3/arch/x86/kernel/pci-iommu_table.c 2011-05-19 00:06:34.000000000 -0400
16719 +++ linux-2.6.39.3/arch/x86/kernel/pci-iommu_table.c 2011-05-22 19:36:30.000000000 -0400
16720 @@ -2,7 +2,7 @@
16721 #include <asm/iommu_table.h>
16722 #include <linux/string.h>
16723 #include <linux/kallsyms.h>
16724 -
16725 +#include <linux/sched.h>
16726
16727 #define DEBUG 1
16728
16729 @@ -53,6 +53,8 @@ void __init check_iommu_entries(struct i
16730 char sym_p[KSYM_SYMBOL_LEN];
16731 char sym_q[KSYM_SYMBOL_LEN];
16732
16733 + pax_track_stack();
16734 +
16735 /* Simple cyclic dependency checker. */
16736 for (p = start; p < finish; p++) {
16737 q = find_dependents_of(start, finish, p);
16738 diff -urNp linux-2.6.39.3/arch/x86/kernel/pci-nommu.c linux-2.6.39.3/arch/x86/kernel/pci-nommu.c
16739 --- linux-2.6.39.3/arch/x86/kernel/pci-nommu.c 2011-05-19 00:06:34.000000000 -0400
16740 +++ linux-2.6.39.3/arch/x86/kernel/pci-nommu.c 2011-05-22 19:36:30.000000000 -0400
16741 @@ -95,7 +95,7 @@ static void nommu_sync_sg_for_device(str
16742 flush_write_buffers();
16743 }
16744
16745 -struct dma_map_ops nommu_dma_ops = {
16746 +const struct dma_map_ops nommu_dma_ops = {
16747 .alloc_coherent = dma_generic_alloc_coherent,
16748 .free_coherent = nommu_free_coherent,
16749 .map_sg = nommu_map_sg,
16750 diff -urNp linux-2.6.39.3/arch/x86/kernel/pci-swiotlb.c linux-2.6.39.3/arch/x86/kernel/pci-swiotlb.c
16751 --- linux-2.6.39.3/arch/x86/kernel/pci-swiotlb.c 2011-05-19 00:06:34.000000000 -0400
16752 +++ linux-2.6.39.3/arch/x86/kernel/pci-swiotlb.c 2011-05-22 19:36:30.000000000 -0400
16753 @@ -26,7 +26,7 @@ static void *x86_swiotlb_alloc_coherent(
16754 return swiotlb_alloc_coherent(hwdev, size, dma_handle, flags);
16755 }
16756
16757 -static struct dma_map_ops swiotlb_dma_ops = {
16758 +static const struct dma_map_ops swiotlb_dma_ops = {
16759 .mapping_error = swiotlb_dma_mapping_error,
16760 .alloc_coherent = x86_swiotlb_alloc_coherent,
16761 .free_coherent = swiotlb_free_coherent,
16762 diff -urNp linux-2.6.39.3/arch/x86/kernel/process_32.c linux-2.6.39.3/arch/x86/kernel/process_32.c
16763 --- linux-2.6.39.3/arch/x86/kernel/process_32.c 2011-06-25 12:55:22.000000000 -0400
16764 +++ linux-2.6.39.3/arch/x86/kernel/process_32.c 2011-06-25 13:00:25.000000000 -0400
16765 @@ -65,6 +65,7 @@ asmlinkage void ret_from_fork(void) __as
16766 unsigned long thread_saved_pc(struct task_struct *tsk)
16767 {
16768 return ((unsigned long *)tsk->thread.sp)[3];
16769 +//XXX return tsk->thread.eip;
16770 }
16771
16772 #ifndef CONFIG_SMP
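Review bot: The added line `//XXX return tsk->thread.eip;` in thread_saved_pc is commented-out code placed after the function's `return`, with no explanation of what the XXX is tracking. It also names a field `eip`, whereas the copy_thread hunk later in this file assigns `p->thread.ip`, so the alternative may not compile as written. Either drop the line or replace it with a real comment that states the open question, for example `/* XXX: confirm that sp[3] is still the saved pc slot */`.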
16773 @@ -126,15 +127,14 @@ void __show_regs(struct pt_regs *regs, i
16774 unsigned long sp;
16775 unsigned short ss, gs;
16776
16777 - if (user_mode_vm(regs)) {
16778 + if (user_mode(regs)) {
16779 sp = regs->sp;
16780 ss = regs->ss & 0xffff;
16781 - gs = get_user_gs(regs);
16782 } else {
16783 sp = kernel_stack_pointer(regs);
16784 savesegment(ss, ss);
16785 - savesegment(gs, gs);
16786 }
16787 + gs = get_user_gs(regs);
16788
16789 show_regs_common();
16790
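Review bot: The switch from `user_mode_vm(regs)` to `user_mode(regs)` in __show_regs (and again in fill_sigtrap_info in the ptrace.c part of this patch) is only equivalent if `user_mode()` is redefined elsewhere to cover vm86 frames; that definition is not visible here. If it is not, a vm86 register frame would take the kernel branch and `sp` and `ss` would be reported from the wrong source. A comment at the call naming the header that changes `user_mode()` would let a reader verify this. The hunk also makes `gs = get_user_gs(regs)` unconditional and drops the kernel-mode `savesegment(gs, gs)`; it would be worth saying why the saved value is now correct in both cases.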
16791 @@ -196,13 +196,14 @@ int copy_thread(unsigned long clone_flag
16792 struct task_struct *tsk;
16793 int err;
16794
16795 - childregs = task_pt_regs(p);
16796 + childregs = task_stack_page(p) + THREAD_SIZE - sizeof(struct pt_regs) - 8;
16797 *childregs = *regs;
16798 childregs->ax = 0;
16799 childregs->sp = sp;
16800
16801 p->thread.sp = (unsigned long) childregs;
16802 p->thread.sp0 = (unsigned long) (childregs+1);
16803 + p->tinfo.lowest_stack = (unsigned long)task_stack_page(p);
16804
16805 p->thread.ip = (unsigned long) ret_from_fork;
16806
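Review bot: The bare `- 8` in `task_stack_page(p) + THREAD_SIZE - sizeof(struct pt_regs) - 8` (and `- 16` in the process_64.c copy_thread hunk, repeated as `THREAD_SIZE-16-sizeof(u64)` in get_wchan) is an unnamed layout constant shared by several functions. The 64-bit __switch_to code removed by this patch used the named KERNEL_STACK_OFFSET for the same kind of gap, so one named constant per architecture would keep these sites in step. The result is also assigned to `childregs` without a cast, so the expression presumably relies on `void *` arithmetic that the replaced `task_pt_regs(p)` used to hide. copy_thread continues outside the hunk.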
16807 @@ -292,7 +293,7 @@ __switch_to(struct task_struct *prev_p,
16808 struct thread_struct *prev = &prev_p->thread,
16809 *next = &next_p->thread;
16810 int cpu = smp_processor_id();
16811 - struct tss_struct *tss = &per_cpu(init_tss, cpu);
16812 + struct tss_struct *tss = init_tss + cpu;
16813 bool preload_fpu;
16814
16815 /* never put a printk in __switch_to... printk() calls wake_up*() indirectly */
16816 @@ -327,6 +328,10 @@ __switch_to(struct task_struct *prev_p,
16817 */
16818 lazy_save_gs(prev->gs);
16819
16820 +#ifdef CONFIG_PAX_MEMORY_UDEREF
16821 + __set_fs(task_thread_info(next_p)->addr_limit);
16822 +#endif
16823 +
16824 /*
16825 * Load the per-thread Thread-Local Storage descriptor.
16826 */
16827 @@ -362,6 +367,9 @@ __switch_to(struct task_struct *prev_p,
16828 */
16829 arch_end_context_switch(next_p);
16830
16831 + percpu_write(current_task, next_p);
16832 + percpu_write(current_tinfo, &next_p->tinfo);
16833 +
16834 if (preload_fpu)
16835 __math_state_restore();
16836
16837 @@ -371,8 +379,6 @@ __switch_to(struct task_struct *prev_p,
16838 if (prev->gs | next->gs)
16839 lazy_load_gs(next->gs);
16840
16841 - percpu_write(current_task, next_p);
16842 -
16843 return prev_p;
16844 }
16845
16846 @@ -402,4 +408,3 @@ unsigned long get_wchan(struct task_stru
16847 } while (count++ < 16);
16848 return 0;
16849 }
16850 -
16851 diff -urNp linux-2.6.39.3/arch/x86/kernel/process_64.c linux-2.6.39.3/arch/x86/kernel/process_64.c
16852 --- linux-2.6.39.3/arch/x86/kernel/process_64.c 2011-06-25 12:55:22.000000000 -0400
16853 +++ linux-2.6.39.3/arch/x86/kernel/process_64.c 2011-06-25 13:00:25.000000000 -0400
16854 @@ -87,7 +87,7 @@ static void __exit_idle(void)
16855 void exit_idle(void)
16856 {
16857 /* idle loop has pid 0 */
16858 - if (current->pid)
16859 + if (task_pid_nr(current))
16860 return;
16861 __exit_idle();
16862 }
16863 @@ -260,8 +260,7 @@ int copy_thread(unsigned long clone_flag
16864 struct pt_regs *childregs;
16865 struct task_struct *me = current;
16866
16867 - childregs = ((struct pt_regs *)
16868 - (THREAD_SIZE + task_stack_page(p))) - 1;
16869 + childregs = task_stack_page(p) + THREAD_SIZE - sizeof(struct pt_regs) - 16;
16870 *childregs = *regs;
16871
16872 childregs->ax = 0;
16873 @@ -273,6 +272,7 @@ int copy_thread(unsigned long clone_flag
16874 p->thread.sp = (unsigned long) childregs;
16875 p->thread.sp0 = (unsigned long) (childregs+1);
16876 p->thread.usersp = me->thread.usersp;
16877 + p->tinfo.lowest_stack = (unsigned long)task_stack_page(p);
16878
16879 set_tsk_thread_flag(p, TIF_FORK);
16880
16881 @@ -375,7 +375,7 @@ __switch_to(struct task_struct *prev_p,
16882 struct thread_struct *prev = &prev_p->thread;
16883 struct thread_struct *next = &next_p->thread;
16884 int cpu = smp_processor_id();
16885 - struct tss_struct *tss = &per_cpu(init_tss, cpu);
16886 + struct tss_struct *tss = init_tss + cpu;
16887 unsigned fsindex, gsindex;
16888 bool preload_fpu;
16889
16890 @@ -471,10 +471,9 @@ __switch_to(struct task_struct *prev_p,
16891 prev->usersp = percpu_read(old_rsp);
16892 percpu_write(old_rsp, next->usersp);
16893 percpu_write(current_task, next_p);
16894 + percpu_write(current_tinfo, &next_p->tinfo);
16895
16896 - percpu_write(kernel_stack,
16897 - (unsigned long)task_stack_page(next_p) +
16898 - THREAD_SIZE - KERNEL_STACK_OFFSET);
16899 + percpu_write(kernel_stack, next->sp0);
16900
16901 /*
16902 * Now maybe reload the debug registers and handle I/O bitmaps
16903 @@ -536,12 +535,11 @@ unsigned long get_wchan(struct task_stru
16904 if (!p || p == current || p->state == TASK_RUNNING)
16905 return 0;
16906 stack = (unsigned long)task_stack_page(p);
16907 - if (p->thread.sp < stack || p->thread.sp >= stack+THREAD_SIZE)
16908 + if (p->thread.sp < stack || p->thread.sp > stack+THREAD_SIZE-16-sizeof(u64))
16909 return 0;
16910 fp = *(u64 *)(p->thread.sp);
16911 do {
16912 - if (fp < (unsigned long)stack ||
16913 - fp >= (unsigned long)stack+THREAD_SIZE)
16914 + if (fp < stack || fp > stack+THREAD_SIZE-16-sizeof(u64))
16915 return 0;
16916 ip = *(u64 *)(fp+8);
16917 if (!in_sched_functions(ip))
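Review bot: The same upper bound, `stack+THREAD_SIZE-16-sizeof(u64)`, is applied to both `p->thread.sp` and `fp`, but the two are dereferenced differently: `sp` is read at offset 0 while the loop reads `*(u64 *)(fp+8)`. With `fp` at the bound, that read covers the first eight bytes of the 16-byte gap that the copy_thread hunk in this file leaves at the top of the stack. If the walker is meant to stay below that gap, the `fp` test needs room for two words: `if (fp < stack || fp > stack+THREAD_SIZE-16-2*sizeof(u64))`. The rest of the loop is outside this hunk.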
16918 diff -urNp linux-2.6.39.3/arch/x86/kernel/process.c linux-2.6.39.3/arch/x86/kernel/process.c
16919 --- linux-2.6.39.3/arch/x86/kernel/process.c 2011-05-19 00:06:34.000000000 -0400
16920 +++ linux-2.6.39.3/arch/x86/kernel/process.c 2011-05-22 19:36:30.000000000 -0400
16921 @@ -48,16 +48,33 @@ void free_thread_xstate(struct task_stru
16922
16923 void free_thread_info(struct thread_info *ti)
16924 {
16925 - free_thread_xstate(ti->task);
16926 free_pages((unsigned long)ti, get_order(THREAD_SIZE));
16927 }
16928
16929 +static struct kmem_cache *task_struct_cachep;
16930 +
16931 void arch_task_cache_init(void)
16932 {
16933 - task_xstate_cachep =
16934 - kmem_cache_create("task_xstate", xstate_size,
16935 + /* create a slab on which task_structs can be allocated */
16936 + task_struct_cachep =
16937 + kmem_cache_create("task_struct", sizeof(struct task_struct),
16938 + ARCH_MIN_TASKALIGN, SLAB_PANIC | SLAB_NOTRACK, NULL);
16939 +
16940 + task_xstate_cachep =
16941 + kmem_cache_create("task_xstate", xstate_size,
16942 __alignof__(union thread_xstate),
16943 - SLAB_PANIC | SLAB_NOTRACK, NULL);
16944 + SLAB_PANIC | SLAB_NOTRACK | SLAB_USERCOPY, NULL);
16945 +}
16946 +
16947 +struct task_struct *alloc_task_struct_node(int node)
16948 +{
16949 + return kmem_cache_alloc_node(task_struct_cachep, GFP_KERNEL, node);
16950 +}
16951 +
16952 +void free_task_struct(struct task_struct *task)
16953 +{
16954 + free_thread_xstate(task);
16955 + kmem_cache_free(task_struct_cachep, task);
16956 }
16957
16958 /*
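Review bot: arch_task_cache_init now creates two caches with different flags, `task_struct` without SLAB_USERCOPY and `task_xstate` with it, and neither call says why. Presumably SLAB_USERCOPY marks a cache whose objects may be copied to or from userspace, which would make its absence on `task_struct` the deliberate, restrictive choice; a comment on each call would keep someone from "fixing" the asymmetry. free_thread_xstate() also moves from free_thread_info() to the new free_task_struct(), so the xstate lifetime now follows the task_struct rather than the stack pages, and that deserves a line of documentation too. The callers that must switch to alloc_task_struct_node() and free_task_struct() are not visible in this hunk.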
16959 @@ -70,7 +87,7 @@ void exit_thread(void)
16960 unsigned long *bp = t->io_bitmap_ptr;
16961
16962 if (bp) {
16963 - struct tss_struct *tss = &per_cpu(init_tss, get_cpu());
16964 + struct tss_struct *tss = init_tss + get_cpu();
16965
16966 t->io_bitmap_ptr = NULL;
16967 clear_thread_flag(TIF_IO_BITMAP);
16968 @@ -106,7 +123,7 @@ void show_regs_common(void)
16969
16970 printk(KERN_CONT "\n");
16971 printk(KERN_DEFAULT "Pid: %d, comm: %.20s %s %s %.*s",
16972 - current->pid, current->comm, print_tainted(),
16973 + task_pid_nr(current), current->comm, print_tainted(),
16974 init_utsname()->release,
16975 (int)strcspn(init_utsname()->version, " "),
16976 init_utsname()->version);
16977 @@ -120,6 +137,9 @@ void flush_thread(void)
16978 {
16979 struct task_struct *tsk = current;
16980
16981 +#if defined(CONFIG_X86_32) && !defined(CONFIG_CC_STACKPROTECTOR) && !defined(CONFIG_PAX_MEMORY_UDEREF)
16982 + loadsegment(gs, 0);
16983 +#endif
16984 flush_ptrace_hw_breakpoint(tsk);
16985 memset(tsk->thread.tls_array, 0, sizeof(tsk->thread.tls_array));
16986 /*
16987 @@ -282,10 +302,10 @@ int kernel_thread(int (*fn)(void *), voi
16988 regs.di = (unsigned long) arg;
16989
16990 #ifdef CONFIG_X86_32
16991 - regs.ds = __USER_DS;
16992 - regs.es = __USER_DS;
16993 + regs.ds = __KERNEL_DS;
16994 + regs.es = __KERNEL_DS;
16995 regs.fs = __KERNEL_PERCPU;
16996 - regs.gs = __KERNEL_STACK_CANARY;
16997 + savesegment(gs, regs.gs);
16998 #else
16999 regs.ss = __KERNEL_DS;
17000 #endif
17001 @@ -401,7 +421,7 @@ void default_idle(void)
17002 EXPORT_SYMBOL(default_idle);
17003 #endif
17004
17005 -void stop_this_cpu(void *dummy)
17006 +__noreturn void stop_this_cpu(void *dummy)
17007 {
17008 local_irq_disable();
17009 /*
17010 @@ -665,16 +685,34 @@ static int __init idle_setup(char *str)
17011 }
17012 early_param("idle", idle_setup);
17013
17014 -unsigned long arch_align_stack(unsigned long sp)
17015 +#ifdef CONFIG_PAX_RANDKSTACK
17016 +asmlinkage void pax_randomize_kstack(void)
17017 {
17018 - if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
17019 - sp -= get_random_int() % 8192;
17020 - return sp & ~0xf;
17021 -}
17022 + struct thread_struct *thread = &current->thread;
17023 + unsigned long time;
17024
17025 -unsigned long arch_randomize_brk(struct mm_struct *mm)
17026 -{
17027 - unsigned long range_end = mm->brk + 0x02000000;
17028 - return randomize_range(mm->brk, range_end, 0) ? : mm->brk;
17029 -}
17030 + if (!randomize_va_space)
17031 + return;
17032 +
17033 + rdtscl(time);
17034 +
17035 + /* P4 seems to return a 0 LSB, ignore it */
17036 +#ifdef CONFIG_MPENTIUM4
17037 + time &= 0x3EUL;
17038 + time <<= 2;
17039 +#elif defined(CONFIG_X86_64)
17040 + time &= 0xFUL;
17041 + time <<= 4;
17042 +#else
17043 + time &= 0x1FUL;
17044 + time <<= 3;
17045 +#endif
17046 +
17047 + thread->sp0 ^= time;
17048 + load_sp0(init_tss + smp_processor_id(), thread);
17049
17050 +#ifdef CONFIG_X86_64
17051 + percpu_write(kernel_stack, thread->sp0);
17052 +#endif
17053 +}
17054 +#endif
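Review bot: pax_randomize_kstack has no comment describing the invariant that makes `thread->sp0 ^= time` safe. The masks confine the offset to bits 3-7 (bits 4-7 on x86_64), and the copy_thread hunks in process_32.c and process_64.c leave sp0 8 and 16 bytes below the top of the stack, which would leave exactly those bits set in sp0's low byte so that the XOR can only lower sp0 within a 256-byte window; that holds only if the stack is suitably aligned, and the coupling is written down nowhere. A comment such as `/* sp0 starts with bits 3..7 (4..7 on 64-bit) set, see copy_thread(); XOR with the masked TSC only lowers it */` would record it. It would also be worth stating that the offset comes from the low TSC bits, four or five bits per call, and not from the kernel random pool.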
17055 diff -urNp linux-2.6.39.3/arch/x86/kernel/ptrace.c linux-2.6.39.3/arch/x86/kernel/ptrace.c
17056 --- linux-2.6.39.3/arch/x86/kernel/ptrace.c 2011-05-19 00:06:34.000000000 -0400
17057 +++ linux-2.6.39.3/arch/x86/kernel/ptrace.c 2011-05-22 19:36:30.000000000 -0400
17058 @@ -821,7 +821,7 @@ long arch_ptrace(struct task_struct *chi
17059 unsigned long addr, unsigned long data)
17060 {
17061 int ret;
17062 - unsigned long __user *datap = (unsigned long __user *)data;
17063 + unsigned long __user *datap = (__force unsigned long __user *)data;
17064
17065 switch (request) {
17066 /* read the word at location addr in the USER area. */
17067 @@ -906,14 +906,14 @@ long arch_ptrace(struct task_struct *chi
17068 if ((int) addr < 0)
17069 return -EIO;
17070 ret = do_get_thread_area(child, addr,
17071 - (struct user_desc __user *)data);
17072 + (__force struct user_desc __user *) data);
17073 break;
17074
17075 case PTRACE_SET_THREAD_AREA:
17076 if ((int) addr < 0)
17077 return -EIO;
17078 ret = do_set_thread_area(child, addr,
17079 - (struct user_desc __user *)data, 0);
17080 + (__force struct user_desc __user *) data, 0);
17081 break;
17082 #endif
17083
17084 @@ -1330,7 +1330,7 @@ static void fill_sigtrap_info(struct tas
17085 memset(info, 0, sizeof(*info));
17086 info->si_signo = SIGTRAP;
17087 info->si_code = si_code;
17088 - info->si_addr = user_mode_vm(regs) ? (void __user *)regs->ip : NULL;
17089 + info->si_addr = user_mode(regs) ? (__force void __user *)regs->ip : NULL;
17090 }
17091
17092 void user_single_step_siginfo(struct task_struct *tsk,
17093 @@ -1363,7 +1363,7 @@ void send_sigtrap(struct task_struct *ts
17094 * We must return the syscall number to actually look up in the table.
17095 * This can be -1L to skip running any syscall at all.
17096 */
17097 -asmregparm long syscall_trace_enter(struct pt_regs *regs)
17098 +long syscall_trace_enter(struct pt_regs *regs)
17099 {
17100 long ret = 0;
17101
17102 @@ -1408,7 +1408,7 @@ asmregparm long syscall_trace_enter(stru
17103 return ret ?: regs->orig_ax;
17104 }
17105
17106 -asmregparm void syscall_trace_leave(struct pt_regs *regs)
17107 +void syscall_trace_leave(struct pt_regs *regs)
17108 {
17109 bool step;
17110
17111 diff -urNp linux-2.6.39.3/arch/x86/kernel/pvclock.c linux-2.6.39.3/arch/x86/kernel/pvclock.c
17112 --- linux-2.6.39.3/arch/x86/kernel/pvclock.c 2011-05-19 00:06:34.000000000 -0400
17113 +++ linux-2.6.39.3/arch/x86/kernel/pvclock.c 2011-05-22 19:36:30.000000000 -0400
17114 @@ -81,11 +81,11 @@ unsigned long pvclock_tsc_khz(struct pvc
17115 return pv_tsc_khz;
17116 }
17117
17118 -static atomic64_t last_value = ATOMIC64_INIT(0);
17119 +static atomic64_unchecked_t last_value = ATOMIC64_INIT(0);
17120
17121 void pvclock_resume(void)
17122 {
17123 - atomic64_set(&last_value, 0);
17124 + atomic64_set_unchecked(&last_value, 0);
17125 }
17126
17127 cycle_t pvclock_clocksource_read(struct pvclock_vcpu_time_info *src)
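Review bot: `last_value` is switched to `atomic64_unchecked_t` without a comment saying why it is exempt from the checked atomic type. It holds a clock reading that is compared and replaced with cmpxchg, not a reference count, so presumably overflow detection has no meaning for it. Saying so at the declaration, e.g. `/* timestamp, not a refcount: overflow checking does not apply */`, would keep the exemption from being copied to counters where it is not justified. The matching accessor changes are in the next hunk.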
17128 @@ -121,11 +121,11 @@ cycle_t pvclock_clocksource_read(struct
17129 * updating at the same time, and one of them could be slightly behind,
17130 * making the assumption that last_value always go forward fail to hold.
17131 */
17132 - last = atomic64_read(&last_value);
17133 + last = atomic64_read_unchecked(&last_value);
17134 do {
17135 if (ret < last)
17136 return last;
17137 - last = atomic64_cmpxchg(&last_value, last, ret);
17138 + last = atomic64_cmpxchg_unchecked(&last_value, last, ret);
17139 } while (unlikely(last != ret));
17140
17141 return ret;
17142 diff -urNp linux-2.6.39.3/arch/x86/kernel/reboot.c linux-2.6.39.3/arch/x86/kernel/reboot.c
17143 --- linux-2.6.39.3/arch/x86/kernel/reboot.c 2011-05-19 00:06:34.000000000 -0400
17144 +++ linux-2.6.39.3/arch/x86/kernel/reboot.c 2011-05-23 17:07:00.000000000 -0400
17145 @@ -35,7 +35,7 @@ void (*pm_power_off)(void);
17146 EXPORT_SYMBOL(pm_power_off);
17147
17148 static const struct desc_ptr no_idt = {};
17149 -static int reboot_mode;
17150 +static unsigned short reboot_mode;
17151 enum reboot_type reboot_type = BOOT_KBD;
17152 int reboot_force;
17153
17154 @@ -307,13 +307,17 @@ core_initcall(reboot_init);
17155 extern const unsigned char machine_real_restart_asm[];
17156 extern const u64 machine_real_restart_gdt[3];
17157
17158 -void machine_real_restart(unsigned int type)
17159 +__noreturn void machine_real_restart(unsigned int type)
17160 {
17161 void *restart_va;
17162 unsigned long restart_pa;
17163 - void (*restart_lowmem)(unsigned int);
17164 + void (* __noreturn restart_lowmem)(unsigned int);
17165 u64 *lowmem_gdt;
17166
17167 +#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF))
17168 + struct desc_struct *gdt;
17169 +#endif
17170 +
17171 local_irq_disable();
17172
17173 /* Write zero to CMOS register number 0x0f, which the BIOS POST
17174 @@ -339,14 +343,14 @@ void machine_real_restart(unsigned int t
17175 boot)". This seems like a fairly standard thing that gets set by
17176 REBOOT.COM programs, and the previous reset routine did this
17177 too. */
17178 - *((unsigned short *)0x472) = reboot_mode;
17179 + *(unsigned short *)(__va(0x472)) = reboot_mode;
17180
17181 /* Patch the GDT in the low memory trampoline */
17182 lowmem_gdt = TRAMPOLINE_SYM(machine_real_restart_gdt);
17183
17184 restart_va = TRAMPOLINE_SYM(machine_real_restart_asm);
17185 restart_pa = virt_to_phys(restart_va);
17186 - restart_lowmem = (void (*)(unsigned int))restart_pa;
17187 + restart_lowmem = (void *)restart_pa;
17188
17189 /* GDT[0]: GDT self-pointer */
17190 lowmem_gdt[0] =
17191 @@ -357,7 +361,33 @@ void machine_real_restart(unsigned int t
17192 GDT_ENTRY(0x009b, restart_pa, 0xffff);
17193
17194 /* Jump to the identity-mapped low memory code */
17195 +
17196 +#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF))
17197 + gdt = get_cpu_gdt_table(smp_processor_id());
17198 + pax_open_kernel();
17199 +#ifdef CONFIG_PAX_MEMORY_UDEREF
17200 + gdt[GDT_ENTRY_KERNEL_DS].type = 3;
17201 + gdt[GDT_ENTRY_KERNEL_DS].limit = 0xf;
17202 + asm("mov %0, %%ds; mov %0, %%es; mov %0, %%ss" : : "r" (__KERNEL_DS) : "memory");
17203 +#endif
17204 +#ifdef CONFIG_PAX_KERNEXEC
17205 + gdt[GDT_ENTRY_KERNEL_CS].base0 = 0;
17206 + gdt[GDT_ENTRY_KERNEL_CS].base1 = 0;
17207 + gdt[GDT_ENTRY_KERNEL_CS].base2 = 0;
17208 + gdt[GDT_ENTRY_KERNEL_CS].limit0 = 0xffff;
17209 + gdt[GDT_ENTRY_KERNEL_CS].limit = 0xf;
17210 + gdt[GDT_ENTRY_KERNEL_CS].g = 1;
17211 +#endif
17212 + pax_close_kernel();
17213 +#endif
17214 +
17215 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
17216 + asm volatile("push %0; push %1; lret\n" : : "i" (__KERNEL_CS), "rm" (restart_lowmem), "a" (type));
17217 + unreachable();
17218 +#else
17219 restart_lowmem(type);
17220 +#endif
17221 +
17222 }
17223 #ifdef CONFIG_APM_MODULE
17224 EXPORT_SYMBOL(machine_real_restart);
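Review bot: The descriptor rewrite added before the jump has no comment, although it is the least obvious step in `machine_real_restart()`: it edits the live per-CPU GDT inside a `pax_open_kernel()`/`pax_close_kernel()` pair and then reloads the data segments. A short comment above the `#if` would help, for example `/* give __KERNEL_CS/__KERNEL_DS flat descriptors again so the identity-mapped trampoline is reachable */`, if that is the intent. The UDEREF branch sets only `.type` and `.limit`, while the KERNEXEC branch also sets `.limit0`; it is worth confirming that the low limit bits of the data descriptor already hold the intended value. The function starts in an earlier hunk.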
17225 @@ -478,7 +508,7 @@ void __attribute__((weak)) mach_reboot_f
17226 {
17227 }
17228
17229 -static void native_machine_emergency_restart(void)
17230 +__noreturn static void native_machine_emergency_restart(void)
17231 {
17232 int i;
17233
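Review bot: The placement of `__noreturn` is inconsistent across this file's hunks. Here and on `native_machine_power_off` it is written `__noreturn static void`, while `__machine_emergency_restart`, `native_machine_restart` and `native_machine_halt` use `static __noreturn void`. Picking one order keeps the declarations easy to grep, for example `static __noreturn void native_machine_emergency_restart(void)`. Separately, `__machine_emergency_restart` ends in a call through `machine_ops.emergency_restart`, so the annotation only holds if that member is also declared noreturn; that declaration is not visible here.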
17234 @@ -593,13 +623,13 @@ void native_machine_shutdown(void)
17235 #endif
17236 }
17237
17238 -static void __machine_emergency_restart(int emergency)
17239 +static __noreturn void __machine_emergency_restart(int emergency)
17240 {
17241 reboot_emergency = emergency;
17242 machine_ops.emergency_restart();
17243 }
17244
17245 -static void native_machine_restart(char *__unused)
17246 +static __noreturn void native_machine_restart(char *__unused)
17247 {
17248 printk("machine restart\n");
17249
17250 @@ -608,7 +638,7 @@ static void native_machine_restart(char
17251 __machine_emergency_restart(0);
17252 }
17253
17254 -static void native_machine_halt(void)
17255 +static __noreturn void native_machine_halt(void)
17256 {
17257 /* stop other cpus and apics */
17258 machine_shutdown();
17259 @@ -619,7 +649,7 @@ static void native_machine_halt(void)
17260 stop_this_cpu(NULL);
17261 }
17262
17263 -static void native_machine_power_off(void)
17264 +__noreturn static void native_machine_power_off(void)
17265 {
17266 if (pm_power_off) {
17267 if (!reboot_force)
17268 @@ -628,6 +658,7 @@ static void native_machine_power_off(voi
17269 }
17270 /* a fallback in case there is no PM info available */
17271 tboot_shutdown(TB_SHUTDOWN_HALT);
17272 + unreachable();
17273 }
17274
17275 struct machine_ops machine_ops = {
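Review bot: The added `unreachable();` after `tboot_shutdown(TB_SHUTDOWN_HALT)` asserts something that the tboot.c hunk in this same patch contradicts, because `tboot_shutdown()` begins with `if (!tboot_enabled()) return;`. On a system without tboot, control therefore returns here, and depending on how `unreachable()` expands for the compiler in use, execution can run off the end of a function now marked `__noreturn`. An explicit stop keeps the annotation true, for example `stop_this_cpu(NULL);` as `native_machine_halt` does, or a loop such as `for (;;) halt();`. The function begins in the previous hunk.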
17276 diff -urNp linux-2.6.39.3/arch/x86/kernel/setup.c linux-2.6.39.3/arch/x86/kernel/setup.c
17277 --- linux-2.6.39.3/arch/x86/kernel/setup.c 2011-06-25 12:55:22.000000000 -0400
17278 +++ linux-2.6.39.3/arch/x86/kernel/setup.c 2011-06-25 13:00:25.000000000 -0400
17279 @@ -650,7 +650,7 @@ static void __init trim_bios_range(void)
17280 * area (640->1Mb) as ram even though it is not.
17281 * take them out.
17282 */
17283 - e820_remove_range(BIOS_BEGIN, BIOS_END - BIOS_BEGIN, E820_RAM, 1);
17284 + e820_remove_range(ISA_START_ADDRESS, ISA_END_ADDRESS - ISA_START_ADDRESS, E820_RAM, 1);
17285 sanitize_e820_map(e820.map, ARRAY_SIZE(e820.map), &e820.nr_map);
17286 }
17287
17288 @@ -775,14 +775,14 @@ void __init setup_arch(char **cmdline_p)
17289
17290 if (!boot_params.hdr.root_flags)
17291 root_mountflags &= ~MS_RDONLY;
17292 - init_mm.start_code = (unsigned long) _text;
17293 - init_mm.end_code = (unsigned long) _etext;
17294 + init_mm.start_code = ktla_ktva((unsigned long) _text);
17295 + init_mm.end_code = ktla_ktva((unsigned long) _etext);
17296 init_mm.end_data = (unsigned long) _edata;
17297 init_mm.brk = _brk_end;
17298
17299 - code_resource.start = virt_to_phys(_text);
17300 - code_resource.end = virt_to_phys(_etext)-1;
17301 - data_resource.start = virt_to_phys(_etext);
17302 + code_resource.start = virt_to_phys(ktla_ktva(_text));
17303 + code_resource.end = virt_to_phys(ktla_ktva(_etext))-1;
17304 + data_resource.start = virt_to_phys(_sdata);
17305 data_resource.end = virt_to_phys(_edata)-1;
17306 bss_resource.start = virt_to_phys(&__bss_start);
17307 bss_resource.end = virt_to_phys(&__bss_stop)-1;
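Review bot: Moving `data_resource.start` from `_etext` to `_sdata` means the code and data resources are no longer back to back, so whatever the linker script places between `_etext` and `_sdata` is now covered by neither. If that gap is intended, a one-line comment such as `/* .rodata between _etext and _sdata is deliberately left out of both resources */` would record it. Also, `ktla_ktva()` is given an `unsigned long` for `init_mm.start_code` but the bare symbol inside `virt_to_phys()`; its definition is not visible here, so confirm both forms produce the intended type. `setup_arch()` extends beyond this hunk on both sides.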
17308 diff -urNp linux-2.6.39.3/arch/x86/kernel/setup_percpu.c linux-2.6.39.3/arch/x86/kernel/setup_percpu.c
17309 --- linux-2.6.39.3/arch/x86/kernel/setup_percpu.c 2011-05-19 00:06:34.000000000 -0400
17310 +++ linux-2.6.39.3/arch/x86/kernel/setup_percpu.c 2011-06-04 20:08:30.000000000 -0400
17311 @@ -21,19 +21,17 @@
17312 #include <asm/cpu.h>
17313 #include <asm/stackprotector.h>
17314
17315 -DEFINE_PER_CPU(int, cpu_number);
17316 +#ifdef CONFIG_SMP
17317 +DEFINE_PER_CPU(unsigned int, cpu_number);
17318 EXPORT_PER_CPU_SYMBOL(cpu_number);
17319 +#endif
17320
17321 -#ifdef CONFIG_X86_64
17322 #define BOOT_PERCPU_OFFSET ((unsigned long)__per_cpu_load)
17323 -#else
17324 -#define BOOT_PERCPU_OFFSET 0
17325 -#endif
17326
17327 DEFINE_PER_CPU(unsigned long, this_cpu_off) = BOOT_PERCPU_OFFSET;
17328 EXPORT_PER_CPU_SYMBOL(this_cpu_off);
17329
17330 -unsigned long __per_cpu_offset[NR_CPUS] __read_mostly = {
17331 +unsigned long __per_cpu_offset[NR_CPUS] __read_only = {
17332 [0 ... NR_CPUS-1] = BOOT_PERCPU_OFFSET,
17333 };
17334 EXPORT_SYMBOL(__per_cpu_offset);
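Review bot: `__per_cpu_offset` becomes `__read_only`, yet a later hunk of this file still shows `per_cpu_offset(cpu) = delta + pcpu_unit_offsets[cpu];` in `setup_per_cpu_areas()`, which I take to be a store into this array. That is presumably safe because it runs from `__init` code before the protection takes effect, but nothing here says so. A comment on the definition would document the constraint, for example `/* written only during early boot by setup_per_cpu_areas() */`.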
17335 @@ -155,10 +153,10 @@ static inline void setup_percpu_segment(
17336 {
17337 #ifdef CONFIG_X86_32
17338 struct desc_struct gdt;
17339 + unsigned long base = per_cpu_offset(cpu);
17340
17341 - pack_descriptor(&gdt, per_cpu_offset(cpu), 0xFFFFF,
17342 - 0x2 | DESCTYPE_S, 0x8);
17343 - gdt.s = 1;
17344 + pack_descriptor(&gdt, base, (VMALLOC_END - base - 1) >> PAGE_SHIFT,
17345 + 0x83 | DESCTYPE_S, 0xC);
17346 write_gdt_entry(get_cpu_gdt_table(cpu),
17347 GDT_ENTRY_PERCPU, &gdt, DESCTYPE_S);
17348 #endif
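Review bot: The new `pack_descriptor()` call encodes the segment purely in magic numbers (`0x83 | DESCTYPE_S`, `0xC`) and drops the separate `gdt.s = 1`, so a reader must decode the access byte and flag nibble by hand. A comment above the call would make the intent reviewable, for example `/* present, DPL 0, read/write data, accessed; page-granular 32-bit segment limited to VMALLOC_END */`. The limit `(VMALLOC_END - base - 1) >> PAGE_SHIFT` also depends on `base` being below `VMALLOC_END`; if that is guaranteed elsewhere, say so in the same comment. `setup_percpu_segment()` begins before this hunk.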
17349 @@ -207,6 +205,11 @@ void __init setup_per_cpu_areas(void)
17350 /* alrighty, percpu areas up and running */
17351 delta = (unsigned long)pcpu_base_addr - (unsigned long)__per_cpu_start;
17352 for_each_possible_cpu(cpu) {
17353 +#ifdef CONFIG_CC_STACKPROTECTOR
17354 +#ifdef CONFIG_X86_32
17355 + unsigned long canary = per_cpu(stack_canary.canary, cpu);
17356 +#endif
17357 +#endif
17358 per_cpu_offset(cpu) = delta + pcpu_unit_offsets[cpu];
17359 per_cpu(this_cpu_off, cpu) = per_cpu_offset(cpu);
17360 per_cpu(cpu_number, cpu) = cpu;
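Review bot: `canary` is read for every possible CPU at the top of the loop, but the matching hunk further down writes it back only when `!cpu`, and neither place explains why. A comment at the declaration would cover both, for example `/* the boot CPU's canary must survive the switch to the new per-cpu area */`, if that is the reason. The nested `#ifdef CONFIG_CC_STACKPROTECTOR` / `#ifdef CONFIG_X86_32` pair in both hunks could be a single `#if defined(CONFIG_CC_STACKPROTECTOR) && defined(CONFIG_X86_32)`.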
17361 @@ -247,6 +250,12 @@ void __init setup_per_cpu_areas(void)
17362 */
17363 set_cpu_numa_node(cpu, early_cpu_to_node(cpu));
17364 #endif
17365 +#ifdef CONFIG_CC_STACKPROTECTOR
17366 +#ifdef CONFIG_X86_32
17367 + if (!cpu)
17368 + per_cpu(stack_canary.canary, cpu) = canary;
17369 +#endif
17370 +#endif
17371 /*
17372 * Up to this point, the boot CPU has been using .init.data
17373 * area. Reload any changed state for the boot CPU.
17374 diff -urNp linux-2.6.39.3/arch/x86/kernel/signal.c linux-2.6.39.3/arch/x86/kernel/signal.c
17375 --- linux-2.6.39.3/arch/x86/kernel/signal.c 2011-05-19 00:06:34.000000000 -0400
17376 +++ linux-2.6.39.3/arch/x86/kernel/signal.c 2011-05-23 17:07:00.000000000 -0400
17377 @@ -198,7 +198,7 @@ static unsigned long align_sigframe(unsi
17378 * Align the stack pointer according to the i386 ABI,
17379 * i.e. so that on function entry ((sp + 4) & 15) == 0.
17380 */
17381 - sp = ((sp + 4) & -16ul) - 4;
17382 + sp = ((sp - 12) & -16ul) - 4;
17383 #else /* !CONFIG_X86_32 */
17384 sp = round_down(sp, 16) - 8;
17385 #endif
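Review bot: The comment above the changed line still states only the ABI invariant `((sp + 4) & 15) == 0`, which the old and new expressions both satisfy, so nothing explains the change. Since `(sp - 12)` is `(sp + 4) - 16`, the result is exactly 16 bytes lower than before, and the frame now always sits at least 16 bytes below the incoming `sp` where it could previously equal it. The comment should say why that gap is wanted, for example by adding `and leave at least 16 bytes between the interrupted sp and the frame`. `align_sigframe()` begins before this hunk.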
17386 @@ -249,11 +249,11 @@ get_sigframe(struct k_sigaction *ka, str
17387 * Return an always-bogus address instead so we will die with SIGSEGV.
17388 */
17389 if (onsigstack && !likely(on_sig_stack(sp)))
17390 - return (void __user *)-1L;
17391 + return (__force void __user *)-1L;
17392
17393 /* save i387 state */
17394 if (used_math() && save_i387_xstate(*fpstate) < 0)
17395 - return (void __user *)-1L;
17396 + return (__force void __user *)-1L;
17397
17398 return (void __user *)sp;
17399 }
17400 @@ -308,9 +308,9 @@ __setup_frame(int sig, struct k_sigactio
17401 }
17402
17403 if (current->mm->context.vdso)
17404 - restorer = VDSO32_SYMBOL(current->mm->context.vdso, sigreturn);
17405 + restorer = (__force void __user *)VDSO32_SYMBOL(current->mm->context.vdso, sigreturn);
17406 else
17407 - restorer = &frame->retcode;
17408 + restorer = (void __user *)&frame->retcode;
17409 if (ka->sa.sa_flags & SA_RESTORER)
17410 restorer = ka->sa.sa_restorer;
17411
17412 @@ -324,7 +324,7 @@ __setup_frame(int sig, struct k_sigactio
17413 * reasons and because gdb uses it as a signature to notice
17414 * signal handler stack frames.
17415 */
17416 - err |= __put_user(*((u64 *)&retcode), (u64 *)frame->retcode);
17417 + err |= __put_user(*((u64 *)&retcode), (u64 __user *)frame->retcode);
17418
17419 if (err)
17420 return -EFAULT;
17421 @@ -378,7 +378,10 @@ static int __setup_rt_frame(int sig, str
17422 err |= __copy_to_user(&frame->uc.uc_sigmask, set, sizeof(*set));
17423
17424 /* Set up to return from userspace. */
17425 - restorer = VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn);
17426 + if (current->mm->context.vdso)
17427 + restorer = (__force void __user *)VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn);
17428 + else
17429 + restorer = (void __user *)&frame->retcode;
17430 if (ka->sa.sa_flags & SA_RESTORER)
17431 restorer = ka->sa.sa_restorer;
17432 put_user_ex(restorer, &frame->pretcode);
17433 @@ -390,7 +393,7 @@ static int __setup_rt_frame(int sig, str
17434 * reasons and because gdb uses it as a signature to notice
17435 * signal handler stack frames.
17436 */
17437 - put_user_ex(*((u64 *)&rt_retcode), (u64 *)frame->retcode);
17438 + put_user_ex(*((u64 *)&rt_retcode), (u64 __user *)frame->retcode);
17439 } put_user_catch(err);
17440
17441 if (err)
17442 @@ -773,6 +776,8 @@ static void do_signal(struct pt_regs *re
17443 int signr;
17444 sigset_t *oldset;
17445
17446 + pax_track_stack();
17447 +
17448 /*
17449 * We want the common case to go fast, which is why we may in certain
17450 * cases get here from kernel mode. Just return without doing anything
17451 @@ -780,7 +785,7 @@ static void do_signal(struct pt_regs *re
17452 * X86_32: vm86 regs switched out by assembly code before reaching
17453 * here, so testing against kernel CS suffices.
17454 */
17455 - if (!user_mode(regs))
17456 + if (!user_mode_novm(regs))
17457 return;
17458
17459 if (current_thread_info()->status & TS_RESTORE_SIGMASK)
17460 diff -urNp linux-2.6.39.3/arch/x86/kernel/smpboot.c linux-2.6.39.3/arch/x86/kernel/smpboot.c
17461 --- linux-2.6.39.3/arch/x86/kernel/smpboot.c 2011-06-25 12:55:22.000000000 -0400
17462 +++ linux-2.6.39.3/arch/x86/kernel/smpboot.c 2011-06-25 13:00:25.000000000 -0400
17463 @@ -709,17 +709,20 @@ static int __cpuinit do_boot_cpu(int api
17464 set_idle_for_cpu(cpu, c_idle.idle);
17465 do_rest:
17466 per_cpu(current_task, cpu) = c_idle.idle;
17467 + per_cpu(current_tinfo, cpu) = &c_idle.idle->tinfo;
17468 #ifdef CONFIG_X86_32
17469 /* Stack for startup_32 can be just as for start_secondary onwards */
17470 irq_ctx_init(cpu);
17471 #else
17472 clear_tsk_thread_flag(c_idle.idle, TIF_FORK);
17473 initial_gs = per_cpu_offset(cpu);
17474 - per_cpu(kernel_stack, cpu) =
17475 - (unsigned long)task_stack_page(c_idle.idle) -
17476 - KERNEL_STACK_OFFSET + THREAD_SIZE;
17477 + per_cpu(kernel_stack, cpu) = (unsigned long)task_stack_page(c_idle.idle) - 16 + THREAD_SIZE;
17478 #endif
17479 +
17480 + pax_open_kernel();
17481 early_gdt_descr.address = (unsigned long)get_cpu_gdt_table(cpu);
17482 + pax_close_kernel();
17483 +
17484 initial_code = (unsigned long)start_secondary;
17485 stack_start = c_idle.idle->thread.sp;
17486
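Review bot: The rewritten `per_cpu(kernel_stack, cpu)` assignment replaces the named `KERNEL_STACK_OFFSET` with a bare `16`. If the offset changes elsewhere in the patch, this line will silently disagree with any other user of the constant. Either keep the macro and change its definition, or name the new value, for example `- KERNEL_STACK_OFFSET + THREAD_SIZE` with `KERNEL_STACK_OFFSET` redefined to 16. `do_boot_cpu()` extends beyond the hunk on both sides.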
17487 @@ -861,6 +864,12 @@ int __cpuinit native_cpu_up(unsigned int
17488
17489 per_cpu(cpu_state, cpu) = CPU_UP_PREPARE;
17490
17491 +#ifdef CONFIG_PAX_PER_CPU_PGD
17492 + clone_pgd_range(get_cpu_pgd(cpu) + KERNEL_PGD_BOUNDARY,
17493 + swapper_pg_dir + KERNEL_PGD_BOUNDARY,
17494 + KERNEL_PGD_PTRS);
17495 +#endif
17496 +
17497 err = do_boot_cpu(apicid, cpu);
17498 if (err) {
17499 pr_debug("do_boot_cpu failed %d\n", err);
17500 diff -urNp linux-2.6.39.3/arch/x86/kernel/step.c linux-2.6.39.3/arch/x86/kernel/step.c
17501 --- linux-2.6.39.3/arch/x86/kernel/step.c 2011-05-19 00:06:34.000000000 -0400
17502 +++ linux-2.6.39.3/arch/x86/kernel/step.c 2011-05-22 19:36:30.000000000 -0400
17503 @@ -27,10 +27,10 @@ unsigned long convert_ip_to_linear(struc
17504 struct desc_struct *desc;
17505 unsigned long base;
17506
17507 - seg &= ~7UL;
17508 + seg >>= 3;
17509
17510 mutex_lock(&child->mm->context.lock);
17511 - if (unlikely((seg >> 3) >= child->mm->context.size))
17512 + if (unlikely(seg >= child->mm->context.size))
17513 addr = -1L; /* bogus selector, access would fault */
17514 else {
17515 desc = child->mm->context.ldt + seg;
17516 @@ -42,7 +42,8 @@ unsigned long convert_ip_to_linear(struc
17517 addr += base;
17518 }
17519 mutex_unlock(&child->mm->context.lock);
17520 - }
17521 + } else if (seg == __KERNEL_CS || seg == __KERNEXEC_KERNEL_CS)
17522 + addr = ktla_ktva(addr);
17523
17524 return addr;
17525 }
17526 @@ -53,6 +54,9 @@ static int is_setting_trap_flag(struct t
17527 unsigned char opcode[15];
17528 unsigned long addr = convert_ip_to_linear(child, regs);
17529
17530 + if (addr == -EINVAL)
17531 + return 0;
17532 +
17533 copied = access_process_vm(child, addr, opcode, sizeof(opcode), 0);
17534 for (i = 0; i < copied; i++) {
17535 switch (opcode[i]) {
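Review bot: The added guard `if (addr == -EINVAL)` does not match the failure value visible in `convert_ip_to_linear()` two hunks up, which sets `addr = -1L` for a bogus selector. As written, the bogus-selector case still reaches `access_process_vm()` with an all-ones address. If the guard is meant to catch that case it should read `if (addr == -1L)`. If some path outside these hunks does return `-EINVAL`, both values need testing. `is_setting_trap_flag()` continues past this hunk.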
17536 @@ -74,7 +78,7 @@ static int is_setting_trap_flag(struct t
17537
17538 #ifdef CONFIG_X86_64
17539 case 0x40 ... 0x4f:
17540 - if (regs->cs != __USER_CS)
17541 + if ((regs->cs & 0xffff) != __USER_CS)
17542 /* 32-bit mode: register increment */
17543 return 0;
17544 /* 64-bit mode: REX prefix */
17545 diff -urNp linux-2.6.39.3/arch/x86/kernel/syscall_table_32.S linux-2.6.39.3/arch/x86/kernel/syscall_table_32.S
17546 --- linux-2.6.39.3/arch/x86/kernel/syscall_table_32.S 2011-05-19 00:06:34.000000000 -0400
17547 +++ linux-2.6.39.3/arch/x86/kernel/syscall_table_32.S 2011-05-22 19:36:30.000000000 -0400
17548 @@ -1,3 +1,4 @@
17549 +.section .rodata,"a",@progbits
17550 ENTRY(sys_call_table)
17551 .long sys_restart_syscall /* 0 - old "setup()" system call, used for restarting */
17552 .long sys_exit
17553 diff -urNp linux-2.6.39.3/arch/x86/kernel/sys_i386_32.c linux-2.6.39.3/arch/x86/kernel/sys_i386_32.c
17554 --- linux-2.6.39.3/arch/x86/kernel/sys_i386_32.c 2011-05-19 00:06:34.000000000 -0400
17555 +++ linux-2.6.39.3/arch/x86/kernel/sys_i386_32.c 2011-05-22 19:36:30.000000000 -0400
17556 @@ -24,17 +24,224 @@
17557
17558 #include <asm/syscalls.h>
17559
17560 -/*
17561 - * Do a system call from kernel instead of calling sys_execve so we
17562 - * end up with proper pt_regs.
17563 - */
17564 -int kernel_execve(const char *filename,
17565 - const char *const argv[],
17566 - const char *const envp[])
17567 +int i386_mmap_check(unsigned long addr, unsigned long len, unsigned long flags)
17568 {
17569 - long __res;
17570 - asm volatile ("int $0x80"
17571 - : "=a" (__res)
17572 - : "0" (__NR_execve), "b" (filename), "c" (argv), "d" (envp) : "memory");
17573 - return __res;
17574 + unsigned long pax_task_size = TASK_SIZE;
17575 +
17576 +#ifdef CONFIG_PAX_SEGMEXEC
17577 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
17578 + pax_task_size = SEGMEXEC_TASK_SIZE;
17579 +#endif
17580 +
17581 + if (len > pax_task_size || addr > pax_task_size - len)
17582 + return -EINVAL;
17583 +
17584 + return 0;
17585 +}
17586 +
17587 +unsigned long
17588 +arch_get_unmapped_area(struct file *filp, unsigned long addr,
17589 + unsigned long len, unsigned long pgoff, unsigned long flags)
17590 +{
17591 + struct mm_struct *mm = current->mm;
17592 + struct vm_area_struct *vma;
17593 + unsigned long start_addr, pax_task_size = TASK_SIZE;
17594 +
17595 +#ifdef CONFIG_PAX_SEGMEXEC
17596 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
17597 + pax_task_size = SEGMEXEC_TASK_SIZE;
17598 +#endif
17599 +
17600 + pax_task_size -= PAGE_SIZE;
17601 +
17602 + if (len > pax_task_size)
17603 + return -ENOMEM;
17604 +
17605 + if (flags & MAP_FIXED)
17606 + return addr;
17607 +
17608 +#ifdef CONFIG_PAX_RANDMMAP
17609 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
17610 +#endif
17611 +
17612 + if (addr) {
17613 + addr = PAGE_ALIGN(addr);
17614 + if (pax_task_size - len >= addr) {
17615 + vma = find_vma(mm, addr);
17616 + if (check_heap_stack_gap(vma, addr, len))
17617 + return addr;
17618 + }
17619 + }
17620 + if (len > mm->cached_hole_size) {
17621 + start_addr = addr = mm->free_area_cache;
17622 + } else {
17623 + start_addr = addr = mm->mmap_base;
17624 + mm->cached_hole_size = 0;
17625 + }
17626 +
17627 +#ifdef CONFIG_PAX_PAGEEXEC
17628 + if (!(__supported_pte_mask & _PAGE_NX) && (mm->pax_flags & MF_PAX_PAGEEXEC) && (flags & MAP_EXECUTABLE) && start_addr >= mm->mmap_base) {
17629 + start_addr = 0x00110000UL;
17630 +
17631 +#ifdef CONFIG_PAX_RANDMMAP
17632 + if (mm->pax_flags & MF_PAX_RANDMMAP)
17633 + start_addr += mm->delta_mmap & 0x03FFF000UL;
17634 +#endif
17635 +
17636 + if (mm->start_brk <= start_addr && start_addr < mm->mmap_base)
17637 + start_addr = addr = mm->mmap_base;
17638 + else
17639 + addr = start_addr;
17640 + }
17641 +#endif
17642 +
17643 +full_search:
17644 + for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
17645 + /* At this point: (!vma || addr < vma->vm_end). */
17646 + if (pax_task_size - len < addr) {
17647 + /*
17648 + * Start a new search - just in case we missed
17649 + * some holes.
17650 + */
17651 + if (start_addr != mm->mmap_base) {
17652 + start_addr = addr = mm->mmap_base;
17653 + mm->cached_hole_size = 0;
17654 + goto full_search;
17655 + }
17656 + return -ENOMEM;
17657 + }
17658 + if (check_heap_stack_gap(vma, addr, len))
17659 + break;
17660 + if (addr + mm->cached_hole_size < vma->vm_start)
17661 + mm->cached_hole_size = vma->vm_start - addr;
17662 + addr = vma->vm_end;
17663 + if (mm->start_brk <= addr && addr < mm->mmap_base) {
17664 + start_addr = addr = mm->mmap_base;
17665 + mm->cached_hole_size = 0;
17666 + goto full_search;
17667 + }
17668 + }
17669 +
17670 + /*
17671 + * Remember the place where we stopped the search:
17672 + */
17673 + mm->free_area_cache = addr + len;
17674 + return addr;
17675 +}
17676 +
17677 +unsigned long
17678 +arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
17679 + const unsigned long len, const unsigned long pgoff,
17680 + const unsigned long flags)
17681 +{
17682 + struct vm_area_struct *vma;
17683 + struct mm_struct *mm = current->mm;
17684 + unsigned long base = mm->mmap_base, addr = addr0, pax_task_size = TASK_SIZE;
17685 +
17686 +#ifdef CONFIG_PAX_SEGMEXEC
17687 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
17688 + pax_task_size = SEGMEXEC_TASK_SIZE;
17689 +#endif
17690 +
17691 + pax_task_size -= PAGE_SIZE;
17692 +
17693 + /* requested length too big for entire address space */
17694 + if (len > pax_task_size)
17695 + return -ENOMEM;
17696 +
17697 + if (flags & MAP_FIXED)
17698 + return addr;
17699 +
17700 +#ifdef CONFIG_PAX_PAGEEXEC
17701 + if (!(__supported_pte_mask & _PAGE_NX) && (mm->pax_flags & MF_PAX_PAGEEXEC) && (flags & MAP_EXECUTABLE))
17702 + goto bottomup;
17703 +#endif
17704 +
17705 +#ifdef CONFIG_PAX_RANDMMAP
17706 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
17707 +#endif
17708 +
17709 + /* requesting a specific address */
17710 + if (addr) {
17711 + addr = PAGE_ALIGN(addr);
17712 + if (pax_task_size - len >= addr) {
17713 + vma = find_vma(mm, addr);
17714 + if (check_heap_stack_gap(vma, addr, len))
17715 + return addr;
17716 + }
17717 + }
17718 +
17719 + /* check if free_area_cache is useful for us */
17720 + if (len <= mm->cached_hole_size) {
17721 + mm->cached_hole_size = 0;
17722 + mm->free_area_cache = mm->mmap_base;
17723 + }
17724 +
17725 + /* either no address requested or can't fit in requested address hole */
17726 + addr = mm->free_area_cache;
17727 +
17728 + /* make sure it can fit in the remaining address space */
17729 + if (addr > len) {
17730 + vma = find_vma(mm, addr-len);
17731 + if (check_heap_stack_gap(vma, addr - len, len))
17732 + /* remember the address as a hint for next time */
17733 + return (mm->free_area_cache = addr-len);
17734 + }
17735 +
17736 + if (mm->mmap_base < len)
17737 + goto bottomup;
17738 +
17739 + addr = mm->mmap_base-len;
17740 +
17741 + do {
17742 + /*
17743 + * Lookup failure means no vma is above this address,
17744 + * else if new region fits below vma->vm_start,
17745 + * return with success:
17746 + */
17747 + vma = find_vma(mm, addr);
17748 + if (check_heap_stack_gap(vma, addr, len))
17749 + /* remember the address as a hint for next time */
17750 + return (mm->free_area_cache = addr);
17751 +
17752 + /* remember the largest hole we saw so far */
17753 + if (addr + mm->cached_hole_size < vma->vm_start)
17754 + mm->cached_hole_size = vma->vm_start - addr;
17755 +
17756 + /* try just below the current vma->vm_start */
17757 + addr = skip_heap_stack_gap(vma, len);
17758 + } while (!IS_ERR_VALUE(addr));
17759 +
17760 +bottomup:
17761 + /*
17762 + * A failed mmap() very likely causes application failure,
17763 + * so fall back to the bottom-up function here. This scenario
17764 + * can happen with large stack limits and large mmap()
17765 + * allocations.
17766 + */
17767 +
17768 +#ifdef CONFIG_PAX_SEGMEXEC
17769 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
17770 + mm->mmap_base = SEGMEXEC_TASK_UNMAPPED_BASE;
17771 + else
17772 +#endif
17773 +
17774 + mm->mmap_base = TASK_UNMAPPED_BASE;
17775 +
17776 +#ifdef CONFIG_PAX_RANDMMAP
17777 + if (mm->pax_flags & MF_PAX_RANDMMAP)
17778 + mm->mmap_base += mm->delta_mmap;
17779 +#endif
17780 +
17781 + mm->free_area_cache = mm->mmap_base;
17782 + mm->cached_hole_size = ~0UL;
17783 + addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
17784 + /*
17785 + * Restore the topdown base:
17786 + */
17787 + mm->mmap_base = base;
17788 + mm->free_area_cache = base;
17789 + mm->cached_hole_size = ~0UL;
17790 +
17791 + return addr;
17792 }
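Review bot: In `arch_get_unmapped_area()` the `#ifdef CONFIG_PAX_RANDMMAP` block contributes a bare `if (!(mm->pax_flags & MF_PAX_RANDMMAP))` whose body is the `if (addr) { ... }` that follows after a blank line. The hint-address path is therefore governed by a condition that vanishes from view when the option is off, and any statement later inserted between the two becomes the conditional body instead. The same construct appears in `arch_get_unmapped_area_topdown()` in this hunk, with a comment line between the `if` and its body, and in both RANDMMAP additions in sys_x86_64.c. At minimum mark it, for example `/* guards the if (addr) block below */`. A more robust form computes a local flag inside the `#ifdef` and tests `if (addr && !randmmap)`.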
17793 diff -urNp linux-2.6.39.3/arch/x86/kernel/sys_x86_64.c linux-2.6.39.3/arch/x86/kernel/sys_x86_64.c
17794 --- linux-2.6.39.3/arch/x86/kernel/sys_x86_64.c 2011-05-19 00:06:34.000000000 -0400
17795 +++ linux-2.6.39.3/arch/x86/kernel/sys_x86_64.c 2011-05-22 19:36:30.000000000 -0400
17796 @@ -32,8 +32,8 @@ out:
17797 return error;
17798 }
17799
17800 -static void find_start_end(unsigned long flags, unsigned long *begin,
17801 - unsigned long *end)
17802 +static void find_start_end(struct mm_struct *mm, unsigned long flags,
17803 + unsigned long *begin, unsigned long *end)
17804 {
17805 if (!test_thread_flag(TIF_IA32) && (flags & MAP_32BIT)) {
17806 unsigned long new_begin;
17807 @@ -52,7 +52,7 @@ static void find_start_end(unsigned long
17808 *begin = new_begin;
17809 }
17810 } else {
17811 - *begin = TASK_UNMAPPED_BASE;
17812 + *begin = mm->mmap_base;
17813 *end = TASK_SIZE;
17814 }
17815 }
17816 @@ -69,16 +69,19 @@ arch_get_unmapped_area(struct file *filp
17817 if (flags & MAP_FIXED)
17818 return addr;
17819
17820 - find_start_end(flags, &begin, &end);
17821 + find_start_end(mm, flags, &begin, &end);
17822
17823 if (len > end)
17824 return -ENOMEM;
17825
17826 +#ifdef CONFIG_PAX_RANDMMAP
17827 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
17828 +#endif
17829 +
17830 if (addr) {
17831 addr = PAGE_ALIGN(addr);
17832 vma = find_vma(mm, addr);
17833 - if (end - len >= addr &&
17834 - (!vma || addr + len <= vma->vm_start))
17835 + if (end - len >= addr && check_heap_stack_gap(vma, addr, len))
17836 return addr;
17837 }
17838 if (((flags & MAP_32BIT) || test_thread_flag(TIF_IA32))
17839 @@ -106,7 +109,7 @@ full_search:
17840 }
17841 return -ENOMEM;
17842 }
17843 - if (!vma || addr + len <= vma->vm_start) {
17844 + if (check_heap_stack_gap(vma, addr, len)) {
17845 /*
17846 * Remember the place where we stopped the search:
17847 */
17848 @@ -128,7 +131,7 @@ arch_get_unmapped_area_topdown(struct fi
17849 {
17850 struct vm_area_struct *vma;
17851 struct mm_struct *mm = current->mm;
17852 - unsigned long addr = addr0;
17853 + unsigned long base = mm->mmap_base, addr = addr0;
17854
17855 /* requested length too big for entire address space */
17856 if (len > TASK_SIZE)
17857 @@ -141,13 +144,18 @@ arch_get_unmapped_area_topdown(struct fi
17858 if (!test_thread_flag(TIF_IA32) && (flags & MAP_32BIT))
17859 goto bottomup;
17860
17861 +#ifdef CONFIG_PAX_RANDMMAP
17862 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
17863 +#endif
17864 +
17865 /* requesting a specific address */
17866 if (addr) {
17867 addr = PAGE_ALIGN(addr);
17868 - vma = find_vma(mm, addr);
17869 - if (TASK_SIZE - len >= addr &&
17870 - (!vma || addr + len <= vma->vm_start))
17871 - return addr;
17872 + if (TASK_SIZE - len >= addr) {
17873 + vma = find_vma(mm, addr);
17874 + if (check_heap_stack_gap(vma, addr, len))
17875 + return addr;
17876 + }
17877 }
17878
17879 /* check if free_area_cache is useful for us */
17880 @@ -162,7 +170,7 @@ arch_get_unmapped_area_topdown(struct fi
17881 /* make sure it can fit in the remaining address space */
17882 if (addr > len) {
17883 vma = find_vma(mm, addr-len);
17884 - if (!vma || addr <= vma->vm_start)
17885 + if (check_heap_stack_gap(vma, addr - len, len))
17886 /* remember the address as a hint for next time */
17887 return mm->free_area_cache = addr-len;
17888 }
17889 @@ -179,7 +187,7 @@ arch_get_unmapped_area_topdown(struct fi
17890 * return with success:
17891 */
17892 vma = find_vma(mm, addr);
17893 - if (!vma || addr+len <= vma->vm_start)
17894 + if (check_heap_stack_gap(vma, addr, len))
17895 /* remember the address as a hint for next time */
17896 return mm->free_area_cache = addr;
17897
17898 @@ -188,8 +196,8 @@ arch_get_unmapped_area_topdown(struct fi
17899 mm->cached_hole_size = vma->vm_start - addr;
17900
17901 /* try just below the current vma->vm_start */
17902 - addr = vma->vm_start-len;
17903 - } while (len < vma->vm_start);
17904 + addr = skip_heap_stack_gap(vma, len);
17905 + } while (!IS_ERR_VALUE(addr));
17906
17907 bottomup:
17908 /*
17909 @@ -198,13 +206,21 @@ bottomup:
17910 * can happen with large stack limits and large mmap()
17911 * allocations.
17912 */
17913 + mm->mmap_base = TASK_UNMAPPED_BASE;
17914 +
17915 +#ifdef CONFIG_PAX_RANDMMAP
17916 + if (mm->pax_flags & MF_PAX_RANDMMAP)
17917 + mm->mmap_base += mm->delta_mmap;
17918 +#endif
17919 +
17920 + mm->free_area_cache = mm->mmap_base;
17921 mm->cached_hole_size = ~0UL;
17922 - mm->free_area_cache = TASK_UNMAPPED_BASE;
17923 addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
17924 /*
17925 * Restore the topdown base:
17926 */
17927 - mm->free_area_cache = mm->mmap_base;
17928 + mm->mmap_base = base;
17929 + mm->free_area_cache = base;
17930 mm->cached_hole_size = ~0UL;
17931
17932 return addr;
17933 diff -urNp linux-2.6.39.3/arch/x86/kernel/tboot.c linux-2.6.39.3/arch/x86/kernel/tboot.c
17934 --- linux-2.6.39.3/arch/x86/kernel/tboot.c 2011-05-19 00:06:34.000000000 -0400
17935 +++ linux-2.6.39.3/arch/x86/kernel/tboot.c 2011-05-22 19:36:30.000000000 -0400
17936 @@ -218,7 +218,7 @@ static int tboot_setup_sleep(void)
17937
17938 void tboot_shutdown(u32 shutdown_type)
17939 {
17940 - void (*shutdown)(void);
17941 + void (* __noreturn shutdown)(void);
17942
17943 if (!tboot_enabled())
17944 return;
17945 @@ -240,7 +240,7 @@ void tboot_shutdown(u32 shutdown_type)
17946
17947 switch_to_tboot_pt();
17948
17949 - shutdown = (void(*)(void))(unsigned long)tboot->shutdown_entry;
17950 + shutdown = (void *)tboot->shutdown_entry;
17951 shutdown();
17952
17953 /* should not reach here */
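Review bot: The new assignment `shutdown = (void *)tboot->shutdown_entry;` drops the intermediate `(unsigned long)` cast that the removed line had. If `shutdown_entry` is an integer narrower than a pointer, which the old double cast suggests, 64-bit builds will warn about an integer-to-pointer cast of a different size. Keeping the widening step avoids that: `shutdown = (void *)(unsigned long)tboot->shutdown_entry;`. `tboot_shutdown()` begins in the previous hunk.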
17954 @@ -297,7 +297,7 @@ void tboot_sleep(u8 sleep_state, u32 pm1
17955 tboot_shutdown(acpi_shutdown_map[sleep_state]);
17956 }
17957
17958 -static atomic_t ap_wfs_count;
17959 +static atomic_unchecked_t ap_wfs_count;
17960
17961 static int tboot_wait_for_aps(int num_aps)
17962 {
17963 @@ -321,9 +321,9 @@ static int __cpuinit tboot_cpu_callback(
17964 {
17965 switch (action) {
17966 case CPU_DYING:
17967 - atomic_inc(&ap_wfs_count);
17968 + atomic_inc_unchecked(&ap_wfs_count);
17969 if (num_online_cpus() == 1)
17970 - if (tboot_wait_for_aps(atomic_read(&ap_wfs_count)))
17971 + if (tboot_wait_for_aps(atomic_read_unchecked(&ap_wfs_count)))
17972 return NOTIFY_BAD;
17973 break;
17974 }
17975 @@ -342,7 +342,7 @@ static __init int tboot_late_init(void)
17976
17977 tboot_create_trampoline();
17978
17979 - atomic_set(&ap_wfs_count, 0);
17980 + atomic_set_unchecked(&ap_wfs_count, 0);
17981 register_hotcpu_notifier(&tboot_cpu_notifier);
17982 return 0;
17983 }
17984 diff -urNp linux-2.6.39.3/arch/x86/kernel/time.c linux-2.6.39.3/arch/x86/kernel/time.c
17985 --- linux-2.6.39.3/arch/x86/kernel/time.c 2011-05-19 00:06:34.000000000 -0400
17986 +++ linux-2.6.39.3/arch/x86/kernel/time.c 2011-05-22 19:36:30.000000000 -0400
17987 @@ -22,17 +22,13 @@
17988 #include <asm/hpet.h>
17989 #include <asm/time.h>
17990
17991 -#ifdef CONFIG_X86_64
17992 -volatile unsigned long __jiffies __section_jiffies = INITIAL_JIFFIES;
17993 -#endif
17994 -
17995 unsigned long profile_pc(struct pt_regs *regs)
17996 {
17997 unsigned long pc = instruction_pointer(regs);
17998
17999 - if (!user_mode_vm(regs) && in_lock_functions(pc)) {
18000 + if (!user_mode(regs) && in_lock_functions(pc)) {
18001 #ifdef CONFIG_FRAME_POINTER
18002 - return *(unsigned long *)(regs->bp + sizeof(long));
18003 + return ktla_ktva(*(unsigned long *)(regs->bp + sizeof(long)));
18004 #else
18005 unsigned long *sp =
18006 (unsigned long *)kernel_stack_pointer(regs);
18007 @@ -41,11 +37,17 @@ unsigned long profile_pc(struct pt_regs
18008 * or above a saved flags. Eflags has bits 22-31 zero,
18009 * kernel addresses don't.
18010 */
18011 +
18012 +#ifdef CONFIG_PAX_KERNEXEC
18013 + return ktla_ktva(sp[0]);
18014 +#else
18015 if (sp[0] >> 22)
18016 return sp[0];
18017 if (sp[1] >> 22)
18018 return sp[1];
18019 #endif
18020 +
18021 +#endif
18022 }
18023 return pc;
18024 }
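Review bot: Under CONFIG_PAX_KERNEXEC the new branch returns `ktla_ktva(sp[0])` unconditionally, while the comment directly above still describes the `>> 22` test that tells a return address from saved flags. If the test is dropped because kernel text addresses no longer have those high bits set in this configuration (an inference, the hunk does not say), then a saved flags word in sp[0] would be translated and returned as a program counter. A comment on the new branch such as `/* KERNEXEC: the bits 22-31 heuristic does not apply to text addresses here; sp[0] is assumed to be the return address */` would make that assumption reviewable. The two consecutive `#endif` lines would also read better tagged `/* CONFIG_PAX_KERNEXEC */` and `/* CONFIG_FRAME_POINTER */`.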
18025 diff -urNp linux-2.6.39.3/arch/x86/kernel/tls.c linux-2.6.39.3/arch/x86/kernel/tls.c
18026 --- linux-2.6.39.3/arch/x86/kernel/tls.c 2011-05-19 00:06:34.000000000 -0400
18027 +++ linux-2.6.39.3/arch/x86/kernel/tls.c 2011-05-22 19:36:30.000000000 -0400
18028 @@ -85,6 +85,11 @@ int do_set_thread_area(struct task_struc
18029 if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX)
18030 return -EINVAL;
18031
18032 +#ifdef CONFIG_PAX_SEGMEXEC
18033 + if ((p->mm->pax_flags & MF_PAX_SEGMEXEC) && (info.contents & MODIFY_LDT_CONTENTS_CODE))
18034 + return -EINVAL;
18035 +#endif
18036 +
18037 set_tls_desc(p, idx, &info, 1);
18038
18039 return 0;
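Review bot: The added SEGMEXEC check dereferences `p->mm` without a NULL test, whereas the PAGEEXEC block this patch adds to do_general_protection in traps.c guards the same access with `tsk->mm &&`. Whether do_set_thread_area can be reached for a task without an mm cannot be determined from this hunk, but if it can, this is a kernel NULL dereference. Writing the condition as `if (p->mm && (p->mm->pax_flags & MF_PAX_SEGMEXEC) && (info.contents & MODIFY_LDT_CONTENTS_CODE))` costs nothing and makes the two checks consistent. do_set_thread_area starts and ends outside the hunk.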
18040 diff -urNp linux-2.6.39.3/arch/x86/kernel/trampoline_32.S linux-2.6.39.3/arch/x86/kernel/trampoline_32.S
18041 --- linux-2.6.39.3/arch/x86/kernel/trampoline_32.S 2011-05-19 00:06:34.000000000 -0400
18042 +++ linux-2.6.39.3/arch/x86/kernel/trampoline_32.S 2011-05-22 19:36:30.000000000 -0400
18043 @@ -32,6 +32,12 @@
18044 #include <asm/segment.h>
18045 #include <asm/page_types.h>
18046
18047 +#ifdef CONFIG_PAX_KERNEXEC
18048 +#define ta(X) (X)
18049 +#else
18050 +#define ta(X) ((X) - __PAGE_OFFSET)
18051 +#endif
18052 +
18053 #ifdef CONFIG_SMP
18054
18055 .section ".x86_trampoline","a"
18056 @@ -62,7 +68,7 @@ r_base = .
18057 inc %ax # protected mode (PE) bit
18058 lmsw %ax # into protected mode
18059 # flush prefetch and jump to startup_32_smp in arch/i386/kernel/head.S
18060 - ljmpl $__BOOT_CS, $(startup_32_smp-__PAGE_OFFSET)
18061 + ljmpl $__BOOT_CS, $ta(startup_32_smp)
18062
18063 # These need to be in the same 64K segment as the above;
18064 # hence we don't use the boot_gdt_descr defined in head.S
18065 diff -urNp linux-2.6.39.3/arch/x86/kernel/trampoline_64.S linux-2.6.39.3/arch/x86/kernel/trampoline_64.S
18066 --- linux-2.6.39.3/arch/x86/kernel/trampoline_64.S 2011-05-19 00:06:34.000000000 -0400
18067 +++ linux-2.6.39.3/arch/x86/kernel/trampoline_64.S 2011-05-22 19:36:30.000000000 -0400
18068 @@ -90,7 +90,7 @@ startup_32:
18069 movl $__KERNEL_DS, %eax # Initialize the %ds segment register
18070 movl %eax, %ds
18071
18072 - movl $X86_CR4_PAE, %eax
18073 + movl $(X86_CR4_PSE | X86_CR4_PAE | X86_CR4_PGE), %eax
18074 movl %eax, %cr4 # Enable PAE mode
18075
18076 # Setup trampoline 4 level pagetables
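Review bot: The comment on the `%cr4` write still reads `# Enable PAE mode` although the value loaded just above now sets PSE and PGE as well. Change it to something like `# Enable PSE, PAE and global pages`, and say why the trampoline needs PSE and PGE this early, since the hunk gives no reason.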
18077 @@ -138,7 +138,7 @@ tidt:
18078 # so the kernel can live anywhere
18079 .balign 4
18080 tgdt:
18081 - .short tgdt_end - tgdt # gdt limit
18082 + .short tgdt_end - tgdt - 1 # gdt limit
18083 .long tgdt - r_base
18084 .short 0
18085 .quad 0x00cf9b000000ffff # __KERNEL32_CS
18086 diff -urNp linux-2.6.39.3/arch/x86/kernel/traps.c linux-2.6.39.3/arch/x86/kernel/traps.c
18087 --- linux-2.6.39.3/arch/x86/kernel/traps.c 2011-05-19 00:06:34.000000000 -0400
18088 +++ linux-2.6.39.3/arch/x86/kernel/traps.c 2011-07-06 20:00:13.000000000 -0400
18089 @@ -70,12 +70,6 @@ asmlinkage int system_call(void);
18090
18091 /* Do we ignore FPU interrupts ? */
18092 char ignore_fpu_irq;
18093 -
18094 -/*
18095 - * The IDT has to be page-aligned to simplify the Pentium
18096 - * F0 0F bug workaround.
18097 - */
18098 -gate_desc idt_table[NR_VECTORS] __page_aligned_data = { { { { 0, 0 } } }, };
18099 #endif
18100
18101 DECLARE_BITMAP(used_vectors, NR_VECTORS);
18102 @@ -117,13 +111,13 @@ static inline void preempt_conditional_c
18103 }
18104
18105 static void __kprobes
18106 -do_trap(int trapnr, int signr, char *str, struct pt_regs *regs,
18107 +do_trap(int trapnr, int signr, const char *str, struct pt_regs *regs,
18108 long error_code, siginfo_t *info)
18109 {
18110 struct task_struct *tsk = current;
18111
18112 #ifdef CONFIG_X86_32
18113 - if (regs->flags & X86_VM_MASK) {
18114 + if (v8086_mode(regs)) {
18115 /*
18116 * traps 0, 1, 3, 4, and 5 should be forwarded to vm86.
18117 * On nmi (interrupt 2), do_trap should not be called.
18118 @@ -134,7 +128,7 @@ do_trap(int trapnr, int signr, char *str
18119 }
18120 #endif
18121
18122 - if (!user_mode(regs))
18123 + if (!user_mode_novm(regs))
18124 goto kernel_trap;
18125
18126 #ifdef CONFIG_X86_32
18127 @@ -157,7 +151,7 @@ trap_signal:
18128 printk_ratelimit()) {
18129 printk(KERN_INFO
18130 "%s[%d] trap %s ip:%lx sp:%lx error:%lx",
18131 - tsk->comm, tsk->pid, str,
18132 + tsk->comm, task_pid_nr(tsk), str,
18133 regs->ip, regs->sp, error_code);
18134 print_vma_addr(" in ", regs->ip);
18135 printk("\n");
18136 @@ -174,8 +168,20 @@ kernel_trap:
18137 if (!fixup_exception(regs)) {
18138 tsk->thread.error_code = error_code;
18139 tsk->thread.trap_no = trapnr;
18140 +
18141 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
18142 + if (trapnr == 12 && ((regs->cs & 0xFFFF) == __KERNEL_CS || (regs->cs & 0xFFFF) == __KERNEXEC_KERNEL_CS))
18143 + str = "PAX: suspicious stack segment fault";
18144 +#endif
18145 +
18146 die(str, regs, error_code);
18147 }
18148 +
18149 +#ifdef CONFIG_PAX_REFCOUNT
18150 + if (trapnr == 4)
18151 + pax_report_refcount_overflow(regs);
18152 +#endif
18153 +
18154 return;
18155
18156 #ifdef CONFIG_X86_32
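Review bot: The bare vector numbers in `trapnr == 12` and `trapnr == 4` are unexplained, and the second one gates a security report, so a reader has to know the x86 vector table to see when `pax_report_refcount_overflow()` fires. Short comments such as `/* #SS in kernel code */` and `/* #OF: overflow trap, taken here as a refcount overflow signal */` would make the intent checkable. The selector test `(regs->cs & 0xFFFF) == __KERNEL_CS || (regs->cs & 0xFFFF) == __KERNEXEC_KERNEL_CS` is also repeated in the gp_in_kernel and do_nmi hunks below; a small `static inline` helper would keep the three copies from drifting apart. do_trap starts and ends outside this hunk.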
18157 @@ -264,14 +270,30 @@ do_general_protection(struct pt_regs *re
18158 conditional_sti(regs);
18159
18160 #ifdef CONFIG_X86_32
18161 - if (regs->flags & X86_VM_MASK)
18162 + if (v8086_mode(regs))
18163 goto gp_in_vm86;
18164 #endif
18165
18166 tsk = current;
18167 - if (!user_mode(regs))
18168 + if (!user_mode_novm(regs))
18169 goto gp_in_kernel;
18170
18171 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
18172 + if (!(__supported_pte_mask & _PAGE_NX) && tsk->mm && (tsk->mm->pax_flags & MF_PAX_PAGEEXEC)) {
18173 + struct mm_struct *mm = tsk->mm;
18174 + unsigned long limit;
18175 +
18176 + down_write(&mm->mmap_sem);
18177 + limit = mm->context.user_cs_limit;
18178 + if (limit < TASK_SIZE) {
18179 + track_exec_limit(mm, limit, TASK_SIZE, VM_EXEC);
18180 + up_write(&mm->mmap_sem);
18181 + return;
18182 + }
18183 + up_write(&mm->mmap_sem);
18184 + }
18185 +#endif
18186 +
18187 tsk->thread.error_code = error_code;
18188 tsk->thread.trap_no = 13;
18189
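Review bot: The new PAGEEXEC block returns from a user-mode general protection fault without delivering a signal whenever `user_cs_limit < TASK_SIZE`, and nothing in the hunk says why that is safe or what prevents the same fault from recurring indefinitely. Presumably `track_exec_limit()` raises the limit to `TASK_SIZE`, so the retried instruction either succeeds or takes the normal signal path on the next fault; that should be stated in a comment above the block. Something like `/* no NX: the fault may stem from the emulated code-segment limit; widen it once and retry */` would do, adjusted to whatever the real invariant is. do_general_protection starts and ends outside the hunk.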
18190 @@ -304,6 +326,13 @@ gp_in_kernel:
18191 if (notify_die(DIE_GPF, "general protection fault", regs,
18192 error_code, 13, SIGSEGV) == NOTIFY_STOP)
18193 return;
18194 +
18195 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
18196 + if ((regs->cs & 0xFFFF) == __KERNEL_CS || (regs->cs & 0xFFFF) == __KERNEXEC_KERNEL_CS)
18197 + die("PAX: suspicious general protection fault", regs, error_code);
18198 + else
18199 +#endif
18200 +
18201 die("general protection fault", regs, error_code);
18202 }
18203
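Review bot: The added `else` ends inside the `#if` block and binds to the `die("general protection fault", ...)` call that sits after `#endif` and a blank line, so the control flow depends on the preprocessor state. Any statement later inserted between `#endif` and that call would silently become the `else` body. Selecting the message first and calling `die()` once avoids the dangling `else`. The `msg` declaration belongs with the function's other locals, which are outside this hunk.

```c
	/* with the other locals of do_general_protection: */
	const char *msg = "general protection fault";

	/* … unchanged: notify_die() check … */

#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
	if ((regs->cs & 0xFFFF) == __KERNEL_CS || (regs->cs & 0xFFFF) == __KERNEXEC_KERNEL_CS)
		msg = "PAX: suspicious general protection fault";
#endif
	die(msg, regs, error_code);
```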
18204 @@ -433,6 +462,17 @@ static notrace __kprobes void default_do
18205 dotraplinkage notrace __kprobes void
18206 do_nmi(struct pt_regs *regs, long error_code)
18207 {
18208 +
18209 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
18210 + if (!user_mode(regs)) {
18211 + unsigned long cs = regs->cs & 0xFFFF;
18212 + unsigned long ip = ktva_ktla(regs->ip);
18213 +
18214 + if ((cs == __KERNEL_CS || cs == __KERNEXEC_KERNEL_CS) && ip <= (unsigned long)_etext)
18215 + regs->ip = ip;
18216 + }
18217 +#endif
18218 +
18219 nmi_enter();
18220
18221 inc_irq_stat(__nmi_count);
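Review bot: The block that rewrites `regs->ip` ahead of `nmi_enter()` has no comment explaining what the `ktva_ktla()` translation is for or why it is limited to the two kernel code selectors. The bound `ip <= (unsigned long)_etext` also admits `ip == _etext`; if `_etext` is the first address past kernel text, as the linker-script part of this patch suggests, `<` looks like the intended comparison. A short comment above the block plus the tightened bound would settle both. do_nmi continues outside the hunk.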
18222 @@ -569,7 +609,7 @@ dotraplinkage void __kprobes do_debug(st
18223 /* It's safe to allow irq's after DR6 has been saved */
18224 preempt_conditional_sti(regs);
18225
18226 - if (regs->flags & X86_VM_MASK) {
18227 + if (v8086_mode(regs)) {
18228 handle_vm86_trap((struct kernel_vm86_regs *) regs,
18229 error_code, 1);
18230 preempt_conditional_cli(regs);
18231 @@ -583,7 +623,7 @@ dotraplinkage void __kprobes do_debug(st
18232 * We already checked v86 mode above, so we can check for kernel mode
18233 * by just checking the CPL of CS.
18234 */
18235 - if ((dr6 & DR_STEP) && !user_mode(regs)) {
18236 + if ((dr6 & DR_STEP) && !user_mode_novm(regs)) {
18237 tsk->thread.debugreg6 &= ~DR_STEP;
18238 set_tsk_thread_flag(tsk, TIF_SINGLESTEP);
18239 regs->flags &= ~X86_EFLAGS_TF;
18240 @@ -612,7 +652,7 @@ void math_error(struct pt_regs *regs, in
18241 return;
18242 conditional_sti(regs);
18243
18244 - if (!user_mode_vm(regs))
18245 + if (!user_mode(regs))
18246 {
18247 if (!fixup_exception(regs)) {
18248 task->thread.error_code = error_code;
18249 @@ -723,7 +763,7 @@ asmlinkage void __attribute__((weak)) sm
18250 void __math_state_restore(void)
18251 {
18252 struct thread_info *thread = current_thread_info();
18253 - struct task_struct *tsk = thread->task;
18254 + struct task_struct *tsk = current;
18255
18256 /*
18257 * Paranoid restore. send a SIGSEGV if we fail to restore the state.
18258 @@ -750,8 +790,7 @@ void __math_state_restore(void)
18259 */
18260 asmlinkage void math_state_restore(void)
18261 {
18262 - struct thread_info *thread = current_thread_info();
18263 - struct task_struct *tsk = thread->task;
18264 + struct task_struct *tsk = current;
18265
18266 if (!tsk_used_math(tsk)) {
18267 local_irq_enable();
18268 diff -urNp linux-2.6.39.3/arch/x86/kernel/verify_cpu.S linux-2.6.39.3/arch/x86/kernel/verify_cpu.S
18269 --- linux-2.6.39.3/arch/x86/kernel/verify_cpu.S 2011-05-19 00:06:34.000000000 -0400
18270 +++ linux-2.6.39.3/arch/x86/kernel/verify_cpu.S 2011-07-01 18:28:04.000000000 -0400
18271 @@ -20,6 +20,7 @@
18272 * arch/x86/boot/compressed/head_64.S: Boot cpu verification
18273 * arch/x86/kernel/trampoline_64.S: secondary processor verification
18274 * arch/x86/kernel/head_32.S: processor startup
18275 + * arch/x86/kernel/acpi/realmode/wakeup.S: 32bit processor resume
18276 *
18277 * verify_cpu, returns the status of longmode and SSE in register %eax.
18278 * 0: Success 1: Failure
18279 diff -urNp linux-2.6.39.3/arch/x86/kernel/vm86_32.c linux-2.6.39.3/arch/x86/kernel/vm86_32.c
18280 --- linux-2.6.39.3/arch/x86/kernel/vm86_32.c 2011-05-19 00:06:34.000000000 -0400
18281 +++ linux-2.6.39.3/arch/x86/kernel/vm86_32.c 2011-05-22 19:41:32.000000000 -0400
18282 @@ -41,6 +41,7 @@
18283 #include <linux/ptrace.h>
18284 #include <linux/audit.h>
18285 #include <linux/stddef.h>
18286 +#include <linux/grsecurity.h>
18287
18288 #include <asm/uaccess.h>
18289 #include <asm/io.h>
18290 @@ -148,7 +149,7 @@ struct pt_regs *save_v86_state(struct ke
18291 do_exit(SIGSEGV);
18292 }
18293
18294 - tss = &per_cpu(init_tss, get_cpu());
18295 + tss = init_tss + get_cpu();
18296 current->thread.sp0 = current->thread.saved_sp0;
18297 current->thread.sysenter_cs = __KERNEL_CS;
18298 load_sp0(tss, &current->thread);
18299 @@ -208,6 +209,13 @@ int sys_vm86old(struct vm86_struct __use
18300 struct task_struct *tsk;
18301 int tmp, ret = -EPERM;
18302
18303 +#ifdef CONFIG_GRKERNSEC_VM86
18304 + if (!capable(CAP_SYS_RAWIO)) {
18305 + gr_handle_vm86();
18306 + goto out;
18307 + }
18308 +#endif
18309 +
18310 tsk = current;
18311 if (tsk->thread.saved_sp0)
18312 goto out;
18313 @@ -238,6 +246,14 @@ int sys_vm86(unsigned long cmd, unsigned
18314 int tmp, ret;
18315 struct vm86plus_struct __user *v86;
18316
18317 +#ifdef CONFIG_GRKERNSEC_VM86
18318 + if (!capable(CAP_SYS_RAWIO)) {
18319 + gr_handle_vm86();
18320 + ret = -EPERM;
18321 + goto out;
18322 + }
18323 +#endif
18324 +
18325 tsk = current;
18326 switch (cmd) {
18327 case VM86_REQUEST_IRQ:
18328 @@ -324,7 +340,7 @@ static void do_sys_vm86(struct kernel_vm
18329 tsk->thread.saved_fs = info->regs32->fs;
18330 tsk->thread.saved_gs = get_user_gs(info->regs32);
18331
18332 - tss = &per_cpu(init_tss, get_cpu());
18333 + tss = init_tss + get_cpu();
18334 tsk->thread.sp0 = (unsigned long) &info->VM86_TSS_ESP0;
18335 if (cpu_has_sep)
18336 tsk->thread.sysenter_cs = 0;
18337 @@ -529,7 +545,7 @@ static void do_int(struct kernel_vm86_re
18338 goto cannot_handle;
18339 if (i == 0x21 && is_revectored(AH(regs), &KVM86->int21_revectored))
18340 goto cannot_handle;
18341 - intr_ptr = (unsigned long __user *) (i << 2);
18342 + intr_ptr = (__force unsigned long __user *) (i << 2);
18343 if (get_user(segoffs, intr_ptr))
18344 goto cannot_handle;
18345 if ((segoffs >> 16) == BIOSSEG)
18346 diff -urNp linux-2.6.39.3/arch/x86/kernel/vmlinux.lds.S linux-2.6.39.3/arch/x86/kernel/vmlinux.lds.S
18347 --- linux-2.6.39.3/arch/x86/kernel/vmlinux.lds.S 2011-05-19 00:06:34.000000000 -0400
18348 +++ linux-2.6.39.3/arch/x86/kernel/vmlinux.lds.S 2011-05-22 19:36:30.000000000 -0400
18349 @@ -26,6 +26,13 @@
18350 #include <asm/page_types.h>
18351 #include <asm/cache.h>
18352 #include <asm/boot.h>
18353 +#include <asm/segment.h>
18354 +
18355 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
18356 +#define __KERNEL_TEXT_OFFSET (LOAD_OFFSET + ____LOAD_PHYSICAL_ADDR)
18357 +#else
18358 +#define __KERNEL_TEXT_OFFSET 0
18359 +#endif
18360
18361 #undef i386 /* in case the preprocessor is a 32bit one */
18362
18363 @@ -34,11 +41,9 @@ OUTPUT_FORMAT(CONFIG_OUTPUT_FORMAT, CONF
18364 #ifdef CONFIG_X86_32
18365 OUTPUT_ARCH(i386)
18366 ENTRY(phys_startup_32)
18367 -jiffies = jiffies_64;
18368 #else
18369 OUTPUT_ARCH(i386:x86-64)
18370 ENTRY(phys_startup_64)
18371 -jiffies_64 = jiffies;
18372 #endif
18373
18374 #if defined(CONFIG_X86_64) && defined(CONFIG_DEBUG_RODATA)
18375 @@ -69,31 +74,46 @@ jiffies_64 = jiffies;
18376
18377 PHDRS {
18378 text PT_LOAD FLAGS(5); /* R_E */
18379 +#ifdef CONFIG_X86_32
18380 + module PT_LOAD FLAGS(5); /* R_E */
18381 +#endif
18382 +#ifdef CONFIG_XEN
18383 + rodata PT_LOAD FLAGS(5); /* R_E */
18384 +#else
18385 + rodata PT_LOAD FLAGS(4); /* R__ */
18386 +#endif
18387 data PT_LOAD FLAGS(6); /* RW_ */
18388 #ifdef CONFIG_X86_64
18389 user PT_LOAD FLAGS(5); /* R_E */
18390 +#endif
18391 + init.begin PT_LOAD FLAGS(6); /* RW_ */
18392 #ifdef CONFIG_SMP
18393 percpu PT_LOAD FLAGS(6); /* RW_ */
18394 #endif
18395 + text.init PT_LOAD FLAGS(5); /* R_E */
18396 + text.exit PT_LOAD FLAGS(5); /* R_E */
18397 init PT_LOAD FLAGS(7); /* RWE */
18398 -#endif
18399 note PT_NOTE FLAGS(0); /* ___ */
18400 }
18401
18402 SECTIONS
18403 {
18404 #ifdef CONFIG_X86_32
18405 - . = LOAD_OFFSET + LOAD_PHYSICAL_ADDR;
18406 - phys_startup_32 = startup_32 - LOAD_OFFSET;
18407 + . = LOAD_OFFSET + ____LOAD_PHYSICAL_ADDR;
18408 #else
18409 - . = __START_KERNEL;
18410 - phys_startup_64 = startup_64 - LOAD_OFFSET;
18411 + . = __START_KERNEL;
18412 #endif
18413
18414 /* Text and read-only data */
18415 - .text : AT(ADDR(.text) - LOAD_OFFSET) {
18416 - _text = .;
18417 + .text (. - __KERNEL_TEXT_OFFSET): AT(ADDR(.text) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) {
18418 /* bootstrapping code */
18419 +#ifdef CONFIG_X86_32
18420 + phys_startup_32 = startup_32 - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
18421 +#else
18422 + phys_startup_64 = startup_64 - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
18423 +#endif
18424 + __LOAD_PHYSICAL_ADDR = . - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
18425 + _text = .;
18426 HEAD_TEXT
18427 #ifdef CONFIG_X86_32
18428 . = ALIGN(PAGE_SIZE);
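Review bot: In the PHDRS block the new `rodata` segment is marked `FLAGS(5)` (read and execute) under CONFIG_XEN and `FLAGS(4)` otherwise, with no comment on why Xen builds need read-only data to be executable. This hunk otherwise separates text, rodata and data by permission, so the exception deserves a note naming the Xen constraint, for example `/* Xen: <reason> requires R_E here */` with the actual reason filled in. The unchanged `init PT_LOAD FLAGS(7); /* RWE */` line remains the one writable-and-executable segment and would benefit from the same kind of justification.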
18429 @@ -109,13 +129,47 @@ SECTIONS
18430 IRQENTRY_TEXT
18431 *(.fixup)
18432 *(.gnu.warning)
18433 - /* End of text section */
18434 - _etext = .;
18435 } :text = 0x9090
18436
18437 - NOTES :text :note
18438 + . += __KERNEL_TEXT_OFFSET;
18439 +
18440 +#ifdef CONFIG_X86_32
18441 + . = ALIGN(PAGE_SIZE);
18442 + .module.text : AT(ADDR(.module.text) - LOAD_OFFSET) {
18443 +
18444 +#if defined(CONFIG_PAX_KERNEXEC) && defined(CONFIG_MODULES)
18445 + MODULES_EXEC_VADDR = .;
18446 + BYTE(0)
18447 + . += (CONFIG_PAX_KERNEXEC_MODULE_TEXT * 1024 * 1024);
18448 + . = ALIGN(HPAGE_SIZE);
18449 + MODULES_EXEC_END = . - 1;
18450 +#endif
18451 +
18452 + } :module
18453 +#endif
18454 +
18455 + .text.end : AT(ADDR(.text.end) - LOAD_OFFSET) {
18456 + /* End of text section */
18457 + _etext = . - __KERNEL_TEXT_OFFSET;
18458 + }
18459
18460 - EXCEPTION_TABLE(16) :text = 0x9090
18461 +#ifdef CONFIG_X86_32
18462 + . = ALIGN(PAGE_SIZE);
18463 + .rodata.page_aligned : AT(ADDR(.rodata.page_aligned) - LOAD_OFFSET) {
18464 + *(.idt)
18465 + . = ALIGN(PAGE_SIZE);
18466 + *(.empty_zero_page)
18467 + *(.initial_pg_fixmap)
18468 + *(.initial_pg_pmd)
18469 + *(.initial_page_table)
18470 + *(.swapper_pg_dir)
18471 + } :rodata
18472 +#endif
18473 +
18474 + . = ALIGN(PAGE_SIZE);
18475 + NOTES :rodata :note
18476 +
18477 + EXCEPTION_TABLE(16) :rodata
18478
18479 #if defined(CONFIG_DEBUG_RODATA)
18480 /* .text should occupy whole number of pages */
18481 @@ -127,16 +181,20 @@ SECTIONS
18482
18483 /* Data */
18484 .data : AT(ADDR(.data) - LOAD_OFFSET) {
18485 +
18486 +#ifdef CONFIG_PAX_KERNEXEC
18487 + . = ALIGN(HPAGE_SIZE);
18488 +#else
18489 + . = ALIGN(PAGE_SIZE);
18490 +#endif
18491 +
18492 /* Start of data section */
18493 _sdata = .;
18494
18495 /* init_task */
18496 INIT_TASK_DATA(THREAD_SIZE)
18497
18498 -#ifdef CONFIG_X86_32
18499 - /* 32 bit has nosave before _edata */
18500 NOSAVE_DATA
18501 -#endif
18502
18503 PAGE_ALIGNED_DATA(PAGE_SIZE)
18504
18505 @@ -145,6 +203,8 @@ SECTIONS
18506 DATA_DATA
18507 CONSTRUCTORS
18508
18509 + jiffies = jiffies_64;
18510 +
18511 /* rarely changed data like cpu maps */
18512 READ_MOSTLY_DATA(INTERNODE_CACHE_BYTES)
18513
18514 @@ -199,12 +259,6 @@ SECTIONS
18515 }
18516 vgetcpu_mode = VVIRT(.vgetcpu_mode);
18517
18518 - . = ALIGN(L1_CACHE_BYTES);
18519 - .jiffies : AT(VLOAD(.jiffies)) {
18520 - *(.jiffies)
18521 - }
18522 - jiffies = VVIRT(.jiffies);
18523 -
18524 .vsyscall_3 ADDR(.vsyscall_0) + 3072: AT(VLOAD(.vsyscall_3)) {
18525 *(.vsyscall_3)
18526 }
18527 @@ -220,12 +274,19 @@ SECTIONS
18528 #endif /* CONFIG_X86_64 */
18529
18530 /* Init code and data - will be freed after init */
18531 - . = ALIGN(PAGE_SIZE);
18532 .init.begin : AT(ADDR(.init.begin) - LOAD_OFFSET) {
18533 + BYTE(0)
18534 +
18535 +#ifdef CONFIG_PAX_KERNEXEC
18536 + . = ALIGN(HPAGE_SIZE);
18537 +#else
18538 + . = ALIGN(PAGE_SIZE);
18539 +#endif
18540 +
18541 __init_begin = .; /* paired with __init_end */
18542 - }
18543 + } :init.begin
18544
18545 -#if defined(CONFIG_X86_64) && defined(CONFIG_SMP)
18546 +#ifdef CONFIG_SMP
18547 /*
18548 * percpu offsets are zero-based on SMP. PERCPU_VADDR() changes the
18549 * output PHDR, so the next output section - .init.text - should
18550 @@ -234,12 +295,27 @@ SECTIONS
18551 PERCPU_VADDR(INTERNODE_CACHE_BYTES, 0, :percpu)
18552 #endif
18553
18554 - INIT_TEXT_SECTION(PAGE_SIZE)
18555 -#ifdef CONFIG_X86_64
18556 - :init
18557 -#endif
18558 + . = ALIGN(PAGE_SIZE);
18559 + init_begin = .;
18560 + .init.text (. - __KERNEL_TEXT_OFFSET): AT(init_begin - LOAD_OFFSET) {
18561 + VMLINUX_SYMBOL(_sinittext) = .;
18562 + INIT_TEXT
18563 + VMLINUX_SYMBOL(_einittext) = .;
18564 + . = ALIGN(PAGE_SIZE);
18565 + } :text.init
18566
18567 - INIT_DATA_SECTION(16)
18568 + /*
18569 + * .exit.text is discard at runtime, not link time, to deal with
18570 + * references from .altinstructions and .eh_frame
18571 + */
18572 + .exit.text : AT(ADDR(.exit.text) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) {
18573 + EXIT_TEXT
18574 + . = ALIGN(16);
18575 + } :text.exit
18576 + . = init_begin + SIZEOF(.init.text) + SIZEOF(.exit.text);
18577 +
18578 + . = ALIGN(PAGE_SIZE);
18579 + INIT_DATA_SECTION(16) :init
18580
18581 /*
18582 * Code and data for a variety of lowlevel trampolines, to be
18583 @@ -306,19 +382,12 @@ SECTIONS
18584 }
18585
18586 . = ALIGN(8);
18587 - /*
18588 - * .exit.text is discard at runtime, not link time, to deal with
18589 - * references from .altinstructions and .eh_frame
18590 - */
18591 - .exit.text : AT(ADDR(.exit.text) - LOAD_OFFSET) {
18592 - EXIT_TEXT
18593 - }
18594
18595 .exit.data : AT(ADDR(.exit.data) - LOAD_OFFSET) {
18596 EXIT_DATA
18597 }
18598
18599 -#if !defined(CONFIG_X86_64) || !defined(CONFIG_SMP)
18600 +#ifndef CONFIG_SMP
18601 PERCPU(INTERNODE_CACHE_BYTES, PAGE_SIZE)
18602 #endif
18603
18604 @@ -337,16 +406,10 @@ SECTIONS
18605 .smp_locks : AT(ADDR(.smp_locks) - LOAD_OFFSET) {
18606 __smp_locks = .;
18607 *(.smp_locks)
18608 - . = ALIGN(PAGE_SIZE);
18609 __smp_locks_end = .;
18610 + . = ALIGN(PAGE_SIZE);
18611 }
18612
18613 -#ifdef CONFIG_X86_64
18614 - .data_nosave : AT(ADDR(.data_nosave) - LOAD_OFFSET) {
18615 - NOSAVE_DATA
18616 - }
18617 -#endif
18618 -
18619 /* BSS */
18620 . = ALIGN(PAGE_SIZE);
18621 .bss : AT(ADDR(.bss) - LOAD_OFFSET) {
18622 @@ -362,6 +425,7 @@ SECTIONS
18623 __brk_base = .;
18624 . += 64 * 1024; /* 64k alignment slop space */
18625 *(.brk_reservation) /* areas brk users have reserved */
18626 + . = ALIGN(HPAGE_SIZE);
18627 __brk_limit = .;
18628 }
18629
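Review bot: `. = ALIGN(HPAGE_SIZE);` before `__brk_limit` is added unconditionally, whereas the huge-page alignments this patch adds in `.data` and `.init.begin` are wrapped in `#ifdef CONFIG_PAX_KERNEXEC` with a `PAGE_SIZE` fallback. If the padding is only needed for KERNEXEC, builds without it get the extra alignment for no stated reason. Guard it the same way, or add a comment saying why it applies to every configuration.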
18630 @@ -388,13 +452,12 @@ SECTIONS
18631 * for the boot processor.
18632 */
18633 #define INIT_PER_CPU(x) init_per_cpu__##x = x + __per_cpu_load
18634 -INIT_PER_CPU(gdt_page);
18635 INIT_PER_CPU(irq_stack_union);
18636
18637 /*
18638 * Build-time check on the image size:
18639 */
18640 -. = ASSERT((_end - _text <= KERNEL_IMAGE_SIZE),
18641 +. = ASSERT((_end - _text - __KERNEL_TEXT_OFFSET <= KERNEL_IMAGE_SIZE),
18642 "kernel image bigger than KERNEL_IMAGE_SIZE");
18643
18644 #ifdef CONFIG_SMP
18645 diff -urNp linux-2.6.39.3/arch/x86/kernel/vsyscall_64.c linux-2.6.39.3/arch/x86/kernel/vsyscall_64.c
18646 --- linux-2.6.39.3/arch/x86/kernel/vsyscall_64.c 2011-05-19 00:06:34.000000000 -0400
18647 +++ linux-2.6.39.3/arch/x86/kernel/vsyscall_64.c 2011-05-22 19:36:30.000000000 -0400
18648 @@ -80,6 +80,7 @@ void update_vsyscall(struct timespec *wa
18649
18650 write_seqlock_irqsave(&vsyscall_gtod_data.lock, flags);
18651 /* copy vsyscall data */
18652 + strlcpy(vsyscall_gtod_data.clock.name, clock->name, sizeof vsyscall_gtod_data.clock.name);
18653 vsyscall_gtod_data.clock.vread = clock->vread;
18654 vsyscall_gtod_data.clock.cycle_last = clock->cycle_last;
18655 vsyscall_gtod_data.clock.mask = clock->mask;
18656 @@ -208,7 +209,7 @@ vgetcpu(unsigned *cpu, unsigned *node, s
18657 We do this here because otherwise user space would do it on
18658 its own in a likely inferior way (no access to jiffies).
18659 If you don't like it pass NULL. */
18660 - if (tcache && tcache->blob[0] == (j = __jiffies)) {
18661 + if (tcache && tcache->blob[0] == (j = jiffies)) {
18662 p = tcache->blob[1];
18663 } else if (__vgetcpu_mode == VGETCPU_RDTSCP) {
18664 /* Load per CPU data from RDTSCP */
18665 diff -urNp linux-2.6.39.3/arch/x86/kernel/x8664_ksyms_64.c linux-2.6.39.3/arch/x86/kernel/x8664_ksyms_64.c
18666 --- linux-2.6.39.3/arch/x86/kernel/x8664_ksyms_64.c 2011-05-19 00:06:34.000000000 -0400
18667 +++ linux-2.6.39.3/arch/x86/kernel/x8664_ksyms_64.c 2011-05-22 19:36:30.000000000 -0400
18668 @@ -29,8 +29,6 @@ EXPORT_SYMBOL(__put_user_8);
18669 EXPORT_SYMBOL(copy_user_generic_string);
18670 EXPORT_SYMBOL(copy_user_generic_unrolled);
18671 EXPORT_SYMBOL(__copy_user_nocache);
18672 -EXPORT_SYMBOL(_copy_from_user);
18673 -EXPORT_SYMBOL(_copy_to_user);
18674
18675 EXPORT_SYMBOL(copy_page);
18676 EXPORT_SYMBOL(clear_page);
18677 diff -urNp linux-2.6.39.3/arch/x86/kernel/xsave.c linux-2.6.39.3/arch/x86/kernel/xsave.c
18678 --- linux-2.6.39.3/arch/x86/kernel/xsave.c 2011-05-19 00:06:34.000000000 -0400
18679 +++ linux-2.6.39.3/arch/x86/kernel/xsave.c 2011-05-22 19:36:30.000000000 -0400
18680 @@ -130,7 +130,7 @@ int check_for_xstate(struct i387_fxsave_
18681 fx_sw_user->xstate_size > fx_sw_user->extended_size)
18682 return -EINVAL;
18683
18684 - err = __get_user(magic2, (__u32 *) (((void *)fpstate) +
18685 + err = __get_user(magic2, (__u32 __user *) (((void __user *)fpstate) +
18686 fx_sw_user->extended_size -
18687 FP_XSTATE_MAGIC2_SIZE));
18688 if (err)
18689 @@ -267,7 +267,7 @@ fx_only:
18690 * the other extended state.
18691 */
18692 xrstor_state(init_xstate_buf, pcntxt_mask & ~XSTATE_FPSSE);
18693 - return fxrstor_checking((__force struct i387_fxsave_struct *)buf);
18694 + return fxrstor_checking((struct i387_fxsave_struct __user *)buf);
18695 }
18696
18697 /*
18698 @@ -299,7 +299,7 @@ int restore_i387_xstate(void __user *buf
18699 if (use_xsave())
18700 err = restore_user_xstate(buf);
18701 else
18702 - err = fxrstor_checking((__force struct i387_fxsave_struct *)
18703 + err = fxrstor_checking((struct i387_fxsave_struct __user *)
18704 buf);
18705 if (unlikely(err)) {
18706 /*
18707 diff -urNp linux-2.6.39.3/arch/x86/kvm/emulate.c linux-2.6.39.3/arch/x86/kvm/emulate.c
18708 --- linux-2.6.39.3/arch/x86/kvm/emulate.c 2011-05-19 00:06:34.000000000 -0400
18709 +++ linux-2.6.39.3/arch/x86/kvm/emulate.c 2011-05-22 19:36:30.000000000 -0400
18710 @@ -89,7 +89,7 @@
18711 #define Src2ImmByte (2<<29)
18712 #define Src2One (3<<29)
18713 #define Src2Imm (4<<29)
18714 -#define Src2Mask (7<<29)
18715 +#define Src2Mask (7U<<29)
18716
18717 #define X2(x...) x, x
18718 #define X3(x...) X2(x), x
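Review bot: `Src2Imm` two lines above the fixed `Src2Mask` has the same signed-shift problem and is left unchanged: `4<<29` is 2^31, which does not fit in a 32-bit `int`, so the shift is undefined behaviour just as `7<<29` was. Make it `#define Src2Imm (4U<<29)` so the whole Src2 field is defined with unsigned constants. `Src2ImmByte` and `Src2One` fit in an `int`, but giving them the `U` suffix too would keep the group uniform.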
18719 @@ -190,6 +190,7 @@ struct group_dual {
18720
18721 #define ____emulate_2op(_op, _src, _dst, _eflags, _x, _y, _suffix, _dsttype) \
18722 do { \
18723 + unsigned long _tmp; \
18724 __asm__ __volatile__ ( \
18725 _PRE_EFLAGS("0", "4", "2") \
18726 _op _suffix " %"_x"3,%1; " \
18727 @@ -203,8 +204,6 @@ struct group_dual {
18728 /* Raw emulation: instruction has two explicit operands. */
18729 #define __emulate_2op_nobyte(_op,_src,_dst,_eflags,_wx,_wy,_lx,_ly,_qx,_qy) \
18730 do { \
18731 - unsigned long _tmp; \
18732 - \
18733 switch ((_dst).bytes) { \
18734 case 2: \
18735 ____emulate_2op(_op,_src,_dst,_eflags,_wx,_wy,"w",u16);\
18736 @@ -220,7 +219,6 @@ struct group_dual {
18737
18738 #define __emulate_2op(_op,_src,_dst,_eflags,_bx,_by,_wx,_wy,_lx,_ly,_qx,_qy) \
18739 do { \
18740 - unsigned long _tmp; \
18741 switch ((_dst).bytes) { \
18742 case 1: \
18743 ____emulate_2op(_op,_src,_dst,_eflags,_bx,_by,"b",u8); \
18744 diff -urNp linux-2.6.39.3/arch/x86/kvm/lapic.c linux-2.6.39.3/arch/x86/kvm/lapic.c
18745 --- linux-2.6.39.3/arch/x86/kvm/lapic.c 2011-05-19 00:06:34.000000000 -0400
18746 +++ linux-2.6.39.3/arch/x86/kvm/lapic.c 2011-05-22 19:36:30.000000000 -0400
18747 @@ -53,7 +53,7 @@
18748 #define APIC_BUS_CYCLE_NS 1
18749
18750 /* #define apic_debug(fmt,arg...) printk(KERN_WARNING fmt,##arg) */
18751 -#define apic_debug(fmt, arg...)
18752 +#define apic_debug(fmt, arg...) do {} while (0)
18753
18754 #define APIC_LVT_NUM 6
18755 /* 14 is the version for Xeon and Pentium 8.4.8*/
18756 diff -urNp linux-2.6.39.3/arch/x86/kvm/mmu.c linux-2.6.39.3/arch/x86/kvm/mmu.c
18757 --- linux-2.6.39.3/arch/x86/kvm/mmu.c 2011-05-19 00:06:34.000000000 -0400
18758 +++ linux-2.6.39.3/arch/x86/kvm/mmu.c 2011-05-22 19:36:30.000000000 -0400
18759 @@ -3240,7 +3240,7 @@ void kvm_mmu_pte_write(struct kvm_vcpu *
18760
18761 pgprintk("%s: gpa %llx bytes %d\n", __func__, gpa, bytes);
18762
18763 - invlpg_counter = atomic_read(&vcpu->kvm->arch.invlpg_counter);
18764 + invlpg_counter = atomic_read_unchecked(&vcpu->kvm->arch.invlpg_counter);
18765
18766 /*
18767 * Assume that the pte write on a page table of the same type
18768 @@ -3275,7 +3275,7 @@ void kvm_mmu_pte_write(struct kvm_vcpu *
18769 smp_rmb();
18770
18771 spin_lock(&vcpu->kvm->mmu_lock);
18772 - if (atomic_read(&vcpu->kvm->arch.invlpg_counter) != invlpg_counter)
18773 + if (atomic_read_unchecked(&vcpu->kvm->arch.invlpg_counter) != invlpg_counter)
18774 gentry = 0;
18775 kvm_mmu_free_some_pages(vcpu);
18776 ++vcpu->kvm->stat.mmu_pte_write;
18777 diff -urNp linux-2.6.39.3/arch/x86/kvm/paging_tmpl.h linux-2.6.39.3/arch/x86/kvm/paging_tmpl.h
18778 --- linux-2.6.39.3/arch/x86/kvm/paging_tmpl.h 2011-05-19 00:06:34.000000000 -0400
18779 +++ linux-2.6.39.3/arch/x86/kvm/paging_tmpl.h 2011-05-22 19:36:30.000000000 -0400
18780 @@ -552,6 +552,8 @@ static int FNAME(page_fault)(struct kvm_
18781 unsigned long mmu_seq;
18782 bool map_writable;
18783
18784 + pax_track_stack();
18785 +
18786 pgprintk("%s: addr %lx err %x\n", __func__, addr, error_code);
18787
18788 r = mmu_topup_memory_caches(vcpu);
18789 @@ -672,7 +674,7 @@ static void FNAME(invlpg)(struct kvm_vcp
18790 if (need_flush)
18791 kvm_flush_remote_tlbs(vcpu->kvm);
18792
18793 - atomic_inc(&vcpu->kvm->arch.invlpg_counter);
18794 + atomic_inc_unchecked(&vcpu->kvm->arch.invlpg_counter);
18795
18796 spin_unlock(&vcpu->kvm->mmu_lock);
18797
18798 diff -urNp linux-2.6.39.3/arch/x86/kvm/svm.c linux-2.6.39.3/arch/x86/kvm/svm.c
18799 --- linux-2.6.39.3/arch/x86/kvm/svm.c 2011-05-19 00:06:34.000000000 -0400
18800 +++ linux-2.6.39.3/arch/x86/kvm/svm.c 2011-05-22 19:36:30.000000000 -0400
18801 @@ -3278,7 +3278,11 @@ static void reload_tss(struct kvm_vcpu *
18802 int cpu = raw_smp_processor_id();
18803
18804 struct svm_cpu_data *sd = per_cpu(svm_data, cpu);
18805 +
18806 + pax_open_kernel();
18807 sd->tss_desc->type = 9; /* available 32/64-bit TSS */
18808 + pax_close_kernel();
18809 +
18810 load_TR_desc();
18811 }
18812
18813 @@ -3656,6 +3660,10 @@ static void svm_vcpu_run(struct kvm_vcpu
18814 #endif
18815 #endif
18816
18817 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
18818 + __set_fs(current_thread_info()->addr_limit);
18819 +#endif
18820 +
18821 reload_tss(vcpu);
18822
18823 local_irq_disable();
18824 @@ -3871,7 +3879,7 @@ static void svm_fpu_deactivate(struct kv
18825 update_cr0_intercept(svm);
18826 }
18827
18828 -static struct kvm_x86_ops svm_x86_ops = {
18829 +static const struct kvm_x86_ops svm_x86_ops = {
18830 .cpu_has_kvm_support = has_svm,
18831 .disabled_by_bios = is_disabled,
18832 .hardware_setup = svm_hardware_setup,
18833 diff -urNp linux-2.6.39.3/arch/x86/kvm/vmx.c linux-2.6.39.3/arch/x86/kvm/vmx.c
18834 --- linux-2.6.39.3/arch/x86/kvm/vmx.c 2011-05-19 00:06:34.000000000 -0400
18835 +++ linux-2.6.39.3/arch/x86/kvm/vmx.c 2011-05-22 19:36:30.000000000 -0400
18836 @@ -725,7 +725,11 @@ static void reload_tss(void)
18837 struct desc_struct *descs;
18838
18839 descs = (void *)gdt->address;
18840 +
18841 + pax_open_kernel();
18842 descs[GDT_ENTRY_TSS].type = 9; /* available TSS */
18843 + pax_close_kernel();
18844 +
18845 load_TR_desc();
18846 }
18847
18848 @@ -1648,8 +1652,11 @@ static __init int hardware_setup(void)
18849 if (!cpu_has_vmx_flexpriority())
18850 flexpriority_enabled = 0;
18851
18852 - if (!cpu_has_vmx_tpr_shadow())
18853 - kvm_x86_ops->update_cr8_intercept = NULL;
18854 + if (!cpu_has_vmx_tpr_shadow()) {
18855 + pax_open_kernel();
18856 + *(void **)&kvm_x86_ops->update_cr8_intercept = NULL;
18857 + pax_close_kernel();
18858 + }
18859
18860 if (enable_ept && !cpu_has_vmx_ept_2m_page())
18861 kvm_disable_largepages();
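Review bot: `*(void **)&kvm_x86_ops->update_cr8_intercept = NULL;` writes through a cast into a table this patch declares `static const` (`vmx_x86_ops`, later in this file's diff), assuming `kvm_x86_ops` points at it here. Modifying an object defined `const` is undefined behaviour in C, and the compiler may assume the member never changes. The `pax_open_kernel()` window handles the page protection but not that language-level issue, and it makes a function-pointer table writable during the store. Choosing between two const tables, or testing `cpu_has_vmx_tpr_shadow()` where the hook is called, would avoid the write altogether. If the write stays, a comment such as `/* ops table is read-only after init; this hook depends on CPU features, hence the open/close window */` should say so.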
18862 @@ -2693,7 +2700,7 @@ static int vmx_vcpu_setup(struct vcpu_vm
18863 vmcs_writel(HOST_IDTR_BASE, dt.address); /* 22.2.4 */
18864
18865 asm("mov $.Lkvm_vmx_return, %0" : "=r"(kvm_vmx_return));
18866 - vmcs_writel(HOST_RIP, kvm_vmx_return); /* 22.2.5 */
18867 + vmcs_writel(HOST_RIP, ktla_ktva(kvm_vmx_return)); /* 22.2.5 */
18868 vmcs_write32(VM_EXIT_MSR_STORE_COUNT, 0);
18869 vmcs_write32(VM_EXIT_MSR_LOAD_COUNT, 0);
18870 vmcs_write64(VM_EXIT_MSR_LOAD_ADDR, __pa(vmx->msr_autoload.host));
18871 @@ -4068,6 +4075,12 @@ static void __noclone vmx_vcpu_run(struc
18872 "jmp .Lkvm_vmx_return \n\t"
18873 ".Llaunched: " __ex(ASM_VMX_VMRESUME) "\n\t"
18874 ".Lkvm_vmx_return: "
18875 +
18876 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
18877 + "ljmp %[cs],$.Lkvm_vmx_return2\n\t"
18878 + ".Lkvm_vmx_return2: "
18879 +#endif
18880 +
18881 /* Save guest registers, load host registers, keep flags */
18882 "mov %0, %c[wordsize](%%"R"sp) \n\t"
18883 "pop %0 \n\t"
18884 @@ -4116,6 +4129,11 @@ static void __noclone vmx_vcpu_run(struc
18885 #endif
18886 [cr2]"i"(offsetof(struct vcpu_vmx, vcpu.arch.cr2)),
18887 [wordsize]"i"(sizeof(ulong))
18888 +
18889 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
18890 + ,[cs]"i"(__KERNEL_CS)
18891 +#endif
18892 +
18893 : "cc", "memory"
18894 , R"ax", R"bx", R"di", R"si"
18895 #ifdef CONFIG_X86_64
18896 @@ -4130,7 +4148,16 @@ static void __noclone vmx_vcpu_run(struc
18897
18898 vmx->idt_vectoring_info = vmcs_read32(IDT_VECTORING_INFO_FIELD);
18899
18900 - asm("mov %0, %%ds; mov %0, %%es" : : "r"(__USER_DS));
18901 + asm("mov %0, %%ds; mov %0, %%es; mov %0, %%ss" : : "r"(__KERNEL_DS));
18902 +
18903 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
18904 + loadsegment(fs, __KERNEL_PERCPU);
18905 +#endif
18906 +
18907 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
18908 + __set_fs(current_thread_info()->addr_limit);
18909 +#endif
18910 +
18911 vmx->launched = 1;
18912
18913 vmx->exit_reason = vmcs_read32(VM_EXIT_REASON);
18914 @@ -4368,7 +4395,7 @@ static void vmx_set_supported_cpuid(u32
18915 {
18916 }
18917
18918 -static struct kvm_x86_ops vmx_x86_ops = {
18919 +static const struct kvm_x86_ops vmx_x86_ops = {
18920 .cpu_has_kvm_support = cpu_has_kvm_support,
18921 .disabled_by_bios = vmx_disabled_by_bios,
18922 .hardware_setup = hardware_setup,
18923 diff -urNp linux-2.6.39.3/arch/x86/kvm/x86.c linux-2.6.39.3/arch/x86/kvm/x86.c
18924 --- linux-2.6.39.3/arch/x86/kvm/x86.c 2011-05-19 00:06:34.000000000 -0400
18925 +++ linux-2.6.39.3/arch/x86/kvm/x86.c 2011-05-22 19:36:30.000000000 -0400
18926 @@ -94,7 +94,7 @@ static void update_cr8_intercept(struct
18927 static int kvm_dev_ioctl_get_supported_cpuid(struct kvm_cpuid2 *cpuid,
18928 struct kvm_cpuid_entry2 __user *entries);
18929
18930 -struct kvm_x86_ops *kvm_x86_ops;
18931 +const struct kvm_x86_ops *kvm_x86_ops;
18932 EXPORT_SYMBOL_GPL(kvm_x86_ops);
18933
18934 int ignore_msrs = 0;
18935 @@ -2050,6 +2050,8 @@ long kvm_arch_dev_ioctl(struct file *fil
18936 if (n < msr_list.nmsrs)
18937 goto out;
18938 r = -EFAULT;
18939 + if (num_msrs_to_save > ARRAY_SIZE(msrs_to_save))
18940 + goto out;
18941 if (copy_to_user(user_msr_list->indices, &msrs_to_save,
18942 num_msrs_to_save * sizeof(u32)))
18943 goto out;
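Review bot: The new bound check on `num_msrs_to_save` fails with whatever `r` holds at that point, which is the `-EFAULT` set on the line above. An inconsistent kernel-side count would then be reported to userspace as a bad pointer and leave nothing in the log. Since the condition can only be true when internal state is wrong, `if (WARN_ON_ONCE(num_msrs_to_save > ARRAY_SIZE(msrs_to_save)))` would make it visible. The rest of this ioctl case is outside the hunk.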
18944 @@ -2217,15 +2219,20 @@ static int kvm_vcpu_ioctl_set_cpuid2(str
18945 struct kvm_cpuid2 *cpuid,
18946 struct kvm_cpuid_entry2 __user *entries)
18947 {
18948 - int r;
18949 + int r, i;
18950
18951 r = -E2BIG;
18952 if (cpuid->nent > KVM_MAX_CPUID_ENTRIES)
18953 goto out;
18954 r = -EFAULT;
18955 - if (copy_from_user(&vcpu->arch.cpuid_entries, entries,
18956 - cpuid->nent * sizeof(struct kvm_cpuid_entry2)))
18957 + if (!access_ok(VERIFY_READ, entries, cpuid->nent * sizeof(struct kvm_cpuid_entry2)))
18958 goto out;
18959 + for (i = 0; i < cpuid->nent; ++i) {
18960 + struct kvm_cpuid_entry2 cpuid_entry;
18961 + if (__copy_from_user(&cpuid_entry, entries + i, sizeof(cpuid_entry)))
18962 + goto out;
18963 + vcpu->arch.cpuid_entries[i] = cpuid_entry;
18964 + }
18965 vcpu->arch.cpuid_nent = cpuid->nent;
18966 kvm_apic_set_version(vcpu);
18967 kvm_x86_ops->cpuid_update(vcpu);
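Review bot: A fault in the middle of the new per-entry loop returns `-EFAULT` after entries `[0, i)` of `vcpu->arch.cpuid_entries` have already been overwritten, while `cpuid_nent` keeps its previous value. The replaced `copy_from_user` could also stop part-way, so this is not new, but the loop makes the partial state explicit and it deserves a comment such as `/* on fault the first i entries are already replaced; cpuid_nent is unchanged */`. The index is declared `int` and compared with `cpuid->nent`; `unsigned int i` would match if that field is unsigned (its declaration is not in the hunk). The tail of the function is outside this hunk.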
18968 @@ -2240,15 +2247,19 @@ static int kvm_vcpu_ioctl_get_cpuid2(str
18969 struct kvm_cpuid2 *cpuid,
18970 struct kvm_cpuid_entry2 __user *entries)
18971 {
18972 - int r;
18973 + int r, i;
18974
18975 r = -E2BIG;
18976 if (cpuid->nent < vcpu->arch.cpuid_nent)
18977 goto out;
18978 r = -EFAULT;
18979 - if (copy_to_user(entries, &vcpu->arch.cpuid_entries,
18980 - vcpu->arch.cpuid_nent * sizeof(struct kvm_cpuid_entry2)))
18981 + if (!access_ok(VERIFY_WRITE, entries, vcpu->arch.cpuid_nent * sizeof(struct kvm_cpuid_entry2)))
18982 goto out;
18983 + for (i = 0; i < vcpu->arch.cpuid_nent; ++i) {
18984 + struct kvm_cpuid_entry2 cpuid_entry = vcpu->arch.cpuid_entries[i];
18985 + if (__copy_to_user(entries + i, &cpuid_entry, sizeof(cpuid_entry)))
18986 + goto out;
18987 + }
18988 return 0;
18989
18990 out:
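Review bot: The per-entry copy through the stack local `cpuid_entry` has no comment saying why a single `copy_to_user` of the array was replaced; the set_cpuid2 hunk above does the same in the other direction. If the intent is that user copies never read or write the vcpu object directly, a line like `/* bounce each entry through the stack so the user copy never touches the vcpu object */` would stop someone from simplifying it back. The `out:` path is outside this hunk.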
18991 @@ -2526,7 +2537,7 @@ static int kvm_vcpu_ioctl_set_lapic(stru
18992 static int kvm_vcpu_ioctl_interrupt(struct kvm_vcpu *vcpu,
18993 struct kvm_interrupt *irq)
18994 {
18995 - if (irq->irq < 0 || irq->irq >= 256)
18996 + if (irq->irq >= 256)
18997 return -EINVAL;
18998 if (irqchip_in_kernel(vcpu->kvm))
18999 return -ENXIO;
19000 @@ -4672,7 +4683,7 @@ static unsigned long kvm_get_guest_ip(vo
19001 return ip;
19002 }
19003
19004 -static struct perf_guest_info_callbacks kvm_guest_cbs = {
19005 +static const struct perf_guest_info_callbacks kvm_guest_cbs = {
19006 .is_in_guest = kvm_is_in_guest,
19007 .is_user_mode = kvm_is_user_mode,
19008 .get_guest_ip = kvm_get_guest_ip,
19009 @@ -4690,10 +4701,10 @@ void kvm_after_handle_nmi(struct kvm_vcp
19010 }
19011 EXPORT_SYMBOL_GPL(kvm_after_handle_nmi);
19012
19013 -int kvm_arch_init(void *opaque)
19014 +int kvm_arch_init(const void *opaque)
19015 {
19016 int r;
19017 - struct kvm_x86_ops *ops = (struct kvm_x86_ops *)opaque;
19018 + const struct kvm_x86_ops *ops = (const struct kvm_x86_ops *)opaque;
19019
19020 if (kvm_x86_ops) {
19021 printk(KERN_ERR "kvm: already loaded the other module\n");
19022 diff -urNp linux-2.6.39.3/arch/x86/lib/atomic64_32.c linux-2.6.39.3/arch/x86/lib/atomic64_32.c
19023 --- linux-2.6.39.3/arch/x86/lib/atomic64_32.c 2011-05-19 00:06:34.000000000 -0400
19024 +++ linux-2.6.39.3/arch/x86/lib/atomic64_32.c 2011-05-22 19:36:30.000000000 -0400
19025 @@ -8,18 +8,30 @@
19026
19027 long long atomic64_read_cx8(long long, const atomic64_t *v);
19028 EXPORT_SYMBOL(atomic64_read_cx8);
19029 +long long atomic64_read_unchecked_cx8(long long, const atomic64_unchecked_t *v);
19030 +EXPORT_SYMBOL(atomic64_read_unchecked_cx8);
19031 long long atomic64_set_cx8(long long, const atomic64_t *v);
19032 EXPORT_SYMBOL(atomic64_set_cx8);
19033 +long long atomic64_set_unchecked_cx8(long long, const atomic64_unchecked_t *v);
19034 +EXPORT_SYMBOL(atomic64_set_unchecked_cx8);
19035 long long atomic64_xchg_cx8(long long, unsigned high);
19036 EXPORT_SYMBOL(atomic64_xchg_cx8);
19037 long long atomic64_add_return_cx8(long long a, atomic64_t *v);
19038 EXPORT_SYMBOL(atomic64_add_return_cx8);
19039 +long long atomic64_add_return_unchecked_cx8(long long a, atomic64_unchecked_t *v);
19040 +EXPORT_SYMBOL(atomic64_add_return_unchecked_cx8);
19041 long long atomic64_sub_return_cx8(long long a, atomic64_t *v);
19042 EXPORT_SYMBOL(atomic64_sub_return_cx8);
19043 +long long atomic64_sub_return_unchecked_cx8(long long a, atomic64_unchecked_t *v);
19044 +EXPORT_SYMBOL(atomic64_sub_return_unchecked_cx8);
19045 long long atomic64_inc_return_cx8(long long a, atomic64_t *v);
19046 EXPORT_SYMBOL(atomic64_inc_return_cx8);
19047 +long long atomic64_inc_return_unchecked_cx8(long long a, atomic64_unchecked_t *v);
19048 +EXPORT_SYMBOL(atomic64_inc_return_unchecked_cx8);
19049 long long atomic64_dec_return_cx8(long long a, atomic64_t *v);
19050 EXPORT_SYMBOL(atomic64_dec_return_cx8);
19051 +long long atomic64_dec_return_unchecked_cx8(long long a, atomic64_unchecked_t *v);
19052 +EXPORT_SYMBOL(atomic64_dec_return_unchecked_cx8);
19053 long long atomic64_dec_if_positive_cx8(atomic64_t *v);
19054 EXPORT_SYMBOL(atomic64_dec_if_positive_cx8);
19055 int atomic64_inc_not_zero_cx8(atomic64_t *v);
19056 @@ -30,26 +42,46 @@ EXPORT_SYMBOL(atomic64_add_unless_cx8);
19057 #ifndef CONFIG_X86_CMPXCHG64
19058 long long atomic64_read_386(long long, const atomic64_t *v);
19059 EXPORT_SYMBOL(atomic64_read_386);
19060 +long long atomic64_read_unchecked_386(long long, const atomic64_unchecked_t *v);
19061 +EXPORT_SYMBOL(atomic64_read_unchecked_386);
19062 long long atomic64_set_386(long long, const atomic64_t *v);
19063 EXPORT_SYMBOL(atomic64_set_386);
19064 +long long atomic64_set_unchecked_386(long long, const atomic64_unchecked_t *v);
19065 +EXPORT_SYMBOL(atomic64_set_unchecked_386);
19066 long long atomic64_xchg_386(long long, unsigned high);
19067 EXPORT_SYMBOL(atomic64_xchg_386);
19068 long long atomic64_add_return_386(long long a, atomic64_t *v);
19069 EXPORT_SYMBOL(atomic64_add_return_386);
19070 +long long atomic64_add_return_unchecked_386(long long a, atomic64_unchecked_t *v);
19071 +EXPORT_SYMBOL(atomic64_add_return_unchecked_386);
19072 long long atomic64_sub_return_386(long long a, atomic64_t *v);
19073 EXPORT_SYMBOL(atomic64_sub_return_386);
19074 +long long atomic64_sub_return_unchecked_386(long long a, atomic64_unchecked_t *v);
19075 +EXPORT_SYMBOL(atomic64_sub_return_unchecked_386);
19076 long long atomic64_inc_return_386(long long a, atomic64_t *v);
19077 EXPORT_SYMBOL(atomic64_inc_return_386);
19078 +long long atomic64_inc_return_unchecked_386(long long a, atomic64_unchecked_t *v);
19079 +EXPORT_SYMBOL(atomic64_inc_return_unchecked_386);
19080 long long atomic64_dec_return_386(long long a, atomic64_t *v);
19081 EXPORT_SYMBOL(atomic64_dec_return_386);
19082 +long long atomic64_dec_return_unchecked_386(long long a, atomic64_unchecked_t *v);
19083 +EXPORT_SYMBOL(atomic64_dec_return_unchecked_386);
19084 long long atomic64_add_386(long long a, atomic64_t *v);
19085 EXPORT_SYMBOL(atomic64_add_386);
19086 +long long atomic64_add_unchecked_386(long long a, atomic64_unchecked_t *v);
19087 +EXPORT_SYMBOL(atomic64_add_unchecked_386);
19088 long long atomic64_sub_386(long long a, atomic64_t *v);
19089 EXPORT_SYMBOL(atomic64_sub_386);
19090 +long long atomic64_sub_unchecked_386(long long a, atomic64_unchecked_t *v);
19091 +EXPORT_SYMBOL(atomic64_sub_unchecked_386);
19092 long long atomic64_inc_386(long long a, atomic64_t *v);
19093 EXPORT_SYMBOL(atomic64_inc_386);
19094 +long long atomic64_inc_unchecked_386(long long a, atomic64_unchecked_t *v);
19095 +EXPORT_SYMBOL(atomic64_inc_unchecked_386);
19096 long long atomic64_dec_386(long long a, atomic64_t *v);
19097 EXPORT_SYMBOL(atomic64_dec_386);
19098 +long long atomic64_dec_unchecked_386(long long a, atomic64_unchecked_t *v);
19099 +EXPORT_SYMBOL(atomic64_dec_unchecked_386);
19100 long long atomic64_dec_if_positive_386(atomic64_t *v);
19101 EXPORT_SYMBOL(atomic64_dec_if_positive_386);
19102 int atomic64_inc_not_zero_386(atomic64_t *v);
19103 diff -urNp linux-2.6.39.3/arch/x86/lib/atomic64_386_32.S linux-2.6.39.3/arch/x86/lib/atomic64_386_32.S
19104 --- linux-2.6.39.3/arch/x86/lib/atomic64_386_32.S 2011-05-19 00:06:34.000000000 -0400
19105 +++ linux-2.6.39.3/arch/x86/lib/atomic64_386_32.S 2011-05-22 19:36:30.000000000 -0400
19106 @@ -48,6 +48,10 @@ BEGIN(read)
19107 movl (v), %eax
19108 movl 4(v), %edx
19109 RET_ENDP
19110 +BEGIN(read_unchecked)
19111 + movl (v), %eax
19112 + movl 4(v), %edx
19113 +RET_ENDP
19114 #undef v
19115
19116 #define v %esi
19117 @@ -55,6 +59,10 @@ BEGIN(set)
19118 movl %ebx, (v)
19119 movl %ecx, 4(v)
19120 RET_ENDP
19121 +BEGIN(set_unchecked)
19122 + movl %ebx, (v)
19123 + movl %ecx, 4(v)
19124 +RET_ENDP
19125 #undef v
19126
19127 #define v %esi
19128 @@ -70,6 +78,20 @@ RET_ENDP
19129 BEGIN(add)
19130 addl %eax, (v)
19131 adcl %edx, 4(v)
19132 +
19133 +#ifdef CONFIG_PAX_REFCOUNT
19134 + jno 0f
19135 + subl %eax, (v)
19136 + sbbl %edx, 4(v)
19137 + int $4
19138 +0:
19139 + _ASM_EXTABLE(0b, 0b)
19140 +#endif
19141 +
19142 +RET_ENDP
19143 +BEGIN(add_unchecked)
19144 + addl %eax, (v)
19145 + adcl %edx, 4(v)
19146 RET_ENDP
19147 #undef v
19148
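Review bot: The `0:` label in the CONFIG_PAX_REFCOUNT block does two jobs, as the `jno` target and as the address recorded by `_ASM_EXTABLE(0b, 0b)`, and nothing says so. A comment such as `/* signed overflow: undo the add, then trap; the extable entry resumes at 0 */` before `jno 0f` would make the undo-then-trap sequence readable. How the `int $4` handler uses that entry is not visible here. The same block, with the operation mirrored, is added in the sub, inc and dec hunks.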
19149 @@ -77,6 +99,24 @@ RET_ENDP
19150 BEGIN(add_return)
19151 addl (v), %eax
19152 adcl 4(v), %edx
19153 +
19154 +#ifdef CONFIG_PAX_REFCOUNT
19155 + into
19156 +1234:
19157 + _ASM_EXTABLE(1234b, 2f)
19158 +#endif
19159 +
19160 + movl %eax, (v)
19161 + movl %edx, 4(v)
19162 +
19163 +#ifdef CONFIG_PAX_REFCOUNT
19164 +2:
19165 +#endif
19166 +
19167 +RET_ENDP
19168 +BEGIN(add_return_unchecked)
19169 + addl (v), %eax
19170 + adcl 4(v), %edx
19171 movl %eax, (v)
19172 movl %edx, 4(v)
19173 RET_ENDP
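Review bot: On overflow the `into` fixup lands on `2:`, which skips the two stores, but `%eax`/`%edx` still hold the wrapped sum when the routine returns. Memory stays unchanged, yet the caller is handed the overflowed value. If that is intended it should be stated next to the label, e.g. `/* overflow: skip the store; the wrapped value is still in %edx:%eax */`. The sub_return, inc_return and dec_return hunks follow the same shape.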
19174 @@ -86,6 +126,20 @@ RET_ENDP
19175 BEGIN(sub)
19176 subl %eax, (v)
19177 sbbl %edx, 4(v)
19178 +
19179 +#ifdef CONFIG_PAX_REFCOUNT
19180 + jno 0f
19181 + addl %eax, (v)
19182 + adcl %edx, 4(v)
19183 + int $4
19184 +0:
19185 + _ASM_EXTABLE(0b, 0b)
19186 +#endif
19187 +
19188 +RET_ENDP
19189 +BEGIN(sub_unchecked)
19190 + subl %eax, (v)
19191 + sbbl %edx, 4(v)
19192 RET_ENDP
19193 #undef v
19194
19195 @@ -96,6 +150,27 @@ BEGIN(sub_return)
19196 sbbl $0, %edx
19197 addl (v), %eax
19198 adcl 4(v), %edx
19199 +
19200 +#ifdef CONFIG_PAX_REFCOUNT
19201 + into
19202 +1234:
19203 + _ASM_EXTABLE(1234b, 2f)
19204 +#endif
19205 +
19206 + movl %eax, (v)
19207 + movl %edx, 4(v)
19208 +
19209 +#ifdef CONFIG_PAX_REFCOUNT
19210 +2:
19211 +#endif
19212 +
19213 +RET_ENDP
19214 +BEGIN(sub_return_unchecked)
19215 + negl %edx
19216 + negl %eax
19217 + sbbl $0, %edx
19218 + addl (v), %eax
19219 + adcl 4(v), %edx
19220 movl %eax, (v)
19221 movl %edx, 4(v)
19222 RET_ENDP
19223 @@ -105,6 +180,20 @@ RET_ENDP
19224 BEGIN(inc)
19225 addl $1, (v)
19226 adcl $0, 4(v)
19227 +
19228 +#ifdef CONFIG_PAX_REFCOUNT
19229 + jno 0f
19230 + subl $1, (v)
19231 + sbbl $0, 4(v)
19232 + int $4
19233 +0:
19234 + _ASM_EXTABLE(0b, 0b)
19235 +#endif
19236 +
19237 +RET_ENDP
19238 +BEGIN(inc_unchecked)
19239 + addl $1, (v)
19240 + adcl $0, 4(v)
19241 RET_ENDP
19242 #undef v
19243
19244 @@ -114,6 +203,26 @@ BEGIN(inc_return)
19245 movl 4(v), %edx
19246 addl $1, %eax
19247 adcl $0, %edx
19248 +
19249 +#ifdef CONFIG_PAX_REFCOUNT
19250 + into
19251 +1234:
19252 + _ASM_EXTABLE(1234b, 2f)
19253 +#endif
19254 +
19255 + movl %eax, (v)
19256 + movl %edx, 4(v)
19257 +
19258 +#ifdef CONFIG_PAX_REFCOUNT
19259 +2:
19260 +#endif
19261 +
19262 +RET_ENDP
19263 +BEGIN(inc_return_unchecked)
19264 + movl (v), %eax
19265 + movl 4(v), %edx
19266 + addl $1, %eax
19267 + adcl $0, %edx
19268 movl %eax, (v)
19269 movl %edx, 4(v)
19270 RET_ENDP
19271 @@ -123,6 +232,20 @@ RET_ENDP
19272 BEGIN(dec)
19273 subl $1, (v)
19274 sbbl $0, 4(v)
19275 +
19276 +#ifdef CONFIG_PAX_REFCOUNT
19277 + jno 0f
19278 + addl $1, (v)
19279 + adcl $0, 4(v)
19280 + int $4
19281 +0:
19282 + _ASM_EXTABLE(0b, 0b)
19283 +#endif
19284 +
19285 +RET_ENDP
19286 +BEGIN(dec_unchecked)
19287 + subl $1, (v)
19288 + sbbl $0, 4(v)
19289 RET_ENDP
19290 #undef v
19291
19292 @@ -132,6 +255,26 @@ BEGIN(dec_return)
19293 movl 4(v), %edx
19294 subl $1, %eax
19295 sbbl $0, %edx
19296 +
19297 +#ifdef CONFIG_PAX_REFCOUNT
19298 + into
19299 +1234:
19300 + _ASM_EXTABLE(1234b, 2f)
19301 +#endif
19302 +
19303 + movl %eax, (v)
19304 + movl %edx, 4(v)
19305 +
19306 +#ifdef CONFIG_PAX_REFCOUNT
19307 +2:
19308 +#endif
19309 +
19310 +RET_ENDP
19311 +BEGIN(dec_return_unchecked)
19312 + movl (v), %eax
19313 + movl 4(v), %edx
19314 + subl $1, %eax
19315 + sbbl $0, %edx
19316 movl %eax, (v)
19317 movl %edx, 4(v)
19318 RET_ENDP
19319 @@ -143,6 +286,13 @@ BEGIN(add_unless)
19320 adcl %edx, %edi
19321 addl (v), %eax
19322 adcl 4(v), %edx
19323 +
19324 +#ifdef CONFIG_PAX_REFCOUNT
19325 + into
19326 +1234:
19327 + _ASM_EXTABLE(1234b, 2f)
19328 +#endif
19329 +
19330 cmpl %eax, %esi
19331 je 3f
19332 1:
19333 @@ -168,6 +318,13 @@ BEGIN(inc_not_zero)
19334 1:
19335 addl $1, %eax
19336 adcl $0, %edx
19337 +
19338 +#ifdef CONFIG_PAX_REFCOUNT
19339 + into
19340 +1234:
19341 + _ASM_EXTABLE(1234b, 2f)
19342 +#endif
19343 +
19344 movl %eax, (v)
19345 movl %edx, 4(v)
19346 movl $1, %eax
19347 @@ -186,6 +343,13 @@ BEGIN(dec_if_positive)
19348 movl 4(v), %edx
19349 subl $1, %eax
19350 sbbl $0, %edx
19351 +
19352 +#ifdef CONFIG_PAX_REFCOUNT
19353 + into
19354 +1234:
19355 + _ASM_EXTABLE(1234b, 1f)
19356 +#endif
19357 +
19358 js 1f
19359 movl %eax, (v)
19360 movl %edx, 4(v)
19361 diff -urNp linux-2.6.39.3/arch/x86/lib/atomic64_cx8_32.S linux-2.6.39.3/arch/x86/lib/atomic64_cx8_32.S
19362 --- linux-2.6.39.3/arch/x86/lib/atomic64_cx8_32.S 2011-05-19 00:06:34.000000000 -0400
19363 +++ linux-2.6.39.3/arch/x86/lib/atomic64_cx8_32.S 2011-05-22 19:36:30.000000000 -0400
19364 @@ -39,6 +39,14 @@ ENTRY(atomic64_read_cx8)
19365 CFI_ENDPROC
19366 ENDPROC(atomic64_read_cx8)
19367
19368 +ENTRY(atomic64_read_unchecked_cx8)
19369 + CFI_STARTPROC
19370 +
19371 + read64 %ecx
19372 + ret
19373 + CFI_ENDPROC
19374 +ENDPROC(atomic64_read_unchecked_cx8)
19375 +
19376 ENTRY(atomic64_set_cx8)
19377 CFI_STARTPROC
19378
19379 @@ -52,6 +60,19 @@ ENTRY(atomic64_set_cx8)
19380 CFI_ENDPROC
19381 ENDPROC(atomic64_set_cx8)
19382
19383 +ENTRY(atomic64_set_unchecked_cx8)
19384 + CFI_STARTPROC
19385 +
19386 +1:
19387 +/* we don't need LOCK_PREFIX since aligned 64-bit writes
19388 + * are atomic on 586 and newer */
19389 + cmpxchg8b (%esi)
19390 + jne 1b
19391 +
19392 + ret
19393 + CFI_ENDPROC
19394 +ENDPROC(atomic64_set_unchecked_cx8)
19395 +
19396 ENTRY(atomic64_xchg_cx8)
19397 CFI_STARTPROC
19398
19399 @@ -66,8 +87,8 @@ ENTRY(atomic64_xchg_cx8)
19400 CFI_ENDPROC
19401 ENDPROC(atomic64_xchg_cx8)
19402
19403 -.macro addsub_return func ins insc
19404 -ENTRY(atomic64_\func\()_return_cx8)
19405 +.macro addsub_return func ins insc unchecked=""
19406 +ENTRY(atomic64_\func\()_return\unchecked\()_cx8)
19407 CFI_STARTPROC
19408 SAVE ebp
19409 SAVE ebx
19410 @@ -84,27 +105,43 @@ ENTRY(atomic64_\func\()_return_cx8)
19411 movl %edx, %ecx
19412 \ins\()l %esi, %ebx
19413 \insc\()l %edi, %ecx
19414 +
19415 +.ifb \unchecked
19416 +#ifdef CONFIG_PAX_REFCOUNT
19417 + into
19418 +2:
19419 + _ASM_EXTABLE(2b, 3f)
19420 +#endif
19421 +.endif
19422 +
19423 LOCK_PREFIX
19424 cmpxchg8b (%ebp)
19425 jne 1b
19426 -
19427 -10:
19428 movl %ebx, %eax
19429 movl %ecx, %edx
19430 +
19431 +.ifb \unchecked
19432 +#ifdef CONFIG_PAX_REFCOUNT
19433 +3:
19434 +#endif
19435 +.endif
19436 +
19437 RESTORE edi
19438 RESTORE esi
19439 RESTORE ebx
19440 RESTORE ebp
19441 ret
19442 CFI_ENDPROC
19443 -ENDPROC(atomic64_\func\()_return_cx8)
19444 +ENDPROC(atomic64_\func\()_return\unchecked\()_cx8)
19445 .endm
19446
19447 addsub_return add add adc
19448 addsub_return sub sub sbb
19449 +addsub_return add add adc _unchecked
19450 +addsub_return sub sub sbb _unchecked
19451
19452 -.macro incdec_return func ins insc
19453 -ENTRY(atomic64_\func\()_return_cx8)
19454 +.macro incdec_return func ins insc unchecked
19455 +ENTRY(atomic64_\func\()_return\unchecked\()_cx8)
19456 CFI_STARTPROC
19457 SAVE ebx
19458
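Review bot: `incdec_return` declares its new parameter as plain `unchecked`, while `addsub_return` in the previous hunk declares it as `unchecked=""`. Both macros test it with `.ifb \unchecked`, so the two declarations should read the same. I would use the plain form in both, `.macro addsub_return func ins insc unchecked`, since an omitted macro argument is already blank. The body of incdec_return continues in the next hunk.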
19459 @@ -114,21 +151,38 @@ ENTRY(atomic64_\func\()_return_cx8)
19460 movl %edx, %ecx
19461 \ins\()l $1, %ebx
19462 \insc\()l $0, %ecx
19463 +
19464 +.ifb \unchecked
19465 +#ifdef CONFIG_PAX_REFCOUNT
19466 + into
19467 +2:
19468 + _ASM_EXTABLE(2b, 3f)
19469 +#endif
19470 +.endif
19471 +
19472 LOCK_PREFIX
19473 cmpxchg8b (%esi)
19474 jne 1b
19475
19476 -10:
19477 movl %ebx, %eax
19478 movl %ecx, %edx
19479 +
19480 +.ifb \unchecked
19481 +#ifdef CONFIG_PAX_REFCOUNT
19482 +3:
19483 +#endif
19484 +.endif
19485 +
19486 RESTORE ebx
19487 ret
19488 CFI_ENDPROC
19489 -ENDPROC(atomic64_\func\()_return_cx8)
19490 +ENDPROC(atomic64_\func\()_return\unchecked\()_cx8)
19491 .endm
19492
19493 incdec_return inc add adc
19494 incdec_return dec sub sbb
19495 +incdec_return inc add adc _unchecked
19496 +incdec_return dec sub sbb _unchecked
19497
19498 ENTRY(atomic64_dec_if_positive_cx8)
19499 CFI_STARTPROC
19500 @@ -140,6 +194,13 @@ ENTRY(atomic64_dec_if_positive_cx8)
19501 movl %edx, %ecx
19502 subl $1, %ebx
19503 sbb $0, %ecx
19504 +
19505 +#ifdef CONFIG_PAX_REFCOUNT
19506 + into
19507 +1234:
19508 + _ASM_EXTABLE(1234b, 2f)
19509 +#endif
19510 +
19511 js 2f
19512 LOCK_PREFIX
19513 cmpxchg8b (%esi)
19514 @@ -174,6 +235,13 @@ ENTRY(atomic64_add_unless_cx8)
19515 movl %edx, %ecx
19516 addl %esi, %ebx
19517 adcl %edi, %ecx
19518 +
19519 +#ifdef CONFIG_PAX_REFCOUNT
19520 + into
19521 +1234:
19522 + _ASM_EXTABLE(1234b, 3f)
19523 +#endif
19524 +
19525 LOCK_PREFIX
19526 cmpxchg8b (%ebp)
19527 jne 1b
19528 @@ -206,6 +274,13 @@ ENTRY(atomic64_inc_not_zero_cx8)
19529 movl %edx, %ecx
19530 addl $1, %ebx
19531 adcl $0, %ecx
19532 +
19533 +#ifdef CONFIG_PAX_REFCOUNT
19534 + into
19535 +1234:
19536 + _ASM_EXTABLE(1234b, 3f)
19537 +#endif
19538 +
19539 LOCK_PREFIX
19540 cmpxchg8b (%esi)
19541 jne 1b
19542 diff -urNp linux-2.6.39.3/arch/x86/lib/checksum_32.S linux-2.6.39.3/arch/x86/lib/checksum_32.S
19543 --- linux-2.6.39.3/arch/x86/lib/checksum_32.S 2011-05-19 00:06:34.000000000 -0400
19544 +++ linux-2.6.39.3/arch/x86/lib/checksum_32.S 2011-05-22 19:36:30.000000000 -0400
19545 @@ -28,7 +28,8 @@
19546 #include <linux/linkage.h>
19547 #include <asm/dwarf2.h>
19548 #include <asm/errno.h>
19549 -
19550 +#include <asm/segment.h>
19551 +
19552 /*
19553 * computes a partial checksum, e.g. for TCP/UDP fragments
19554 */
19555 @@ -296,9 +297,24 @@ unsigned int csum_partial_copy_generic (
19556
19557 #define ARGBASE 16
19558 #define FP 12
19559 -
19560 -ENTRY(csum_partial_copy_generic)
19561 +
19562 +ENTRY(csum_partial_copy_generic_to_user)
19563 CFI_STARTPROC
19564 +
19565 +#ifdef CONFIG_PAX_MEMORY_UDEREF
19566 + pushl_cfi %gs
19567 + popl_cfi %es
19568 + jmp csum_partial_copy_generic
19569 +#endif
19570 +
19571 +ENTRY(csum_partial_copy_generic_from_user)
19572 +
19573 +#ifdef CONFIG_PAX_MEMORY_UDEREF
19574 + pushl_cfi %gs
19575 + popl_cfi %ds
19576 +#endif
19577 +
19578 +ENTRY(csum_partial_copy_generic)
19579 subl $4,%esp
19580 CFI_ADJUST_CFA_OFFSET 4
19581 pushl_cfi %edi
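Review bot: Three `ENTRY` symbols now open inside one `CFI_STARTPROC`, but the later hunk closes only `csum_partial_copy_generic_to_user` with `ENDPROC`, so `csum_partial_copy_generic_from_user` and `csum_partial_copy_generic` lose their end markers. Adding `ENDPROC(csum_partial_copy_generic_from_user)` and `ENDPROC(csum_partial_copy_generic)` beside the existing one would keep the symbol annotations complete. The fall-through from `_from_user` into `csum_partial_copy_generic` also deserves a one-line comment. The PentiumII/PPro variant further down has the same structure.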
19582 @@ -320,7 +336,7 @@ ENTRY(csum_partial_copy_generic)
19583 jmp 4f
19584 SRC(1: movw (%esi), %bx )
19585 addl $2, %esi
19586 -DST( movw %bx, (%edi) )
19587 +DST( movw %bx, %es:(%edi) )
19588 addl $2, %edi
19589 addw %bx, %ax
19590 adcl $0, %eax
19591 @@ -332,30 +348,30 @@ DST( movw %bx, (%edi) )
19592 SRC(1: movl (%esi), %ebx )
19593 SRC( movl 4(%esi), %edx )
19594 adcl %ebx, %eax
19595 -DST( movl %ebx, (%edi) )
19596 +DST( movl %ebx, %es:(%edi) )
19597 adcl %edx, %eax
19598 -DST( movl %edx, 4(%edi) )
19599 +DST( movl %edx, %es:4(%edi) )
19600
19601 SRC( movl 8(%esi), %ebx )
19602 SRC( movl 12(%esi), %edx )
19603 adcl %ebx, %eax
19604 -DST( movl %ebx, 8(%edi) )
19605 +DST( movl %ebx, %es:8(%edi) )
19606 adcl %edx, %eax
19607 -DST( movl %edx, 12(%edi) )
19608 +DST( movl %edx, %es:12(%edi) )
19609
19610 SRC( movl 16(%esi), %ebx )
19611 SRC( movl 20(%esi), %edx )
19612 adcl %ebx, %eax
19613 -DST( movl %ebx, 16(%edi) )
19614 +DST( movl %ebx, %es:16(%edi) )
19615 adcl %edx, %eax
19616 -DST( movl %edx, 20(%edi) )
19617 +DST( movl %edx, %es:20(%edi) )
19618
19619 SRC( movl 24(%esi), %ebx )
19620 SRC( movl 28(%esi), %edx )
19621 adcl %ebx, %eax
19622 -DST( movl %ebx, 24(%edi) )
19623 +DST( movl %ebx, %es:24(%edi) )
19624 adcl %edx, %eax
19625 -DST( movl %edx, 28(%edi) )
19626 +DST( movl %edx, %es:28(%edi) )
19627
19628 lea 32(%esi), %esi
19629 lea 32(%edi), %edi
19630 @@ -369,7 +385,7 @@ DST( movl %edx, 28(%edi) )
19631 shrl $2, %edx # This clears CF
19632 SRC(3: movl (%esi), %ebx )
19633 adcl %ebx, %eax
19634 -DST( movl %ebx, (%edi) )
19635 +DST( movl %ebx, %es:(%edi) )
19636 lea 4(%esi), %esi
19637 lea 4(%edi), %edi
19638 dec %edx
19639 @@ -381,12 +397,12 @@ DST( movl %ebx, (%edi) )
19640 jb 5f
19641 SRC( movw (%esi), %cx )
19642 leal 2(%esi), %esi
19643 -DST( movw %cx, (%edi) )
19644 +DST( movw %cx, %es:(%edi) )
19645 leal 2(%edi), %edi
19646 je 6f
19647 shll $16,%ecx
19648 SRC(5: movb (%esi), %cl )
19649 -DST( movb %cl, (%edi) )
19650 +DST( movb %cl, %es:(%edi) )
19651 6: addl %ecx, %eax
19652 adcl $0, %eax
19653 7:
19654 @@ -397,7 +413,7 @@ DST( movb %cl, (%edi) )
19655
19656 6001:
19657 movl ARGBASE+20(%esp), %ebx # src_err_ptr
19658 - movl $-EFAULT, (%ebx)
19659 + movl $-EFAULT, %ss:(%ebx)
19660
19661 # zero the complete destination - computing the rest
19662 # is too much work
19663 @@ -410,11 +426,15 @@ DST( movb %cl, (%edi) )
19664
19665 6002:
19666 movl ARGBASE+24(%esp), %ebx # dst_err_ptr
19667 - movl $-EFAULT,(%ebx)
19668 + movl $-EFAULT,%ss:(%ebx)
19669 jmp 5000b
19670
19671 .previous
19672
19673 + pushl_cfi %ss
19674 + popl_cfi %ds
19675 + pushl_cfi %ss
19676 + popl_cfi %es
19677 popl_cfi %ebx
19678 CFI_RESTORE ebx
19679 popl_cfi %esi
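Review bot: The `%ds`/`%es` restore added before `popl_cfi %ebx` is unconditional here, whereas the same four lines in the PentiumII/PPro variant are wrapped in `#ifdef CONFIG_PAX_MEMORY_UDEREF`. The entry code only changes `%ds` or `%es` under that option, so this variant should carry the same guard: `#ifdef CONFIG_PAX_MEMORY_UDEREF` before the first `pushl_cfi %ss` and `#endif` after `popl_cfi %es`. The remaining epilogue is outside this hunk.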
19680 @@ -424,26 +444,43 @@ DST( movb %cl, (%edi) )
19681 popl_cfi %ecx # equivalent to addl $4,%esp
19682 ret
19683 CFI_ENDPROC
19684 -ENDPROC(csum_partial_copy_generic)
19685 +ENDPROC(csum_partial_copy_generic_to_user)
19686
19687 #else
19688
19689 /* Version for PentiumII/PPro */
19690
19691 #define ROUND1(x) \
19692 + nop; nop; nop; \
19693 SRC(movl x(%esi), %ebx ) ; \
19694 addl %ebx, %eax ; \
19695 - DST(movl %ebx, x(%edi) ) ;
19696 + DST(movl %ebx, %es:x(%edi)) ;
19697
19698 #define ROUND(x) \
19699 + nop; nop; nop; \
19700 SRC(movl x(%esi), %ebx ) ; \
19701 adcl %ebx, %eax ; \
19702 - DST(movl %ebx, x(%edi) ) ;
19703 + DST(movl %ebx, %es:x(%edi)) ;
19704
19705 #define ARGBASE 12
19706 -
19707 -ENTRY(csum_partial_copy_generic)
19708 +
19709 +ENTRY(csum_partial_copy_generic_to_user)
19710 CFI_STARTPROC
19711 +
19712 +#ifdef CONFIG_PAX_MEMORY_UDEREF
19713 + pushl_cfi %gs
19714 + popl_cfi %es
19715 + jmp csum_partial_copy_generic
19716 +#endif
19717 +
19718 +ENTRY(csum_partial_copy_generic_from_user)
19719 +
19720 +#ifdef CONFIG_PAX_MEMORY_UDEREF
19721 + pushl_cfi %gs
19722 + popl_cfi %ds
19723 +#endif
19724 +
19725 +ENTRY(csum_partial_copy_generic)
19726 pushl_cfi %ebx
19727 CFI_REL_OFFSET ebx, 0
19728 pushl_cfi %edi
19729 @@ -464,7 +501,7 @@ ENTRY(csum_partial_copy_generic)
19730 subl %ebx, %edi
19731 lea -1(%esi),%edx
19732 andl $-32,%edx
19733 - lea 3f(%ebx,%ebx), %ebx
19734 + lea 3f(%ebx,%ebx,2), %ebx
19735 testl %esi, %esi
19736 jmp *%ebx
19737 1: addl $64,%esi
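Review bot: The scale change in `lea 3f(%ebx,%ebx,2), %ebx` only works together with the `nop; nop; nop;` padding and the `%es:` override added to ROUND1/ROUND in the previous hunk, because `jmp *%ebx` lands at a computed offset into the unrolled rounds, and neither place says so. I would add `/* each ROUND is padded to a fixed size; keep in step with the lea scale at the computed jump */` at the macros and a matching remark on the `lea`. The byte counts cannot be derived from the hunk, so the author should state them in that comment.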
19738 @@ -485,19 +522,19 @@ ENTRY(csum_partial_copy_generic)
19739 jb 5f
19740 SRC( movw (%esi), %dx )
19741 leal 2(%esi), %esi
19742 -DST( movw %dx, (%edi) )
19743 +DST( movw %dx, %es:(%edi) )
19744 leal 2(%edi), %edi
19745 je 6f
19746 shll $16,%edx
19747 5:
19748 SRC( movb (%esi), %dl )
19749 -DST( movb %dl, (%edi) )
19750 +DST( movb %dl, %es:(%edi) )
19751 6: addl %edx, %eax
19752 adcl $0, %eax
19753 7:
19754 .section .fixup, "ax"
19755 6001: movl ARGBASE+20(%esp), %ebx # src_err_ptr
19756 - movl $-EFAULT, (%ebx)
19757 + movl $-EFAULT, %ss:(%ebx)
19758 # zero the complete destination (computing the rest is too much work)
19759 movl ARGBASE+8(%esp),%edi # dst
19760 movl ARGBASE+12(%esp),%ecx # len
19761 @@ -505,10 +542,17 @@ DST( movb %dl, (%edi) )
19762 rep; stosb
19763 jmp 7b
19764 6002: movl ARGBASE+24(%esp), %ebx # dst_err_ptr
19765 - movl $-EFAULT, (%ebx)
19766 + movl $-EFAULT, %ss:(%ebx)
19767 jmp 7b
19768 .previous
19769
19770 +#ifdef CONFIG_PAX_MEMORY_UDEREF
19771 + pushl_cfi %ss
19772 + popl_cfi %ds
19773 + pushl_cfi %ss
19774 + popl_cfi %es
19775 +#endif
19776 +
19777 popl_cfi %esi
19778 CFI_RESTORE esi
19779 popl_cfi %edi
19780 @@ -517,7 +561,7 @@ DST( movb %dl, (%edi) )
19781 CFI_RESTORE ebx
19782 ret
19783 CFI_ENDPROC
19784 -ENDPROC(csum_partial_copy_generic)
19785 +ENDPROC(csum_partial_copy_generic_to_user)
19786
19787 #undef ROUND
19788 #undef ROUND1
19789 diff -urNp linux-2.6.39.3/arch/x86/lib/clear_page_64.S linux-2.6.39.3/arch/x86/lib/clear_page_64.S
19790 --- linux-2.6.39.3/arch/x86/lib/clear_page_64.S 2011-05-19 00:06:34.000000000 -0400
19791 +++ linux-2.6.39.3/arch/x86/lib/clear_page_64.S 2011-05-22 19:36:30.000000000 -0400
19792 @@ -43,7 +43,7 @@ ENDPROC(clear_page)
19793
19794 #include <asm/cpufeature.h>
19795
19796 - .section .altinstr_replacement,"ax"
19797 + .section .altinstr_replacement,"a"
19798 1: .byte 0xeb /* jmp <disp8> */
19799 .byte (clear_page_c - clear_page) - (2f - 1b) /* offset */
19800 2:
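Review bot: The flag change from `"ax"` to `"a"` on `.altinstr_replacement` is made without a comment, here and in the copy_page_64.S and copy_user_64.S hunks. If the reasoning is that the replacement bytes are only copied over the original site and never run from this section, a line such as `/* replacement bytes are patched over the original; this section need not be executable */` would record it. Any other file that still declares the section with `"ax"` would then disagree on flags, which is worth checking across the patch.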
19801 diff -urNp linux-2.6.39.3/arch/x86/lib/copy_page_64.S linux-2.6.39.3/arch/x86/lib/copy_page_64.S
19802 --- linux-2.6.39.3/arch/x86/lib/copy_page_64.S 2011-05-19 00:06:34.000000000 -0400
19803 +++ linux-2.6.39.3/arch/x86/lib/copy_page_64.S 2011-05-22 19:36:30.000000000 -0400
19804 @@ -104,7 +104,7 @@ ENDPROC(copy_page)
19805
19806 #include <asm/cpufeature.h>
19807
19808 - .section .altinstr_replacement,"ax"
19809 + .section .altinstr_replacement,"a"
19810 1: .byte 0xeb /* jmp <disp8> */
19811 .byte (copy_page_c - copy_page) - (2f - 1b) /* offset */
19812 2:
19813 diff -urNp linux-2.6.39.3/arch/x86/lib/copy_user_64.S linux-2.6.39.3/arch/x86/lib/copy_user_64.S
19814 --- linux-2.6.39.3/arch/x86/lib/copy_user_64.S 2011-06-03 00:04:13.000000000 -0400
19815 +++ linux-2.6.39.3/arch/x86/lib/copy_user_64.S 2011-06-03 00:32:05.000000000 -0400
19816 @@ -15,13 +15,14 @@
19817 #include <asm/asm-offsets.h>
19818 #include <asm/thread_info.h>
19819 #include <asm/cpufeature.h>
19820 +#include <asm/pgtable.h>
19821
19822 .macro ALTERNATIVE_JUMP feature,orig,alt
19823 0:
19824 .byte 0xe9 /* 32bit jump */
19825 .long \orig-1f /* by default jump to orig */
19826 1:
19827 - .section .altinstr_replacement,"ax"
19828 + .section .altinstr_replacement,"a"
19829 2: .byte 0xe9 /* near jump with 32bit immediate */
19830 .long \alt-1b /* offset */ /* or alternatively to alt */
19831 .previous
19832 @@ -64,37 +65,13 @@
19833 #endif
19834 .endm
19835
19836 -/* Standard copy_to_user with segment limit checking */
19837 -ENTRY(_copy_to_user)
19838 - CFI_STARTPROC
19839 - GET_THREAD_INFO(%rax)
19840 - movq %rdi,%rcx
19841 - addq %rdx,%rcx
19842 - jc bad_to_user
19843 - cmpq TI_addr_limit(%rax),%rcx
19844 - ja bad_to_user
19845 - ALTERNATIVE_JUMP X86_FEATURE_REP_GOOD,copy_user_generic_unrolled,copy_user_generic_string
19846 - CFI_ENDPROC
19847 -ENDPROC(_copy_to_user)
19848 -
19849 -/* Standard copy_from_user with segment limit checking */
19850 -ENTRY(_copy_from_user)
19851 - CFI_STARTPROC
19852 - GET_THREAD_INFO(%rax)
19853 - movq %rsi,%rcx
19854 - addq %rdx,%rcx
19855 - jc bad_from_user
19856 - cmpq TI_addr_limit(%rax),%rcx
19857 - ja bad_from_user
19858 - ALTERNATIVE_JUMP X86_FEATURE_REP_GOOD,copy_user_generic_unrolled,copy_user_generic_string
19859 - CFI_ENDPROC
19860 -ENDPROC(_copy_from_user)
19861 -
19862 .section .fixup,"ax"
19863 /* must zero dest */
19864 ENTRY(bad_from_user)
19865 bad_from_user:
19866 CFI_STARTPROC
19867 + testl %edx,%edx
19868 + js bad_to_user
19869 movl %edx,%ecx
19870 xorl %eax,%eax
19871 rep
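Review bot: The added `testl %edx,%edx` / `js bad_to_user` pair has no comment, and the existing `/* must zero dest */` above the entry no longer holds for every path through it. A line such as `/* count has the sign bit set: do not zero, leave through bad_to_user */` would say what the branch is for. `bad_to_user`, the rest of `bad_from_user` and the replacements for the removed `_copy_to_user`/`_copy_from_user` entry points are all outside this hunk.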
19872 diff -urNp linux-2.6.39.3/arch/x86/lib/copy_user_nocache_64.S linux-2.6.39.3/arch/x86/lib/copy_user_nocache_64.S
19873 --- linux-2.6.39.3/arch/x86/lib/copy_user_nocache_64.S 2011-05-19 00:06:34.000000000 -0400
19874 +++ linux-2.6.39.3/arch/x86/lib/copy_user_nocache_64.S 2011-05-22 19:36:30.000000000 -0400
19875 @@ -14,6 +14,7 @@
19876 #include <asm/current.h>
19877 #include <asm/asm-offsets.h>
19878 #include <asm/thread_info.h>
19879 +#include <asm/pgtable.h>
19880
19881 .macro ALIGN_DESTINATION
19882 #ifdef FIX_ALIGNMENT
19883 @@ -50,6 +51,15 @@
19884 */
19885 ENTRY(__copy_user_nocache)
19886 CFI_STARTPROC
19887 +
19888 +#ifdef CONFIG_PAX_MEMORY_UDEREF
19889 + mov $PAX_USER_SHADOW_BASE,%rcx
19890 + cmp %rcx,%rsi
19891 + jae 1f
19892 + add %rcx,%rsi
19893 +1:
19894 +#endif
19895 +
19896 cmpl $8,%edx
19897 jb 20f /* less then 8 bytes, go to byte copy loop */
19898 ALIGN_DESTINATION
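Review bot: The UDEREF block uses `%rcx` as scratch before anything else in `__copy_user_nocache` and rebases only `%rsi`, and neither fact is commented. I would add `/* src is the user pointer: add PAX_USER_SHADOW_BASE unless it is already at or above it; clobbers %rcx */` above the `mov`. Whether `%rcx` carries a live argument at entry cannot be seen from this hunk and should be confirmed.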
19899 diff -urNp linux-2.6.39.3/arch/x86/lib/csum-wrappers_64.c linux-2.6.39.3/arch/x86/lib/csum-wrappers_64.c
19900 --- linux-2.6.39.3/arch/x86/lib/csum-wrappers_64.c 2011-05-19 00:06:34.000000000 -0400
19901 +++ linux-2.6.39.3/arch/x86/lib/csum-wrappers_64.c 2011-05-22 19:36:30.000000000 -0400
19902 @@ -52,6 +52,12 @@ csum_partial_copy_from_user(const void _
19903 len -= 2;
19904 }
19905 }
19906 +
19907 +#ifdef CONFIG_PAX_MEMORY_UDEREF
19908 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
19909 + src += PAX_USER_SHADOW_BASE;
19910 +#endif
19911 +
19912 isum = csum_partial_copy_generic((__force const void *)src,
19913 dst, len, isum, errp, NULL);
19914 if (unlikely(*errp))
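Review bot: The open-coded rebase `if ((unsigned long)src < PAX_USER_SHADOW_BASE) src += PAX_USER_SHADOW_BASE;` is repeated for `dst` in the csum_partial_copy_to_user hunk that follows. A small helper shared by both wrappers would keep the comparison and the addition in one place; if the patch already defines one elsewhere, it should be used here. Both functions extend beyond their hunks.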
19915 @@ -105,6 +111,12 @@ csum_partial_copy_to_user(const void *sr
19916 }
19917
19918 *errp = 0;
19919 +
19920 +#ifdef CONFIG_PAX_MEMORY_UDEREF
19921 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
19922 + dst += PAX_USER_SHADOW_BASE;
19923 +#endif
19924 +
19925 return csum_partial_copy_generic(src, (void __force *)dst,
19926 len, isum, NULL, errp);
19927 }
19928 diff -urNp linux-2.6.39.3/arch/x86/lib/getuser.S linux-2.6.39.3/arch/x86/lib/getuser.S
19929 --- linux-2.6.39.3/arch/x86/lib/getuser.S 2011-05-19 00:06:34.000000000 -0400
19930 +++ linux-2.6.39.3/arch/x86/lib/getuser.S 2011-05-22 19:36:30.000000000 -0400
19931 @@ -33,14 +33,35 @@
19932 #include <asm/asm-offsets.h>
19933 #include <asm/thread_info.h>
19934 #include <asm/asm.h>
19935 +#include <asm/segment.h>
19936 +#include <asm/pgtable.h>
19937 +
19938 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
19939 +#define __copyuser_seg gs;
19940 +#else
19941 +#define __copyuser_seg
19942 +#endif
19943
19944 .text
19945 ENTRY(__get_user_1)
19946 CFI_STARTPROC
19947 +
19948 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
19949 GET_THREAD_INFO(%_ASM_DX)
19950 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
19951 jae bad_get_user
19952 -1: movzb (%_ASM_AX),%edx
19953 +
19954 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
19955 + mov $PAX_USER_SHADOW_BASE,%_ASM_DX
19956 + cmp %_ASM_DX,%_ASM_AX
19957 + jae 1234f
19958 + add %_ASM_DX,%_ASM_AX
19959 +1234:
19960 +#endif
19961 +
19962 +#endif
19963 +
19964 +1: __copyuser_seg movzb (%_ASM_AX),%edx
19965 xor %eax,%eax
19966 ret
19967 CFI_ENDPROC
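Review bot: With CONFIG_X86_32 and CONFIG_PAX_MEMORY_UDEREF the `TI_addr_limit` comparison is compiled out, and the only thing left on the load is the `gs` override from `__copyuser_seg`, yet no comment states that. Something like `/* 32-bit UDEREF: the access goes through %gs, which takes the place of the addr_limit check */` above the `#if` would record the assumption. That the segment actually bounds the access is not shown in this file. `__get_user_2` and `__get_user_4` get the same treatment in the next two hunks.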
19968 @@ -49,11 +70,24 @@ ENDPROC(__get_user_1)
19969 ENTRY(__get_user_2)
19970 CFI_STARTPROC
19971 add $1,%_ASM_AX
19972 +
19973 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
19974 jc bad_get_user
19975 GET_THREAD_INFO(%_ASM_DX)
19976 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
19977 jae bad_get_user
19978 -2: movzwl -1(%_ASM_AX),%edx
19979 +
19980 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
19981 + mov $PAX_USER_SHADOW_BASE,%_ASM_DX
19982 + cmp %_ASM_DX,%_ASM_AX
19983 + jae 1234f
19984 + add %_ASM_DX,%_ASM_AX
19985 +1234:
19986 +#endif
19987 +
19988 +#endif
19989 +
19990 +2: __copyuser_seg movzwl -1(%_ASM_AX),%edx
19991 xor %eax,%eax
19992 ret
19993 CFI_ENDPROC
19994 @@ -62,11 +96,24 @@ ENDPROC(__get_user_2)
19995 ENTRY(__get_user_4)
19996 CFI_STARTPROC
19997 add $3,%_ASM_AX
19998 +
19999 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
20000 jc bad_get_user
20001 GET_THREAD_INFO(%_ASM_DX)
20002 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
20003 jae bad_get_user
20004 -3: mov -3(%_ASM_AX),%edx
20005 +
20006 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
20007 + mov $PAX_USER_SHADOW_BASE,%_ASM_DX
20008 + cmp %_ASM_DX,%_ASM_AX
20009 + jae 1234f
20010 + add %_ASM_DX,%_ASM_AX
20011 +1234:
20012 +#endif
20013 +
20014 +#endif
20015 +
20016 +3: __copyuser_seg mov -3(%_ASM_AX),%edx
20017 xor %eax,%eax
20018 ret
20019 CFI_ENDPROC
20020 @@ -80,6 +127,15 @@ ENTRY(__get_user_8)
20021 GET_THREAD_INFO(%_ASM_DX)
20022 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
20023 jae bad_get_user
20024 +
20025 +#ifdef CONFIG_PAX_MEMORY_UDEREF
20026 + mov $PAX_USER_SHADOW_BASE,%_ASM_DX
20027 + cmp %_ASM_DX,%_ASM_AX
20028 + jae 1234f
20029 + add %_ASM_DX,%_ASM_AX
20030 +1234:
20031 +#endif
20032 +
20033 4: movq -7(%_ASM_AX),%_ASM_DX
20034 xor %eax,%eax
20035 ret
20036 diff -urNp linux-2.6.39.3/arch/x86/lib/insn.c linux-2.6.39.3/arch/x86/lib/insn.c
20037 --- linux-2.6.39.3/arch/x86/lib/insn.c 2011-05-19 00:06:34.000000000 -0400
20038 +++ linux-2.6.39.3/arch/x86/lib/insn.c 2011-05-22 19:36:30.000000000 -0400
20039 @@ -21,6 +21,11 @@
20040 #include <linux/string.h>
20041 #include <asm/inat.h>
20042 #include <asm/insn.h>
20043 +#ifdef __KERNEL__
20044 +#include <asm/pgtable_types.h>
20045 +#else
20046 +#define ktla_ktva(addr) addr
20047 +#endif
20048
20049 #define get_next(t, insn) \
20050 ({t r; r = *(t*)insn->next_byte; insn->next_byte += sizeof(t); r; })
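Review bot: The userspace fallback `#define ktla_ktva(addr) addr` leaves its argument unparenthesized, so an expression argument such as a cast or a pointer sum would bind to whatever surrounds the macro call. `#define ktla_ktva(addr) (addr)` costs nothing and matches how a function-like macro is normally written. The two calls added to `insn_init()` in the next hunk pass a plain identifier, so nothing is broken today.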
20051 @@ -40,8 +45,8 @@
20052 void insn_init(struct insn *insn, const void *kaddr, int x86_64)
20053 {
20054 memset(insn, 0, sizeof(*insn));
20055 - insn->kaddr = kaddr;
20056 - insn->next_byte = kaddr;
20057 + insn->kaddr = ktla_ktva(kaddr);
20058 + insn->next_byte = ktla_ktva(kaddr);
20059 insn->x86_64 = x86_64 ? 1 : 0;
20060 insn->opnd_bytes = 4;
20061 if (x86_64)
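Review bot: `insn_init()` now stores a translated pointer in `insn->kaddr` and `insn->next_byte`, not the one the caller passed, and nothing at the assignments says so. A comment along the lines of `/* decode through ktla_ktva(): kaddr is expected to be a kernel text address */` would warn callers that pass a copy of an instruction held in a stack or heap buffer. Whether the translation is an identity for such buffers depends on the in-kernel definition of `ktla_ktva`, which is not part of this hunk, so that case is worth checking. The body of `insn_init()` continues past the end of the hunk.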
20062 diff -urNp linux-2.6.39.3/arch/x86/lib/mmx_32.c linux-2.6.39.3/arch/x86/lib/mmx_32.c
20063 --- linux-2.6.39.3/arch/x86/lib/mmx_32.c 2011-05-19 00:06:34.000000000 -0400
20064 +++ linux-2.6.39.3/arch/x86/lib/mmx_32.c 2011-05-22 19:36:30.000000000 -0400
20065 @@ -29,6 +29,7 @@ void *_mmx_memcpy(void *to, const void *
20066 {
20067 void *p;
20068 int i;
20069 + unsigned long cr0;
20070
20071 if (unlikely(in_interrupt()))
20072 return __memcpy(to, from, len);
20073 @@ -39,44 +40,72 @@ void *_mmx_memcpy(void *to, const void *
20074 kernel_fpu_begin();
20075
20076 __asm__ __volatile__ (
20077 - "1: prefetch (%0)\n" /* This set is 28 bytes */
20078 - " prefetch 64(%0)\n"
20079 - " prefetch 128(%0)\n"
20080 - " prefetch 192(%0)\n"
20081 - " prefetch 256(%0)\n"
20082 + "1: prefetch (%1)\n" /* This set is 28 bytes */
20083 + " prefetch 64(%1)\n"
20084 + " prefetch 128(%1)\n"
20085 + " prefetch 192(%1)\n"
20086 + " prefetch 256(%1)\n"
20087 "2: \n"
20088 ".section .fixup, \"ax\"\n"
20089 - "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
20090 + "3: \n"
20091 +
20092 +#ifdef CONFIG_PAX_KERNEXEC
20093 + " movl %%cr0, %0\n"
20094 + " movl %0, %%eax\n"
20095 + " andl $0xFFFEFFFF, %%eax\n"
20096 + " movl %%eax, %%cr0\n"
20097 +#endif
20098 +
20099 + " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
20100 +
20101 +#ifdef CONFIG_PAX_KERNEXEC
20102 + " movl %0, %%cr0\n"
20103 +#endif
20104 +
20105 " jmp 2b\n"
20106 ".previous\n"
20107 _ASM_EXTABLE(1b, 3b)
20108 - : : "r" (from));
20109 + : "=&r" (cr0) : "r" (from) : "ax");
20110
20111 for ( ; i > 5; i--) {
20112 __asm__ __volatile__ (
20113 - "1: prefetch 320(%0)\n"
20114 - "2: movq (%0), %%mm0\n"
20115 - " movq 8(%0), %%mm1\n"
20116 - " movq 16(%0), %%mm2\n"
20117 - " movq 24(%0), %%mm3\n"
20118 - " movq %%mm0, (%1)\n"
20119 - " movq %%mm1, 8(%1)\n"
20120 - " movq %%mm2, 16(%1)\n"
20121 - " movq %%mm3, 24(%1)\n"
20122 - " movq 32(%0), %%mm0\n"
20123 - " movq 40(%0), %%mm1\n"
20124 - " movq 48(%0), %%mm2\n"
20125 - " movq 56(%0), %%mm3\n"
20126 - " movq %%mm0, 32(%1)\n"
20127 - " movq %%mm1, 40(%1)\n"
20128 - " movq %%mm2, 48(%1)\n"
20129 - " movq %%mm3, 56(%1)\n"
20130 + "1: prefetch 320(%1)\n"
20131 + "2: movq (%1), %%mm0\n"
20132 + " movq 8(%1), %%mm1\n"
20133 + " movq 16(%1), %%mm2\n"
20134 + " movq 24(%1), %%mm3\n"
20135 + " movq %%mm0, (%2)\n"
20136 + " movq %%mm1, 8(%2)\n"
20137 + " movq %%mm2, 16(%2)\n"
20138 + " movq %%mm3, 24(%2)\n"
20139 + " movq 32(%1), %%mm0\n"
20140 + " movq 40(%1), %%mm1\n"
20141 + " movq 48(%1), %%mm2\n"
20142 + " movq 56(%1), %%mm3\n"
20143 + " movq %%mm0, 32(%2)\n"
20144 + " movq %%mm1, 40(%2)\n"
20145 + " movq %%mm2, 48(%2)\n"
20146 + " movq %%mm3, 56(%2)\n"
20147 ".section .fixup, \"ax\"\n"
20148 - "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
20149 + "3:\n"
20150 +
20151 +#ifdef CONFIG_PAX_KERNEXEC
20152 + " movl %%cr0, %0\n"
20153 + " movl %0, %%eax\n"
20154 + " andl $0xFFFEFFFF, %%eax\n"
20155 + " movl %%eax, %%cr0\n"
20156 +#endif
20157 +
20158 + " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
20159 +
20160 +#ifdef CONFIG_PAX_KERNEXEC
20161 + " movl %0, %%cr0\n"
20162 +#endif
20163 +
20164 " jmp 2b\n"
20165 ".previous\n"
20166 _ASM_EXTABLE(1b, 3b)
20167 - : : "r" (from), "r" (to) : "memory");
20168 + : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
20169
20170 from += 64;
20171 to += 64;
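Review bot: The fixup path in `_mmx_memcpy` clears a CR0 bit with the bare mask `0xFFFEFFFF` (bit 16, write protect) around the `movw` that patches the instruction at `1b`, and the same sequence is pasted into both asm statements here and into the four in the two `fast_copy_page` hunks below. A single string macro built from a named constant, with a comment like `/* drop CR0.WP only for the store that rewrites 1b */`, would make the privileged window auditable in one place. While the bit is clear the CPU ignores read-only page protection for supervisor writes, and nothing visible in the hunk keeps an interrupt from arriving inside that window, so it is worth stating what bounds it. When `CONFIG_PAX_KERNEXEC` is off the asm still reserves a register for `cr0` and declares `ax` clobbered although neither is touched; guarding the operand lists the same way would avoid that. The function begins above this hunk and continues after it.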
20172 @@ -158,6 +187,7 @@ static void fast_clear_page(void *page)
20173 static void fast_copy_page(void *to, void *from)
20174 {
20175 int i;
20176 + unsigned long cr0;
20177
20178 kernel_fpu_begin();
20179
20180 @@ -166,42 +196,70 @@ static void fast_copy_page(void *to, voi
20181 * but that is for later. -AV
20182 */
20183 __asm__ __volatile__(
20184 - "1: prefetch (%0)\n"
20185 - " prefetch 64(%0)\n"
20186 - " prefetch 128(%0)\n"
20187 - " prefetch 192(%0)\n"
20188 - " prefetch 256(%0)\n"
20189 + "1: prefetch (%1)\n"
20190 + " prefetch 64(%1)\n"
20191 + " prefetch 128(%1)\n"
20192 + " prefetch 192(%1)\n"
20193 + " prefetch 256(%1)\n"
20194 "2: \n"
20195 ".section .fixup, \"ax\"\n"
20196 - "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
20197 + "3: \n"
20198 +
20199 +#ifdef CONFIG_PAX_KERNEXEC
20200 + " movl %%cr0, %0\n"
20201 + " movl %0, %%eax\n"
20202 + " andl $0xFFFEFFFF, %%eax\n"
20203 + " movl %%eax, %%cr0\n"
20204 +#endif
20205 +
20206 + " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
20207 +
20208 +#ifdef CONFIG_PAX_KERNEXEC
20209 + " movl %0, %%cr0\n"
20210 +#endif
20211 +
20212 " jmp 2b\n"
20213 ".previous\n"
20214 - _ASM_EXTABLE(1b, 3b) : : "r" (from));
20215 + _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from) : "ax");
20216
20217 for (i = 0; i < (4096-320)/64; i++) {
20218 __asm__ __volatile__ (
20219 - "1: prefetch 320(%0)\n"
20220 - "2: movq (%0), %%mm0\n"
20221 - " movntq %%mm0, (%1)\n"
20222 - " movq 8(%0), %%mm1\n"
20223 - " movntq %%mm1, 8(%1)\n"
20224 - " movq 16(%0), %%mm2\n"
20225 - " movntq %%mm2, 16(%1)\n"
20226 - " movq 24(%0), %%mm3\n"
20227 - " movntq %%mm3, 24(%1)\n"
20228 - " movq 32(%0), %%mm4\n"
20229 - " movntq %%mm4, 32(%1)\n"
20230 - " movq 40(%0), %%mm5\n"
20231 - " movntq %%mm5, 40(%1)\n"
20232 - " movq 48(%0), %%mm6\n"
20233 - " movntq %%mm6, 48(%1)\n"
20234 - " movq 56(%0), %%mm7\n"
20235 - " movntq %%mm7, 56(%1)\n"
20236 + "1: prefetch 320(%1)\n"
20237 + "2: movq (%1), %%mm0\n"
20238 + " movntq %%mm0, (%2)\n"
20239 + " movq 8(%1), %%mm1\n"
20240 + " movntq %%mm1, 8(%2)\n"
20241 + " movq 16(%1), %%mm2\n"
20242 + " movntq %%mm2, 16(%2)\n"
20243 + " movq 24(%1), %%mm3\n"
20244 + " movntq %%mm3, 24(%2)\n"
20245 + " movq 32(%1), %%mm4\n"
20246 + " movntq %%mm4, 32(%2)\n"
20247 + " movq 40(%1), %%mm5\n"
20248 + " movntq %%mm5, 40(%2)\n"
20249 + " movq 48(%1), %%mm6\n"
20250 + " movntq %%mm6, 48(%2)\n"
20251 + " movq 56(%1), %%mm7\n"
20252 + " movntq %%mm7, 56(%2)\n"
20253 ".section .fixup, \"ax\"\n"
20254 - "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
20255 + "3:\n"
20256 +
20257 +#ifdef CONFIG_PAX_KERNEXEC
20258 + " movl %%cr0, %0\n"
20259 + " movl %0, %%eax\n"
20260 + " andl $0xFFFEFFFF, %%eax\n"
20261 + " movl %%eax, %%cr0\n"
20262 +#endif
20263 +
20264 + " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
20265 +
20266 +#ifdef CONFIG_PAX_KERNEXEC
20267 + " movl %0, %%cr0\n"
20268 +#endif
20269 +
20270 " jmp 2b\n"
20271 ".previous\n"
20272 - _ASM_EXTABLE(1b, 3b) : : "r" (from), "r" (to) : "memory");
20273 + _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
20274
20275 from += 64;
20276 to += 64;
20277 @@ -280,47 +338,76 @@ static void fast_clear_page(void *page)
20278 static void fast_copy_page(void *to, void *from)
20279 {
20280 int i;
20281 + unsigned long cr0;
20282
20283 kernel_fpu_begin();
20284
20285 __asm__ __volatile__ (
20286 - "1: prefetch (%0)\n"
20287 - " prefetch 64(%0)\n"
20288 - " prefetch 128(%0)\n"
20289 - " prefetch 192(%0)\n"
20290 - " prefetch 256(%0)\n"
20291 + "1: prefetch (%1)\n"
20292 + " prefetch 64(%1)\n"
20293 + " prefetch 128(%1)\n"
20294 + " prefetch 192(%1)\n"
20295 + " prefetch 256(%1)\n"
20296 "2: \n"
20297 ".section .fixup, \"ax\"\n"
20298 - "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
20299 + "3: \n"
20300 +
20301 +#ifdef CONFIG_PAX_KERNEXEC
20302 + " movl %%cr0, %0\n"
20303 + " movl %0, %%eax\n"
20304 + " andl $0xFFFEFFFF, %%eax\n"
20305 + " movl %%eax, %%cr0\n"
20306 +#endif
20307 +
20308 + " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
20309 +
20310 +#ifdef CONFIG_PAX_KERNEXEC
20311 + " movl %0, %%cr0\n"
20312 +#endif
20313 +
20314 " jmp 2b\n"
20315 ".previous\n"
20316 - _ASM_EXTABLE(1b, 3b) : : "r" (from));
20317 + _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from) : "ax");
20318
20319 for (i = 0; i < 4096/64; i++) {
20320 __asm__ __volatile__ (
20321 - "1: prefetch 320(%0)\n"
20322 - "2: movq (%0), %%mm0\n"
20323 - " movq 8(%0), %%mm1\n"
20324 - " movq 16(%0), %%mm2\n"
20325 - " movq 24(%0), %%mm3\n"
20326 - " movq %%mm0, (%1)\n"
20327 - " movq %%mm1, 8(%1)\n"
20328 - " movq %%mm2, 16(%1)\n"
20329 - " movq %%mm3, 24(%1)\n"
20330 - " movq 32(%0), %%mm0\n"
20331 - " movq 40(%0), %%mm1\n"
20332 - " movq 48(%0), %%mm2\n"
20333 - " movq 56(%0), %%mm3\n"
20334 - " movq %%mm0, 32(%1)\n"
20335 - " movq %%mm1, 40(%1)\n"
20336 - " movq %%mm2, 48(%1)\n"
20337 - " movq %%mm3, 56(%1)\n"
20338 + "1: prefetch 320(%1)\n"
20339 + "2: movq (%1), %%mm0\n"
20340 + " movq 8(%1), %%mm1\n"
20341 + " movq 16(%1), %%mm2\n"
20342 + " movq 24(%1), %%mm3\n"
20343 + " movq %%mm0, (%2)\n"
20344 + " movq %%mm1, 8(%2)\n"
20345 + " movq %%mm2, 16(%2)\n"
20346 + " movq %%mm3, 24(%2)\n"
20347 + " movq 32(%1), %%mm0\n"
20348 + " movq 40(%1), %%mm1\n"
20349 + " movq 48(%1), %%mm2\n"
20350 + " movq 56(%1), %%mm3\n"
20351 + " movq %%mm0, 32(%2)\n"
20352 + " movq %%mm1, 40(%2)\n"
20353 + " movq %%mm2, 48(%2)\n"
20354 + " movq %%mm3, 56(%2)\n"
20355 ".section .fixup, \"ax\"\n"
20356 - "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
20357 + "3:\n"
20358 +
20359 +#ifdef CONFIG_PAX_KERNEXEC
20360 + " movl %%cr0, %0\n"
20361 + " movl %0, %%eax\n"
20362 + " andl $0xFFFEFFFF, %%eax\n"
20363 + " movl %%eax, %%cr0\n"
20364 +#endif
20365 +
20366 + " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
20367 +
20368 +#ifdef CONFIG_PAX_KERNEXEC
20369 + " movl %0, %%cr0\n"
20370 +#endif
20371 +
20372 " jmp 2b\n"
20373 ".previous\n"
20374 _ASM_EXTABLE(1b, 3b)
20375 - : : "r" (from), "r" (to) : "memory");
20376 + : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
20377
20378 from += 64;
20379 to += 64;
20380 diff -urNp linux-2.6.39.3/arch/x86/lib/putuser.S linux-2.6.39.3/arch/x86/lib/putuser.S
20381 --- linux-2.6.39.3/arch/x86/lib/putuser.S 2011-05-19 00:06:34.000000000 -0400
20382 +++ linux-2.6.39.3/arch/x86/lib/putuser.S 2011-05-22 19:36:30.000000000 -0400
20383 @@ -15,7 +15,8 @@
20384 #include <asm/thread_info.h>
20385 #include <asm/errno.h>
20386 #include <asm/asm.h>
20387 -
20388 +#include <asm/segment.h>
20389 +#include <asm/pgtable.h>
20390
20391 /*
20392 * __put_user_X
20393 @@ -29,52 +30,119 @@
20394 * as they get called from within inline assembly.
20395 */
20396
20397 -#define ENTER CFI_STARTPROC ; \
20398 - GET_THREAD_INFO(%_ASM_BX)
20399 +#define ENTER CFI_STARTPROC
20400 #define EXIT ret ; \
20401 CFI_ENDPROC
20402
20403 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
20404 +#define _DEST %_ASM_CX,%_ASM_BX
20405 +#else
20406 +#define _DEST %_ASM_CX
20407 +#endif
20408 +
20409 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
20410 +#define __copyuser_seg gs;
20411 +#else
20412 +#define __copyuser_seg
20413 +#endif
20414 +
20415 .text
20416 ENTRY(__put_user_1)
20417 ENTER
20418 +
20419 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
20420 + GET_THREAD_INFO(%_ASM_BX)
20421 cmp TI_addr_limit(%_ASM_BX),%_ASM_CX
20422 jae bad_put_user
20423 -1: movb %al,(%_ASM_CX)
20424 +
20425 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
20426 + mov $PAX_USER_SHADOW_BASE,%_ASM_BX
20427 + cmp %_ASM_BX,%_ASM_CX
20428 + jb 1234f
20429 + xor %ebx,%ebx
20430 +1234:
20431 +#endif
20432 +
20433 +#endif
20434 +
20435 +1: __copyuser_seg movb %al,(_DEST)
20436 xor %eax,%eax
20437 EXIT
20438 ENDPROC(__put_user_1)
20439
20440 ENTRY(__put_user_2)
20441 ENTER
20442 +
20443 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
20444 + GET_THREAD_INFO(%_ASM_BX)
20445 mov TI_addr_limit(%_ASM_BX),%_ASM_BX
20446 sub $1,%_ASM_BX
20447 cmp %_ASM_BX,%_ASM_CX
20448 jae bad_put_user
20449 -2: movw %ax,(%_ASM_CX)
20450 +
20451 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
20452 + mov $PAX_USER_SHADOW_BASE,%_ASM_BX
20453 + cmp %_ASM_BX,%_ASM_CX
20454 + jb 1234f
20455 + xor %ebx,%ebx
20456 +1234:
20457 +#endif
20458 +
20459 +#endif
20460 +
20461 +2: __copyuser_seg movw %ax,(_DEST)
20462 xor %eax,%eax
20463 EXIT
20464 ENDPROC(__put_user_2)
20465
20466 ENTRY(__put_user_4)
20467 ENTER
20468 +
20469 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
20470 + GET_THREAD_INFO(%_ASM_BX)
20471 mov TI_addr_limit(%_ASM_BX),%_ASM_BX
20472 sub $3,%_ASM_BX
20473 cmp %_ASM_BX,%_ASM_CX
20474 jae bad_put_user
20475 -3: movl %eax,(%_ASM_CX)
20476 +
20477 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
20478 + mov $PAX_USER_SHADOW_BASE,%_ASM_BX
20479 + cmp %_ASM_BX,%_ASM_CX
20480 + jb 1234f
20481 + xor %ebx,%ebx
20482 +1234:
20483 +#endif
20484 +
20485 +#endif
20486 +
20487 +3: __copyuser_seg movl %eax,(_DEST)
20488 xor %eax,%eax
20489 EXIT
20490 ENDPROC(__put_user_4)
20491
20492 ENTRY(__put_user_8)
20493 ENTER
20494 +
20495 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
20496 + GET_THREAD_INFO(%_ASM_BX)
20497 mov TI_addr_limit(%_ASM_BX),%_ASM_BX
20498 sub $7,%_ASM_BX
20499 cmp %_ASM_BX,%_ASM_CX
20500 jae bad_put_user
20501 -4: mov %_ASM_AX,(%_ASM_CX)
20502 +
20503 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
20504 + mov $PAX_USER_SHADOW_BASE,%_ASM_BX
20505 + cmp %_ASM_BX,%_ASM_CX
20506 + jb 1234f
20507 + xor %ebx,%ebx
20508 +1234:
20509 +#endif
20510 +
20511 +#endif
20512 +
20513 +4: __copyuser_seg mov %_ASM_AX,(_DEST)
20514 #ifdef CONFIG_X86_32
20515 -5: movl %edx,4(%_ASM_CX)
20516 +5: __copyuser_seg movl %edx,4(_DEST)
20517 #endif
20518 xor %eax,%eax
20519 EXIT
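Review bot: `_DEST` turns every store into a base-plus-index access on 64-bit UDEREF, but nothing says what `%_ASM_BX` holds when the store is reached. After the added block it is `PAX_USER_SHADOW_BASE` for a pointer below that base and zero otherwise, and it is no longer the thread-info pointer that `ENTER` used to load; a comment above the `_DEST` definition such as `/* UDEREF/amd64: %_ASM_BX = shadow offset (PAX_USER_SHADOW_BASE or 0), added to the user pointer in %_ASM_CX */` would record that. `getuser.S` handles the same case by adding the base into the pointer register, so the two files differ in approach without explanation. The `bad_put_user` target and the exception table for labels 1 to 5 are outside this hunk.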
20520 diff -urNp linux-2.6.39.3/arch/x86/lib/usercopy_32.c linux-2.6.39.3/arch/x86/lib/usercopy_32.c
20521 --- linux-2.6.39.3/arch/x86/lib/usercopy_32.c 2011-05-19 00:06:34.000000000 -0400
20522 +++ linux-2.6.39.3/arch/x86/lib/usercopy_32.c 2011-05-22 19:36:30.000000000 -0400
20523 @@ -43,7 +43,7 @@ do { \
20524 __asm__ __volatile__( \
20525 " testl %1,%1\n" \
20526 " jz 2f\n" \
20527 - "0: lodsb\n" \
20528 + "0: "__copyuser_seg"lodsb\n" \
20529 " stosb\n" \
20530 " testb %%al,%%al\n" \
20531 " jz 1f\n" \
20532 @@ -128,10 +128,12 @@ do { \
20533 int __d0; \
20534 might_fault(); \
20535 __asm__ __volatile__( \
20536 + __COPYUSER_SET_ES \
20537 "0: rep; stosl\n" \
20538 " movl %2,%0\n" \
20539 "1: rep; stosb\n" \
20540 "2:\n" \
20541 + __COPYUSER_RESTORE_ES \
20542 ".section .fixup,\"ax\"\n" \
20543 "3: lea 0(%2,%0,4),%0\n" \
20544 " jmp 2b\n" \
20545 @@ -200,6 +202,7 @@ long strnlen_user(const char __user *s,
20546 might_fault();
20547
20548 __asm__ __volatile__(
20549 + __COPYUSER_SET_ES
20550 " testl %0, %0\n"
20551 " jz 3f\n"
20552 " andl %0,%%ecx\n"
20553 @@ -208,6 +211,7 @@ long strnlen_user(const char __user *s,
20554 " subl %%ecx,%0\n"
20555 " addl %0,%%eax\n"
20556 "1:\n"
20557 + __COPYUSER_RESTORE_ES
20558 ".section .fixup,\"ax\"\n"
20559 "2: xorl %%eax,%%eax\n"
20560 " jmp 1b\n"
20561 @@ -227,7 +231,7 @@ EXPORT_SYMBOL(strnlen_user);
20562
20563 #ifdef CONFIG_X86_INTEL_USERCOPY
20564 static unsigned long
20565 -__copy_user_intel(void __user *to, const void *from, unsigned long size)
20566 +__generic_copy_to_user_intel(void __user *to, const void *from, unsigned long size)
20567 {
20568 int d0, d1;
20569 __asm__ __volatile__(
20570 @@ -239,36 +243,36 @@ __copy_user_intel(void __user *to, const
20571 " .align 2,0x90\n"
20572 "3: movl 0(%4), %%eax\n"
20573 "4: movl 4(%4), %%edx\n"
20574 - "5: movl %%eax, 0(%3)\n"
20575 - "6: movl %%edx, 4(%3)\n"
20576 + "5: "__copyuser_seg" movl %%eax, 0(%3)\n"
20577 + "6: "__copyuser_seg" movl %%edx, 4(%3)\n"
20578 "7: movl 8(%4), %%eax\n"
20579 "8: movl 12(%4),%%edx\n"
20580 - "9: movl %%eax, 8(%3)\n"
20581 - "10: movl %%edx, 12(%3)\n"
20582 + "9: "__copyuser_seg" movl %%eax, 8(%3)\n"
20583 + "10: "__copyuser_seg" movl %%edx, 12(%3)\n"
20584 "11: movl 16(%4), %%eax\n"
20585 "12: movl 20(%4), %%edx\n"
20586 - "13: movl %%eax, 16(%3)\n"
20587 - "14: movl %%edx, 20(%3)\n"
20588 + "13: "__copyuser_seg" movl %%eax, 16(%3)\n"
20589 + "14: "__copyuser_seg" movl %%edx, 20(%3)\n"
20590 "15: movl 24(%4), %%eax\n"
20591 "16: movl 28(%4), %%edx\n"
20592 - "17: movl %%eax, 24(%3)\n"
20593 - "18: movl %%edx, 28(%3)\n"
20594 + "17: "__copyuser_seg" movl %%eax, 24(%3)\n"
20595 + "18: "__copyuser_seg" movl %%edx, 28(%3)\n"
20596 "19: movl 32(%4), %%eax\n"
20597 "20: movl 36(%4), %%edx\n"
20598 - "21: movl %%eax, 32(%3)\n"
20599 - "22: movl %%edx, 36(%3)\n"
20600 + "21: "__copyuser_seg" movl %%eax, 32(%3)\n"
20601 + "22: "__copyuser_seg" movl %%edx, 36(%3)\n"
20602 "23: movl 40(%4), %%eax\n"
20603 "24: movl 44(%4), %%edx\n"
20604 - "25: movl %%eax, 40(%3)\n"
20605 - "26: movl %%edx, 44(%3)\n"
20606 + "25: "__copyuser_seg" movl %%eax, 40(%3)\n"
20607 + "26: "__copyuser_seg" movl %%edx, 44(%3)\n"
20608 "27: movl 48(%4), %%eax\n"
20609 "28: movl 52(%4), %%edx\n"
20610 - "29: movl %%eax, 48(%3)\n"
20611 - "30: movl %%edx, 52(%3)\n"
20612 + "29: "__copyuser_seg" movl %%eax, 48(%3)\n"
20613 + "30: "__copyuser_seg" movl %%edx, 52(%3)\n"
20614 "31: movl 56(%4), %%eax\n"
20615 "32: movl 60(%4), %%edx\n"
20616 - "33: movl %%eax, 56(%3)\n"
20617 - "34: movl %%edx, 60(%3)\n"
20618 + "33: "__copyuser_seg" movl %%eax, 56(%3)\n"
20619 + "34: "__copyuser_seg" movl %%edx, 60(%3)\n"
20620 " addl $-64, %0\n"
20621 " addl $64, %4\n"
20622 " addl $64, %3\n"
20623 @@ -278,10 +282,119 @@ __copy_user_intel(void __user *to, const
20624 " shrl $2, %0\n"
20625 " andl $3, %%eax\n"
20626 " cld\n"
20627 + __COPYUSER_SET_ES
20628 "99: rep; movsl\n"
20629 "36: movl %%eax, %0\n"
20630 "37: rep; movsb\n"
20631 "100:\n"
20632 + __COPYUSER_RESTORE_ES
20633 + ".section .fixup,\"ax\"\n"
20634 + "101: lea 0(%%eax,%0,4),%0\n"
20635 + " jmp 100b\n"
20636 + ".previous\n"
20637 + ".section __ex_table,\"a\"\n"
20638 + " .align 4\n"
20639 + " .long 1b,100b\n"
20640 + " .long 2b,100b\n"
20641 + " .long 3b,100b\n"
20642 + " .long 4b,100b\n"
20643 + " .long 5b,100b\n"
20644 + " .long 6b,100b\n"
20645 + " .long 7b,100b\n"
20646 + " .long 8b,100b\n"
20647 + " .long 9b,100b\n"
20648 + " .long 10b,100b\n"
20649 + " .long 11b,100b\n"
20650 + " .long 12b,100b\n"
20651 + " .long 13b,100b\n"
20652 + " .long 14b,100b\n"
20653 + " .long 15b,100b\n"
20654 + " .long 16b,100b\n"
20655 + " .long 17b,100b\n"
20656 + " .long 18b,100b\n"
20657 + " .long 19b,100b\n"
20658 + " .long 20b,100b\n"
20659 + " .long 21b,100b\n"
20660 + " .long 22b,100b\n"
20661 + " .long 23b,100b\n"
20662 + " .long 24b,100b\n"
20663 + " .long 25b,100b\n"
20664 + " .long 26b,100b\n"
20665 + " .long 27b,100b\n"
20666 + " .long 28b,100b\n"
20667 + " .long 29b,100b\n"
20668 + " .long 30b,100b\n"
20669 + " .long 31b,100b\n"
20670 + " .long 32b,100b\n"
20671 + " .long 33b,100b\n"
20672 + " .long 34b,100b\n"
20673 + " .long 35b,100b\n"
20674 + " .long 36b,100b\n"
20675 + " .long 37b,100b\n"
20676 + " .long 99b,101b\n"
20677 + ".previous"
20678 + : "=&c"(size), "=&D" (d0), "=&S" (d1)
20679 + : "1"(to), "2"(from), "0"(size)
20680 + : "eax", "edx", "memory");
20681 + return size;
20682 +}
20683 +
20684 +static unsigned long
20685 +__generic_copy_from_user_intel(void *to, const void __user *from, unsigned long size)
20686 +{
20687 + int d0, d1;
20688 + __asm__ __volatile__(
20689 + " .align 2,0x90\n"
20690 + "1: "__copyuser_seg" movl 32(%4), %%eax\n"
20691 + " cmpl $67, %0\n"
20692 + " jbe 3f\n"
20693 + "2: "__copyuser_seg" movl 64(%4), %%eax\n"
20694 + " .align 2,0x90\n"
20695 + "3: "__copyuser_seg" movl 0(%4), %%eax\n"
20696 + "4: "__copyuser_seg" movl 4(%4), %%edx\n"
20697 + "5: movl %%eax, 0(%3)\n"
20698 + "6: movl %%edx, 4(%3)\n"
20699 + "7: "__copyuser_seg" movl 8(%4), %%eax\n"
20700 + "8: "__copyuser_seg" movl 12(%4),%%edx\n"
20701 + "9: movl %%eax, 8(%3)\n"
20702 + "10: movl %%edx, 12(%3)\n"
20703 + "11: "__copyuser_seg" movl 16(%4), %%eax\n"
20704 + "12: "__copyuser_seg" movl 20(%4), %%edx\n"
20705 + "13: movl %%eax, 16(%3)\n"
20706 + "14: movl %%edx, 20(%3)\n"
20707 + "15: "__copyuser_seg" movl 24(%4), %%eax\n"
20708 + "16: "__copyuser_seg" movl 28(%4), %%edx\n"
20709 + "17: movl %%eax, 24(%3)\n"
20710 + "18: movl %%edx, 28(%3)\n"
20711 + "19: "__copyuser_seg" movl 32(%4), %%eax\n"
20712 + "20: "__copyuser_seg" movl 36(%4), %%edx\n"
20713 + "21: movl %%eax, 32(%3)\n"
20714 + "22: movl %%edx, 36(%3)\n"
20715 + "23: "__copyuser_seg" movl 40(%4), %%eax\n"
20716 + "24: "__copyuser_seg" movl 44(%4), %%edx\n"
20717 + "25: movl %%eax, 40(%3)\n"
20718 + "26: movl %%edx, 44(%3)\n"
20719 + "27: "__copyuser_seg" movl 48(%4), %%eax\n"
20720 + "28: "__copyuser_seg" movl 52(%4), %%edx\n"
20721 + "29: movl %%eax, 48(%3)\n"
20722 + "30: movl %%edx, 52(%3)\n"
20723 + "31: "__copyuser_seg" movl 56(%4), %%eax\n"
20724 + "32: "__copyuser_seg" movl 60(%4), %%edx\n"
20725 + "33: movl %%eax, 56(%3)\n"
20726 + "34: movl %%edx, 60(%3)\n"
20727 + " addl $-64, %0\n"
20728 + " addl $64, %4\n"
20729 + " addl $64, %3\n"
20730 + " cmpl $63, %0\n"
20731 + " ja 1b\n"
20732 + "35: movl %0, %%eax\n"
20733 + " shrl $2, %0\n"
20734 + " andl $3, %%eax\n"
20735 + " cld\n"
20736 + "99: rep; "__copyuser_seg" movsl\n"
20737 + "36: movl %%eax, %0\n"
20738 + "37: rep; "__copyuser_seg" movsb\n"
20739 + "100:\n"
20740 ".section .fixup,\"ax\"\n"
20741 "101: lea 0(%%eax,%0,4),%0\n"
20742 " jmp 100b\n"
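Review bot: In `__generic_copy_to_user_intel`, `__COPYUSER_RESTORE_ES` sits after label `100:`, which is also the landing point for faults at labels 1 through 37, most of which occur before `__COPYUSER_SET_ES` has run. That is only correct if the restore macro loads `%es` with a fixed kernel selector and does not pop a value the set macro saved; both definitions are outside this chunk, so a comment next to `100:` such as `/* RESTORE_ES is unconditional: safe on fault paths that never ran SET_ES */` would pin the assumption. The hunk ends inside the new `__generic_copy_from_user_intel`, whose fixup section and exception table are unchanged context that continues past the hunk.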
20743 @@ -339,41 +452,41 @@ __copy_user_zeroing_intel(void *to, cons
20744 int d0, d1;
20745 __asm__ __volatile__(
20746 " .align 2,0x90\n"
20747 - "0: movl 32(%4), %%eax\n"
20748 + "0: "__copyuser_seg" movl 32(%4), %%eax\n"
20749 " cmpl $67, %0\n"
20750 " jbe 2f\n"
20751 - "1: movl 64(%4), %%eax\n"
20752 + "1: "__copyuser_seg" movl 64(%4), %%eax\n"
20753 " .align 2,0x90\n"
20754 - "2: movl 0(%4), %%eax\n"
20755 - "21: movl 4(%4), %%edx\n"
20756 + "2: "__copyuser_seg" movl 0(%4), %%eax\n"
20757 + "21: "__copyuser_seg" movl 4(%4), %%edx\n"
20758 " movl %%eax, 0(%3)\n"
20759 " movl %%edx, 4(%3)\n"
20760 - "3: movl 8(%4), %%eax\n"
20761 - "31: movl 12(%4),%%edx\n"
20762 + "3: "__copyuser_seg" movl 8(%4), %%eax\n"
20763 + "31: "__copyuser_seg" movl 12(%4),%%edx\n"
20764 " movl %%eax, 8(%3)\n"
20765 " movl %%edx, 12(%3)\n"
20766 - "4: movl 16(%4), %%eax\n"
20767 - "41: movl 20(%4), %%edx\n"
20768 + "4: "__copyuser_seg" movl 16(%4), %%eax\n"
20769 + "41: "__copyuser_seg" movl 20(%4), %%edx\n"
20770 " movl %%eax, 16(%3)\n"
20771 " movl %%edx, 20(%3)\n"
20772 - "10: movl 24(%4), %%eax\n"
20773 - "51: movl 28(%4), %%edx\n"
20774 + "10: "__copyuser_seg" movl 24(%4), %%eax\n"
20775 + "51: "__copyuser_seg" movl 28(%4), %%edx\n"
20776 " movl %%eax, 24(%3)\n"
20777 " movl %%edx, 28(%3)\n"
20778 - "11: movl 32(%4), %%eax\n"
20779 - "61: movl 36(%4), %%edx\n"
20780 + "11: "__copyuser_seg" movl 32(%4), %%eax\n"
20781 + "61: "__copyuser_seg" movl 36(%4), %%edx\n"
20782 " movl %%eax, 32(%3)\n"
20783 " movl %%edx, 36(%3)\n"
20784 - "12: movl 40(%4), %%eax\n"
20785 - "71: movl 44(%4), %%edx\n"
20786 + "12: "__copyuser_seg" movl 40(%4), %%eax\n"
20787 + "71: "__copyuser_seg" movl 44(%4), %%edx\n"
20788 " movl %%eax, 40(%3)\n"
20789 " movl %%edx, 44(%3)\n"
20790 - "13: movl 48(%4), %%eax\n"
20791 - "81: movl 52(%4), %%edx\n"
20792 + "13: "__copyuser_seg" movl 48(%4), %%eax\n"
20793 + "81: "__copyuser_seg" movl 52(%4), %%edx\n"
20794 " movl %%eax, 48(%3)\n"
20795 " movl %%edx, 52(%3)\n"
20796 - "14: movl 56(%4), %%eax\n"
20797 - "91: movl 60(%4), %%edx\n"
20798 + "14: "__copyuser_seg" movl 56(%4), %%eax\n"
20799 + "91: "__copyuser_seg" movl 60(%4), %%edx\n"
20800 " movl %%eax, 56(%3)\n"
20801 " movl %%edx, 60(%3)\n"
20802 " addl $-64, %0\n"
20803 @@ -385,9 +498,9 @@ __copy_user_zeroing_intel(void *to, cons
20804 " shrl $2, %0\n"
20805 " andl $3, %%eax\n"
20806 " cld\n"
20807 - "6: rep; movsl\n"
20808 + "6: rep; "__copyuser_seg" movsl\n"
20809 " movl %%eax,%0\n"
20810 - "7: rep; movsb\n"
20811 + "7: rep; "__copyuser_seg" movsb\n"
20812 "8:\n"
20813 ".section .fixup,\"ax\"\n"
20814 "9: lea 0(%%eax,%0,4),%0\n"
20815 @@ -440,41 +553,41 @@ static unsigned long __copy_user_zeroing
20816
20817 __asm__ __volatile__(
20818 " .align 2,0x90\n"
20819 - "0: movl 32(%4), %%eax\n"
20820 + "0: "__copyuser_seg" movl 32(%4), %%eax\n"
20821 " cmpl $67, %0\n"
20822 " jbe 2f\n"
20823 - "1: movl 64(%4), %%eax\n"
20824 + "1: "__copyuser_seg" movl 64(%4), %%eax\n"
20825 " .align 2,0x90\n"
20826 - "2: movl 0(%4), %%eax\n"
20827 - "21: movl 4(%4), %%edx\n"
20828 + "2: "__copyuser_seg" movl 0(%4), %%eax\n"
20829 + "21: "__copyuser_seg" movl 4(%4), %%edx\n"
20830 " movnti %%eax, 0(%3)\n"
20831 " movnti %%edx, 4(%3)\n"
20832 - "3: movl 8(%4), %%eax\n"
20833 - "31: movl 12(%4),%%edx\n"
20834 + "3: "__copyuser_seg" movl 8(%4), %%eax\n"
20835 + "31: "__copyuser_seg" movl 12(%4),%%edx\n"
20836 " movnti %%eax, 8(%3)\n"
20837 " movnti %%edx, 12(%3)\n"
20838 - "4: movl 16(%4), %%eax\n"
20839 - "41: movl 20(%4), %%edx\n"
20840 + "4: "__copyuser_seg" movl 16(%4), %%eax\n"
20841 + "41: "__copyuser_seg" movl 20(%4), %%edx\n"
20842 " movnti %%eax, 16(%3)\n"
20843 " movnti %%edx, 20(%3)\n"
20844 - "10: movl 24(%4), %%eax\n"
20845 - "51: movl 28(%4), %%edx\n"
20846 + "10: "__copyuser_seg" movl 24(%4), %%eax\n"
20847 + "51: "__copyuser_seg" movl 28(%4), %%edx\n"
20848 " movnti %%eax, 24(%3)\n"
20849 " movnti %%edx, 28(%3)\n"
20850 - "11: movl 32(%4), %%eax\n"
20851 - "61: movl 36(%4), %%edx\n"
20852 + "11: "__copyuser_seg" movl 32(%4), %%eax\n"
20853 + "61: "__copyuser_seg" movl 36(%4), %%edx\n"
20854 " movnti %%eax, 32(%3)\n"
20855 " movnti %%edx, 36(%3)\n"
20856 - "12: movl 40(%4), %%eax\n"
20857 - "71: movl 44(%4), %%edx\n"
20858 + "12: "__copyuser_seg" movl 40(%4), %%eax\n"
20859 + "71: "__copyuser_seg" movl 44(%4), %%edx\n"
20860 " movnti %%eax, 40(%3)\n"
20861 " movnti %%edx, 44(%3)\n"
20862 - "13: movl 48(%4), %%eax\n"
20863 - "81: movl 52(%4), %%edx\n"
20864 + "13: "__copyuser_seg" movl 48(%4), %%eax\n"
20865 + "81: "__copyuser_seg" movl 52(%4), %%edx\n"
20866 " movnti %%eax, 48(%3)\n"
20867 " movnti %%edx, 52(%3)\n"
20868 - "14: movl 56(%4), %%eax\n"
20869 - "91: movl 60(%4), %%edx\n"
20870 + "14: "__copyuser_seg" movl 56(%4), %%eax\n"
20871 + "91: "__copyuser_seg" movl 60(%4), %%edx\n"
20872 " movnti %%eax, 56(%3)\n"
20873 " movnti %%edx, 60(%3)\n"
20874 " addl $-64, %0\n"
20875 @@ -487,9 +600,9 @@ static unsigned long __copy_user_zeroing
20876 " shrl $2, %0\n"
20877 " andl $3, %%eax\n"
20878 " cld\n"
20879 - "6: rep; movsl\n"
20880 + "6: rep; "__copyuser_seg" movsl\n"
20881 " movl %%eax,%0\n"
20882 - "7: rep; movsb\n"
20883 + "7: rep; "__copyuser_seg" movsb\n"
20884 "8:\n"
20885 ".section .fixup,\"ax\"\n"
20886 "9: lea 0(%%eax,%0,4),%0\n"
20887 @@ -537,41 +650,41 @@ static unsigned long __copy_user_intel_n
20888
20889 __asm__ __volatile__(
20890 " .align 2,0x90\n"
20891 - "0: movl 32(%4), %%eax\n"
20892 + "0: "__copyuser_seg" movl 32(%4), %%eax\n"
20893 " cmpl $67, %0\n"
20894 " jbe 2f\n"
20895 - "1: movl 64(%4), %%eax\n"
20896 + "1: "__copyuser_seg" movl 64(%4), %%eax\n"
20897 " .align 2,0x90\n"
20898 - "2: movl 0(%4), %%eax\n"
20899 - "21: movl 4(%4), %%edx\n"
20900 + "2: "__copyuser_seg" movl 0(%4), %%eax\n"
20901 + "21: "__copyuser_seg" movl 4(%4), %%edx\n"
20902 " movnti %%eax, 0(%3)\n"
20903 " movnti %%edx, 4(%3)\n"
20904 - "3: movl 8(%4), %%eax\n"
20905 - "31: movl 12(%4),%%edx\n"
20906 + "3: "__copyuser_seg" movl 8(%4), %%eax\n"
20907 + "31: "__copyuser_seg" movl 12(%4),%%edx\n"
20908 " movnti %%eax, 8(%3)\n"
20909 " movnti %%edx, 12(%3)\n"
20910 - "4: movl 16(%4), %%eax\n"
20911 - "41: movl 20(%4), %%edx\n"
20912 + "4: "__copyuser_seg" movl 16(%4), %%eax\n"
20913 + "41: "__copyuser_seg" movl 20(%4), %%edx\n"
20914 " movnti %%eax, 16(%3)\n"
20915 " movnti %%edx, 20(%3)\n"
20916 - "10: movl 24(%4), %%eax\n"
20917 - "51: movl 28(%4), %%edx\n"
20918 + "10: "__copyuser_seg" movl 24(%4), %%eax\n"
20919 + "51: "__copyuser_seg" movl 28(%4), %%edx\n"
20920 " movnti %%eax, 24(%3)\n"
20921 " movnti %%edx, 28(%3)\n"
20922 - "11: movl 32(%4), %%eax\n"
20923 - "61: movl 36(%4), %%edx\n"
20924 + "11: "__copyuser_seg" movl 32(%4), %%eax\n"
20925 + "61: "__copyuser_seg" movl 36(%4), %%edx\n"
20926 " movnti %%eax, 32(%3)\n"
20927 " movnti %%edx, 36(%3)\n"
20928 - "12: movl 40(%4), %%eax\n"
20929 - "71: movl 44(%4), %%edx\n"
20930 + "12: "__copyuser_seg" movl 40(%4), %%eax\n"
20931 + "71: "__copyuser_seg" movl 44(%4), %%edx\n"
20932 " movnti %%eax, 40(%3)\n"
20933 " movnti %%edx, 44(%3)\n"
20934 - "13: movl 48(%4), %%eax\n"
20935 - "81: movl 52(%4), %%edx\n"
20936 + "13: "__copyuser_seg" movl 48(%4), %%eax\n"
20937 + "81: "__copyuser_seg" movl 52(%4), %%edx\n"
20938 " movnti %%eax, 48(%3)\n"
20939 " movnti %%edx, 52(%3)\n"
20940 - "14: movl 56(%4), %%eax\n"
20941 - "91: movl 60(%4), %%edx\n"
20942 + "14: "__copyuser_seg" movl 56(%4), %%eax\n"
20943 + "91: "__copyuser_seg" movl 60(%4), %%edx\n"
20944 " movnti %%eax, 56(%3)\n"
20945 " movnti %%edx, 60(%3)\n"
20946 " addl $-64, %0\n"
20947 @@ -584,9 +697,9 @@ static unsigned long __copy_user_intel_n
20948 " shrl $2, %0\n"
20949 " andl $3, %%eax\n"
20950 " cld\n"
20951 - "6: rep; movsl\n"
20952 + "6: rep; "__copyuser_seg" movsl\n"
20953 " movl %%eax,%0\n"
20954 - "7: rep; movsb\n"
20955 + "7: rep; "__copyuser_seg" movsb\n"
20956 "8:\n"
20957 ".section .fixup,\"ax\"\n"
20958 "9: lea 0(%%eax,%0,4),%0\n"
20959 @@ -629,32 +742,36 @@ static unsigned long __copy_user_intel_n
20960 */
20961 unsigned long __copy_user_zeroing_intel(void *to, const void __user *from,
20962 unsigned long size);
20963 -unsigned long __copy_user_intel(void __user *to, const void *from,
20964 +unsigned long __generic_copy_to_user_intel(void __user *to, const void *from,
20965 + unsigned long size);
20966 +unsigned long __generic_copy_from_user_intel(void *to, const void __user *from,
20967 unsigned long size);
20968 unsigned long __copy_user_zeroing_intel_nocache(void *to,
20969 const void __user *from, unsigned long size);
20970 #endif /* CONFIG_X86_INTEL_USERCOPY */
20971
20972 /* Generic arbitrary sized copy. */
20973 -#define __copy_user(to, from, size) \
20974 +#define __copy_user(to, from, size, prefix, set, restore) \
20975 do { \
20976 int __d0, __d1, __d2; \
20977 __asm__ __volatile__( \
20978 + set \
20979 " cmp $7,%0\n" \
20980 " jbe 1f\n" \
20981 " movl %1,%0\n" \
20982 " negl %0\n" \
20983 " andl $7,%0\n" \
20984 " subl %0,%3\n" \
20985 - "4: rep; movsb\n" \
20986 + "4: rep; "prefix"movsb\n" \
20987 " movl %3,%0\n" \
20988 " shrl $2,%0\n" \
20989 " andl $3,%3\n" \
20990 " .align 2,0x90\n" \
20991 - "0: rep; movsl\n" \
20992 + "0: rep; "prefix"movsl\n" \
20993 " movl %3,%0\n" \
20994 - "1: rep; movsb\n" \
20995 + "1: rep; "prefix"movsb\n" \
20996 "2:\n" \
20997 + restore \
20998 ".section .fixup,\"ax\"\n" \
20999 "5: addl %3,%0\n" \
21000 " jmp 2b\n" \
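Review bot: The three parameters added to `__copy_user` (`prefix`, `set`, `restore`) have no comment, and the rule for pairing them can only be worked out from the call sites. `prefix` is pasted in front of each `movsb`/`movsl`, while `set` and `restore` bracket the copy, with `restore` placed after label `2:` so that the fixup's `jmp 2b` also runs it. A short comment above the macro would help, for example `/* prefix: segment override for the string-move source; set/restore: asm emitted before the copy and at label 2 (also reached from the fixup path), always passed as a pair */`. The macro body continues outside this hunk.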
21001 @@ -682,14 +799,14 @@ do { \
21002 " negl %0\n" \
21003 " andl $7,%0\n" \
21004 " subl %0,%3\n" \
21005 - "4: rep; movsb\n" \
21006 + "4: rep; "__copyuser_seg"movsb\n" \
21007 " movl %3,%0\n" \
21008 " shrl $2,%0\n" \
21009 " andl $3,%3\n" \
21010 " .align 2,0x90\n" \
21011 - "0: rep; movsl\n" \
21012 + "0: rep; "__copyuser_seg"movsl\n" \
21013 " movl %3,%0\n" \
21014 - "1: rep; movsb\n" \
21015 + "1: rep; "__copyuser_seg"movsb\n" \
21016 "2:\n" \
21017 ".section .fixup,\"ax\"\n" \
21018 "5: addl %3,%0\n" \
21019 @@ -775,9 +892,9 @@ survive:
21020 }
21021 #endif
21022 if (movsl_is_ok(to, from, n))
21023 - __copy_user(to, from, n);
21024 + __copy_user(to, from, n, "", __COPYUSER_SET_ES, __COPYUSER_RESTORE_ES);
21025 else
21026 - n = __copy_user_intel(to, from, n);
21027 + n = __generic_copy_to_user_intel(to, from, n);
21028 return n;
21029 }
21030 EXPORT_SYMBOL(__copy_to_user_ll);
21031 @@ -797,10 +914,9 @@ unsigned long __copy_from_user_ll_nozero
21032 unsigned long n)
21033 {
21034 if (movsl_is_ok(to, from, n))
21035 - __copy_user(to, from, n);
21036 + __copy_user(to, from, n, __copyuser_seg, "", "");
21037 else
21038 - n = __copy_user_intel((void __user *)to,
21039 - (const void *)from, n);
21040 + n = __generic_copy_from_user_intel(to, from, n);
21041 return n;
21042 }
21043 EXPORT_SYMBOL(__copy_from_user_ll_nozero);
21044 @@ -827,65 +943,50 @@ unsigned long __copy_from_user_ll_nocach
21045 if (n > 64 && cpu_has_xmm2)
21046 n = __copy_user_intel_nocache(to, from, n);
21047 else
21048 - __copy_user(to, from, n);
21049 + __copy_user(to, from, n, __copyuser_seg, "", "");
21050 #else
21051 - __copy_user(to, from, n);
21052 + __copy_user(to, from, n, __copyuser_seg, "", "");
21053 #endif
21054 return n;
21055 }
21056 EXPORT_SYMBOL(__copy_from_user_ll_nocache_nozero);
21057
21058 -/**
21059 - * copy_to_user: - Copy a block of data into user space.
21060 - * @to: Destination address, in user space.
21061 - * @from: Source address, in kernel space.
21062 - * @n: Number of bytes to copy.
21063 - *
21064 - * Context: User context only. This function may sleep.
21065 - *
21066 - * Copy data from kernel space to user space.
21067 - *
21068 - * Returns number of bytes that could not be copied.
21069 - * On success, this will be zero.
21070 - */
21071 -unsigned long
21072 -copy_to_user(void __user *to, const void *from, unsigned long n)
21073 +void copy_from_user_overflow(void)
21074 {
21075 - if (access_ok(VERIFY_WRITE, to, n))
21076 - n = __copy_to_user(to, from, n);
21077 - return n;
21078 + WARN(1, "Buffer overflow detected!\n");
21079 }
21080 -EXPORT_SYMBOL(copy_to_user);
21081 +EXPORT_SYMBOL(copy_from_user_overflow);
21082
21083 -/**
21084 - * copy_from_user: - Copy a block of data from user space.
21085 - * @to: Destination address, in kernel space.
21086 - * @from: Source address, in user space.
21087 - * @n: Number of bytes to copy.
21088 - *
21089 - * Context: User context only. This function may sleep.
21090 - *
21091 - * Copy data from user space to kernel space.
21092 - *
21093 - * Returns number of bytes that could not be copied.
21094 - * On success, this will be zero.
21095 - *
21096 - * If some data could not be copied, this function will pad the copied
21097 - * data to the requested size using zero bytes.
21098 - */
21099 -unsigned long
21100 -_copy_from_user(void *to, const void __user *from, unsigned long n)
21101 +void copy_to_user_overflow(void)
21102 {
21103 - if (access_ok(VERIFY_READ, from, n))
21104 - n = __copy_from_user(to, from, n);
21105 - else
21106 - memset(to, 0, n);
21107 - return n;
21108 + WARN(1, "Buffer overflow detected!\n");
21109 }
21110 -EXPORT_SYMBOL(_copy_from_user);
21111 +EXPORT_SYMBOL(copy_to_user_overflow);
21112
21113 -void copy_from_user_overflow(void)
21114 +#ifdef CONFIG_PAX_MEMORY_UDEREF
21115 +void __set_fs(mm_segment_t x)
21116 {
21117 - WARN(1, "Buffer overflow detected!\n");
21118 + switch (x.seg) {
21119 + case 0:
21120 + loadsegment(gs, 0);
21121 + break;
21122 + case TASK_SIZE_MAX:
21123 + loadsegment(gs, __USER_DS);
21124 + break;
21125 + case -1UL:
21126 + loadsegment(gs, __KERNEL_DS);
21127 + break;
21128 + default:
21129 + BUG();
21130 + }
21131 + return;
21132 }
21133 -EXPORT_SYMBOL(copy_from_user_overflow);
21134 +EXPORT_SYMBOL(__set_fs);
21135 +
21136 +void set_fs(mm_segment_t x)
21137 +{
21138 + current_thread_info()->addr_limit = x;
21139 + __set_fs(x);
21140 +}
21141 +EXPORT_SYMBOL(set_fs);
21142 +#endif
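Review bot: `__set_fs` accepts exactly three `x.seg` values and calls `BUG()` for anything else, but nothing documents that contract for callers of the exported `set_fs`. I would add a comment above `__set_fs` such as `/* UDEREF: mirror the address limit in %gs; only 0, TASK_SIZE_MAX and -1UL are accepted, any other limit is a BUG() */`. `set_fs` also stores `addr_limit` before `__set_fs` has validated the value; calling `__set_fs(x)` first would keep the stored limit and the segment register in step. The trailing `return;` in `__set_fs` is redundant. The kernel-doc blocks removed with `copy_to_user` and `_copy_from_user` are not re-added in this hunk, so whatever replaces those functions elsewhere should carry them.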
21143 diff -urNp linux-2.6.39.3/arch/x86/lib/usercopy_64.c linux-2.6.39.3/arch/x86/lib/usercopy_64.c
21144 --- linux-2.6.39.3/arch/x86/lib/usercopy_64.c 2011-05-19 00:06:34.000000000 -0400
21145 +++ linux-2.6.39.3/arch/x86/lib/usercopy_64.c 2011-05-22 19:36:30.000000000 -0400
21146 @@ -42,6 +42,12 @@ long
21147 __strncpy_from_user(char *dst, const char __user *src, long count)
21148 {
21149 long res;
21150 +
21151 +#ifdef CONFIG_PAX_MEMORY_UDEREF
21152 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
21153 + src += PAX_USER_SHADOW_BASE;
21154 +#endif
21155 +
21156 __do_strncpy_from_user(dst, src, count, res);
21157 return res;
21158 }
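Review bot: The `PAX_USER_SHADOW_BASE` rebasing added here is open-coded and uncommented, and the same two lines are repeated in the `__clear_user` hunk and twice in the `copy_in_user` hunk of this file. A reader cannot tell from the hunk why a pointer below the shadow base is moved up. I would put a one-line comment on the first occurrence, e.g. `/* UDEREF: access userland through its shadow mapping; pointers already at or above the shadow base are left alone */` (wording to be confirmed against the UDEREF design). A small static inline helper would also keep the four sites from drifting apart.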
21159 @@ -65,6 +71,12 @@ unsigned long __clear_user(void __user *
21160 {
21161 long __d0;
21162 might_fault();
21163 +
21164 +#ifdef CONFIG_PAX_MEMORY_UDEREF
21165 + if ((unsigned long)addr < PAX_USER_SHADOW_BASE)
21166 + addr += PAX_USER_SHADOW_BASE;
21167 +#endif
21168 +
21169 /* no memory constraint because it doesn't change any memory gcc knows
21170 about */
21171 asm volatile(
21172 @@ -151,10 +163,18 @@ EXPORT_SYMBOL(strlen_user);
21173
21174 unsigned long copy_in_user(void __user *to, const void __user *from, unsigned len)
21175 {
21176 - if (access_ok(VERIFY_WRITE, to, len) && access_ok(VERIFY_READ, from, len)) {
21177 + if (access_ok(VERIFY_WRITE, to, len) && access_ok(VERIFY_READ, from, len)) {
21178 +
21179 +#ifdef CONFIG_PAX_MEMORY_UDEREF
21180 + if ((unsigned long)to < PAX_USER_SHADOW_BASE)
21181 + to += PAX_USER_SHADOW_BASE;
21182 + if ((unsigned long)from < PAX_USER_SHADOW_BASE)
21183 + from += PAX_USER_SHADOW_BASE;
21184 +#endif
21185 +
21186 return copy_user_generic((__force void *)to, (__force void *)from, len);
21187 - }
21188 - return len;
21189 + }
21190 + return len;
21191 }
21192 EXPORT_SYMBOL(copy_in_user);
21193
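Review bot: The `if (access_ok(...))` line, the closing brace and `return len;` are removed and re-added with text that reads the same on this page, which suggests a whitespace-only re-indentation (the original indentation cannot be recovered from the page). If so, that churn should be dropped so the hunk contains only the UDEREF block and the file keeps its existing indentation style.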
21194 diff -urNp linux-2.6.39.3/arch/x86/Makefile linux-2.6.39.3/arch/x86/Makefile
21195 --- linux-2.6.39.3/arch/x86/Makefile 2011-05-19 00:06:34.000000000 -0400
21196 +++ linux-2.6.39.3/arch/x86/Makefile 2011-05-22 19:36:30.000000000 -0400
21197 @@ -195,3 +195,12 @@ define archhelp
21198 echo ' FDARGS="..." arguments for the booted kernel'
21199 echo ' FDINITRD=file initrd for the booted kernel'
21200 endef
21201 +
21202 +define OLD_LD
21203 +
21204 +*** ${VERSION}.${PATCHLEVEL} PaX kernels no longer build correctly with old versions of binutils.
21205 +*** Please upgrade your binutils to 2.18 or newer
21206 +endef
21207 +
21208 +archprepare:
21209 + $(if $(LDFLAGS_BUILD_ID),,$(error $(OLD_LD)))
21210 diff -urNp linux-2.6.39.3/arch/x86/mm/extable.c linux-2.6.39.3/arch/x86/mm/extable.c
21211 --- linux-2.6.39.3/arch/x86/mm/extable.c 2011-05-19 00:06:34.000000000 -0400
21212 +++ linux-2.6.39.3/arch/x86/mm/extable.c 2011-05-22 19:36:30.000000000 -0400
21213 @@ -1,14 +1,71 @@
21214 #include <linux/module.h>
21215 #include <linux/spinlock.h>
21216 +#include <linux/sort.h>
21217 #include <asm/uaccess.h>
21218 +#include <asm/pgtable.h>
21219
21220 +/*
21221 + * The exception table needs to be sorted so that the binary
21222 + * search that we use to find entries in it works properly.
21223 + * This is used both for the kernel exception table and for
21224 + * the exception tables of modules that get loaded.
21225 + */
21226 +static int cmp_ex(const void *a, const void *b)
21227 +{
21228 + const struct exception_table_entry *x = a, *y = b;
21229 +
21230 + /* avoid overflow */
21231 + if (x->insn > y->insn)
21232 + return 1;
21233 + if (x->insn < y->insn)
21234 + return -1;
21235 + return 0;
21236 +}
21237 +
21238 +static void swap_ex(void *a, void *b, int size)
21239 +{
21240 + struct exception_table_entry t, *x = a, *y = b;
21241 +
21242 + t = *x;
21243 +
21244 + pax_open_kernel();
21245 + *x = *y;
21246 + *y = t;
21247 + pax_close_kernel();
21248 +}
21249 +
21250 +void sort_extable(struct exception_table_entry *start,
21251 + struct exception_table_entry *finish)
21252 +{
21253 + sort(start, finish - start, sizeof(struct exception_table_entry),
21254 + cmp_ex, swap_ex);
21255 +}
21256 +
21257 +#ifdef CONFIG_MODULES
21258 +/*
21259 + * If the exception table is sorted, any referring to the module init
21260 + * will be at the beginning or the end.
21261 + */
21262 +void trim_init_extable(struct module *m)
21263 +{
21264 + /*trim the beginning*/
21265 + while (m->num_exentries && within_module_init(m->extable[0].insn, m)) {
21266 + m->extable++;
21267 + m->num_exentries--;
21268 + }
21269 + /*trim the end*/
21270 + while (m->num_exentries &&
21271 + within_module_init(m->extable[m->num_exentries-1].insn, m))
21272 + m->num_exentries--;
21273 +}
21274 +#endif /* CONFIG_MODULES */
21275
21276 int fixup_exception(struct pt_regs *regs)
21277 {
21278 const struct exception_table_entry *fixup;
21279
21280 #ifdef CONFIG_PNPBIOS
21281 - if (unlikely(SEGMENT_IS_PNP_CODE(regs->cs))) {
21282 + if (unlikely(!v8086_mode(regs) && SEGMENT_IS_PNP_CODE(regs->cs))) {
21283 extern u32 pnp_bios_fault_eip, pnp_bios_fault_esp;
21284 extern u32 pnp_bios_is_utter_crap;
21285 pnp_bios_is_utter_crap = 1;
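Review bot: `swap_ex` ignores its `size` argument and always copies a whole `struct exception_table_entry`, and it gives no reason for wrapping the swap in `pax_open_kernel()`/`pax_close_kernel()`. A comment such as `/* the table may live in read-only kernel memory, so writes are bracketed by pax_open_kernel(); size is unused because sort_extable() always passes sizeof(struct exception_table_entry) */` would cover both; the read-only placement is my inference and should be confirmed. The block comment about sorting now sits above `cmp_ex` rather than `sort_extable`, which is the function it describes. The second `while` in `trim_init_extable` is unbraced while the first is braced. `fixup_exception` continues past the end of the hunk.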
21286 diff -urNp linux-2.6.39.3/arch/x86/mm/fault.c linux-2.6.39.3/arch/x86/mm/fault.c
21287 --- linux-2.6.39.3/arch/x86/mm/fault.c 2011-05-19 00:06:34.000000000 -0400
21288 +++ linux-2.6.39.3/arch/x86/mm/fault.c 2011-06-06 17:34:04.000000000 -0400
21289 @@ -12,10 +12,18 @@
21290 #include <linux/mmiotrace.h> /* kmmio_handler, ... */
21291 #include <linux/perf_event.h> /* perf_sw_event */
21292 #include <linux/hugetlb.h> /* hstate_index_to_shift */
21293 +#include <linux/unistd.h>
21294 +#include <linux/compiler.h>
21295
21296 #include <asm/traps.h> /* dotraplinkage, ... */
21297 #include <asm/pgalloc.h> /* pgd_*(), ... */
21298 #include <asm/kmemcheck.h> /* kmemcheck_*(), ... */
21299 +#include <asm/vsyscall.h>
21300 +#include <asm/tlbflush.h>
21301 +
21302 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
21303 +#include <asm/stacktrace.h>
21304 +#endif
21305
21306 /*
21307 * Page fault error code bits:
21308 @@ -53,7 +61,7 @@ static inline int __kprobes notify_page_
21309 int ret = 0;
21310
21311 /* kprobe_running() needs smp_processor_id() */
21312 - if (kprobes_built_in() && !user_mode_vm(regs)) {
21313 + if (kprobes_built_in() && !user_mode(regs)) {
21314 preempt_disable();
21315 if (kprobe_running() && kprobe_fault_handler(regs, 14))
21316 ret = 1;
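Review bot: Replacing `user_mode_vm(regs)` with `user_mode(regs)` in `notify_page_fault` is only equivalent if the patched tree's `user_mode()` also classifies vm86 frames as user mode, and that definition is not part of this hunk. The same substitution is made in `do_page_fault` (hunk `@@ -1032,7 +1282,7`), where the result decides whether `PF_USER` is set. This is worth confirming against the `user_mode()` definition elsewhere in the patch and noting in a comment at one of the two sites. The function body starts and ends outside the hunk.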
21317 @@ -114,7 +122,10 @@ check_prefetch_opcode(struct pt_regs *re
21318 return !instr_lo || (instr_lo>>1) == 1;
21319 case 0x00:
21320 /* Prefetch instruction is 0x0F0D or 0x0F18 */
21321 - if (probe_kernel_address(instr, opcode))
21322 + if (user_mode(regs)) {
21323 + if (__copy_from_user_inatomic(&opcode, (__force unsigned char __user *)(instr), 1))
21324 + return 0;
21325 + } else if (probe_kernel_address(instr, opcode))
21326 return 0;
21327
21328 *prefetch = (instr_lo == 0xF) &&
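Review bot: The user-mode branch reads the opcode with `__copy_from_user_inatomic()` on a `__force`-cast pointer. The double-underscore variant conventionally performs no range check of its own, so this relies on `instr` having been bounded to user space before the call. That bound is not visible in this hunk or in the matching change in `is_prefetch` (hunk `@@ -148,7 +159,10`). I would add a comment at the call, e.g. `/* instr was range-checked against user space by the caller; no access_ok() here */`, after confirming that the check exists on every path that reaches this code. Both functions start and end outside their hunks.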
21329 @@ -148,7 +159,10 @@ is_prefetch(struct pt_regs *regs, unsign
21330 while (instr < max_instr) {
21331 unsigned char opcode;
21332
21333 - if (probe_kernel_address(instr, opcode))
21334 + if (user_mode(regs)) {
21335 + if (__copy_from_user_inatomic(&opcode, (__force unsigned char __user *)(instr), 1))
21336 + break;
21337 + } else if (probe_kernel_address(instr, opcode))
21338 break;
21339
21340 instr++;
21341 @@ -179,6 +193,30 @@ force_sig_info_fault(int si_signo, int s
21342 force_sig_info(si_signo, &info, tsk);
21343 }
21344
21345 +#ifdef CONFIG_PAX_EMUTRAMP
21346 +static int pax_handle_fetch_fault(struct pt_regs *regs);
21347 +#endif
21348 +
21349 +#ifdef CONFIG_PAX_PAGEEXEC
21350 +static inline pmd_t * pax_get_pmd(struct mm_struct *mm, unsigned long address)
21351 +{
21352 + pgd_t *pgd;
21353 + pud_t *pud;
21354 + pmd_t *pmd;
21355 +
21356 + pgd = pgd_offset(mm, address);
21357 + if (!pgd_present(*pgd))
21358 + return NULL;
21359 + pud = pud_offset(pgd, address);
21360 + if (!pud_present(*pud))
21361 + return NULL;
21362 + pmd = pmd_offset(pud, address);
21363 + if (!pmd_present(*pmd))
21364 + return NULL;
21365 + return pmd;
21366 +}
21367 +#endif
21368 +
21369 DEFINE_SPINLOCK(pgd_lock);
21370 LIST_HEAD(pgd_list);
21371
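Review bot: `pax_get_pmd` has no comment describing its result or its locking expectations. It returns NULL as soon as the pgd, pud or pmd entry for `address` is not present and takes no lock itself, so the caller has to keep the page tables stable. A header such as `/* Walk mm's page tables to the pmd covering address; returns NULL if any level is not present. Caller must hold mm->mmap_sem. */` would do; the mmap_sem requirement is inferred from the caller later in this file and should be confirmed. Kernel style also writes the declarator as `pmd_t *pax_get_pmd(...)`.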
21372 @@ -229,10 +267,22 @@ void vmalloc_sync_all(void)
21373 for (address = VMALLOC_START & PMD_MASK;
21374 address >= TASK_SIZE && address < FIXADDR_TOP;
21375 address += PMD_SIZE) {
21376 +
21377 +#ifdef CONFIG_PAX_PER_CPU_PGD
21378 + unsigned long cpu;
21379 +#else
21380 struct page *page;
21381 +#endif
21382
21383 spin_lock(&pgd_lock);
21384 +
21385 +#ifdef CONFIG_PAX_PER_CPU_PGD
21386 + for (cpu = 0; cpu < NR_CPUS; ++cpu) {
21387 + pgd_t *pgd = get_cpu_pgd(cpu);
21388 + pmd_t *ret;
21389 +#else
21390 list_for_each_entry(page, &pgd_list, lru) {
21391 + pgd_t *pgd = page_address(page);
21392 spinlock_t *pgt_lock;
21393 pmd_t *ret;
21394
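Review bot: The two loop headers are selected by `#ifdef CONFIG_PAX_PER_CPU_PGD` while the loop's closing brace is shared, which splits one block across preprocessor arms here and in the following hunk (`@@ -240,8 +290,13`). That makes brace matching depend on the configuration, and the `pgt_lock` handling in the `#else` arm is easy to break in a later edit. The per-CPU arm also iterates `cpu < NR_CPUS` rather than only the CPUs that exist. Whether `get_cpu_pgd()` is valid for every index up to `NR_CPUS` cannot be seen from this hunk and should be confirmed or commented. The function starts and ends outside the hunk.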
21395 @@ -240,8 +290,13 @@ void vmalloc_sync_all(void)
21396 pgt_lock = &pgd_page_get_mm(page)->page_table_lock;
21397
21398 spin_lock(pgt_lock);
21399 - ret = vmalloc_sync_one(page_address(page), address);
21400 +#endif
21401 +
21402 + ret = vmalloc_sync_one(pgd, address);
21403 +
21404 +#ifndef CONFIG_PAX_PER_CPU_PGD
21405 spin_unlock(pgt_lock);
21406 +#endif
21407
21408 if (!ret)
21409 break;
21410 @@ -275,6 +330,11 @@ static noinline __kprobes int vmalloc_fa
21411 * an interrupt in the middle of a task switch..
21412 */
21413 pgd_paddr = read_cr3();
21414 +
21415 +#ifdef CONFIG_PAX_PER_CPU_PGD
21416 + BUG_ON(__pa(get_cpu_pgd(smp_processor_id())) != (pgd_paddr & PHYSICAL_PAGE_MASK));
21417 +#endif
21418 +
21419 pmd_k = vmalloc_sync_one(__va(pgd_paddr), address);
21420 if (!pmd_k)
21421 return -1;
21422 @@ -370,7 +430,14 @@ static noinline __kprobes int vmalloc_fa
21423 * happen within a race in page table update. In the later
21424 * case just flush:
21425 */
21426 +
21427 +#ifdef CONFIG_PAX_PER_CPU_PGD
21428 + BUG_ON(__pa(get_cpu_pgd(smp_processor_id())) != (read_cr3() & PHYSICAL_PAGE_MASK));
21429 + pgd = pgd_offset_cpu(smp_processor_id(), address);
21430 +#else
21431 pgd = pgd_offset(current->active_mm, address);
21432 +#endif
21433 +
21434 pgd_ref = pgd_offset_k(address);
21435 if (pgd_none(*pgd_ref))
21436 return -1;
21437 @@ -532,7 +599,7 @@ static int is_errata93(struct pt_regs *r
21438 static int is_errata100(struct pt_regs *regs, unsigned long address)
21439 {
21440 #ifdef CONFIG_X86_64
21441 - if ((regs->cs == __USER32_CS || (regs->cs & (1<<2))) && (address >> 32))
21442 + if ((regs->cs == __USER32_CS || (regs->cs & SEGMENT_LDT)) && (address >> 32))
21443 return 1;
21444 #endif
21445 return 0;
21446 @@ -559,7 +626,7 @@ static int is_f00f_bug(struct pt_regs *r
21447 }
21448
21449 static const char nx_warning[] = KERN_CRIT
21450 -"kernel tried to execute NX-protected page - exploit attempt? (uid: %d)\n";
21451 +"kernel tried to execute NX-protected page - exploit attempt? (uid: %d, task: %s, pid: %d)\n";
21452
21453 static void
21454 show_fault_oops(struct pt_regs *regs, unsigned long error_code,
21455 @@ -568,15 +635,26 @@ show_fault_oops(struct pt_regs *regs, un
21456 if (!oops_may_print())
21457 return;
21458
21459 - if (error_code & PF_INSTR) {
21460 + if ((__supported_pte_mask & _PAGE_NX) && (error_code & PF_INSTR)) {
21461 unsigned int level;
21462
21463 pte_t *pte = lookup_address(address, &level);
21464
21465 if (pte && pte_present(*pte) && !pte_exec(*pte))
21466 - printk(nx_warning, current_uid());
21467 + printk(nx_warning, current_uid(), current->comm, task_pid_nr(current));
21468 }
21469
21470 +#ifdef CONFIG_PAX_KERNEXEC
21471 + if (init_mm.start_code <= address && address < init_mm.end_code) {
21472 + if (current->signal->curr_ip)
21473 + printk(KERN_ERR "PAX: From %pI4: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n",
21474 + &current->signal->curr_ip, current->comm, task_pid_nr(current), current_uid(), current_euid());
21475 + else
21476 + printk(KERN_ERR "PAX: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n",
21477 + current->comm, task_pid_nr(current), current_uid(), current_euid());
21478 + }
21479 +#endif
21480 +
21481 printk(KERN_ALERT "BUG: unable to handle kernel ");
21482 if (address < PAGE_SIZE)
21483 printk(KERN_CONT "NULL pointer dereference");
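Review bot: The `CONFIG_PAX_KERNEXEC` block logs "attempted to modify kernel code" whenever `address` lies between `init_mm.start_code` and `init_mm.end_code`, without testing `error_code & PF_WRITE`. If a non-write fault can reach this point for such an address, the log line would misstate what happened; `if ((error_code & PF_WRITE) && init_mm.start_code <= address && address < init_mm.end_code) {` keeps the message accurate for anyone triaging from logs. The new messages also print the uid with `%u` while the extended `nx_warning` keeps `%d`, so the same uid can be rendered differently in adjacent lines. `show_fault_oops` continues beyond the hunk.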
21484 @@ -701,6 +779,68 @@ __bad_area_nosemaphore(struct pt_regs *r
21485 unsigned long address, int si_code)
21486 {
21487 struct task_struct *tsk = current;
21488 + struct mm_struct *mm = tsk->mm;
21489 +
21490 +#ifdef CONFIG_X86_64
21491 + if (mm && (error_code & PF_INSTR) && mm->context.vdso) {
21492 + if (regs->ip == (unsigned long)vgettimeofday) {
21493 + regs->ip = (unsigned long)VDSO64_SYMBOL(mm->context.vdso, fallback_gettimeofday);
21494 + return;
21495 + } else if (regs->ip == (unsigned long)vtime) {
21496 + regs->ip = (unsigned long)VDSO64_SYMBOL(mm->context.vdso, fallback_time);
21497 + return;
21498 + } else if (regs->ip == (unsigned long)vgetcpu) {
21499 + regs->ip = (unsigned long)VDSO64_SYMBOL(mm->context.vdso, getcpu);
21500 + return;
21501 + }
21502 + }
21503 +#endif
21504 +
21505 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
21506 + if (mm && (error_code & PF_USER)) {
21507 + unsigned long ip = regs->ip;
21508 +
21509 + if (v8086_mode(regs))
21510 + ip = ((regs->cs & 0xffff) << 4) + (ip & 0xffff);
21511 +
21512 + /*
21513 + * It's possible to have interrupts off here:
21514 + */
21515 + local_irq_enable();
21516 +
21517 +#ifdef CONFIG_PAX_PAGEEXEC
21518 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) &&
21519 + (((__supported_pte_mask & _PAGE_NX) && (error_code & PF_INSTR)) || (!(error_code & (PF_PROT | PF_WRITE)) && ip == address))) {
21520 +
21521 +#ifdef CONFIG_PAX_EMUTRAMP
21522 + switch (pax_handle_fetch_fault(regs)) {
21523 + case 2:
21524 + return;
21525 + }
21526 +#endif
21527 +
21528 + pax_report_fault(regs, (void *)ip, (void *)regs->sp);
21529 + do_group_exit(SIGKILL);
21530 + }
21531 +#endif
21532 +
21533 +#ifdef CONFIG_PAX_SEGMEXEC
21534 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && !(error_code & (PF_PROT | PF_WRITE)) && (ip + SEGMEXEC_TASK_SIZE == address)) {
21535 +
21536 +#ifdef CONFIG_PAX_EMUTRAMP
21537 + switch (pax_handle_fetch_fault(regs)) {
21538 + case 2:
21539 + return;
21540 + }
21541 +#endif
21542 +
21543 + pax_report_fault(regs, (void *)ip, (void *)regs->sp);
21544 + do_group_exit(SIGKILL);
21545 + }
21546 +#endif
21547 +
21548 + }
21549 +#endif
21550
21551 /* User mode accesses just cause a SIGSEGV */
21552 if (error_code & PF_USER) {
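Review bot: `switch (pax_handle_fetch_fault(regs)) { case 2: return; }` is a one-case switch on a bare number, written twice in this hunk and once more in `pax_handle_pageexec_fault` (hunk `@@ -855,6 +995,99`). An `if` reads more directly, `if (pax_handle_fetch_fault(regs) == 2) return;`, and named constants for the 1 (kill) and 2 (trampoline emulated) results would remove the magic numbers at all call sites. The PAGEEXEC and SEGMEXEC arms otherwise end in the same report-and-kill sequence and could share a helper. `__bad_area_nosemaphore` starts and ends outside the hunk.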
21553 @@ -855,6 +995,99 @@ static int spurious_fault_check(unsigned
21554 return 1;
21555 }
21556
21557 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
21558 +static int pax_handle_pageexec_fault(struct pt_regs *regs, struct mm_struct *mm, unsigned long address, unsigned long error_code)
21559 +{
21560 + pte_t *pte;
21561 + pmd_t *pmd;
21562 + spinlock_t *ptl;
21563 + unsigned char pte_mask;
21564 +
21565 + if ((__supported_pte_mask & _PAGE_NX) || (error_code & (PF_PROT|PF_USER)) != (PF_PROT|PF_USER) || v8086_mode(regs) ||
21566 + !(mm->pax_flags & MF_PAX_PAGEEXEC))
21567 + return 0;
21568 +
21569 + /* PaX: it's our fault, let's handle it if we can */
21570 +
21571 + /* PaX: take a look at read faults before acquiring any locks */
21572 + if (unlikely(!(error_code & PF_WRITE) && (regs->ip == address))) {
21573 + /* instruction fetch attempt from a protected page in user mode */
21574 + up_read(&mm->mmap_sem);
21575 +
21576 +#ifdef CONFIG_PAX_EMUTRAMP
21577 + switch (pax_handle_fetch_fault(regs)) {
21578 + case 2:
21579 + return 1;
21580 + }
21581 +#endif
21582 +
21583 + pax_report_fault(regs, (void *)regs->ip, (void *)regs->sp);
21584 + do_group_exit(SIGKILL);
21585 + }
21586 +
21587 + pmd = pax_get_pmd(mm, address);
21588 + if (unlikely(!pmd))
21589 + return 0;
21590 +
21591 + pte = pte_offset_map_lock(mm, pmd, address, &ptl);
21592 + if (unlikely(!(pte_val(*pte) & _PAGE_PRESENT) || pte_user(*pte))) {
21593 + pte_unmap_unlock(pte, ptl);
21594 + return 0;
21595 + }
21596 +
21597 + if (unlikely((error_code & PF_WRITE) && !pte_write(*pte))) {
21598 + /* write attempt to a protected page in user mode */
21599 + pte_unmap_unlock(pte, ptl);
21600 + return 0;
21601 + }
21602 +
21603 +#ifdef CONFIG_SMP
21604 + if (likely(address > get_limit(regs->cs) && cpu_isset(smp_processor_id(), mm->context.cpu_user_cs_mask)))
21605 +#else
21606 + if (likely(address > get_limit(regs->cs)))
21607 +#endif
21608 + {
21609 + set_pte(pte, pte_mkread(*pte));
21610 + __flush_tlb_one(address);
21611 + pte_unmap_unlock(pte, ptl);
21612 + up_read(&mm->mmap_sem);
21613 + return 1;
21614 + }
21615 +
21616 + pte_mask = _PAGE_ACCESSED | _PAGE_USER | ((error_code & PF_WRITE) << (_PAGE_BIT_DIRTY-1));
21617 +
21618 + /*
21619 + * PaX: fill DTLB with user rights and retry
21620 + */
21621 + __asm__ __volatile__ (
21622 + "orb %2,(%1)\n"
21623 +#if defined(CONFIG_M586) || defined(CONFIG_M586TSC)
21624 +/*
21625 + * PaX: let this uncommented 'invlpg' remind us on the behaviour of Intel's
21626 + * (and AMD's) TLBs. namely, they do not cache PTEs that would raise *any*
21627 + * page fault when examined during a TLB load attempt. this is true not only
21628 + * for PTEs holding a non-present entry but also present entries that will
21629 + * raise a page fault (such as those set up by PaX, or the copy-on-write
21630 + * mechanism). in effect it means that we do *not* need to flush the TLBs
21631 + * for our target pages since their PTEs are simply not in the TLBs at all.
21632 +
21633 + * the best thing in omitting it is that we gain around 15-20% speed in the
21634 + * fast path of the page fault handler and can get rid of tracing since we
21635 + * can no longer flush unintended entries.
21636 + */
21637 + "invlpg (%0)\n"
21638 +#endif
21639 + __copyuser_seg"testb $0,(%0)\n"
21640 + "xorb %3,(%1)\n"
21641 + :
21642 + : "r" (address), "r" (pte), "q" (pte_mask), "i" (_PAGE_USER)
21643 + : "memory", "cc");
21644 + pte_unmap_unlock(pte, ptl);
21645 + up_read(&mm->mmap_sem);
21646 + return 1;
21647 +}
21648 +#endif
21649 +
21650 /*
21651 * Handle a spurious fault caused by a stale TLB entry.
21652 *
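Review bot: `pax_handle_pageexec_fault` has an undocumented locking contract: every path that returns 1 has already called `up_read(&mm->mmap_sem)`, while every path that returns 0 leaves the semaphore held for the caller. The caller in `do_page_fault` returns immediately on a non-zero result, so a future path that returns 1 without the `up_read()` (or 0 after it) would leak or double-release `mmap_sem`. A header comment such as `/* Returns 1 if the fault was handled (mmap_sem released), 0 to continue normal fault handling (mmap_sem still held); does not return if the task is killed */` would make that explicit. The `pte_mask` expression also depends on the bit positions of `PF_WRITE` and `_PAGE_BIT_DIRTY` lining up after the shift and on the result fitting an `unsigned char`, which deserves a one-line comment.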
21653 @@ -927,6 +1160,9 @@ int show_unhandled_signals = 1;
21654 static inline int
21655 access_error(unsigned long error_code, struct vm_area_struct *vma)
21656 {
21657 + if ((__supported_pte_mask & _PAGE_NX) && (error_code & PF_INSTR) && !(vma->vm_flags & VM_EXEC))
21658 + return 1;
21659 +
21660 if (error_code & PF_WRITE) {
21661 /* write, present and write, not present: */
21662 if (unlikely(!(vma->vm_flags & VM_WRITE)))
21663 @@ -960,19 +1196,33 @@ do_page_fault(struct pt_regs *regs, unsi
21664 {
21665 struct vm_area_struct *vma;
21666 struct task_struct *tsk;
21667 - unsigned long address;
21668 struct mm_struct *mm;
21669 int fault;
21670 int write = error_code & PF_WRITE;
21671 unsigned int flags = FAULT_FLAG_ALLOW_RETRY |
21672 (write ? FAULT_FLAG_WRITE : 0);
21673
21674 + /* Get the faulting address: */
21675 + unsigned long address = read_cr2();
21676 +
21677 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
21678 + if (!user_mode(regs) && address < 2 * PAX_USER_SHADOW_BASE) {
21679 + if (!search_exception_tables(regs->ip)) {
21680 + bad_area_nosemaphore(regs, error_code, address);
21681 + return;
21682 + }
21683 + if (address < PAX_USER_SHADOW_BASE) {
21684 + printk(KERN_ERR "PAX: please report this to pageexec@freemail.hu\n");
21685 + printk(KERN_ERR "PAX: faulting IP: %pA\n", (void *)regs->ip);
21686 + show_trace_log_lvl(NULL, NULL, (void *)regs->sp, regs->bp, KERN_ERR);
21687 + } else
21688 + address -= PAX_USER_SHADOW_BASE;
21689 + }
21690 +#endif
21691 +
21692 tsk = current;
21693 mm = tsk->mm;
21694
21695 - /* Get the faulting address: */
21696 - address = read_cr2();
21697 -
21698 /*
21699 * Detect and handle instructions that would cause a page fault for
21700 * both a tracked kernel page and a userspace page.
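Review bot: The `address < 2 * PAX_USER_SHADOW_BASE` block has no comment explaining its three outcomes. A fault with no exception-table entry for `regs->ip` goes to `bad_area_nosemaphore()`, an address below `PAX_USER_SHADOW_BASE` is logged with a stack trace and then handled unchanged, and an address in the upper half is rebased down by `PAX_USER_SHADOW_BASE`. A short comment above the `#if` listing those cases would help. The logging arm calls `printk()` and `show_trace_log_lvl()` on every such fault with no rate limit; if user space can provoke it repeatedly (not determinable from this hunk), wrapping it in `if (printk_ratelimit())` would protect the log. `do_page_fault` continues outside the hunk.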
21701 @@ -1032,7 +1282,7 @@ do_page_fault(struct pt_regs *regs, unsi
21702 * User-mode registers count as a user access even for any
21703 * potential system fault or CPU buglet:
21704 */
21705 - if (user_mode_vm(regs)) {
21706 + if (user_mode(regs)) {
21707 local_irq_enable();
21708 error_code |= PF_USER;
21709 } else {
21710 @@ -1087,6 +1337,11 @@ retry:
21711 might_sleep();
21712 }
21713
21714 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
21715 + if (pax_handle_pageexec_fault(regs, mm, address, error_code))
21716 + return;
21717 +#endif
21718 +
21719 vma = find_vma(mm, address);
21720 if (unlikely(!vma)) {
21721 bad_area(regs, error_code, address);
21722 @@ -1098,18 +1353,24 @@ retry:
21723 bad_area(regs, error_code, address);
21724 return;
21725 }
21726 - if (error_code & PF_USER) {
21727 - /*
21728 - * Accessing the stack below %sp is always a bug.
21729 - * The large cushion allows instructions like enter
21730 - * and pusha to work. ("enter $65535, $31" pushes
21731 - * 32 pointers and then decrements %sp by 65535.)
21732 - */
21733 - if (unlikely(address + 65536 + 32 * sizeof(unsigned long) < regs->sp)) {
21734 - bad_area(regs, error_code, address);
21735 - return;
21736 - }
21737 + /*
21738 + * Accessing the stack below %sp is always a bug.
21739 + * The large cushion allows instructions like enter
21740 + * and pusha to work. ("enter $65535, $31" pushes
21741 + * 32 pointers and then decrements %sp by 65535.)
21742 + */
21743 + if (unlikely(address + 65536 + 32 * sizeof(unsigned long) < task_pt_regs(tsk)->sp)) {
21744 + bad_area(regs, error_code, address);
21745 + return;
21746 }
21747 +
21748 +#ifdef CONFIG_PAX_SEGMEXEC
21749 + if (unlikely((mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_end - SEGMEXEC_TASK_SIZE - 1 < address - SEGMEXEC_TASK_SIZE - 1)) {
21750 + bad_area(regs, error_code, address);
21751 + return;
21752 + }
21753 +#endif
21754 +
21755 if (unlikely(expand_stack(vma, address))) {
21756 bad_area(regs, error_code, address);
21757 return;
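Review bot: The stack-cushion check now runs for kernel-mode faults as well and compares against `task_pt_regs(tsk)->sp` instead of `regs->sp`, but the retained comment still only describes the original reasoning. A sentence such as `/* checked for kernel-mode accesses too, against the saved user stack pointer */` would record the intent. The `CONFIG_PAX_SEGMEXEC` condition `vma->vm_end - SEGMEXEC_TASK_SIZE - 1 < address - SEGMEXEC_TASK_SIZE - 1` appears to rely on unsigned wrap-around and needs a comment stating which range of `address` it rejects. The enclosing function starts and ends outside the hunk.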
21758 @@ -1164,3 +1425,199 @@ good_area:
21759
21760 up_read(&mm->mmap_sem);
21761 }
21762 +
21763 +#ifdef CONFIG_PAX_EMUTRAMP
21764 +static int pax_handle_fetch_fault_32(struct pt_regs *regs)
21765 +{
21766 + int err;
21767 +
21768 + do { /* PaX: gcc trampoline emulation #1 */
21769 + unsigned char mov1, mov2;
21770 + unsigned short jmp;
21771 + unsigned int addr1, addr2;
21772 +
21773 +#ifdef CONFIG_X86_64
21774 + if ((regs->ip + 11) >> 32)
21775 + break;
21776 +#endif
21777 +
21778 + err = get_user(mov1, (unsigned char __user *)regs->ip);
21779 + err |= get_user(addr1, (unsigned int __user *)(regs->ip + 1));
21780 + err |= get_user(mov2, (unsigned char __user *)(regs->ip + 5));
21781 + err |= get_user(addr2, (unsigned int __user *)(regs->ip + 6));
21782 + err |= get_user(jmp, (unsigned short __user *)(regs->ip + 10));
21783 +
21784 + if (err)
21785 + break;
21786 +
21787 + if (mov1 == 0xB9 && mov2 == 0xB8 && jmp == 0xE0FF) {
21788 + regs->cx = addr1;
21789 + regs->ax = addr2;
21790 + regs->ip = addr2;
21791 + return 2;
21792 + }
21793 + } while (0);
21794 +
21795 + do { /* PaX: gcc trampoline emulation #2 */
21796 + unsigned char mov, jmp;
21797 + unsigned int addr1, addr2;
21798 +
21799 +#ifdef CONFIG_X86_64
21800 + if ((regs->ip + 9) >> 32)
21801 + break;
21802 +#endif
21803 +
21804 + err = get_user(mov, (unsigned char __user *)regs->ip);
21805 + err |= get_user(addr1, (unsigned int __user *)(regs->ip + 1));
21806 + err |= get_user(jmp, (unsigned char __user *)(regs->ip + 5));
21807 + err |= get_user(addr2, (unsigned int __user *)(regs->ip + 6));
21808 +
21809 + if (err)
21810 + break;
21811 +
21812 + if (mov == 0xB9 && jmp == 0xE9) {
21813 + regs->cx = addr1;
21814 + regs->ip = (unsigned int)(regs->ip + addr2 + 10);
21815 + return 2;
21816 + }
21817 + } while (0);
21818 +
21819 + return 1; /* PaX in action */
21820 +}
21821 +
21822 +#ifdef CONFIG_X86_64
21823 +static int pax_handle_fetch_fault_64(struct pt_regs *regs)
21824 +{
21825 + int err;
21826 +
21827 + do { /* PaX: gcc trampoline emulation #1 */
21828 + unsigned short mov1, mov2, jmp1;
21829 + unsigned char jmp2;
21830 + unsigned int addr1;
21831 + unsigned long addr2;
21832 +
21833 + err = get_user(mov1, (unsigned short __user *)regs->ip);
21834 + err |= get_user(addr1, (unsigned int __user *)(regs->ip + 2));
21835 + err |= get_user(mov2, (unsigned short __user *)(regs->ip + 6));
21836 + err |= get_user(addr2, (unsigned long __user *)(regs->ip + 8));
21837 + err |= get_user(jmp1, (unsigned short __user *)(regs->ip + 16));
21838 + err |= get_user(jmp2, (unsigned char __user *)(regs->ip + 18));
21839 +
21840 + if (err)
21841 + break;
21842 +
21843 + if (mov1 == 0xBB41 && mov2 == 0xBA49 && jmp1 == 0xFF49 && jmp2 == 0xE3) {
21844 + regs->r11 = addr1;
21845 + regs->r10 = addr2;
21846 + regs->ip = addr1;
21847 + return 2;
21848 + }
21849 + } while (0);
21850 +
21851 + do { /* PaX: gcc trampoline emulation #2 */
21852 + unsigned short mov1, mov2, jmp1;
21853 + unsigned char jmp2;
21854 + unsigned long addr1, addr2;
21855 +
21856 + err = get_user(mov1, (unsigned short __user *)regs->ip);
21857 + err |= get_user(addr1, (unsigned long __user *)(regs->ip + 2));
21858 + err |= get_user(mov2, (unsigned short __user *)(regs->ip + 10));
21859 + err |= get_user(addr2, (unsigned long __user *)(regs->ip + 12));
21860 + err |= get_user(jmp1, (unsigned short __user *)(regs->ip + 20));
21861 + err |= get_user(jmp2, (unsigned char __user *)(regs->ip + 22));
21862 +
21863 + if (err)
21864 + break;
21865 +
21866 + if (mov1 == 0xBB49 && mov2 == 0xBA49 && jmp1 == 0xFF49 && jmp2 == 0xE3) {
21867 + regs->r11 = addr1;
21868 + regs->r10 = addr2;
21869 + regs->ip = addr1;
21870 + return 2;
21871 + }
21872 + } while (0);
21873 +
21874 + return 1; /* PaX in action */
21875 +}
21876 +#endif
21877 +
21878 +/*
21879 + * PaX: decide what to do with offenders (regs->ip = fault address)
21880 + *
21881 + * returns 1 when task should be killed
21882 + * 2 when gcc trampoline was detected
21883 + */
21884 +static int pax_handle_fetch_fault(struct pt_regs *regs)
21885 +{
21886 + if (v8086_mode(regs))
21887 + return 1;
21888 +
21889 + if (!(current->mm->pax_flags & MF_PAX_EMUTRAMP))
21890 + return 1;
21891 +
21892 +#ifdef CONFIG_X86_32
21893 + return pax_handle_fetch_fault_32(regs);
21894 +#else
21895 + if (regs->cs == __USER32_CS || (regs->cs & SEGMENT_LDT))
21896 + return pax_handle_fetch_fault_32(regs);
21897 + else
21898 + return pax_handle_fetch_fault_64(regs);
21899 +#endif
21900 +}
21901 +#endif
21902 +
21903 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
21904 +void pax_report_insns(void *pc, void *sp)
21905 +{
21906 + long i;
21907 +
21908 + printk(KERN_ERR "PAX: bytes at PC: ");
21909 + for (i = 0; i < 20; i++) {
21910 + unsigned char c;
21911 + if (get_user(c, (__force unsigned char __user *)pc+i))
21912 + printk(KERN_CONT "?? ");
21913 + else
21914 + printk(KERN_CONT "%02x ", c);
21915 + }
21916 + printk("\n");
21917 +
21918 + printk(KERN_ERR "PAX: bytes at SP-%lu: ", (unsigned long)sizeof(long));
21919 + for (i = -1; i < 80 / (long)sizeof(long); i++) {
21920 + unsigned long c;
21921 + if (get_user(c, (__force unsigned long __user *)sp+i))
21922 +#ifdef CONFIG_X86_32
21923 + printk(KERN_CONT "???????? ");
21924 +#else
21925 + printk(KERN_CONT "???????????????? ");
21926 +#endif
21927 + else
21928 + printk(KERN_CONT "%0*lx ", 2 * (int)sizeof(long), c);
21929 + }
21930 + printk("\n");
21931 +}
21932 +#endif
21933 +
21934 +/**
21935 + * probe_kernel_write(): safely attempt to write to a location
21936 + * @dst: address to write to
21937 + * @src: pointer to the data that shall be written
21938 + * @size: size of the data chunk
21939 + *
21940 + * Safely write to address @dst from the buffer at @src. If a kernel fault
21941 + * happens, handle that and return -EFAULT.
21942 + */
21943 +long notrace probe_kernel_write(void *dst, const void *src, size_t size)
21944 +{
21945 + long ret;
21946 + mm_segment_t old_fs = get_fs();
21947 +
21948 + set_fs(KERNEL_DS);
21949 + pagefault_disable();
21950 + pax_open_kernel();
21951 + ret = __copy_to_user_inatomic((__force void __user *)dst, src, size);
21952 + pax_close_kernel();
21953 + pagefault_enable();
21954 + set_fs(old_fs);
21955 +
21956 + return ret ? -EFAULT : 0;
21957 +}
21958 diff -urNp linux-2.6.39.3/arch/x86/mm/gup.c linux-2.6.39.3/arch/x86/mm/gup.c
21959 --- linux-2.6.39.3/arch/x86/mm/gup.c 2011-05-19 00:06:34.000000000 -0400
21960 +++ linux-2.6.39.3/arch/x86/mm/gup.c 2011-05-22 19:36:30.000000000 -0400
21961 @@ -263,7 +263,7 @@ int __get_user_pages_fast(unsigned long
21962 addr = start;
21963 len = (unsigned long) nr_pages << PAGE_SHIFT;
21964 end = start + len;
21965 - if (unlikely(!access_ok(write ? VERIFY_WRITE : VERIFY_READ,
21966 + if (unlikely(!__access_ok(write ? VERIFY_WRITE : VERIFY_READ,
21967 (void __user *)start, len)))
21968 return 0;
21969
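Review bot: The range check in __get_user_pages_fast() changes from access_ok() to __access_ok() with no comment on how the two differ, and it is the only validation of start/len visible before the walk. If access_ok() gains extra behaviour elsewhere in this patch that must not run in this path, record that above the call, e.g. `/* __access_ok(): plain range check only; the patched access_ok() must not be used here */`. The function starts and ends outside this hunk, so the reason cannot be confirmed from here.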
21970 diff -urNp linux-2.6.39.3/arch/x86/mm/highmem_32.c linux-2.6.39.3/arch/x86/mm/highmem_32.c
21971 --- linux-2.6.39.3/arch/x86/mm/highmem_32.c 2011-05-19 00:06:34.000000000 -0400
21972 +++ linux-2.6.39.3/arch/x86/mm/highmem_32.c 2011-05-22 19:36:30.000000000 -0400
21973 @@ -44,7 +44,10 @@ void *kmap_atomic_prot(struct page *page
21974 idx = type + KM_TYPE_NR*smp_processor_id();
21975 vaddr = __fix_to_virt(FIX_KMAP_BEGIN + idx);
21976 BUG_ON(!pte_none(*(kmap_pte-idx)));
21977 +
21978 + pax_open_kernel();
21979 set_pte(kmap_pte-idx, mk_pte(page, prot));
21980 + pax_close_kernel();
21981
21982 return (void *)vaddr;
21983 }
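Review bot: The pax_open_kernel()/pax_close_kernel() pair around set_pte() has no comment. The same bracket recurs in kmap_atomic_prot_pfn() (iomap_32.c) and set_pte_vaddr_pud() (init_64.c). Presumably the kmap page table is write-protected under this patch; a line such as `/* kmap_pte is read-only here (assumed); open the write window for this single store */` would say so. Whatever sits between the two calls runs with kernel write protection lifted, so the comment should also say that nothing else belongs inside the pair.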
21984 diff -urNp linux-2.6.39.3/arch/x86/mm/hugetlbpage.c linux-2.6.39.3/arch/x86/mm/hugetlbpage.c
21985 --- linux-2.6.39.3/arch/x86/mm/hugetlbpage.c 2011-05-19 00:06:34.000000000 -0400
21986 +++ linux-2.6.39.3/arch/x86/mm/hugetlbpage.c 2011-05-22 19:36:30.000000000 -0400
21987 @@ -266,13 +266,20 @@ static unsigned long hugetlb_get_unmappe
21988 struct hstate *h = hstate_file(file);
21989 struct mm_struct *mm = current->mm;
21990 struct vm_area_struct *vma;
21991 - unsigned long start_addr;
21992 + unsigned long start_addr, pax_task_size = TASK_SIZE;
21993 +
21994 +#ifdef CONFIG_PAX_SEGMEXEC
21995 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
21996 + pax_task_size = SEGMEXEC_TASK_SIZE;
21997 +#endif
21998 +
21999 + pax_task_size -= PAGE_SIZE;
22000
22001 if (len > mm->cached_hole_size) {
22002 - start_addr = mm->free_area_cache;
22003 + start_addr = mm->free_area_cache;
22004 } else {
22005 - start_addr = TASK_UNMAPPED_BASE;
22006 - mm->cached_hole_size = 0;
22007 + start_addr = mm->mmap_base;
22008 + mm->cached_hole_size = 0;
22009 }
22010
22011 full_search:
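Review bot: `pax_task_size -= PAGE_SIZE;` removes one page from the usable range without saying why, here and again in hugetlb_get_unmapped_area(). Add a comment with the intent, e.g. `/* keep the last page below the task limit unmapped */` if that is the purpose, so the bound is not later "simplified" back to TASK_SIZE. The two start_addr assignments differ from the removed lines only in whitespace, which hides the one real change (TASK_UNMAPPED_BASE to mm->mmap_base) in this hunk.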
22012 @@ -280,26 +287,27 @@ full_search:
22013
22014 for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
22015 /* At this point: (!vma || addr < vma->vm_end). */
22016 - if (TASK_SIZE - len < addr) {
22017 + if (pax_task_size - len < addr) {
22018 /*
22019 * Start a new search - just in case we missed
22020 * some holes.
22021 */
22022 - if (start_addr != TASK_UNMAPPED_BASE) {
22023 - start_addr = TASK_UNMAPPED_BASE;
22024 + if (start_addr != mm->mmap_base) {
22025 + start_addr = mm->mmap_base;
22026 mm->cached_hole_size = 0;
22027 goto full_search;
22028 }
22029 return -ENOMEM;
22030 }
22031 - if (!vma || addr + len <= vma->vm_start) {
22032 - mm->free_area_cache = addr + len;
22033 - return addr;
22034 - }
22035 + if (check_heap_stack_gap(vma, addr, len))
22036 + break;
22037 if (addr + mm->cached_hole_size < vma->vm_start)
22038 mm->cached_hole_size = vma->vm_start - addr;
22039 addr = ALIGN(vma->vm_end, huge_page_size(h));
22040 }
22041 +
22042 + mm->free_area_cache = addr + len;
22043 + return addr;
22044 }
22045
22046 static unsigned long hugetlb_get_unmapped_area_topdown(struct file *file,
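Review bot: After `if (check_heap_stack_gap(vma, addr, len)) break;` the loop reads `vma->vm_start` and `vma->vm_end`, so it is only safe if check_heap_stack_gap() returns true for a NULL vma; the removed code tested `!vma` explicitly. That helper is defined outside this hunk, so state the contract at the call site, e.g. `/* check_heap_stack_gap() must accept vma == NULL (nothing mapped above addr) */`, or keep `!vma ||` in the condition. The top-down loop in hugetlb_get_unmapped_area_topdown() relies on the same contract right after its find_vma() call.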
22047 @@ -308,10 +316,9 @@ static unsigned long hugetlb_get_unmappe
22048 {
22049 struct hstate *h = hstate_file(file);
22050 struct mm_struct *mm = current->mm;
22051 - struct vm_area_struct *vma, *prev_vma;
22052 - unsigned long base = mm->mmap_base, addr = addr0;
22053 + struct vm_area_struct *vma;
22054 + unsigned long base = mm->mmap_base, addr;
22055 unsigned long largest_hole = mm->cached_hole_size;
22056 - int first_time = 1;
22057
22058 /* don't allow allocations above current base */
22059 if (mm->free_area_cache > base)
22060 @@ -321,64 +328,63 @@ static unsigned long hugetlb_get_unmappe
22061 largest_hole = 0;
22062 mm->free_area_cache = base;
22063 }
22064 -try_again:
22065 +
22066 /* make sure it can fit in the remaining address space */
22067 if (mm->free_area_cache < len)
22068 goto fail;
22069
22070 /* either no address requested or can't fit in requested address hole */
22071 - addr = (mm->free_area_cache - len) & huge_page_mask(h);
22072 + addr = (mm->free_area_cache - len);
22073 do {
22074 + addr &= huge_page_mask(h);
22075 + vma = find_vma(mm, addr);
22076 /*
22077 * Lookup failure means no vma is above this address,
22078 * i.e. return with success:
22079 - */
22080 - if (!(vma = find_vma_prev(mm, addr, &prev_vma)))
22081 - return addr;
22082 -
22083 - /*
22084 * new region fits between prev_vma->vm_end and
22085 * vma->vm_start, use it:
22086 */
22087 - if (addr + len <= vma->vm_start &&
22088 - (!prev_vma || (addr >= prev_vma->vm_end))) {
22089 + if (check_heap_stack_gap(vma, addr, len)) {
22090 /* remember the address as a hint for next time */
22091 - mm->cached_hole_size = largest_hole;
22092 - return (mm->free_area_cache = addr);
22093 - } else {
22094 - /* pull free_area_cache down to the first hole */
22095 - if (mm->free_area_cache == vma->vm_end) {
22096 - mm->free_area_cache = vma->vm_start;
22097 - mm->cached_hole_size = largest_hole;
22098 - }
22099 + mm->cached_hole_size = largest_hole;
22100 + return (mm->free_area_cache = addr);
22101 + }
22102 + /* pull free_area_cache down to the first hole */
22103 + if (mm->free_area_cache == vma->vm_end) {
22104 + mm->free_area_cache = vma->vm_start;
22105 + mm->cached_hole_size = largest_hole;
22106 }
22107
22108 /* remember the largest hole we saw so far */
22109 if (addr + largest_hole < vma->vm_start)
22110 - largest_hole = vma->vm_start - addr;
22111 + largest_hole = vma->vm_start - addr;
22112
22113 /* try just below the current vma->vm_start */
22114 - addr = (vma->vm_start - len) & huge_page_mask(h);
22115 - } while (len <= vma->vm_start);
22116 + addr = skip_heap_stack_gap(vma, len);
22117 + } while (!IS_ERR_VALUE(addr));
22118
22119 fail:
22120 /*
22121 - * if hint left us with no space for the requested
22122 - * mapping then try again:
22123 - */
22124 - if (first_time) {
22125 - mm->free_area_cache = base;
22126 - largest_hole = 0;
22127 - first_time = 0;
22128 - goto try_again;
22129 - }
22130 - /*
22131 * A failed mmap() very likely causes application failure,
22132 * so fall back to the bottom-up function here. This scenario
22133 * can happen with large stack limits and large mmap()
22134 * allocations.
22135 */
22136 - mm->free_area_cache = TASK_UNMAPPED_BASE;
22137 +
22138 +#ifdef CONFIG_PAX_SEGMEXEC
22139 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
22140 + mm->mmap_base = SEGMEXEC_TASK_UNMAPPED_BASE;
22141 + else
22142 +#endif
22143 +
22144 + mm->mmap_base = TASK_UNMAPPED_BASE;
22145 +
22146 +#ifdef CONFIG_PAX_RANDMMAP
22147 + if (mm->pax_flags & MF_PAX_RANDMMAP)
22148 + mm->mmap_base += mm->delta_mmap;
22149 +#endif
22150 +
22151 + mm->free_area_cache = mm->mmap_base;
22152 mm->cached_hole_size = ~0UL;
22153 addr = hugetlb_get_unmapped_area_bottomup(file, addr0,
22154 len, pgoff, flags);
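Review bot: In the fail path the `else` inside `#ifdef CONFIG_PAX_SEGMEXEC` binds to `mm->mmap_base = TASK_UNMAPPED_BASE;` across the `#endif` and a blank line, so a statement inserted between them later silently changes which base is chosen. Assign the default first, `mm->mmap_base = TASK_UNMAPPED_BASE;`, and let the `#ifdef` block override it with a plain `if`. mmap_legacy_base() in mmap.c has the same dangling-else shape. Separately, the merged comment inside the loop still talks about a lookup failure and prev_vma, neither of which exists in the new code.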
22155 @@ -386,6 +392,7 @@ fail:
22156 /*
22157 * Restore the topdown base:
22158 */
22159 + mm->mmap_base = base;
22160 mm->free_area_cache = base;
22161 mm->cached_hole_size = ~0UL;
22162
22163 @@ -399,10 +406,19 @@ hugetlb_get_unmapped_area(struct file *f
22164 struct hstate *h = hstate_file(file);
22165 struct mm_struct *mm = current->mm;
22166 struct vm_area_struct *vma;
22167 + unsigned long pax_task_size = TASK_SIZE;
22168
22169 if (len & ~huge_page_mask(h))
22170 return -EINVAL;
22171 - if (len > TASK_SIZE)
22172 +
22173 +#ifdef CONFIG_PAX_SEGMEXEC
22174 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
22175 + pax_task_size = SEGMEXEC_TASK_SIZE;
22176 +#endif
22177 +
22178 + pax_task_size -= PAGE_SIZE;
22179 +
22180 + if (len > pax_task_size)
22181 return -ENOMEM;
22182
22183 if (flags & MAP_FIXED) {
22184 @@ -414,8 +430,7 @@ hugetlb_get_unmapped_area(struct file *f
22185 if (addr) {
22186 addr = ALIGN(addr, huge_page_size(h));
22187 vma = find_vma(mm, addr);
22188 - if (TASK_SIZE - len >= addr &&
22189 - (!vma || addr + len <= vma->vm_start))
22190 + if (pax_task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
22191 return addr;
22192 }
22193 if (mm->get_unmapped_area == arch_get_unmapped_area)
22194 diff -urNp linux-2.6.39.3/arch/x86/mm/init_32.c linux-2.6.39.3/arch/x86/mm/init_32.c
22195 --- linux-2.6.39.3/arch/x86/mm/init_32.c 2011-05-19 00:06:34.000000000 -0400
22196 +++ linux-2.6.39.3/arch/x86/mm/init_32.c 2011-05-22 19:36:30.000000000 -0400
22197 @@ -74,36 +74,6 @@ static __init void *alloc_low_page(void)
22198 }
22199
22200 /*
22201 - * Creates a middle page table and puts a pointer to it in the
22202 - * given global directory entry. This only returns the gd entry
22203 - * in non-PAE compilation mode, since the middle layer is folded.
22204 - */
22205 -static pmd_t * __init one_md_table_init(pgd_t *pgd)
22206 -{
22207 - pud_t *pud;
22208 - pmd_t *pmd_table;
22209 -
22210 -#ifdef CONFIG_X86_PAE
22211 - if (!(pgd_val(*pgd) & _PAGE_PRESENT)) {
22212 - if (after_bootmem)
22213 - pmd_table = (pmd_t *)alloc_bootmem_pages(PAGE_SIZE);
22214 - else
22215 - pmd_table = (pmd_t *)alloc_low_page();
22216 - paravirt_alloc_pmd(&init_mm, __pa(pmd_table) >> PAGE_SHIFT);
22217 - set_pgd(pgd, __pgd(__pa(pmd_table) | _PAGE_PRESENT));
22218 - pud = pud_offset(pgd, 0);
22219 - BUG_ON(pmd_table != pmd_offset(pud, 0));
22220 -
22221 - return pmd_table;
22222 - }
22223 -#endif
22224 - pud = pud_offset(pgd, 0);
22225 - pmd_table = pmd_offset(pud, 0);
22226 -
22227 - return pmd_table;
22228 -}
22229 -
22230 -/*
22231 * Create a page table and place a pointer to it in a middle page
22232 * directory entry:
22233 */
22234 @@ -123,13 +93,28 @@ static pte_t * __init one_page_table_ini
22235 page_table = (pte_t *)alloc_low_page();
22236
22237 paravirt_alloc_pte(&init_mm, __pa(page_table) >> PAGE_SHIFT);
22238 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
22239 + set_pmd(pmd, __pmd(__pa(page_table) | _KERNPG_TABLE));
22240 +#else
22241 set_pmd(pmd, __pmd(__pa(page_table) | _PAGE_TABLE));
22242 +#endif
22243 BUG_ON(page_table != pte_offset_kernel(pmd, 0));
22244 }
22245
22246 return pte_offset_kernel(pmd, 0);
22247 }
22248
22249 +static pmd_t * __init one_md_table_init(pgd_t *pgd)
22250 +{
22251 + pud_t *pud;
22252 + pmd_t *pmd_table;
22253 +
22254 + pud = pud_offset(pgd, 0);
22255 + pmd_table = pmd_offset(pud, 0);
22256 +
22257 + return pmd_table;
22258 +}
22259 +
22260 pmd_t * __init populate_extra_pmd(unsigned long vaddr)
22261 {
22262 int pgd_idx = pgd_index(vaddr);
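Review bot: The re-added one_md_table_init() no longer allocates a PMD page when the PGD entry is not present under CONFIG_X86_PAE, which the removed version did, and its header comment was deleted along with the old body. If the PMDs are now guaranteed to exist before any caller runs, say so, e.g. `/* PMDs are preallocated; this only looks the table up */`. If that guarantee does not hold, callers would walk through a non-present entry. populate_extra_pmd() continues outside the hunk, so its use of the helper is not visible here.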
22263 @@ -203,6 +188,7 @@ page_table_range_init(unsigned long star
22264 int pgd_idx, pmd_idx;
22265 unsigned long vaddr;
22266 pgd_t *pgd;
22267 + pud_t *pud;
22268 pmd_t *pmd;
22269 pte_t *pte = NULL;
22270
22271 @@ -212,8 +198,13 @@ page_table_range_init(unsigned long star
22272 pgd = pgd_base + pgd_idx;
22273
22274 for ( ; (pgd_idx < PTRS_PER_PGD) && (vaddr != end); pgd++, pgd_idx++) {
22275 - pmd = one_md_table_init(pgd);
22276 - pmd = pmd + pmd_index(vaddr);
22277 + pud = pud_offset(pgd, vaddr);
22278 + pmd = pmd_offset(pud, vaddr);
22279 +
22280 +#ifdef CONFIG_X86_PAE
22281 + paravirt_alloc_pmd(&init_mm, __pa(pmd) >> PAGE_SHIFT);
22282 +#endif
22283 +
22284 for (; (pmd_idx < PTRS_PER_PMD) && (vaddr != end);
22285 pmd++, pmd_idx++) {
22286 pte = page_table_kmap_check(one_page_table_init(pmd),
22287 @@ -225,11 +216,20 @@ page_table_range_init(unsigned long star
22288 }
22289 }
22290
22291 -static inline int is_kernel_text(unsigned long addr)
22292 +static inline int is_kernel_text(unsigned long start, unsigned long end)
22293 {
22294 - if (addr >= (unsigned long)_text && addr <= (unsigned long)__init_end)
22295 - return 1;
22296 - return 0;
22297 + if ((start > ktla_ktva((unsigned long)_etext) ||
22298 + end <= ktla_ktva((unsigned long)_stext)) &&
22299 + (start > ktla_ktva((unsigned long)_einittext) ||
22300 + end <= ktla_ktva((unsigned long)_sinittext)) &&
22301 +
22302 +#ifdef CONFIG_ACPI_SLEEP
22303 + (start > (unsigned long)__va(acpi_wakeup_address) + 0x4000 || end <= (unsigned long)__va(acpi_wakeup_address)) &&
22304 +#endif
22305 +
22306 + (start > (unsigned long)__va(0xfffff) || end <= (unsigned long)__va(0xc0000)))
22307 + return 0;
22308 + return 1;
22309 }
22310
22311 /*
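Review bot: is_kernel_text() now also returns 1 for the ACPI wakeup area and the 0xc0000-0xfffff range, so its name no longer describes what it decides, and `0x4000`, `0xfffff` and `0xc0000` are unexplained. A header comment such as `/* 1 if [start, end) overlaps a region that must stay executable: kernel text, init text, ACPI wakeup code, BIOS ROM area */` would make the callers' choice of PAGE_KERNEL_EXEC reviewable; the region names are my reading and need confirming. The lower bounds use `start >` where the upper bounds use `end <=`, so a range starting exactly at _etext still counts as overlapping and is mapped executable. Confirm that this is intended rather than `start >=`.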
22312 @@ -246,9 +246,10 @@ kernel_physical_mapping_init(unsigned lo
22313 unsigned long last_map_addr = end;
22314 unsigned long start_pfn, end_pfn;
22315 pgd_t *pgd_base = swapper_pg_dir;
22316 - int pgd_idx, pmd_idx, pte_ofs;
22317 + unsigned int pgd_idx, pmd_idx, pte_ofs;
22318 unsigned long pfn;
22319 pgd_t *pgd;
22320 + pud_t *pud;
22321 pmd_t *pmd;
22322 pte_t *pte;
22323 unsigned pages_2m, pages_4k;
22324 @@ -281,8 +282,13 @@ repeat:
22325 pfn = start_pfn;
22326 pgd_idx = pgd_index((pfn<<PAGE_SHIFT) + PAGE_OFFSET);
22327 pgd = pgd_base + pgd_idx;
22328 - for (; pgd_idx < PTRS_PER_PGD; pgd++, pgd_idx++) {
22329 - pmd = one_md_table_init(pgd);
22330 + for (; pgd_idx < PTRS_PER_PGD && pfn < max_low_pfn; pgd++, pgd_idx++) {
22331 + pud = pud_offset(pgd, 0);
22332 + pmd = pmd_offset(pud, 0);
22333 +
22334 +#ifdef CONFIG_X86_PAE
22335 + paravirt_alloc_pmd(&init_mm, __pa(pmd) >> PAGE_SHIFT);
22336 +#endif
22337
22338 if (pfn >= end_pfn)
22339 continue;
22340 @@ -294,14 +300,13 @@ repeat:
22341 #endif
22342 for (; pmd_idx < PTRS_PER_PMD && pfn < end_pfn;
22343 pmd++, pmd_idx++) {
22344 - unsigned int addr = pfn * PAGE_SIZE + PAGE_OFFSET;
22345 + unsigned long address = pfn * PAGE_SIZE + PAGE_OFFSET;
22346
22347 /*
22348 * Map with big pages if possible, otherwise
22349 * create normal page tables:
22350 */
22351 if (use_pse) {
22352 - unsigned int addr2;
22353 pgprot_t prot = PAGE_KERNEL_LARGE;
22354 /*
22355 * first pass will use the same initial
22356 @@ -311,11 +316,7 @@ repeat:
22357 __pgprot(PTE_IDENT_ATTR |
22358 _PAGE_PSE);
22359
22360 - addr2 = (pfn + PTRS_PER_PTE-1) * PAGE_SIZE +
22361 - PAGE_OFFSET + PAGE_SIZE-1;
22362 -
22363 - if (is_kernel_text(addr) ||
22364 - is_kernel_text(addr2))
22365 + if (is_kernel_text(address, address + PMD_SIZE))
22366 prot = PAGE_KERNEL_LARGE_EXEC;
22367
22368 pages_2m++;
22369 @@ -332,7 +333,7 @@ repeat:
22370 pte_ofs = pte_index((pfn<<PAGE_SHIFT) + PAGE_OFFSET);
22371 pte += pte_ofs;
22372 for (; pte_ofs < PTRS_PER_PTE && pfn < end_pfn;
22373 - pte++, pfn++, pte_ofs++, addr += PAGE_SIZE) {
22374 + pte++, pfn++, pte_ofs++, address += PAGE_SIZE) {
22375 pgprot_t prot = PAGE_KERNEL;
22376 /*
22377 * first pass will use the same initial
22378 @@ -340,7 +341,7 @@ repeat:
22379 */
22380 pgprot_t init_prot = __pgprot(PTE_IDENT_ATTR);
22381
22382 - if (is_kernel_text(addr))
22383 + if (is_kernel_text(address, address + PAGE_SIZE))
22384 prot = PAGE_KERNEL_EXEC;
22385
22386 pages_4k++;
22387 @@ -472,7 +473,7 @@ void __init native_pagetable_setup_start
22388
22389 pud = pud_offset(pgd, va);
22390 pmd = pmd_offset(pud, va);
22391 - if (!pmd_present(*pmd))
22392 + if (!pmd_present(*pmd) || pmd_huge(*pmd))
22393 break;
22394
22395 pte = pte_offset_kernel(pmd, va);
22396 @@ -524,12 +525,10 @@ void __init early_ioremap_page_table_ran
22397
22398 static void __init pagetable_init(void)
22399 {
22400 - pgd_t *pgd_base = swapper_pg_dir;
22401 -
22402 - permanent_kmaps_init(pgd_base);
22403 + permanent_kmaps_init(swapper_pg_dir);
22404 }
22405
22406 -pteval_t __supported_pte_mask __read_mostly = ~(_PAGE_NX | _PAGE_GLOBAL | _PAGE_IOMAP);
22407 +pteval_t __supported_pte_mask __read_only = ~(_PAGE_NX | _PAGE_GLOBAL | _PAGE_IOMAP);
22408 EXPORT_SYMBOL_GPL(__supported_pte_mask);
22409
22410 /* user-defined highmem size */
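Review bot: Marking __supported_pte_mask `__read_only` means every later write to it must happen before the section is protected or inside a pax_open_kernel() window, and nothing at the definition says so. A comment such as `/* written only during early NX setup; read-only afterwards */` would record the rule, if that is the rule. The init_64.c definition additionally starts with _PAGE_NX masked out, so NX depends on code outside these hunks setting the bit. That dependency deserves a note at that definition too.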
22411 @@ -754,6 +753,12 @@ void __init mem_init(void)
22412
22413 pci_iommu_alloc();
22414
22415 +#ifdef CONFIG_PAX_PER_CPU_PGD
22416 + clone_pgd_range(get_cpu_pgd(0) + KERNEL_PGD_BOUNDARY,
22417 + swapper_pg_dir + KERNEL_PGD_BOUNDARY,
22418 + KERNEL_PGD_PTRS);
22419 +#endif
22420 +
22421 #ifdef CONFIG_FLATMEM
22422 BUG_ON(!mem_map);
22423 #endif
22424 @@ -771,7 +776,7 @@ void __init mem_init(void)
22425 set_highmem_pages_init();
22426
22427 codesize = (unsigned long) &_etext - (unsigned long) &_text;
22428 - datasize = (unsigned long) &_edata - (unsigned long) &_etext;
22429 + datasize = (unsigned long) &_edata - (unsigned long) &_sdata;
22430 initsize = (unsigned long) &__init_end - (unsigned long) &__init_begin;
22431
22432 printk(KERN_INFO "Memory: %luk/%luk available (%dk kernel code, "
22433 @@ -812,10 +817,10 @@ void __init mem_init(void)
22434 ((unsigned long)&__init_end -
22435 (unsigned long)&__init_begin) >> 10,
22436
22437 - (unsigned long)&_etext, (unsigned long)&_edata,
22438 - ((unsigned long)&_edata - (unsigned long)&_etext) >> 10,
22439 + (unsigned long)&_sdata, (unsigned long)&_edata,
22440 + ((unsigned long)&_edata - (unsigned long)&_sdata) >> 10,
22441
22442 - (unsigned long)&_text, (unsigned long)&_etext,
22443 + ktla_ktva((unsigned long)&_text), ktla_ktva((unsigned long)&_etext),
22444 ((unsigned long)&_etext - (unsigned long)&_text) >> 10);
22445
22446 /*
22447 @@ -893,6 +898,7 @@ void set_kernel_text_rw(void)
22448 if (!kernel_set_to_readonly)
22449 return;
22450
22451 + start = ktla_ktva(start);
22452 pr_debug("Set kernel text: %lx - %lx for read write\n",
22453 start, start+size);
22454
22455 @@ -907,6 +913,7 @@ void set_kernel_text_ro(void)
22456 if (!kernel_set_to_readonly)
22457 return;
22458
22459 + start = ktla_ktva(start);
22460 pr_debug("Set kernel text: %lx - %lx for read only\n",
22461 start, start+size);
22462
22463 @@ -935,6 +942,7 @@ void mark_rodata_ro(void)
22464 unsigned long start = PFN_ALIGN(_text);
22465 unsigned long size = PFN_ALIGN(_etext) - start;
22466
22467 + start = ktla_ktva(start);
22468 set_pages_ro(virt_to_page(start), size >> PAGE_SHIFT);
22469 printk(KERN_INFO "Write protecting the kernel text: %luk\n",
22470 size >> 10);
22471 diff -urNp linux-2.6.39.3/arch/x86/mm/init_64.c linux-2.6.39.3/arch/x86/mm/init_64.c
22472 --- linux-2.6.39.3/arch/x86/mm/init_64.c 2011-05-19 00:06:34.000000000 -0400
22473 +++ linux-2.6.39.3/arch/x86/mm/init_64.c 2011-05-22 19:36:30.000000000 -0400
22474 @@ -74,7 +74,7 @@ early_param("gbpages", parse_direct_gbpa
22475 * around without checking the pgd every time.
22476 */
22477
22478 -pteval_t __supported_pte_mask __read_mostly = ~_PAGE_IOMAP;
22479 +pteval_t __supported_pte_mask __read_only = ~(_PAGE_NX | _PAGE_IOMAP);
22480 EXPORT_SYMBOL_GPL(__supported_pte_mask);
22481
22482 int force_personality32;
22483 @@ -107,12 +107,22 @@ void sync_global_pgds(unsigned long star
22484
22485 for (address = start; address <= end; address += PGDIR_SIZE) {
22486 const pgd_t *pgd_ref = pgd_offset_k(address);
22487 +
22488 +#ifdef CONFIG_PAX_PER_CPU_PGD
22489 + unsigned long cpu;
22490 +#else
22491 struct page *page;
22492 +#endif
22493
22494 if (pgd_none(*pgd_ref))
22495 continue;
22496
22497 spin_lock(&pgd_lock);
22498 +
22499 +#ifdef CONFIG_PAX_PER_CPU_PGD
22500 + for (cpu = 0; cpu < NR_CPUS; ++cpu) {
22501 + pgd_t *pgd = pgd_offset_cpu(cpu, address);
22502 +#else
22503 list_for_each_entry(page, &pgd_list, lru) {
22504 pgd_t *pgd;
22505 spinlock_t *pgt_lock;
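Review bot: Under CONFIG_PAX_PER_CPU_PGD the loop `for (cpu = 0; cpu < NR_CPUS; ++cpu)` walks every compile-time CPU slot, so pgd_offset_cpu() has to return a valid table even for CPUs that are not present, which cannot be seen from here. If the per-CPU PGDs are a static array, a comment saying so would settle it. The loop's opening brace sits inside the `#ifdef` branch and is closed by a brace shared with the `#else` branch two hunks further down, which is easy to unbalance in later edits. The function continues outside this hunk.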
22506 @@ -121,6 +131,7 @@ void sync_global_pgds(unsigned long star
22507 /* the pgt_lock only for Xen */
22508 pgt_lock = &pgd_page_get_mm(page)->page_table_lock;
22509 spin_lock(pgt_lock);
22510 +#endif
22511
22512 if (pgd_none(*pgd))
22513 set_pgd(pgd, *pgd_ref);
22514 @@ -128,7 +139,10 @@ void sync_global_pgds(unsigned long star
22515 BUG_ON(pgd_page_vaddr(*pgd)
22516 != pgd_page_vaddr(*pgd_ref));
22517
22518 +#ifndef CONFIG_PAX_PER_CPU_PGD
22519 spin_unlock(pgt_lock);
22520 +#endif
22521 +
22522 }
22523 spin_unlock(&pgd_lock);
22524 }
22525 @@ -202,7 +216,9 @@ void set_pte_vaddr_pud(pud_t *pud_page,
22526 pmd = fill_pmd(pud, vaddr);
22527 pte = fill_pte(pmd, vaddr);
22528
22529 + pax_open_kernel();
22530 set_pte(pte, new_pte);
22531 + pax_close_kernel();
22532
22533 /*
22534 * It's enough to flush this one mapping.
22535 @@ -261,14 +277,12 @@ static void __init __init_extra_mapping(
22536 pgd = pgd_offset_k((unsigned long)__va(phys));
22537 if (pgd_none(*pgd)) {
22538 pud = (pud_t *) spp_getpage();
22539 - set_pgd(pgd, __pgd(__pa(pud) | _KERNPG_TABLE |
22540 - _PAGE_USER));
22541 + set_pgd(pgd, __pgd(__pa(pud) | _PAGE_TABLE));
22542 }
22543 pud = pud_offset(pgd, (unsigned long)__va(phys));
22544 if (pud_none(*pud)) {
22545 pmd = (pmd_t *) spp_getpage();
22546 - set_pud(pud, __pud(__pa(pmd) | _KERNPG_TABLE |
22547 - _PAGE_USER));
22548 + set_pud(pud, __pud(__pa(pmd) | _PAGE_TABLE));
22549 }
22550 pmd = pmd_offset(pud, phys);
22551 BUG_ON(!pmd_none(*pmd));
22552 @@ -698,6 +712,12 @@ void __init mem_init(void)
22553
22554 pci_iommu_alloc();
22555
22556 +#ifdef CONFIG_PAX_PER_CPU_PGD
22557 + clone_pgd_range(get_cpu_pgd(0) + KERNEL_PGD_BOUNDARY,
22558 + swapper_pg_dir + KERNEL_PGD_BOUNDARY,
22559 + KERNEL_PGD_PTRS);
22560 +#endif
22561 +
22562 /* clear_bss() already clear the empty_zero_page */
22563
22564 reservedpages = 0;
22565 @@ -858,8 +878,8 @@ int kern_addr_valid(unsigned long addr)
22566 static struct vm_area_struct gate_vma = {
22567 .vm_start = VSYSCALL_START,
22568 .vm_end = VSYSCALL_START + (VSYSCALL_MAPPED_PAGES * PAGE_SIZE),
22569 - .vm_page_prot = PAGE_READONLY_EXEC,
22570 - .vm_flags = VM_READ | VM_EXEC
22571 + .vm_page_prot = PAGE_READONLY,
22572 + .vm_flags = VM_READ
22573 };
22574
22575 struct vm_area_struct *get_gate_vma(struct mm_struct *mm)
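Review bot: gate_vma loses VM_EXEC and PAGE_READONLY_EXEC without a comment, so the vsyscall area is now described as non-executable while user code may still jump to it. State at the initializer what services those calls under this patch, or that they are meant to fault, e.g. `/* not executable: vsyscall entry is handled by <placeholder: handler name> */`. Without that a later reader is likely to restore the exec bit as an apparent bug fix.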
22576 @@ -893,7 +913,7 @@ int in_gate_area_no_mm(unsigned long add
22577
22578 const char *arch_vma_name(struct vm_area_struct *vma)
22579 {
22580 - if (vma->vm_mm && vma->vm_start == (long)vma->vm_mm->context.vdso)
22581 + if (vma->vm_mm && vma->vm_start == vma->vm_mm->context.vdso)
22582 return "[vdso]";
22583 if (vma == &gate_vma)
22584 return "[vsyscall]";
22585 diff -urNp linux-2.6.39.3/arch/x86/mm/init.c linux-2.6.39.3/arch/x86/mm/init.c
22586 --- linux-2.6.39.3/arch/x86/mm/init.c 2011-05-19 00:06:34.000000000 -0400
22587 +++ linux-2.6.39.3/arch/x86/mm/init.c 2011-06-07 19:41:11.000000000 -0400
22588 @@ -33,7 +33,7 @@ int direct_gbpages
22589 static void __init find_early_table_space(unsigned long end, int use_pse,
22590 int use_gbpages)
22591 {
22592 - unsigned long puds, pmds, ptes, tables, start = 0, good_end = end;
22593 + unsigned long puds, pmds, ptes, tables, start = 0x100000, good_end = end;
22594 phys_addr_t base;
22595
22596 puds = (end + PUD_SIZE - 1) >> PUD_SHIFT;
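Review bot: `start = 0x100000` hard-codes the 1 MB boundary. The same boundary appears as `256` in devmem_is_allowed() and as `0x100` in __ioremap_caller() (ioremap.c), and those two also assume 4 KB pages. ISA_END_ADDRESS is already used by this patch in devmem_is_allowed(), so prefer `start = ISA_END_ADDRESS` here and `(ISA_END_ADDRESS >> PAGE_SHIFT)` for the page-number forms. If the intent is to keep early page tables out of low memory, a one-line comment should say so. The function body continues outside the hunk.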
22597 @@ -315,12 +315,34 @@ unsigned long __init_refok init_memory_m
22598 */
22599 int devmem_is_allowed(unsigned long pagenr)
22600 {
22601 - if (pagenr <= 256)
22602 +#ifdef CONFIG_GRKERNSEC_KMEM
22603 + /* allow BDA */
22604 + if (!pagenr)
22605 + return 1;
22606 + /* allow EBDA */
22607 + if ((0x9f000 >> PAGE_SHIFT) == pagenr)
22608 + return 1;
22609 +#else
22610 + if (!pagenr)
22611 + return 1;
22612 +#ifdef CONFIG_VM86
22613 + if (pagenr < (ISA_START_ADDRESS >> PAGE_SHIFT))
22614 + return 1;
22615 +#endif
22616 +#endif
22617 +
22618 + if ((ISA_START_ADDRESS >> PAGE_SHIFT) <= pagenr && pagenr < (ISA_END_ADDRESS >> PAGE_SHIFT))
22619 return 1;
22620 +#ifdef CONFIG_GRKERNSEC_KMEM
22621 + /* throw out everything else below 1MB */
22622 + if (pagenr <= 256)
22623 + return 0;
22624 +#endif
22625 if (iomem_is_exclusive(pagenr << PAGE_SHIFT))
22626 return 0;
22627 if (!page_is_ram(pagenr))
22628 return 1;
22629 +
22630 return 0;
22631 }
22632
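Review bot: With CONFIG_GRKERNSEC_KMEM the test `if (pagenr <= 256) return 0;` is commented "below 1MB", but page 256 is the first page at 1 MB, so code and comment disagree by one page. The result errs towards denying, yet it should read `pagenr < 256` or the comment should be corrected. The EBDA exception is fixed at `0x9f000 >> PAGE_SHIFT`, while firmware may place the EBDA elsewhere; on such a machine the allowed page is not the EBDA and the real one is refused, so the assumption should at least be written down. The `!pagenr` test is repeated in both `#ifdef` branches and can be hoisted above the conditional.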
22633 @@ -375,6 +397,86 @@ void free_init_pages(char *what, unsigne
22634
22635 void free_initmem(void)
22636 {
22637 +
22638 +#ifdef CONFIG_PAX_KERNEXEC
22639 +#ifdef CONFIG_X86_32
22640 + /* PaX: limit KERNEL_CS to actual size */
22641 + unsigned long addr, limit;
22642 + struct desc_struct d;
22643 + int cpu;
22644 +
22645 + limit = paravirt_enabled() ? ktva_ktla(0xffffffff) : (unsigned long)&_etext;
22646 + limit = (limit - 1UL) >> PAGE_SHIFT;
22647 +
22648 + memset(__LOAD_PHYSICAL_ADDR + PAGE_OFFSET, POISON_FREE_INITMEM, PAGE_SIZE);
22649 + for (cpu = 0; cpu < NR_CPUS; cpu++) {
22650 + pack_descriptor(&d, get_desc_base(&get_cpu_gdt_table(cpu)[GDT_ENTRY_KERNEL_CS]), limit, 0x9B, 0xC);
22651 + write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_KERNEL_CS, &d, DESCTYPE_S);
22652 + }
22653 +
22654 + /* PaX: make KERNEL_CS read-only */
22655 + addr = PFN_ALIGN(ktla_ktva((unsigned long)&_text));
22656 + if (!paravirt_enabled())
22657 + set_memory_ro(addr, (PFN_ALIGN(_sdata) - addr) >> PAGE_SHIFT);
22658 +/*
22659 + for (addr = ktla_ktva((unsigned long)&_text); addr < (unsigned long)&_sdata; addr += PMD_SIZE) {
22660 + pgd = pgd_offset_k(addr);
22661 + pud = pud_offset(pgd, addr);
22662 + pmd = pmd_offset(pud, addr);
22663 + set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
22664 + }
22665 +*/
22666 +#ifdef CONFIG_X86_PAE
22667 + set_memory_nx(PFN_ALIGN(__init_begin), (PFN_ALIGN(__init_end) - PFN_ALIGN(__init_begin)) >> PAGE_SHIFT);
22668 +/*
22669 + for (addr = (unsigned long)&__init_begin; addr < (unsigned long)&__init_end; addr += PMD_SIZE) {
22670 + pgd = pgd_offset_k(addr);
22671 + pud = pud_offset(pgd, addr);
22672 + pmd = pmd_offset(pud, addr);
22673 + set_pmd(pmd, __pmd(pmd_val(*pmd) | (_PAGE_NX & __supported_pte_mask)));
22674 + }
22675 +*/
22676 +#endif
22677 +
22678 +#ifdef CONFIG_MODULES
22679 + set_memory_4k((unsigned long)MODULES_EXEC_VADDR, (MODULES_EXEC_END - MODULES_EXEC_VADDR) >> PAGE_SHIFT);
22680 +#endif
22681 +
22682 +#else
22683 + pgd_t *pgd;
22684 + pud_t *pud;
22685 + pmd_t *pmd;
22686 + unsigned long addr, end;
22687 +
22688 + /* PaX: make kernel code/rodata read-only, rest non-executable */
22689 + for (addr = __START_KERNEL_map; addr < __START_KERNEL_map + KERNEL_IMAGE_SIZE; addr += PMD_SIZE) {
22690 + pgd = pgd_offset_k(addr);
22691 + pud = pud_offset(pgd, addr);
22692 + pmd = pmd_offset(pud, addr);
22693 + if (!pmd_present(*pmd))
22694 + continue;
22695 + if ((unsigned long)_text <= addr && addr < (unsigned long)_sdata)
22696 + set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
22697 + else
22698 + set_pmd(pmd, __pmd(pmd_val(*pmd) | (_PAGE_NX & __supported_pte_mask)));
22699 + }
22700 +
22701 + addr = (unsigned long)__va(__pa(__START_KERNEL_map));
22702 + end = addr + KERNEL_IMAGE_SIZE;
22703 + for (; addr < end; addr += PMD_SIZE) {
22704 + pgd = pgd_offset_k(addr);
22705 + pud = pud_offset(pgd, addr);
22706 + pmd = pmd_offset(pud, addr);
22707 + if (!pmd_present(*pmd))
22708 + continue;
22709 + if ((unsigned long)__va(__pa(_text)) <= addr && addr < (unsigned long)__va(__pa(_sdata)))
22710 + set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
22711 + }
22712 +#endif
22713 +
22714 + flush_tlb_all();
22715 +#endif
22716 +
22717 free_init_pages("unused kernel memory",
22718 (unsigned long)(&__init_begin),
22719 (unsigned long)(&__init_end));
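Review bot: The return values of set_memory_ro(), set_memory_nx() and set_memory_4k() are ignored, so a failed protection change passes silently at the point where the kernel image is being locked down. Wrapping each call, e.g. `WARN_ON(set_memory_ro(addr, ...));`, would surface it. The memset() call is given `__LOAD_PHYSICAL_ADDR + PAGE_OFFSET`, which appears to be an integer expression, with no pointer cast and no reason for poisoning that page; `memset((void *)(__LOAD_PHYSICAL_ADDR + PAGE_OFFSET), POISON_FREE_INITMEM, PAGE_SIZE);` plus a short comment would be clearer. The two commented-out `for (addr = ...)` loops are dead code and should be dropped or replaced by a sentence on why the set_memory_*() calls superseded them. free_initmem() continues past the end of the hunk.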
22720 diff -urNp linux-2.6.39.3/arch/x86/mm/iomap_32.c linux-2.6.39.3/arch/x86/mm/iomap_32.c
22721 --- linux-2.6.39.3/arch/x86/mm/iomap_32.c 2011-05-19 00:06:34.000000000 -0400
22722 +++ linux-2.6.39.3/arch/x86/mm/iomap_32.c 2011-05-22 19:36:30.000000000 -0400
22723 @@ -64,7 +64,11 @@ void *kmap_atomic_prot_pfn(unsigned long
22724 type = kmap_atomic_idx_push();
22725 idx = type + KM_TYPE_NR * smp_processor_id();
22726 vaddr = __fix_to_virt(FIX_KMAP_BEGIN + idx);
22727 +
22728 + pax_open_kernel();
22729 set_pte(kmap_pte - idx, pfn_pte(pfn, prot));
22730 + pax_close_kernel();
22731 +
22732 arch_flush_lazy_mmu_mode();
22733
22734 return (void *)vaddr;
22735 diff -urNp linux-2.6.39.3/arch/x86/mm/ioremap.c linux-2.6.39.3/arch/x86/mm/ioremap.c
22736 --- linux-2.6.39.3/arch/x86/mm/ioremap.c 2011-05-19 00:06:34.000000000 -0400
22737 +++ linux-2.6.39.3/arch/x86/mm/ioremap.c 2011-05-22 19:36:30.000000000 -0400
22738 @@ -104,7 +104,7 @@ static void __iomem *__ioremap_caller(re
22739 for (pfn = phys_addr >> PAGE_SHIFT; pfn <= last_pfn; pfn++) {
22740 int is_ram = page_is_ram(pfn);
22741
22742 - if (is_ram && pfn_valid(pfn) && !PageReserved(pfn_to_page(pfn)))
22743 + if (is_ram && pfn_valid(pfn) && (pfn >= 0x100 || !PageReserved(pfn_to_page(pfn))))
22744 return NULL;
22745 WARN_ON_ONCE(is_ram);
22746 }
22747 @@ -344,7 +344,7 @@ static int __init early_ioremap_debug_se
22748 early_param("early_ioremap_debug", early_ioremap_debug_setup);
22749
22750 static __initdata int after_paging_init;
22751 -static pte_t bm_pte[PAGE_SIZE/sizeof(pte_t)] __page_aligned_bss;
22752 +static pte_t bm_pte[PAGE_SIZE/sizeof(pte_t)] __read_only __aligned(PAGE_SIZE);
22753
22754 static inline pmd_t * __init early_ioremap_pmd(unsigned long addr)
22755 {
22756 @@ -381,8 +381,7 @@ void __init early_ioremap_init(void)
22757 slot_virt[i] = __fix_to_virt(FIX_BTMAP_BEGIN - NR_FIX_BTMAPS*i);
22758
22759 pmd = early_ioremap_pmd(fix_to_virt(FIX_BTMAP_BEGIN));
22760 - memset(bm_pte, 0, sizeof(bm_pte));
22761 - pmd_populate_kernel(&init_mm, pmd, bm_pte);
22762 + pmd_populate_user(&init_mm, pmd, bm_pte);
22763
22764 /*
22765 * The boot-ioremap range spans multiple pmds, for which
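Review bot: early_ioremap_init() now installs bm_pte with pmd_populate_user() instead of pmd_populate_kernel(), which reads as if the boot-time fixmap page table were being given user-level permissions. If the reason is only the PMD format this patch uses for kernel tables, a comment must say so. The removed `memset(bm_pte, 0, sizeof(bm_pte))` is presumably dropped because bm_pte became `__read_only` in the previous hunk and is already zero as a static object; record that as `/* bm_pte is static and __read_only: already zero, must not be written here */`. The function continues outside the hunk.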
22766 diff -urNp linux-2.6.39.3/arch/x86/mm/kmemcheck/kmemcheck.c linux-2.6.39.3/arch/x86/mm/kmemcheck/kmemcheck.c
22767 --- linux-2.6.39.3/arch/x86/mm/kmemcheck/kmemcheck.c 2011-05-19 00:06:34.000000000 -0400
22768 +++ linux-2.6.39.3/arch/x86/mm/kmemcheck/kmemcheck.c 2011-05-22 19:36:30.000000000 -0400
22769 @@ -622,9 +622,9 @@ bool kmemcheck_fault(struct pt_regs *reg
22770 * memory (e.g. tracked pages)? For now, we need this to avoid
22771 * invoking kmemcheck for PnP BIOS calls.
22772 */
22773 - if (regs->flags & X86_VM_MASK)
22774 + if (v8086_mode(regs))
22775 return false;
22776 - if (regs->cs != __KERNEL_CS)
22777 + if (regs->cs != __KERNEL_CS && regs->cs != __KERNEXEC_KERNEL_CS)
22778 return false;
22779
22780 pte = kmemcheck_pte_lookup(address);
22781 diff -urNp linux-2.6.39.3/arch/x86/mm/mmap.c linux-2.6.39.3/arch/x86/mm/mmap.c
22782 --- linux-2.6.39.3/arch/x86/mm/mmap.c 2011-05-19 00:06:34.000000000 -0400
22783 +++ linux-2.6.39.3/arch/x86/mm/mmap.c 2011-05-22 19:36:30.000000000 -0400
22784 @@ -49,7 +49,7 @@ static unsigned int stack_maxrandom_size
22785 * Leave an at least ~128 MB hole with possible stack randomization.
22786 */
22787 #define MIN_GAP (128*1024*1024UL + stack_maxrandom_size())
22788 -#define MAX_GAP (TASK_SIZE/6*5)
22789 +#define MAX_GAP (pax_task_size/6*5)
22790
22791 /*
22792 * True on X86_32 or when emulating IA32 on X86_64
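Review bot: `MAX_GAP` now expands to `pax_task_size/6*5`, and pax_task_size is a local variable that exists only inside mmap_base(), so the macro compiles only where a variable of that name happens to be in scope. Make the dependency explicit with `#define MAX_GAP(task_size) ((task_size)/6*5)` and `gap > MAX_GAP(pax_task_size)` at the use site, or compute the bound as a local in mmap_base().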
22793 @@ -94,27 +94,40 @@ static unsigned long mmap_rnd(void)
22794 return rnd << PAGE_SHIFT;
22795 }
22796
22797 -static unsigned long mmap_base(void)
22798 +static unsigned long mmap_base(struct mm_struct *mm)
22799 {
22800 unsigned long gap = rlimit(RLIMIT_STACK);
22801 + unsigned long pax_task_size = TASK_SIZE;
22802 +
22803 +#ifdef CONFIG_PAX_SEGMEXEC
22804 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
22805 + pax_task_size = SEGMEXEC_TASK_SIZE;
22806 +#endif
22807
22808 if (gap < MIN_GAP)
22809 gap = MIN_GAP;
22810 else if (gap > MAX_GAP)
22811 gap = MAX_GAP;
22812
22813 - return PAGE_ALIGN(TASK_SIZE - gap - mmap_rnd());
22814 + return PAGE_ALIGN(pax_task_size - gap - mmap_rnd());
22815 }
22816
22817 /*
22818 * Bottom-up (legacy) layout on X86_32 did not support randomization, X86_64
22819 * does, but not when emulating X86_32
22820 */
22821 -static unsigned long mmap_legacy_base(void)
22822 +static unsigned long mmap_legacy_base(struct mm_struct *mm)
22823 {
22824 - if (mmap_is_ia32())
22825 + if (mmap_is_ia32()) {
22826 +
22827 +#ifdef CONFIG_PAX_SEGMEXEC
22828 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
22829 + return SEGMEXEC_TASK_UNMAPPED_BASE;
22830 + else
22831 +#endif
22832 +
22833 return TASK_UNMAPPED_BASE;
22834 - else
22835 + } else
22836 return TASK_UNMAPPED_BASE + mmap_rnd();
22837 }
22838
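Review bot: In `mmap_legacy_base()` the `else` placed just before `#endif` binds to the `return TASK_UNMAPPED_BASE;` that follows the preprocessor block, and the blank line between them hides that pairing. Since the SEGMEXEC branch already returns, the `else` can be dropped, leaving `if (mm->pax_flags & MF_PAX_SEGMEXEC) return SEGMEXEC_TASK_UNMAPPED_BASE;` inside the `#ifdef` and the plain return after it. The same `else` / `#endif` construction appears in `x86_configure_nx()` in the setup_nx.c section, where the `else` is needed; there a comment such as `#endif /* the next statement is the else branch when NX is configurable */` would make the pairing explicit.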
22839 @@ -125,11 +138,23 @@ static unsigned long mmap_legacy_base(vo
22840 void arch_pick_mmap_layout(struct mm_struct *mm)
22841 {
22842 if (mmap_is_legacy()) {
22843 - mm->mmap_base = mmap_legacy_base();
22844 + mm->mmap_base = mmap_legacy_base(mm);
22845 +
22846 +#ifdef CONFIG_PAX_RANDMMAP
22847 + if (mm->pax_flags & MF_PAX_RANDMMAP)
22848 + mm->mmap_base += mm->delta_mmap;
22849 +#endif
22850 +
22851 mm->get_unmapped_area = arch_get_unmapped_area;
22852 mm->unmap_area = arch_unmap_area;
22853 } else {
22854 - mm->mmap_base = mmap_base();
22855 + mm->mmap_base = mmap_base(mm);
22856 +
22857 +#ifdef CONFIG_PAX_RANDMMAP
22858 + if (mm->pax_flags & MF_PAX_RANDMMAP)
22859 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
22860 +#endif
22861 +
22862 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
22863 mm->unmap_area = arch_unmap_area_topdown;
22864 }
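Review bot: The top-down branch subtracts `mm->delta_mmap + mm->delta_stack` from `mm->mmap_base` with no lower bound, after `mmap_base()` has already subtracted the gap (clamped to `MAX_GAP`) and `mmap_rnd()` from the task size. Whether the result can come close to zero or wrap depends on the ranges of `delta_mmap` and `delta_stack`, which are set outside this hunk, and on the smaller `SEGMEXEC_TASK_SIZE`. I would state the invariant next to the subtraction, e.g. `/* relies on delta_mmap + delta_stack fitting in the space left below the gap; see PAX_DELTA_*_LEN */`, or add a clamp if that invariant does not hold. The function continues past the end of the hunk.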
22865 diff -urNp linux-2.6.39.3/arch/x86/mm/mmio-mod.c linux-2.6.39.3/arch/x86/mm/mmio-mod.c
22866 --- linux-2.6.39.3/arch/x86/mm/mmio-mod.c 2011-05-19 00:06:34.000000000 -0400
22867 +++ linux-2.6.39.3/arch/x86/mm/mmio-mod.c 2011-07-06 20:00:13.000000000 -0400
22868 @@ -195,7 +195,7 @@ static void pre(struct kmmio_probe *p, s
22869 break;
22870 default:
22871 {
22872 - unsigned char *ip = (unsigned char *)instptr;
22873 + unsigned char *ip = (unsigned char *)ktla_ktva(instptr);
22874 my_trace->opcode = MMIO_UNKNOWN_OP;
22875 my_trace->width = 0;
22876 my_trace->value = (*ip) << 16 | *(ip + 1) << 8 |
22877 @@ -235,7 +235,7 @@ static void post(struct kmmio_probe *p,
22878 static void ioremap_trace_core(resource_size_t offset, unsigned long size,
22879 void __iomem *addr)
22880 {
22881 - static atomic_t next_id;
22882 + static atomic_unchecked_t next_id;
22883 struct remap_trace *trace = kmalloc(sizeof(*trace), GFP_KERNEL);
22884 /* These are page-unaligned. */
22885 struct mmiotrace_map map = {
22886 @@ -259,7 +259,7 @@ static void ioremap_trace_core(resource_
22887 .private = trace
22888 },
22889 .phys = offset,
22890 - .id = atomic_inc_return(&next_id)
22891 + .id = atomic_inc_return_unchecked(&next_id)
22892 };
22893 map.map_id = trace->id;
22894
22895 diff -urNp linux-2.6.39.3/arch/x86/mm/numa_32.c linux-2.6.39.3/arch/x86/mm/numa_32.c
22896 --- linux-2.6.39.3/arch/x86/mm/numa_32.c 2011-05-19 00:06:34.000000000 -0400
22897 +++ linux-2.6.39.3/arch/x86/mm/numa_32.c 2011-05-22 19:36:30.000000000 -0400
22898 @@ -99,7 +99,6 @@ unsigned long node_memmap_size_bytes(int
22899 }
22900 #endif
22901
22902 -extern unsigned long find_max_low_pfn(void);
22903 extern unsigned long highend_pfn, highstart_pfn;
22904
22905 #define LARGE_PAGE_BYTES (PTRS_PER_PTE * PAGE_SIZE)
22906 diff -urNp linux-2.6.39.3/arch/x86/mm/pageattr.c linux-2.6.39.3/arch/x86/mm/pageattr.c
22907 --- linux-2.6.39.3/arch/x86/mm/pageattr.c 2011-05-19 00:06:34.000000000 -0400
22908 +++ linux-2.6.39.3/arch/x86/mm/pageattr.c 2011-05-22 19:36:30.000000000 -0400
22909 @@ -261,7 +261,7 @@ static inline pgprot_t static_protection
22910 */
22911 #ifdef CONFIG_PCI_BIOS
22912 if (pcibios_enabled && within(pfn, BIOS_BEGIN >> PAGE_SHIFT, BIOS_END >> PAGE_SHIFT))
22913 - pgprot_val(forbidden) |= _PAGE_NX;
22914 + pgprot_val(forbidden) |= _PAGE_NX & __supported_pte_mask;
22915 #endif
22916
22917 /*
22918 @@ -269,9 +269,10 @@ static inline pgprot_t static_protection
22919 * Does not cover __inittext since that is gone later on. On
22920 * 64bit we do not enforce !NX on the low mapping
22921 */
22922 - if (within(address, (unsigned long)_text, (unsigned long)_etext))
22923 - pgprot_val(forbidden) |= _PAGE_NX;
22924 + if (within(address, ktla_ktva((unsigned long)_text), ktla_ktva((unsigned long)_etext)))
22925 + pgprot_val(forbidden) |= _PAGE_NX & __supported_pte_mask;
22926
22927 +#ifdef CONFIG_DEBUG_RODATA
22928 /*
22929 * The .rodata section needs to be read-only. Using the pfn
22930 * catches all aliases.
22931 @@ -279,6 +280,7 @@ static inline pgprot_t static_protection
22932 if (within(pfn, __pa((unsigned long)__start_rodata) >> PAGE_SHIFT,
22933 __pa((unsigned long)__end_rodata) >> PAGE_SHIFT))
22934 pgprot_val(forbidden) |= _PAGE_RW;
22935 +#endif
22936
22937 #if defined(CONFIG_X86_64) && defined(CONFIG_DEBUG_RODATA)
22938 /*
22939 @@ -317,6 +319,13 @@ static inline pgprot_t static_protection
22940 }
22941 #endif
22942
22943 +#ifdef CONFIG_PAX_KERNEXEC
22944 + if (within(pfn, __pa((unsigned long)&_text), __pa((unsigned long)&_sdata))) {
22945 + pgprot_val(forbidden) |= _PAGE_RW;
22946 + pgprot_val(forbidden) |= _PAGE_NX & __supported_pte_mask;
22947 + }
22948 +#endif
22949 +
22950 prot = __pgprot(pgprot_val(prot) & ~pgprot_val(forbidden));
22951
22952 return prot;
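Review bot: The added KERNEXEC check compares `pfn` with `__pa((unsigned long)&_text)` and `__pa((unsigned long)&_sdata)`, which are byte addresses, while the .rodata check in the same function (previous hunk) shifts both bounds with `>> PAGE_SHIFT`. Unless mixed units are intended here, the range tested is not the set of frames between `_text` and `_sdata`, and aliases of those pages would not get `_PAGE_RW` forbidden by this block. The matching form would be `within(pfn, __pa((unsigned long)&_text) >> PAGE_SHIFT, __pa((unsigned long)&_sdata) >> PAGE_SHIFT)`. `static_protections()` starts before this hunk and its closing brace is outside it.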
22953 @@ -369,23 +378,37 @@ EXPORT_SYMBOL_GPL(lookup_address);
22954 static void __set_pmd_pte(pte_t *kpte, unsigned long address, pte_t pte)
22955 {
22956 /* change init_mm */
22957 + pax_open_kernel();
22958 set_pte_atomic(kpte, pte);
22959 +
22960 #ifdef CONFIG_X86_32
22961 if (!SHARED_KERNEL_PMD) {
22962 +
22963 +#ifdef CONFIG_PAX_PER_CPU_PGD
22964 + unsigned long cpu;
22965 +#else
22966 struct page *page;
22967 +#endif
22968
22969 +#ifdef CONFIG_PAX_PER_CPU_PGD
22970 + for (cpu = 0; cpu < NR_CPUS; ++cpu) {
22971 + pgd_t *pgd = get_cpu_pgd(cpu);
22972 +#else
22973 list_for_each_entry(page, &pgd_list, lru) {
22974 - pgd_t *pgd;
22975 + pgd_t *pgd = (pgd_t *)page_address(page);
22976 +#endif
22977 +
22978 pud_t *pud;
22979 pmd_t *pmd;
22980
22981 - pgd = (pgd_t *)page_address(page) + pgd_index(address);
22982 + pgd += pgd_index(address);
22983 pud = pud_offset(pgd, address);
22984 pmd = pmd_offset(pud, address);
22985 set_pte_atomic((pte_t *)pmd, pte);
22986 }
22987 }
22988 #endif
22989 + pax_close_kernel();
22990 }
22991
22992 static int
22993 diff -urNp linux-2.6.39.3/arch/x86/mm/pageattr-test.c linux-2.6.39.3/arch/x86/mm/pageattr-test.c
22994 --- linux-2.6.39.3/arch/x86/mm/pageattr-test.c 2011-05-19 00:06:34.000000000 -0400
22995 +++ linux-2.6.39.3/arch/x86/mm/pageattr-test.c 2011-05-22 19:36:30.000000000 -0400
22996 @@ -36,7 +36,7 @@ enum {
22997
22998 static int pte_testbit(pte_t pte)
22999 {
23000 - return pte_flags(pte) & _PAGE_UNUSED1;
23001 + return pte_flags(pte) & _PAGE_CPA_TEST;
23002 }
23003
23004 struct split_state {
23005 diff -urNp linux-2.6.39.3/arch/x86/mm/pat.c linux-2.6.39.3/arch/x86/mm/pat.c
23006 --- linux-2.6.39.3/arch/x86/mm/pat.c 2011-05-19 00:06:34.000000000 -0400
23007 +++ linux-2.6.39.3/arch/x86/mm/pat.c 2011-05-22 19:36:30.000000000 -0400
23008 @@ -361,7 +361,7 @@ int free_memtype(u64 start, u64 end)
23009
23010 if (!entry) {
23011 printk(KERN_INFO "%s:%d freeing invalid memtype %Lx-%Lx\n",
23012 - current->comm, current->pid, start, end);
23013 + current->comm, task_pid_nr(current), start, end);
23014 return -EINVAL;
23015 }
23016
23017 @@ -492,8 +492,8 @@ static inline int range_is_allowed(unsig
23018 while (cursor < to) {
23019 if (!devmem_is_allowed(pfn)) {
23020 printk(KERN_INFO
23021 - "Program %s tried to access /dev/mem between %Lx->%Lx.\n",
23022 - current->comm, from, to);
23023 + "Program %s tried to access /dev/mem between %Lx->%Lx (%Lx).\n",
23024 + current->comm, from, to, cursor);
23025 return 0;
23026 }
23027 cursor += PAGE_SIZE;
23028 @@ -557,7 +557,7 @@ int kernel_map_sync_memtype(u64 base, un
23029 printk(KERN_INFO
23030 "%s:%d ioremap_change_attr failed %s "
23031 "for %Lx-%Lx\n",
23032 - current->comm, current->pid,
23033 + current->comm, task_pid_nr(current),
23034 cattr_name(flags),
23035 base, (unsigned long long)(base + size));
23036 return -EINVAL;
23037 @@ -593,7 +593,7 @@ static int reserve_pfn_range(u64 paddr,
23038 if (want_flags != flags) {
23039 printk(KERN_WARNING
23040 "%s:%d map pfn RAM range req %s for %Lx-%Lx, got %s\n",
23041 - current->comm, current->pid,
23042 + current->comm, task_pid_nr(current),
23043 cattr_name(want_flags),
23044 (unsigned long long)paddr,
23045 (unsigned long long)(paddr + size),
23046 @@ -615,7 +615,7 @@ static int reserve_pfn_range(u64 paddr,
23047 free_memtype(paddr, paddr + size);
23048 printk(KERN_ERR "%s:%d map pfn expected mapping type %s"
23049 " for %Lx-%Lx, got %s\n",
23050 - current->comm, current->pid,
23051 + current->comm, task_pid_nr(current),
23052 cattr_name(want_flags),
23053 (unsigned long long)paddr,
23054 (unsigned long long)(paddr + size),
23055 diff -urNp linux-2.6.39.3/arch/x86/mm/pf_in.c linux-2.6.39.3/arch/x86/mm/pf_in.c
23056 --- linux-2.6.39.3/arch/x86/mm/pf_in.c 2011-05-19 00:06:34.000000000 -0400
23057 +++ linux-2.6.39.3/arch/x86/mm/pf_in.c 2011-07-06 20:00:13.000000000 -0400
23058 @@ -148,7 +148,7 @@ enum reason_type get_ins_type(unsigned l
23059 int i;
23060 enum reason_type rv = OTHERS;
23061
23062 - p = (unsigned char *)ins_addr;
23063 + p = (unsigned char *)ktla_ktva(ins_addr);
23064 p += skip_prefix(p, &prf);
23065 p += get_opcode(p, &opcode);
23066
23067 @@ -168,7 +168,7 @@ static unsigned int get_ins_reg_width(un
23068 struct prefix_bits prf;
23069 int i;
23070
23071 - p = (unsigned char *)ins_addr;
23072 + p = (unsigned char *)ktla_ktva(ins_addr);
23073 p += skip_prefix(p, &prf);
23074 p += get_opcode(p, &opcode);
23075
23076 @@ -191,7 +191,7 @@ unsigned int get_ins_mem_width(unsigned
23077 struct prefix_bits prf;
23078 int i;
23079
23080 - p = (unsigned char *)ins_addr;
23081 + p = (unsigned char *)ktla_ktva(ins_addr);
23082 p += skip_prefix(p, &prf);
23083 p += get_opcode(p, &opcode);
23084
23085 @@ -416,7 +416,7 @@ unsigned long get_ins_reg_val(unsigned l
23086 int i;
23087 unsigned long rv;
23088
23089 - p = (unsigned char *)ins_addr;
23090 + p = (unsigned char *)ktla_ktva(ins_addr);
23091 p += skip_prefix(p, &prf);
23092 p += get_opcode(p, &opcode);
23093 for (i = 0; i < ARRAY_SIZE(reg_rop); i++)
23094 @@ -476,7 +476,7 @@ unsigned long get_ins_imm_val(unsigned l
23095 int i;
23096 unsigned long rv;
23097
23098 - p = (unsigned char *)ins_addr;
23099 + p = (unsigned char *)ktla_ktva(ins_addr);
23100 p += skip_prefix(p, &prf);
23101 p += get_opcode(p, &opcode);
23102 for (i = 0; i < ARRAY_SIZE(imm_wop); i++)
23103 diff -urNp linux-2.6.39.3/arch/x86/mm/pgtable_32.c linux-2.6.39.3/arch/x86/mm/pgtable_32.c
23104 --- linux-2.6.39.3/arch/x86/mm/pgtable_32.c 2011-05-19 00:06:34.000000000 -0400
23105 +++ linux-2.6.39.3/arch/x86/mm/pgtable_32.c 2011-05-22 19:36:30.000000000 -0400
23106 @@ -48,10 +48,13 @@ void set_pte_vaddr(unsigned long vaddr,
23107 return;
23108 }
23109 pte = pte_offset_kernel(pmd, vaddr);
23110 +
23111 + pax_open_kernel();
23112 if (pte_val(pteval))
23113 set_pte_at(&init_mm, vaddr, pte, pteval);
23114 else
23115 pte_clear(&init_mm, vaddr, pte);
23116 + pax_close_kernel();
23117
23118 /*
23119 * It's enough to flush this one mapping.
23120 diff -urNp linux-2.6.39.3/arch/x86/mm/pgtable.c linux-2.6.39.3/arch/x86/mm/pgtable.c
23121 --- linux-2.6.39.3/arch/x86/mm/pgtable.c 2011-05-19 00:06:34.000000000 -0400
23122 +++ linux-2.6.39.3/arch/x86/mm/pgtable.c 2011-05-22 19:36:30.000000000 -0400
23123 @@ -84,10 +84,52 @@ static inline void pgd_list_del(pgd_t *p
23124 list_del(&page->lru);
23125 }
23126
23127 -#define UNSHARED_PTRS_PER_PGD \
23128 - (SHARED_KERNEL_PMD ? KERNEL_PGD_BOUNDARY : PTRS_PER_PGD)
23129 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
23130 +pgdval_t clone_pgd_mask __read_only = ~_PAGE_PRESENT;
23131
23132 +void __shadow_user_pgds(pgd_t *dst, const pgd_t *src, int count)
23133 +{
23134 + while (count--)
23135 + *dst++ = __pgd((pgd_val(*src++) | (_PAGE_NX & __supported_pte_mask)) & ~_PAGE_USER);
23136 +}
23137 +#endif
23138 +
23139 +#ifdef CONFIG_PAX_PER_CPU_PGD
23140 +void __clone_user_pgds(pgd_t *dst, const pgd_t *src, int count)
23141 +{
23142 + while (count--)
23143 +
23144 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
23145 + *dst++ = __pgd(pgd_val(*src++) & clone_pgd_mask);
23146 +#else
23147 + *dst++ = *src++;
23148 +#endif
23149
23150 +}
23151 +#endif
23152 +
23153 +#ifdef CONFIG_X86_64
23154 +#define pxd_t pud_t
23155 +#define pyd_t pgd_t
23156 +#define paravirt_release_pxd(pfn) paravirt_release_pud(pfn)
23157 +#define pxd_free(mm, pud) pud_free((mm), (pud))
23158 +#define pyd_populate(mm, pgd, pud) pgd_populate((mm), (pgd), (pud))
23159 +#define pyd_offset(mm ,address) pgd_offset((mm), (address))
23160 +#define PYD_SIZE PGDIR_SIZE
23161 +#else
23162 +#define pxd_t pmd_t
23163 +#define pyd_t pud_t
23164 +#define paravirt_release_pxd(pfn) paravirt_release_pmd(pfn)
23165 +#define pxd_free(mm, pud) pmd_free((mm), (pud))
23166 +#define pyd_populate(mm, pgd, pud) pud_populate((mm), (pgd), (pud))
23167 +#define pyd_offset(mm ,address) pud_offset((mm), (address))
23168 +#define PYD_SIZE PUD_SIZE
23169 +#endif
23170 +
23171 +#ifdef CONFIG_PAX_PER_CPU_PGD
23172 +static inline void pgd_ctor(struct mm_struct *mm, pgd_t *pgd) {}
23173 +static inline void pgd_dtor(pgd_t *pgd) {}
23174 +#else
23175 static void pgd_set_mm(pgd_t *pgd, struct mm_struct *mm)
23176 {
23177 BUILD_BUG_ON(sizeof(virt_to_page(pgd)->index) < sizeof(mm));
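Review bot: `__shadow_user_pgds()` and `__clone_user_pgds()` take `int count` and loop with `while (count--)`, so a negative count would keep writing through `dst` until the counter wraps. The callers are outside this hunk, so this may never happen in practice, but `while (count-- > 0)` or an unsigned parameter bounds the write at no cost. In `__clone_user_pgds()` the loop body is selected by `#if` with no braces around it; bracing the `while` would make it clear that exactly one statement is the body. Neither function is commented: `__shadow_user_pgds()` sets `_PAGE_NX & __supported_pte_mask` and clears `_PAGE_USER` on every copied entry, which is worth stating above it. The hunk ends inside `pgd_set_mm()`.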
23178 @@ -128,6 +170,7 @@ static void pgd_dtor(pgd_t *pgd)
23179 pgd_list_del(pgd);
23180 spin_unlock(&pgd_lock);
23181 }
23182 +#endif
23183
23184 /*
23185 * List of all pgd's needed for non-PAE so it can invalidate entries
23186 @@ -140,7 +183,7 @@ static void pgd_dtor(pgd_t *pgd)
23187 * -- wli
23188 */
23189
23190 -#ifdef CONFIG_X86_PAE
23191 +#if defined(CONFIG_X86_32) && defined(CONFIG_X86_PAE)
23192 /*
23193 * In PAE mode, we need to do a cr3 reload (=tlb flush) when
23194 * updating the top-level pagetable entries to guarantee the
23195 @@ -152,7 +195,7 @@ static void pgd_dtor(pgd_t *pgd)
23196 * not shared between pagetables (!SHARED_KERNEL_PMDS), we allocate
23197 * and initialize the kernel pmds here.
23198 */
23199 -#define PREALLOCATED_PMDS UNSHARED_PTRS_PER_PGD
23200 +#define PREALLOCATED_PXDS (SHARED_KERNEL_PMD ? KERNEL_PGD_BOUNDARY : PTRS_PER_PGD)
23201
23202 void pud_populate(struct mm_struct *mm, pud_t *pudp, pmd_t *pmd)
23203 {
23204 @@ -170,36 +213,38 @@ void pud_populate(struct mm_struct *mm,
23205 */
23206 flush_tlb_mm(mm);
23207 }
23208 +#elif defined(CONFIG_X86_64) && defined(CONFIG_PAX_PER_CPU_PGD)
23209 +#define PREALLOCATED_PXDS USER_PGD_PTRS
23210 #else /* !CONFIG_X86_PAE */
23211
23212 /* No need to prepopulate any pagetable entries in non-PAE modes. */
23213 -#define PREALLOCATED_PMDS 0
23214 +#define PREALLOCATED_PXDS 0
23215
23216 #endif /* CONFIG_X86_PAE */
23217
23218 -static void free_pmds(pmd_t *pmds[])
23219 +static void free_pxds(pxd_t *pxds[])
23220 {
23221 int i;
23222
23223 - for(i = 0; i < PREALLOCATED_PMDS; i++)
23224 - if (pmds[i])
23225 - free_page((unsigned long)pmds[i]);
23226 + for(i = 0; i < PREALLOCATED_PXDS; i++)
23227 + if (pxds[i])
23228 + free_page((unsigned long)pxds[i]);
23229 }
23230
23231 -static int preallocate_pmds(pmd_t *pmds[])
23232 +static int preallocate_pxds(pxd_t *pxds[])
23233 {
23234 int i;
23235 bool failed = false;
23236
23237 - for(i = 0; i < PREALLOCATED_PMDS; i++) {
23238 - pmd_t *pmd = (pmd_t *)__get_free_page(PGALLOC_GFP);
23239 - if (pmd == NULL)
23240 + for(i = 0; i < PREALLOCATED_PXDS; i++) {
23241 + pxd_t *pxd = (pxd_t *)__get_free_page(PGALLOC_GFP);
23242 + if (pxd == NULL)
23243 failed = true;
23244 - pmds[i] = pmd;
23245 + pxds[i] = pxd;
23246 }
23247
23248 if (failed) {
23249 - free_pmds(pmds);
23250 + free_pxds(pxds);
23251 return -ENOMEM;
23252 }
23253
23254 @@ -212,51 +257,55 @@ static int preallocate_pmds(pmd_t *pmds[
23255 * preallocate which never got a corresponding vma will need to be
23256 * freed manually.
23257 */
23258 -static void pgd_mop_up_pmds(struct mm_struct *mm, pgd_t *pgdp)
23259 +static void pgd_mop_up_pxds(struct mm_struct *mm, pgd_t *pgdp)
23260 {
23261 int i;
23262
23263 - for(i = 0; i < PREALLOCATED_PMDS; i++) {
23264 + for(i = 0; i < PREALLOCATED_PXDS; i++) {
23265 pgd_t pgd = pgdp[i];
23266
23267 if (pgd_val(pgd) != 0) {
23268 - pmd_t *pmd = (pmd_t *)pgd_page_vaddr(pgd);
23269 + pxd_t *pxd = (pxd_t *)pgd_page_vaddr(pgd);
23270
23271 - pgdp[i] = native_make_pgd(0);
23272 + set_pgd(pgdp + i, native_make_pgd(0));
23273
23274 - paravirt_release_pmd(pgd_val(pgd) >> PAGE_SHIFT);
23275 - pmd_free(mm, pmd);
23276 + paravirt_release_pxd(pgd_val(pgd) >> PAGE_SHIFT);
23277 + pxd_free(mm, pxd);
23278 }
23279 }
23280 }
23281
23282 -static void pgd_prepopulate_pmd(struct mm_struct *mm, pgd_t *pgd, pmd_t *pmds[])
23283 +static void pgd_prepopulate_pxd(struct mm_struct *mm, pgd_t *pgd, pxd_t *pxds[])
23284 {
23285 - pud_t *pud;
23286 + pyd_t *pyd;
23287 unsigned long addr;
23288 int i;
23289
23290 - if (PREALLOCATED_PMDS == 0) /* Work around gcc-3.4.x bug */
23291 + if (PREALLOCATED_PXDS == 0) /* Work around gcc-3.4.x bug */
23292 return;
23293
23294 - pud = pud_offset(pgd, 0);
23295 +#ifdef CONFIG_X86_64
23296 + pyd = pyd_offset(mm, 0L);
23297 +#else
23298 + pyd = pyd_offset(pgd, 0L);
23299 +#endif
23300
23301 - for (addr = i = 0; i < PREALLOCATED_PMDS;
23302 - i++, pud++, addr += PUD_SIZE) {
23303 - pmd_t *pmd = pmds[i];
23304 + for (addr = i = 0; i < PREALLOCATED_PXDS;
23305 + i++, pyd++, addr += PYD_SIZE) {
23306 + pxd_t *pxd = pxds[i];
23307
23308 if (i >= KERNEL_PGD_BOUNDARY)
23309 - memcpy(pmd, (pmd_t *)pgd_page_vaddr(swapper_pg_dir[i]),
23310 - sizeof(pmd_t) * PTRS_PER_PMD);
23311 + memcpy(pxd, (pxd_t *)pgd_page_vaddr(swapper_pg_dir[i]),
23312 + sizeof(pxd_t) * PTRS_PER_PMD);
23313
23314 - pud_populate(mm, pud, pmd);
23315 + pyd_populate(mm, pyd, pxd);
23316 }
23317 }
23318
23319 pgd_t *pgd_alloc(struct mm_struct *mm)
23320 {
23321 pgd_t *pgd;
23322 - pmd_t *pmds[PREALLOCATED_PMDS];
23323 + pxd_t *pxds[PREALLOCATED_PXDS];
23324
23325 pgd = (pgd_t *)__get_free_page(PGALLOC_GFP);
23326
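Review bot: In `pgd_prepopulate_pxd()` the copy size stays `sizeof(pxd_t) * PTRS_PER_PMD` although `pxd_t` is `pud_t` on CONFIG_X86_64 according to the macros added earlier in this file section. The two entry counts are presumably equal on x86_64, so this is unlikely to be a size bug, but it breaks the pxd/pyd abstraction the patch introduces; defining `PTRS_PER_PXD` as `PTRS_PER_PUD` or `PTRS_PER_PMD` next to `PYD_SIZE` and using it here would keep it consistent. Separately, `pxd_t *pxds[PREALLOCATED_PXDS]` in `pgd_alloc()` is an on-stack array whose length becomes `USER_PGD_PTRS` on x86_64 with CONFIG_PAX_PER_CPU_PGD; that value is not visible here, so the kernel-stack cost should be checked. `pgd_alloc()` continues in the next hunk.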
23327 @@ -265,11 +314,11 @@ pgd_t *pgd_alloc(struct mm_struct *mm)
23328
23329 mm->pgd = pgd;
23330
23331 - if (preallocate_pmds(pmds) != 0)
23332 + if (preallocate_pxds(pxds) != 0)
23333 goto out_free_pgd;
23334
23335 if (paravirt_pgd_alloc(mm) != 0)
23336 - goto out_free_pmds;
23337 + goto out_free_pxds;
23338
23339 /*
23340 * Make sure that pre-populating the pmds is atomic with
23341 @@ -279,14 +328,14 @@ pgd_t *pgd_alloc(struct mm_struct *mm)
23342 spin_lock(&pgd_lock);
23343
23344 pgd_ctor(mm, pgd);
23345 - pgd_prepopulate_pmd(mm, pgd, pmds);
23346 + pgd_prepopulate_pxd(mm, pgd, pxds);
23347
23348 spin_unlock(&pgd_lock);
23349
23350 return pgd;
23351
23352 -out_free_pmds:
23353 - free_pmds(pmds);
23354 +out_free_pxds:
23355 + free_pxds(pxds);
23356 out_free_pgd:
23357 free_page((unsigned long)pgd);
23358 out:
23359 @@ -295,7 +344,7 @@ out:
23360
23361 void pgd_free(struct mm_struct *mm, pgd_t *pgd)
23362 {
23363 - pgd_mop_up_pmds(mm, pgd);
23364 + pgd_mop_up_pxds(mm, pgd);
23365 pgd_dtor(pgd);
23366 paravirt_pgd_free(mm, pgd);
23367 free_page((unsigned long)pgd);
23368 diff -urNp linux-2.6.39.3/arch/x86/mm/setup_nx.c linux-2.6.39.3/arch/x86/mm/setup_nx.c
23369 --- linux-2.6.39.3/arch/x86/mm/setup_nx.c 2011-05-19 00:06:34.000000000 -0400
23370 +++ linux-2.6.39.3/arch/x86/mm/setup_nx.c 2011-05-22 19:36:30.000000000 -0400
23371 @@ -5,8 +5,10 @@
23372 #include <asm/pgtable.h>
23373 #include <asm/proto.h>
23374
23375 +#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
23376 static int disable_nx __cpuinitdata;
23377
23378 +#ifndef CONFIG_PAX_PAGEEXEC
23379 /*
23380 * noexec = on|off
23381 *
23382 @@ -28,12 +30,17 @@ static int __init noexec_setup(char *str
23383 return 0;
23384 }
23385 early_param("noexec", noexec_setup);
23386 +#endif
23387 +
23388 +#endif
23389
23390 void __cpuinit x86_configure_nx(void)
23391 {
23392 +#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
23393 if (cpu_has_nx && !disable_nx)
23394 __supported_pte_mask |= _PAGE_NX;
23395 else
23396 +#endif
23397 __supported_pte_mask &= ~_PAGE_NX;
23398 }
23399
23400 diff -urNp linux-2.6.39.3/arch/x86/mm/tlb.c linux-2.6.39.3/arch/x86/mm/tlb.c
23401 --- linux-2.6.39.3/arch/x86/mm/tlb.c 2011-05-19 00:06:34.000000000 -0400
23402 +++ linux-2.6.39.3/arch/x86/mm/tlb.c 2011-05-22 19:36:30.000000000 -0400
23403 @@ -65,7 +65,11 @@ void leave_mm(int cpu)
23404 BUG();
23405 cpumask_clear_cpu(cpu,
23406 mm_cpumask(percpu_read(cpu_tlbstate.active_mm)));
23407 +
23408 +#ifndef CONFIG_PAX_PER_CPU_PGD
23409 load_cr3(swapper_pg_dir);
23410 +#endif
23411 +
23412 }
23413 EXPORT_SYMBOL_GPL(leave_mm);
23414
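Review bot: The reason `load_cr3(swapper_pg_dir)` is skipped under CONFIG_PAX_PER_CPU_PGD is not stated, and without the reload `leave_mm()` clears this CPU from the mm's cpumask while CR3 is left as it was. Presumably CR3 always points at the per-CPU PGD in that configuration, but the hunk does not show it, and it is then unclear who clears any user entries still present in that PGD. A comment above the `#ifndef` would settle it, e.g. `/* per-CPU PGD: CR3 never leaves this CPU's pgd, so there is nothing to reload */`, adjusted to whatever the actual guarantee is.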
23415 diff -urNp linux-2.6.39.3/arch/x86/oprofile/backtrace.c linux-2.6.39.3/arch/x86/oprofile/backtrace.c
23416 --- linux-2.6.39.3/arch/x86/oprofile/backtrace.c 2011-05-19 00:06:34.000000000 -0400
23417 +++ linux-2.6.39.3/arch/x86/oprofile/backtrace.c 2011-05-22 19:36:30.000000000 -0400
23418 @@ -57,7 +57,7 @@ dump_user_backtrace_32(struct stack_fram
23419 struct stack_frame_ia32 *fp;
23420
23421 /* Also check accessibility of one struct frame_head beyond */
23422 - if (!access_ok(VERIFY_READ, head, sizeof(bufhead)))
23423 + if (!__access_ok(VERIFY_READ, head, sizeof(bufhead)))
23424 return NULL;
23425 if (__copy_from_user_inatomic(bufhead, head, sizeof(bufhead)))
23426 return NULL;
23427 @@ -123,7 +123,7 @@ x86_backtrace(struct pt_regs * const reg
23428 {
23429 struct stack_frame *head = (struct stack_frame *)frame_pointer(regs);
23430
23431 - if (!user_mode_vm(regs)) {
23432 + if (!user_mode(regs)) {
23433 unsigned long stack = kernel_stack_pointer(regs);
23434 if (depth)
23435 dump_trace(NULL, regs, (unsigned long *)stack, 0,
23436 diff -urNp linux-2.6.39.3/arch/x86/pci/ce4100.c linux-2.6.39.3/arch/x86/pci/ce4100.c
23437 --- linux-2.6.39.3/arch/x86/pci/ce4100.c 2011-05-19 00:06:34.000000000 -0400
23438 +++ linux-2.6.39.3/arch/x86/pci/ce4100.c 2011-05-22 19:36:30.000000000 -0400
23439 @@ -302,7 +302,7 @@ static int ce4100_conf_write(unsigned in
23440 return pci_direct_conf1.write(seg, bus, devfn, reg, len, value);
23441 }
23442
23443 -struct pci_raw_ops ce4100_pci_conf = {
23444 +const struct pci_raw_ops ce4100_pci_conf = {
23445 .read = ce4100_conf_read,
23446 .write = ce4100_conf_write,
23447 };
23448 diff -urNp linux-2.6.39.3/arch/x86/pci/common.c linux-2.6.39.3/arch/x86/pci/common.c
23449 --- linux-2.6.39.3/arch/x86/pci/common.c 2011-05-19 00:06:34.000000000 -0400
23450 +++ linux-2.6.39.3/arch/x86/pci/common.c 2011-05-22 19:36:30.000000000 -0400
23451 @@ -33,8 +33,8 @@ int noioapicreroute = 1;
23452 int pcibios_last_bus = -1;
23453 unsigned long pirq_table_addr;
23454 struct pci_bus *pci_root_bus;
23455 -struct pci_raw_ops *raw_pci_ops;
23456 -struct pci_raw_ops *raw_pci_ext_ops;
23457 +const struct pci_raw_ops *raw_pci_ops;
23458 +const struct pci_raw_ops *raw_pci_ext_ops;
23459
23460 int raw_pci_read(unsigned int domain, unsigned int bus, unsigned int devfn,
23461 int reg, int len, u32 *val)
23462 diff -urNp linux-2.6.39.3/arch/x86/pci/direct.c linux-2.6.39.3/arch/x86/pci/direct.c
23463 --- linux-2.6.39.3/arch/x86/pci/direct.c 2011-05-19 00:06:34.000000000 -0400
23464 +++ linux-2.6.39.3/arch/x86/pci/direct.c 2011-05-22 19:36:30.000000000 -0400
23465 @@ -79,7 +79,7 @@ static int pci_conf1_write(unsigned int
23466
23467 #undef PCI_CONF1_ADDRESS
23468
23469 -struct pci_raw_ops pci_direct_conf1 = {
23470 +const struct pci_raw_ops pci_direct_conf1 = {
23471 .read = pci_conf1_read,
23472 .write = pci_conf1_write,
23473 };
23474 @@ -173,7 +173,7 @@ static int pci_conf2_write(unsigned int
23475
23476 #undef PCI_CONF2_ADDRESS
23477
23478 -struct pci_raw_ops pci_direct_conf2 = {
23479 +const struct pci_raw_ops pci_direct_conf2 = {
23480 .read = pci_conf2_read,
23481 .write = pci_conf2_write,
23482 };
23483 @@ -189,7 +189,7 @@ struct pci_raw_ops pci_direct_conf2 = {
23484 * This should be close to trivial, but it isn't, because there are buggy
23485 * chipsets (yes, you guessed it, by Intel and Compaq) that have no class ID.
23486 */
23487 -static int __init pci_sanity_check(struct pci_raw_ops *o)
23488 +static int __init pci_sanity_check(const struct pci_raw_ops *o)
23489 {
23490 u32 x = 0;
23491 int year, devfn;
23492 diff -urNp linux-2.6.39.3/arch/x86/pci/fixup.c linux-2.6.39.3/arch/x86/pci/fixup.c
23493 --- linux-2.6.39.3/arch/x86/pci/fixup.c 2011-05-19 00:06:34.000000000 -0400
23494 +++ linux-2.6.39.3/arch/x86/pci/fixup.c 2011-05-22 19:36:30.000000000 -0400
23495 @@ -435,7 +435,7 @@ static const struct dmi_system_id __devi
23496 DMI_MATCH(DMI_PRODUCT_VERSION, "PSA40U"),
23497 },
23498 },
23499 - { }
23500 + {}
23501 };
23502
23503 static void __devinit pci_pre_fixup_toshiba_ohci1394(struct pci_dev *dev)
23504 diff -urNp linux-2.6.39.3/arch/x86/pci/mmconfig_32.c linux-2.6.39.3/arch/x86/pci/mmconfig_32.c
23505 --- linux-2.6.39.3/arch/x86/pci/mmconfig_32.c 2011-05-19 00:06:34.000000000 -0400
23506 +++ linux-2.6.39.3/arch/x86/pci/mmconfig_32.c 2011-05-22 19:36:30.000000000 -0400
23507 @@ -117,7 +117,7 @@ static int pci_mmcfg_write(unsigned int
23508 return 0;
23509 }
23510
23511 -static struct pci_raw_ops pci_mmcfg = {
23512 +static const struct pci_raw_ops pci_mmcfg = {
23513 .read = pci_mmcfg_read,
23514 .write = pci_mmcfg_write,
23515 };
23516 diff -urNp linux-2.6.39.3/arch/x86/pci/mmconfig_64.c linux-2.6.39.3/arch/x86/pci/mmconfig_64.c
23517 --- linux-2.6.39.3/arch/x86/pci/mmconfig_64.c 2011-05-19 00:06:34.000000000 -0400
23518 +++ linux-2.6.39.3/arch/x86/pci/mmconfig_64.c 2011-05-22 19:36:30.000000000 -0400
23519 @@ -81,7 +81,7 @@ static int pci_mmcfg_write(unsigned int
23520 return 0;
23521 }
23522
23523 -static struct pci_raw_ops pci_mmcfg = {
23524 +static const struct pci_raw_ops pci_mmcfg = {
23525 .read = pci_mmcfg_read,
23526 .write = pci_mmcfg_write,
23527 };
23528 diff -urNp linux-2.6.39.3/arch/x86/pci/mrst.c linux-2.6.39.3/arch/x86/pci/mrst.c
23529 --- linux-2.6.39.3/arch/x86/pci/mrst.c 2011-05-19 00:06:34.000000000 -0400
23530 +++ linux-2.6.39.3/arch/x86/pci/mrst.c 2011-05-22 19:36:30.000000000 -0400
23531 @@ -218,7 +218,7 @@ static int mrst_pci_irq_enable(struct pc
23532 return 0;
23533 }
23534
23535 -struct pci_ops pci_mrst_ops = {
23536 +const struct pci_ops pci_mrst_ops = {
23537 .read = pci_read,
23538 .write = pci_write,
23539 };
23540 diff -urNp linux-2.6.39.3/arch/x86/pci/numaq_32.c linux-2.6.39.3/arch/x86/pci/numaq_32.c
23541 --- linux-2.6.39.3/arch/x86/pci/numaq_32.c 2011-05-19 00:06:34.000000000 -0400
23542 +++ linux-2.6.39.3/arch/x86/pci/numaq_32.c 2011-05-22 19:36:30.000000000 -0400
23543 @@ -108,7 +108,7 @@ static int pci_conf1_mq_write(unsigned i
23544
23545 #undef PCI_CONF1_MQ_ADDRESS
23546
23547 -static struct pci_raw_ops pci_direct_conf1_mq = {
23548 +static const struct pci_raw_ops pci_direct_conf1_mq = {
23549 .read = pci_conf1_mq_read,
23550 .write = pci_conf1_mq_write
23551 };
23552 diff -urNp linux-2.6.39.3/arch/x86/pci/olpc.c linux-2.6.39.3/arch/x86/pci/olpc.c
23553 --- linux-2.6.39.3/arch/x86/pci/olpc.c 2011-05-19 00:06:34.000000000 -0400
23554 +++ linux-2.6.39.3/arch/x86/pci/olpc.c 2011-05-22 19:36:30.000000000 -0400
23555 @@ -297,7 +297,7 @@ static int pci_olpc_write(unsigned int s
23556 return 0;
23557 }
23558
23559 -static struct pci_raw_ops pci_olpc_conf = {
23560 +static const struct pci_raw_ops pci_olpc_conf = {
23561 .read = pci_olpc_read,
23562 .write = pci_olpc_write,
23563 };
23564 diff -urNp linux-2.6.39.3/arch/x86/pci/pcbios.c linux-2.6.39.3/arch/x86/pci/pcbios.c
23565 --- linux-2.6.39.3/arch/x86/pci/pcbios.c 2011-05-19 00:06:34.000000000 -0400
23566 +++ linux-2.6.39.3/arch/x86/pci/pcbios.c 2011-05-22 19:36:30.000000000 -0400
23567 @@ -79,50 +79,93 @@ union bios32 {
23568 static struct {
23569 unsigned long address;
23570 unsigned short segment;
23571 -} bios32_indirect = { 0, __KERNEL_CS };
23572 +} bios32_indirect __read_only = { 0, __PCIBIOS_CS };
23573
23574 /*
23575 * Returns the entry point for the given service, NULL on error
23576 */
23577
23578 -static unsigned long bios32_service(unsigned long service)
23579 +static unsigned long __devinit bios32_service(unsigned long service)
23580 {
23581 unsigned char return_code; /* %al */
23582 unsigned long address; /* %ebx */
23583 unsigned long length; /* %ecx */
23584 unsigned long entry; /* %edx */
23585 unsigned long flags;
23586 + struct desc_struct d, *gdt;
23587
23588 local_irq_save(flags);
23589 - __asm__("lcall *(%%edi); cld"
23590 +
23591 + gdt = get_cpu_gdt_table(smp_processor_id());
23592 +
23593 + pack_descriptor(&d, 0UL, 0xFFFFFUL, 0x9B, 0xC);
23594 + write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_CS, &d, DESCTYPE_S);
23595 + pack_descriptor(&d, 0UL, 0xFFFFFUL, 0x93, 0xC);
23596 + write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_DS, &d, DESCTYPE_S);
23597 +
23598 + __asm__("movw %w7, %%ds; lcall *(%%edi); push %%ss; pop %%ds; cld"
23599 : "=a" (return_code),
23600 "=b" (address),
23601 "=c" (length),
23602 "=d" (entry)
23603 : "0" (service),
23604 "1" (0),
23605 - "D" (&bios32_indirect));
23606 + "D" (&bios32_indirect),
23607 + "r"(__PCIBIOS_DS)
23608 + : "memory");
23609 +
23610 + pax_open_kernel();
23611 + gdt[GDT_ENTRY_PCIBIOS_CS].a = 0;
23612 + gdt[GDT_ENTRY_PCIBIOS_CS].b = 0;
23613 + gdt[GDT_ENTRY_PCIBIOS_DS].a = 0;
23614 + gdt[GDT_ENTRY_PCIBIOS_DS].b = 0;
23615 + pax_close_kernel();
23616 +
23617 local_irq_restore(flags);
23618
23619 switch (return_code) {
23620 - case 0:
23621 - return address + entry;
23622 - case 0x80: /* Not present */
23623 - printk(KERN_WARNING "bios32_service(0x%lx): not present\n", service);
23624 - return 0;
23625 - default: /* Shouldn't happen */
23626 - printk(KERN_WARNING "bios32_service(0x%lx): returned 0x%x -- BIOS bug!\n",
23627 - service, return_code);
23628 + case 0: {
23629 + int cpu;
23630 + unsigned char flags;
23631 +
23632 + printk(KERN_INFO "bios32_service: base:%08lx length:%08lx entry:%08lx\n", address, length, entry);
23633 + if (address >= 0xFFFF0 || length > 0x100000 - address || length <= entry) {
23634 + printk(KERN_WARNING "bios32_service: not valid\n");
23635 return 0;
23636 + }
23637 + address = address + PAGE_OFFSET;
23638 + length += 16UL; /* some BIOSs underreport this... */
23639 + flags = 4;
23640 + if (length >= 64*1024*1024) {
23641 + length >>= PAGE_SHIFT;
23642 + flags |= 8;
23643 + }
23644 +
23645 + for (cpu = 0; cpu < NR_CPUS; cpu++) {
23646 + gdt = get_cpu_gdt_table(cpu);
23647 + pack_descriptor(&d, address, length, 0x9b, flags);
23648 + write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_CS, &d, DESCTYPE_S);
23649 + pack_descriptor(&d, address, length, 0x93, flags);
23650 + write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_DS, &d, DESCTYPE_S);
23651 + }
23652 + return entry;
23653 + }
23654 + case 0x80: /* Not present */
23655 + printk(KERN_WARNING "bios32_service(0x%lx): not present\n", service);
23656 + return 0;
23657 + default: /* Shouldn't happen */
23658 + printk(KERN_WARNING "bios32_service(0x%lx): returned 0x%x -- BIOS bug!\n",
23659 + service, return_code);
23660 + return 0;
23661 }
23662 }
23663
23664 static struct {
23665 unsigned long address;
23666 unsigned short segment;
23667 -} pci_indirect = { 0, __KERNEL_CS };
23668 +} pci_indirect __read_only = { 0, __PCIBIOS_CS };
23669
23670 -static int pci_bios_present;
23671 +static int pci_bios_present __read_only;
23672
23673 static int __devinit check_pcibios(void)
23674 {
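Review bot: In the `case 0:` block of `bios32_service()` the new `unsigned char flags` shadows the function-level `unsigned long flags` used by `local_irq_save()` and `local_irq_restore()`; renaming it, e.g. `unsigned char desc_flags = 4;`, avoids a `-Wshadow` warning and a misreading. The `if (length >= 64*1024*1024)` branch looks unreachable, because the preceding validation rejects `length > 0x100000 - address` and only 16 is added afterwards. The 16-byte slack is also added after the range check, and `length` is passed to `pack_descriptor()` in the position where the first call passes what looks like a limit (`0xFFFFFUL`), so the resulting segment is slightly larger than the range that was validated. If that is intended, a comment next to `length += 16UL;` should say so.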
23675 @@ -131,11 +174,13 @@ static int __devinit check_pcibios(void)
23676 unsigned long flags, pcibios_entry;
23677
23678 if ((pcibios_entry = bios32_service(PCI_SERVICE))) {
23679 - pci_indirect.address = pcibios_entry + PAGE_OFFSET;
23680 + pci_indirect.address = pcibios_entry;
23681
23682 local_irq_save(flags);
23683 - __asm__(
23684 - "lcall *(%%edi); cld\n\t"
23685 + __asm__("movw %w6, %%ds\n\t"
23686 + "lcall *%%ss:(%%edi); cld\n\t"
23687 + "push %%ss\n\t"
23688 + "pop %%ds\n\t"
23689 "jc 1f\n\t"
23690 "xor %%ah, %%ah\n"
23691 "1:"
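Review bot: `pci_indirect.address = pcibios_entry;` stores into an object that the previous hunk declares `__read_only`, and nothing in this hunk makes the object writable first. Elsewhere in this patch (the arch/x86/power/cpu.c hunk) a write to protected data is bracketed by `pax_open_kernel()` / `pax_close_kernel()`. The store here presumably relies on check_pcibios() running during early init, before read-only data is write-protected, but that ordering is not visible in the hunk. Either state it next to the store, for example `/* early init only: runs before __read_only data is write-protected */`, or bracket the store the same way; the same applies to any assignment to `pci_bios_present`. The function body continues outside this hunk.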
23692 @@ -144,7 +189,8 @@ static int __devinit check_pcibios(void)
23693 "=b" (ebx),
23694 "=c" (ecx)
23695 : "1" (PCIBIOS_PCI_BIOS_PRESENT),
23696 - "D" (&pci_indirect)
23697 + "D" (&pci_indirect),
23698 + "r" (__PCIBIOS_DS)
23699 : "memory");
23700 local_irq_restore(flags);
23701
23702 @@ -188,7 +234,10 @@ static int pci_bios_read(unsigned int se
23703
23704 switch (len) {
23705 case 1:
23706 - __asm__("lcall *(%%esi); cld\n\t"
23707 + __asm__("movw %w6, %%ds\n\t"
23708 + "lcall *%%ss:(%%esi); cld\n\t"
23709 + "push %%ss\n\t"
23710 + "pop %%ds\n\t"
23711 "jc 1f\n\t"
23712 "xor %%ah, %%ah\n"
23713 "1:"
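Review bot: The new `movw %w6, %%ds` picks the segment selector by operand position, and the matching `"r" (__PCIBIOS_DS)` input is only added in the following hunk. The other call sites use different indices (`%w8` in pcibios_get_irq_routing_table, `%w5` in pcibios_set_irq_routing), so adding or removing an operand later would silently load the wrong register into %ds. A named operand removes that coupling: `"movw %w[ds], %%ds\n\t"` together with `[ds] "r" (__PCIBIOS_DS)`. The same change applies to every asm block touched in pci_bios_read, pci_bios_write, check_pcibios and the two IRQ-routing functions. The switch statement starts and ends outside this hunk.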
23714 @@ -197,7 +246,8 @@ static int pci_bios_read(unsigned int se
23715 : "1" (PCIBIOS_READ_CONFIG_BYTE),
23716 "b" (bx),
23717 "D" ((long)reg),
23718 - "S" (&pci_indirect));
23719 + "S" (&pci_indirect),
23720 + "r" (__PCIBIOS_DS));
23721 /*
23722 * Zero-extend the result beyond 8 bits, do not trust the
23723 * BIOS having done it:
23724 @@ -205,7 +255,10 @@ static int pci_bios_read(unsigned int se
23725 *value &= 0xff;
23726 break;
23727 case 2:
23728 - __asm__("lcall *(%%esi); cld\n\t"
23729 + __asm__("movw %w6, %%ds\n\t"
23730 + "lcall *%%ss:(%%esi); cld\n\t"
23731 + "push %%ss\n\t"
23732 + "pop %%ds\n\t"
23733 "jc 1f\n\t"
23734 "xor %%ah, %%ah\n"
23735 "1:"
23736 @@ -214,7 +267,8 @@ static int pci_bios_read(unsigned int se
23737 : "1" (PCIBIOS_READ_CONFIG_WORD),
23738 "b" (bx),
23739 "D" ((long)reg),
23740 - "S" (&pci_indirect));
23741 + "S" (&pci_indirect),
23742 + "r" (__PCIBIOS_DS));
23743 /*
23744 * Zero-extend the result beyond 16 bits, do not trust the
23745 * BIOS having done it:
23746 @@ -222,7 +276,10 @@ static int pci_bios_read(unsigned int se
23747 *value &= 0xffff;
23748 break;
23749 case 4:
23750 - __asm__("lcall *(%%esi); cld\n\t"
23751 + __asm__("movw %w6, %%ds\n\t"
23752 + "lcall *%%ss:(%%esi); cld\n\t"
23753 + "push %%ss\n\t"
23754 + "pop %%ds\n\t"
23755 "jc 1f\n\t"
23756 "xor %%ah, %%ah\n"
23757 "1:"
23758 @@ -231,7 +288,8 @@ static int pci_bios_read(unsigned int se
23759 : "1" (PCIBIOS_READ_CONFIG_DWORD),
23760 "b" (bx),
23761 "D" ((long)reg),
23762 - "S" (&pci_indirect));
23763 + "S" (&pci_indirect),
23764 + "r" (__PCIBIOS_DS));
23765 break;
23766 }
23767
23768 @@ -254,7 +312,10 @@ static int pci_bios_write(unsigned int s
23769
23770 switch (len) {
23771 case 1:
23772 - __asm__("lcall *(%%esi); cld\n\t"
23773 + __asm__("movw %w6, %%ds\n\t"
23774 + "lcall *%%ss:(%%esi); cld\n\t"
23775 + "push %%ss\n\t"
23776 + "pop %%ds\n\t"
23777 "jc 1f\n\t"
23778 "xor %%ah, %%ah\n"
23779 "1:"
23780 @@ -263,10 +324,14 @@ static int pci_bios_write(unsigned int s
23781 "c" (value),
23782 "b" (bx),
23783 "D" ((long)reg),
23784 - "S" (&pci_indirect));
23785 + "S" (&pci_indirect),
23786 + "r" (__PCIBIOS_DS));
23787 break;
23788 case 2:
23789 - __asm__("lcall *(%%esi); cld\n\t"
23790 + __asm__("movw %w6, %%ds\n\t"
23791 + "lcall *%%ss:(%%esi); cld\n\t"
23792 + "push %%ss\n\t"
23793 + "pop %%ds\n\t"
23794 "jc 1f\n\t"
23795 "xor %%ah, %%ah\n"
23796 "1:"
23797 @@ -275,10 +340,14 @@ static int pci_bios_write(unsigned int s
23798 "c" (value),
23799 "b" (bx),
23800 "D" ((long)reg),
23801 - "S" (&pci_indirect));
23802 + "S" (&pci_indirect),
23803 + "r" (__PCIBIOS_DS));
23804 break;
23805 case 4:
23806 - __asm__("lcall *(%%esi); cld\n\t"
23807 + __asm__("movw %w6, %%ds\n\t"
23808 + "lcall *%%ss:(%%esi); cld\n\t"
23809 + "push %%ss\n\t"
23810 + "pop %%ds\n\t"
23811 "jc 1f\n\t"
23812 "xor %%ah, %%ah\n"
23813 "1:"
23814 @@ -287,7 +356,8 @@ static int pci_bios_write(unsigned int s
23815 "c" (value),
23816 "b" (bx),
23817 "D" ((long)reg),
23818 - "S" (&pci_indirect));
23819 + "S" (&pci_indirect),
23820 + "r" (__PCIBIOS_DS));
23821 break;
23822 }
23823
23824 @@ -301,7 +371,7 @@ static int pci_bios_write(unsigned int s
23825 * Function table for BIOS32 access
23826 */
23827
23828 -static struct pci_raw_ops pci_bios_access = {
23829 +static const struct pci_raw_ops pci_bios_access = {
23830 .read = pci_bios_read,
23831 .write = pci_bios_write
23832 };
23833 @@ -310,7 +380,7 @@ static struct pci_raw_ops pci_bios_acces
23834 * Try to find PCI BIOS.
23835 */
23836
23837 -static struct pci_raw_ops * __devinit pci_find_bios(void)
23838 +static const struct pci_raw_ops * __devinit pci_find_bios(void)
23839 {
23840 union bios32 *check;
23841 unsigned char sum;
23842 @@ -392,10 +462,13 @@ struct irq_routing_table * pcibios_get_i
23843
23844 DBG("PCI: Fetching IRQ routing table... ");
23845 __asm__("push %%es\n\t"
23846 + "movw %w8, %%ds\n\t"
23847 "push %%ds\n\t"
23848 "pop %%es\n\t"
23849 - "lcall *(%%esi); cld\n\t"
23850 + "lcall *%%ss:(%%esi); cld\n\t"
23851 "pop %%es\n\t"
23852 + "push %%ss\n\t"
23853 + "pop %%ds\n"
23854 "jc 1f\n\t"
23855 "xor %%ah, %%ah\n"
23856 "1:"
23857 @@ -406,7 +479,8 @@ struct irq_routing_table * pcibios_get_i
23858 "1" (0),
23859 "D" ((long) &opt),
23860 "S" (&pci_indirect),
23861 - "m" (opt)
23862 + "m" (opt),
23863 + "r" (__PCIBIOS_DS)
23864 : "memory");
23865 DBG("OK ret=%d, size=%d, map=%x\n", ret, opt.size, map);
23866 if (ret & 0xff00)
23867 @@ -430,7 +504,10 @@ int pcibios_set_irq_routing(struct pci_d
23868 {
23869 int ret;
23870
23871 - __asm__("lcall *(%%esi); cld\n\t"
23872 + __asm__("movw %w5, %%ds\n\t"
23873 + "lcall *%%ss:(%%esi); cld\n\t"
23874 + "push %%ss\n\t"
23875 + "pop %%ds\n"
23876 "jc 1f\n\t"
23877 "xor %%ah, %%ah\n"
23878 "1:"
23879 @@ -438,7 +515,8 @@ int pcibios_set_irq_routing(struct pci_d
23880 : "0" (PCIBIOS_SET_PCI_HW_INT),
23881 "b" ((dev->bus->number << 8) | dev->devfn),
23882 "c" ((irq << 8) | (pin + 10)),
23883 - "S" (&pci_indirect));
23884 + "S" (&pci_indirect),
23885 + "r" (__PCIBIOS_DS));
23886 return !(ret & 0xff00);
23887 }
23888 EXPORT_SYMBOL(pcibios_set_irq_routing);
23889 diff -urNp linux-2.6.39.3/arch/x86/pci/xen.c linux-2.6.39.3/arch/x86/pci/xen.c
23890 --- linux-2.6.39.3/arch/x86/pci/xen.c 2011-07-09 09:18:51.000000000 -0400
23891 +++ linux-2.6.39.3/arch/x86/pci/xen.c 2011-07-09 09:19:18.000000000 -0400
23892 @@ -62,7 +62,7 @@ static int acpi_register_gsi_xen_hvm(str
23893 #include <linux/msi.h>
23894 #include <asm/msidef.h>
23895
23896 -struct xen_pci_frontend_ops *xen_pci_frontend;
23897 +const struct xen_pci_frontend_ops *xen_pci_frontend;
23898 EXPORT_SYMBOL_GPL(xen_pci_frontend);
23899
23900 #define XEN_PIRQ_MSI_DATA (MSI_DATA_TRIGGER_EDGE | \
23901 diff -urNp linux-2.6.39.3/arch/x86/platform/efi/efi_32.c linux-2.6.39.3/arch/x86/platform/efi/efi_32.c
23902 --- linux-2.6.39.3/arch/x86/platform/efi/efi_32.c 2011-05-19 00:06:34.000000000 -0400
23903 +++ linux-2.6.39.3/arch/x86/platform/efi/efi_32.c 2011-05-22 19:36:30.000000000 -0400
23904 @@ -38,70 +38,37 @@
23905 */
23906
23907 static unsigned long efi_rt_eflags;
23908 -static pgd_t efi_bak_pg_dir_pointer[2];
23909 +static pgd_t __initdata efi_bak_pg_dir_pointer[KERNEL_PGD_PTRS];
23910
23911 -void efi_call_phys_prelog(void)
23912 +void __init efi_call_phys_prelog(void)
23913 {
23914 - unsigned long cr4;
23915 - unsigned long temp;
23916 struct desc_ptr gdt_descr;
23917
23918 local_irq_save(efi_rt_eflags);
23919
23920 - /*
23921 - * If I don't have PAE, I should just duplicate two entries in page
23922 - * directory. If I have PAE, I just need to duplicate one entry in
23923 - * page directory.
23924 - */
23925 - cr4 = read_cr4_safe();
23926 -
23927 - if (cr4 & X86_CR4_PAE) {
23928 - efi_bak_pg_dir_pointer[0].pgd =
23929 - swapper_pg_dir[pgd_index(0)].pgd;
23930 - swapper_pg_dir[0].pgd =
23931 - swapper_pg_dir[pgd_index(PAGE_OFFSET)].pgd;
23932 - } else {
23933 - efi_bak_pg_dir_pointer[0].pgd =
23934 - swapper_pg_dir[pgd_index(0)].pgd;
23935 - efi_bak_pg_dir_pointer[1].pgd =
23936 - swapper_pg_dir[pgd_index(0x400000)].pgd;
23937 - swapper_pg_dir[pgd_index(0)].pgd =
23938 - swapper_pg_dir[pgd_index(PAGE_OFFSET)].pgd;
23939 - temp = PAGE_OFFSET + 0x400000;
23940 - swapper_pg_dir[pgd_index(0x400000)].pgd =
23941 - swapper_pg_dir[pgd_index(temp)].pgd;
23942 - }
23943 + clone_pgd_range(efi_bak_pg_dir_pointer, swapper_pg_dir, KERNEL_PGD_PTRS);
23944 + clone_pgd_range(swapper_pg_dir, swapper_pg_dir + KERNEL_PGD_BOUNDARY,
23945 + min_t(unsigned long, KERNEL_PGD_PTRS, KERNEL_PGD_BOUNDARY));
23946
23947 /*
23948 * After the lock is released, the original page table is restored.
23949 */
23950 __flush_tlb_all();
23951
23952 - gdt_descr.address = __pa(get_cpu_gdt_table(0));
23953 + gdt_descr.address = (struct desc_struct *)__pa(get_cpu_gdt_table(0));
23954 gdt_descr.size = GDT_SIZE - 1;
23955 load_gdt(&gdt_descr);
23956 }
23957
23958 -void efi_call_phys_epilog(void)
23959 +void __init efi_call_phys_epilog(void)
23960 {
23961 - unsigned long cr4;
23962 struct desc_ptr gdt_descr;
23963
23964 - gdt_descr.address = (unsigned long)get_cpu_gdt_table(0);
23965 + gdt_descr.address = get_cpu_gdt_table(0);
23966 gdt_descr.size = GDT_SIZE - 1;
23967 load_gdt(&gdt_descr);
23968
23969 - cr4 = read_cr4_safe();
23970 -
23971 - if (cr4 & X86_CR4_PAE) {
23972 - swapper_pg_dir[pgd_index(0)].pgd =
23973 - efi_bak_pg_dir_pointer[0].pgd;
23974 - } else {
23975 - swapper_pg_dir[pgd_index(0)].pgd =
23976 - efi_bak_pg_dir_pointer[0].pgd;
23977 - swapper_pg_dir[pgd_index(0x400000)].pgd =
23978 - efi_bak_pg_dir_pointer[1].pgd;
23979 - }
23980 + clone_pgd_range(swapper_pg_dir, efi_bak_pg_dir_pointer, KERNEL_PGD_PTRS);
23981
23982 /*
23983 * After the lock is released, the original page table is restored.
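Review bot: The two `clone_pgd_range()` calls in efi_call_phys_prelog() replace the commented PAE/non-PAE code but carry no comment of their own. While they are in effect, the kernel page-directory entries are also mapped at the bottom of the address space, which is worth stating. Something like `/* save the low KERNEL_PGD_PTRS entries, then mirror the kernel entries at pgd index 0 for the physical-mode call; undone in efi_call_phys_epilog() */` would do. Marking both functions `__init` and the backup array `__initdata` is only safe if every caller is itself init-only; the callers are outside this hunk, so that should be confirmed (a section-mismatch build warning would show it). The body of efi_call_phys_epilog() continues past the end of the hunk.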
23984 diff -urNp linux-2.6.39.3/arch/x86/platform/efi/efi_stub_32.S linux-2.6.39.3/arch/x86/platform/efi/efi_stub_32.S
23985 --- linux-2.6.39.3/arch/x86/platform/efi/efi_stub_32.S 2011-05-19 00:06:34.000000000 -0400
23986 +++ linux-2.6.39.3/arch/x86/platform/efi/efi_stub_32.S 2011-05-22 19:36:30.000000000 -0400
23987 @@ -6,6 +6,7 @@
23988 */
23989
23990 #include <linux/linkage.h>
23991 +#include <linux/init.h>
23992 #include <asm/page_types.h>
23993
23994 /*
23995 @@ -20,7 +21,7 @@
23996 * service functions will comply with gcc calling convention, too.
23997 */
23998
23999 -.text
24000 +__INIT
24001 ENTRY(efi_call_phys)
24002 /*
24003 * 0. The function can only be called in Linux kernel. So CS has been
24004 @@ -36,9 +37,7 @@ ENTRY(efi_call_phys)
24005 * The mapping of lower virtual memory has been created in prelog and
24006 * epilog.
24007 */
24008 - movl $1f, %edx
24009 - subl $__PAGE_OFFSET, %edx
24010 - jmp *%edx
24011 + jmp 1f-__PAGE_OFFSET
24012 1:
24013
24014 /*
24015 @@ -47,14 +46,8 @@ ENTRY(efi_call_phys)
24016 * parameter 2, ..., param n. To make things easy, we save the return
24017 * address of efi_call_phys in a global variable.
24018 */
24019 - popl %edx
24020 - movl %edx, saved_return_addr
24021 - /* get the function pointer into ECX*/
24022 - popl %ecx
24023 - movl %ecx, efi_rt_function_ptr
24024 - movl $2f, %edx
24025 - subl $__PAGE_OFFSET, %edx
24026 - pushl %edx
24027 + popl (saved_return_addr)
24028 + popl (efi_rt_function_ptr)
24029
24030 /*
24031 * 3. Clear PG bit in %CR0.
24032 @@ -73,9 +66,8 @@ ENTRY(efi_call_phys)
24033 /*
24034 * 5. Call the physical function.
24035 */
24036 - jmp *%ecx
24037 + call *(efi_rt_function_ptr-__PAGE_OFFSET)
24038
24039 -2:
24040 /*
24041 * 6. After EFI runtime service returns, control will return to
24042 * following instruction. We'd better readjust stack pointer first.
24043 @@ -88,35 +80,28 @@ ENTRY(efi_call_phys)
24044 movl %cr0, %edx
24045 orl $0x80000000, %edx
24046 movl %edx, %cr0
24047 - jmp 1f
24048 -1:
24049 +
24050 /*
24051 * 8. Now restore the virtual mode from flat mode by
24052 * adding EIP with PAGE_OFFSET.
24053 */
24054 - movl $1f, %edx
24055 - jmp *%edx
24056 + jmp 1f+__PAGE_OFFSET
24057 1:
24058
24059 /*
24060 * 9. Balance the stack. And because EAX contain the return value,
24061 * we'd better not clobber it.
24062 */
24063 - leal efi_rt_function_ptr, %edx
24064 - movl (%edx), %ecx
24065 - pushl %ecx
24066 + pushl (efi_rt_function_ptr)
24067
24068 /*
24069 - * 10. Push the saved return address onto the stack and return.
24070 + * 10. Return to the saved return address.
24071 */
24072 - leal saved_return_addr, %edx
24073 - movl (%edx), %ecx
24074 - pushl %ecx
24075 - ret
24076 + jmpl *(saved_return_addr)
24077 ENDPROC(efi_call_phys)
24078 .previous
24079
24080 -.data
24081 +__INITDATA
24082 saved_return_addr:
24083 .long 0
24084 efi_rt_function_ptr:
24085 diff -urNp linux-2.6.39.3/arch/x86/platform/olpc/olpc_dt.c linux-2.6.39.3/arch/x86/platform/olpc/olpc_dt.c
24086 --- linux-2.6.39.3/arch/x86/platform/olpc/olpc_dt.c 2011-05-19 00:06:34.000000000 -0400
24087 +++ linux-2.6.39.3/arch/x86/platform/olpc/olpc_dt.c 2011-05-22 19:36:30.000000000 -0400
24088 @@ -154,7 +154,7 @@ void * __init prom_early_alloc(unsigned
24089 return res;
24090 }
24091
24092 -static struct of_pdt_ops prom_olpc_ops __initdata = {
24093 +static const struct of_pdt_ops prom_olpc_ops = {
24094 .nextprop = olpc_dt_nextprop,
24095 .getproplen = olpc_dt_getproplen,
24096 .getproperty = olpc_dt_getproperty,
24097 diff -urNp linux-2.6.39.3/arch/x86/platform/uv/tlb_uv.c linux-2.6.39.3/arch/x86/platform/uv/tlb_uv.c
24098 --- linux-2.6.39.3/arch/x86/platform/uv/tlb_uv.c 2011-05-19 00:06:34.000000000 -0400
24099 +++ linux-2.6.39.3/arch/x86/platform/uv/tlb_uv.c 2011-05-22 19:36:30.000000000 -0400
24100 @@ -342,6 +342,8 @@ static void uv_reset_with_ipi(struct bau
24101 cpumask_t mask;
24102 struct reset_args reset_args;
24103
24104 + pax_track_stack();
24105 +
24106 reset_args.sender = sender;
24107
24108 cpus_clear(mask);
24109 diff -urNp linux-2.6.39.3/arch/x86/power/cpu.c linux-2.6.39.3/arch/x86/power/cpu.c
24110 --- linux-2.6.39.3/arch/x86/power/cpu.c 2011-05-19 00:06:34.000000000 -0400
24111 +++ linux-2.6.39.3/arch/x86/power/cpu.c 2011-05-22 19:36:30.000000000 -0400
24112 @@ -130,7 +130,7 @@ static void do_fpu_end(void)
24113 static void fix_processor_context(void)
24114 {
24115 int cpu = smp_processor_id();
24116 - struct tss_struct *t = &per_cpu(init_tss, cpu);
24117 + struct tss_struct *t = init_tss + cpu;
24118
24119 set_tss_desc(cpu, t); /*
24120 * This just modifies memory; should not be
24121 @@ -140,7 +140,9 @@ static void fix_processor_context(void)
24122 */
24123
24124 #ifdef CONFIG_X86_64
24125 + pax_open_kernel();
24126 get_cpu_gdt_table(cpu)[GDT_ENTRY_TSS].type = 9;
24127 + pax_close_kernel();
24128
24129 syscall_init(); /* This sets MSR_*STAR and related */
24130 #endif
24131 diff -urNp linux-2.6.39.3/arch/x86/vdso/Makefile linux-2.6.39.3/arch/x86/vdso/Makefile
24132 --- linux-2.6.39.3/arch/x86/vdso/Makefile 2011-05-19 00:06:34.000000000 -0400
24133 +++ linux-2.6.39.3/arch/x86/vdso/Makefile 2011-05-22 19:36:30.000000000 -0400
24134 @@ -123,7 +123,7 @@ quiet_cmd_vdso = VDSO $@
24135 -Wl,-T,$(filter %.lds,$^) $(filter %.o,$^) && \
24136 sh $(srctree)/$(src)/checkundef.sh '$(NM)' '$@'
24137
24138 -VDSO_LDFLAGS = -fPIC -shared $(call cc-ldoption, -Wl$(comma)--hash-style=sysv)
24139 +VDSO_LDFLAGS = -fPIC -shared -Wl,--no-undefined $(call cc-ldoption, -Wl$(comma)--hash-style=sysv)
24140 GCOV_PROFILE := n
24141
24142 #
24143 diff -urNp linux-2.6.39.3/arch/x86/vdso/vclock_gettime.c linux-2.6.39.3/arch/x86/vdso/vclock_gettime.c
24144 --- linux-2.6.39.3/arch/x86/vdso/vclock_gettime.c 2011-05-19 00:06:34.000000000 -0400
24145 +++ linux-2.6.39.3/arch/x86/vdso/vclock_gettime.c 2011-05-22 19:36:30.000000000 -0400
24146 @@ -22,24 +22,48 @@
24147 #include <asm/hpet.h>
24148 #include <asm/unistd.h>
24149 #include <asm/io.h>
24150 +#include <asm/fixmap.h>
24151 #include "vextern.h"
24152
24153 #define gtod vdso_vsyscall_gtod_data
24154
24155 +notrace noinline long __vdso_fallback_time(long *t)
24156 +{
24157 + long secs;
24158 + asm volatile("syscall"
24159 + : "=a" (secs)
24160 + : "0" (__NR_time),"D" (t) : "r11", "cx", "memory");
24161 + return secs;
24162 +}
24163 +
24164 notrace static long vdso_fallback_gettime(long clock, struct timespec *ts)
24165 {
24166 long ret;
24167 asm("syscall" : "=a" (ret) :
24168 - "0" (__NR_clock_gettime),"D" (clock), "S" (ts) : "memory");
24169 + "0" (__NR_clock_gettime),"D" (clock), "S" (ts) : "r11", "cx", "memory");
24170 return ret;
24171 }
24172
24173 +notrace static inline cycle_t __vdso_vread_hpet(void)
24174 +{
24175 + return readl((const void __iomem *)fix_to_virt(VSYSCALL_HPET) + 0xf0);
24176 +}
24177 +
24178 +notrace static inline cycle_t __vdso_vread_tsc(void)
24179 +{
24180 + cycle_t ret = (cycle_t)vget_cycles();
24181 +
24182 + return ret >= gtod->clock.cycle_last ? ret : gtod->clock.cycle_last;
24183 +}
24184 +
24185 notrace static inline long vgetns(void)
24186 {
24187 long v;
24188 - cycles_t (*vread)(void);
24189 - vread = gtod->clock.vread;
24190 - v = (vread() - gtod->clock.cycle_last) & gtod->clock.mask;
24191 + if (gtod->clock.name[0] == 't' && gtod->clock.name[1] == 's' && gtod->clock.name[2] == 'c' && !gtod->clock.name[3])
24192 + v = __vdso_vread_tsc();
24193 + else
24194 + v = __vdso_vread_hpet();
24195 + v = (v - gtod->clock.cycle_last) & gtod->clock.mask;
24196 return (v * gtod->clock.mult) >> gtod->clock.shift;
24197 }
24198
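Review bot: The clock-name test in vgetns() (`gtod->clock.name[0] == 't' && ...`) is open-coded here and repeated, together with the "hpet" variant, in the __vdso_clock_gettime and __vdso_gettimeofday hunks below; two `static inline` helpers would keep the three copies from drifting apart. vgetns() also falls through to the HPET read for every name that is not "tsc", so it depends on its callers having already accepted only "tsc" or "hpet", and that precondition deserves a comment. The comparison is presumably written by hand because the vDSO cannot pull in kernel string helpers (the Makefile hunk adds `-Wl,--no-undefined`); the helpers below keep to that.

```c
notrace static inline int __vdso_clock_is_tsc(void)
{
	const char *name = gtod->clock.name;

	return name[0] == 't' && name[1] == 's' && name[2] == 'c' && !name[3];
}

notrace static inline int __vdso_clock_is_hpet(void)
{
	const char *name = gtod->clock.name;

	return name[0] == 'h' && name[1] == 'p' && name[2] == 'e' &&
	       name[3] == 't' && !name[4];
}

notrace static inline long vgetns(void)
{
	long v;

	/* callers must already have checked that the clock is "tsc" or "hpet" */
	if (__vdso_clock_is_tsc())
		v = __vdso_vread_tsc();
	else
		v = __vdso_vread_hpet();
	/* … unchanged: cycle_last subtraction, mask, mult and shift … */
}
```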
24199 @@ -113,7 +137,9 @@ notrace static noinline int do_monotonic
24200
24201 notrace int __vdso_clock_gettime(clockid_t clock, struct timespec *ts)
24202 {
24203 - if (likely(gtod->sysctl_enabled))
24204 + if (likely(gtod->sysctl_enabled &&
24205 + ((gtod->clock.name[0] == 'h' && gtod->clock.name[1] == 'p' && gtod->clock.name[2] == 'e' && gtod->clock.name[3] == 't' && !gtod->clock.name[4]) ||
24206 + (gtod->clock.name[0] == 't' && gtod->clock.name[1] == 's' && gtod->clock.name[2] == 'c' && !gtod->clock.name[3]))))
24207 switch (clock) {
24208 case CLOCK_REALTIME:
24209 if (likely(gtod->clock.vread))
24210 @@ -133,10 +159,20 @@ notrace int __vdso_clock_gettime(clockid
24211 int clock_gettime(clockid_t, struct timespec *)
24212 __attribute__((weak, alias("__vdso_clock_gettime")));
24213
24214 -notrace int __vdso_gettimeofday(struct timeval *tv, struct timezone *tz)
24215 +notrace noinline int __vdso_fallback_gettimeofday(struct timeval *tv, struct timezone *tz)
24216 {
24217 long ret;
24218 - if (likely(gtod->sysctl_enabled && gtod->clock.vread)) {
24219 + asm("syscall" : "=a" (ret) :
24220 + "0" (__NR_gettimeofday), "D" (tv), "S" (tz) : "r11", "cx", "memory");
24221 + return ret;
24222 +}
24223 +
24224 +notrace int __vdso_gettimeofday(struct timeval *tv, struct timezone *tz)
24225 +{
24226 + if (likely(gtod->sysctl_enabled &&
24227 + ((gtod->clock.name[0] == 'h' && gtod->clock.name[1] == 'p' && gtod->clock.name[2] == 'e' && gtod->clock.name[3] == 't' && !gtod->clock.name[4]) ||
24228 + (gtod->clock.name[0] == 't' && gtod->clock.name[1] == 's' && gtod->clock.name[2] == 'c' && !gtod->clock.name[3]))))
24229 + {
24230 if (likely(tv != NULL)) {
24231 BUILD_BUG_ON(offsetof(struct timeval, tv_usec) !=
24232 offsetof(struct timespec, tv_nsec) ||
24233 @@ -151,9 +187,7 @@ notrace int __vdso_gettimeofday(struct t
24234 }
24235 return 0;
24236 }
24237 - asm("syscall" : "=a" (ret) :
24238 - "0" (__NR_gettimeofday), "D" (tv), "S" (tz) : "memory");
24239 - return ret;
24240 + return __vdso_fallback_gettimeofday(tv, tz);
24241 }
24242 int gettimeofday(struct timeval *, struct timezone *)
24243 __attribute__((weak, alias("__vdso_gettimeofday")));
24244 diff -urNp linux-2.6.39.3/arch/x86/vdso/vdso32-setup.c linux-2.6.39.3/arch/x86/vdso/vdso32-setup.c
24245 --- linux-2.6.39.3/arch/x86/vdso/vdso32-setup.c 2011-05-19 00:06:34.000000000 -0400
24246 +++ linux-2.6.39.3/arch/x86/vdso/vdso32-setup.c 2011-05-22 19:36:30.000000000 -0400
24247 @@ -25,6 +25,7 @@
24248 #include <asm/tlbflush.h>
24249 #include <asm/vdso.h>
24250 #include <asm/proto.h>
24251 +#include <asm/mman.h>
24252
24253 enum {
24254 VDSO_DISABLED = 0,
24255 @@ -226,7 +227,7 @@ static inline void map_compat_vdso(int m
24256 void enable_sep_cpu(void)
24257 {
24258 int cpu = get_cpu();
24259 - struct tss_struct *tss = &per_cpu(init_tss, cpu);
24260 + struct tss_struct *tss = init_tss + cpu;
24261
24262 if (!boot_cpu_has(X86_FEATURE_SEP)) {
24263 put_cpu();
24264 @@ -249,7 +250,7 @@ static int __init gate_vma_init(void)
24265 gate_vma.vm_start = FIXADDR_USER_START;
24266 gate_vma.vm_end = FIXADDR_USER_END;
24267 gate_vma.vm_flags = VM_READ | VM_MAYREAD | VM_EXEC | VM_MAYEXEC;
24268 - gate_vma.vm_page_prot = __P101;
24269 + gate_vma.vm_page_prot = vm_get_page_prot(gate_vma.vm_flags);
24270 /*
24271 * Make sure the vDSO gets into every core dump.
24272 * Dumping its contents makes post-mortem fully interpretable later
24273 @@ -331,14 +332,14 @@ int arch_setup_additional_pages(struct l
24274 if (compat)
24275 addr = VDSO_HIGH_BASE;
24276 else {
24277 - addr = get_unmapped_area(NULL, 0, PAGE_SIZE, 0, 0);
24278 + addr = get_unmapped_area(NULL, 0, PAGE_SIZE, 0, MAP_EXECUTABLE);
24279 if (IS_ERR_VALUE(addr)) {
24280 ret = addr;
24281 goto up_fail;
24282 }
24283 }
24284
24285 - current->mm->context.vdso = (void *)addr;
24286 + current->mm->context.vdso = addr;
24287
24288 if (compat_uses_vma || !compat) {
24289 /*
24290 @@ -361,11 +362,11 @@ int arch_setup_additional_pages(struct l
24291 }
24292
24293 current_thread_info()->sysenter_return =
24294 - VDSO32_SYMBOL(addr, SYSENTER_RETURN);
24295 + (__force void __user *)VDSO32_SYMBOL(addr, SYSENTER_RETURN);
24296
24297 up_fail:
24298 if (ret)
24299 - current->mm->context.vdso = NULL;
24300 + current->mm->context.vdso = 0;
24301
24302 up_write(&mm->mmap_sem);
24303
24304 @@ -412,8 +413,14 @@ __initcall(ia32_binfmt_init);
24305
24306 const char *arch_vma_name(struct vm_area_struct *vma)
24307 {
24308 - if (vma->vm_mm && vma->vm_start == (long)vma->vm_mm->context.vdso)
24309 + if (vma->vm_mm && vma->vm_start == vma->vm_mm->context.vdso)
24310 return "[vdso]";
24311 +
24312 +#ifdef CONFIG_PAX_SEGMEXEC
24313 + if (vma->vm_mm && vma->vm_mirror && vma->vm_mirror->vm_start == vma->vm_mm->context.vdso)
24314 + return "[vdso]";
24315 +#endif
24316 +
24317 return NULL;
24318 }
24319
24320 @@ -423,7 +430,7 @@ struct vm_area_struct *get_gate_vma(stru
24321 * Check to see if the corresponding task was created in compat vdso
24322 * mode.
24323 */
24324 - if (mm && mm->context.vdso == (void *)VDSO_HIGH_BASE)
24325 + if (mm && mm->context.vdso == VDSO_HIGH_BASE)
24326 return &gate_vma;
24327 return NULL;
24328 }
24329 diff -urNp linux-2.6.39.3/arch/x86/vdso/vdso.lds.S linux-2.6.39.3/arch/x86/vdso/vdso.lds.S
24330 --- linux-2.6.39.3/arch/x86/vdso/vdso.lds.S 2011-05-19 00:06:34.000000000 -0400
24331 +++ linux-2.6.39.3/arch/x86/vdso/vdso.lds.S 2011-06-06 17:34:26.000000000 -0400
24332 @@ -35,3 +35,9 @@ VDSO64_PRELINK = VDSO_PRELINK;
24333 #define VEXTERN(x) VDSO64_ ## x = vdso_ ## x;
24334 #include "vextern.h"
24335 #undef VEXTERN
24336 +
24337 +#define VEXTERN(x) VDSO64_ ## x = __vdso_ ## x;
24338 +VEXTERN(fallback_gettimeofday)
24339 +VEXTERN(fallback_time)
24340 +VEXTERN(getcpu)
24341 +#undef VEXTERN
24342 diff -urNp linux-2.6.39.3/arch/x86/vdso/vextern.h linux-2.6.39.3/arch/x86/vdso/vextern.h
24343 --- linux-2.6.39.3/arch/x86/vdso/vextern.h 2011-05-19 00:06:34.000000000 -0400
24344 +++ linux-2.6.39.3/arch/x86/vdso/vextern.h 2011-05-22 19:36:30.000000000 -0400
24345 @@ -11,6 +11,5 @@
24346 put into vextern.h and be referenced as a pointer with vdso prefix.
24347 The main kernel later fills in the values. */
24348
24349 -VEXTERN(jiffies)
24350 VEXTERN(vgetcpu_mode)
24351 VEXTERN(vsyscall_gtod_data)
24352 diff -urNp linux-2.6.39.3/arch/x86/vdso/vma.c linux-2.6.39.3/arch/x86/vdso/vma.c
24353 --- linux-2.6.39.3/arch/x86/vdso/vma.c 2011-05-19 00:06:34.000000000 -0400
24354 +++ linux-2.6.39.3/arch/x86/vdso/vma.c 2011-05-22 19:36:30.000000000 -0400
24355 @@ -58,7 +58,7 @@ static int __init init_vdso_vars(void)
24356 if (!vbase)
24357 goto oom;
24358
24359 - if (memcmp(vbase, "\177ELF", 4)) {
24360 + if (memcmp(vbase, ELFMAG, SELFMAG)) {
24361 printk("VDSO: I'm broken; not ELF\n");
24362 vdso_enabled = 0;
24363 }
24364 @@ -118,7 +118,7 @@ int arch_setup_additional_pages(struct l
24365 goto up_fail;
24366 }
24367
24368 - current->mm->context.vdso = (void *)addr;
24369 + current->mm->context.vdso = addr;
24370
24371 ret = install_special_mapping(mm, addr, vdso_size,
24372 VM_READ|VM_EXEC|
24373 @@ -126,7 +126,7 @@ int arch_setup_additional_pages(struct l
24374 VM_ALWAYSDUMP,
24375 vdso_pages);
24376 if (ret) {
24377 - current->mm->context.vdso = NULL;
24378 + current->mm->context.vdso = 0;
24379 goto up_fail;
24380 }
24381
24382 @@ -134,10 +134,3 @@ up_fail:
24383 up_write(&mm->mmap_sem);
24384 return ret;
24385 }
24386 -
24387 -static __init int vdso_setup(char *s)
24388 -{
24389 - vdso_enabled = simple_strtoul(s, NULL, 0);
24390 - return 0;
24391 -}
24392 -__setup("vdso=", vdso_setup);
24393 diff -urNp linux-2.6.39.3/arch/x86/xen/enlighten.c linux-2.6.39.3/arch/x86/xen/enlighten.c
24394 --- linux-2.6.39.3/arch/x86/xen/enlighten.c 2011-05-19 00:06:34.000000000 -0400
24395 +++ linux-2.6.39.3/arch/x86/xen/enlighten.c 2011-05-22 19:36:30.000000000 -0400
24396 @@ -85,8 +85,6 @@ EXPORT_SYMBOL_GPL(xen_start_info);
24397
24398 struct shared_info xen_dummy_shared_info;
24399
24400 -void *xen_initial_gdt;
24401 -
24402 RESERVE_BRK(shared_info_page_brk, PAGE_SIZE);
24403 __read_mostly int xen_have_vector_callback;
24404 EXPORT_SYMBOL_GPL(xen_have_vector_callback);
24405 @@ -1010,7 +1008,7 @@ static const struct pv_apic_ops xen_apic
24406 #endif
24407 };
24408
24409 -static void xen_reboot(int reason)
24410 +static __noreturn void xen_reboot(int reason)
24411 {
24412 struct sched_shutdown r = { .reason = reason };
24413
24414 @@ -1018,17 +1016,17 @@ static void xen_reboot(int reason)
24415 BUG();
24416 }
24417
24418 -static void xen_restart(char *msg)
24419 +static __noreturn void xen_restart(char *msg)
24420 {
24421 xen_reboot(SHUTDOWN_reboot);
24422 }
24423
24424 -static void xen_emergency_restart(void)
24425 +static __noreturn void xen_emergency_restart(void)
24426 {
24427 xen_reboot(SHUTDOWN_reboot);
24428 }
24429
24430 -static void xen_machine_halt(void)
24431 +static __noreturn void xen_machine_halt(void)
24432 {
24433 xen_reboot(SHUTDOWN_poweroff);
24434 }
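Review bot: `__noreturn` on xen_reboot() only holds if every path through it ends in a call that never returns, and the visible tail of the body is `BUG();` followed by the closing brace. The line between this hunk and the previous one is not shown. If it makes `BUG()` conditional on the shutdown hypercall failing, a hypercall that returns success lets the function fall off its end, which is undefined behaviour for a noreturn function and carries over to xen_restart, xen_emergency_restart and xen_machine_halt. Calling `BUG()` unconditionally after the hypercall, e.g. `HYPERVISOR_sched_op(SCHEDOP_shutdown, &r); BUG();`, would make the annotation true on all paths.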
24435 @@ -1127,7 +1125,17 @@ asmlinkage void __init xen_start_kernel(
24436 __userpte_alloc_gfp &= ~__GFP_HIGHMEM;
24437
24438 /* Work out if we support NX */
24439 - x86_configure_nx();
24440 +#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
24441 + if ((cpuid_eax(0x80000000) & 0xffff0000) == 0x80000000 &&
24442 + (cpuid_edx(0x80000001) & (1U << (X86_FEATURE_NX & 31)))) {
24443 + unsigned l, h;
24444 +
24445 + __supported_pte_mask |= _PAGE_NX;
24446 + rdmsr(MSR_EFER, l, h);
24447 + l |= EFER_NX;
24448 + wrmsr(MSR_EFER, l, h);
24449 + }
24450 +#endif
24451
24452 xen_setup_features();
24453
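Review bot: The open-coded NX setup sets `_PAGE_NX` in `__supported_pte_mask` before it touches MSR_EFER, and it uses plain `rdmsr` / `wrmsr`, so the mask is updated even if the EFER write does not take effect. Whether the hypervisor permits this access at this point in xen_start_kernel() cannot be seen from the hunk. Where exception fixups are available, the `_safe` variants let the mask follow the outcome: `if (!rdmsr_safe(MSR_EFER, &l, &h) && !wrmsr_safe(MSR_EFER, l | EFER_NX, h)) __supported_pte_mask |= _PAGE_NX;`. A one-line comment on why `x86_configure_nx()` is no longer called here, and what `(1U << (X86_FEATURE_NX & 31))` selects in the CPUID result, would also help the next reader. The function body starts and ends outside this hunk.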
24454 @@ -1158,13 +1166,6 @@ asmlinkage void __init xen_start_kernel(
24455
24456 machine_ops = xen_machine_ops;
24457
24458 - /*
24459 - * The only reliable way to retain the initial address of the
24460 - * percpu gdt_page is to remember it here, so we can go and
24461 - * mark it RW later, when the initial percpu area is freed.
24462 - */
24463 - xen_initial_gdt = &per_cpu(gdt_page, 0);
24464 -
24465 xen_smp_init();
24466
24467 #ifdef CONFIG_ACPI_NUMA
24468 diff -urNp linux-2.6.39.3/arch/x86/xen/mmu.c linux-2.6.39.3/arch/x86/xen/mmu.c
24469 --- linux-2.6.39.3/arch/x86/xen/mmu.c 2011-07-09 09:18:51.000000000 -0400
24470 +++ linux-2.6.39.3/arch/x86/xen/mmu.c 2011-07-09 09:19:18.000000000 -0400
24471 @@ -1801,6 +1801,8 @@ __init pgd_t *xen_setup_kernel_pagetable
24472 convert_pfn_mfn(init_level4_pgt);
24473 convert_pfn_mfn(level3_ident_pgt);
24474 convert_pfn_mfn(level3_kernel_pgt);
24475 + convert_pfn_mfn(level3_vmalloc_pgt);
24476 + convert_pfn_mfn(level3_vmemmap_pgt);
24477
24478 l3 = m2v(pgd[pgd_index(__START_KERNEL_map)].pgd);
24479 l2 = m2v(l3[pud_index(__START_KERNEL_map)].pud);
24480 @@ -1819,7 +1821,10 @@ __init pgd_t *xen_setup_kernel_pagetable
24481 set_page_prot(init_level4_pgt, PAGE_KERNEL_RO);
24482 set_page_prot(level3_ident_pgt, PAGE_KERNEL_RO);
24483 set_page_prot(level3_kernel_pgt, PAGE_KERNEL_RO);
24484 + set_page_prot(level3_vmalloc_pgt, PAGE_KERNEL_RO);
24485 + set_page_prot(level3_vmemmap_pgt, PAGE_KERNEL_RO);
24486 set_page_prot(level3_user_vsyscall, PAGE_KERNEL_RO);
24487 + set_page_prot(level2_vmemmap_pgt, PAGE_KERNEL_RO);
24488 set_page_prot(level2_kernel_pgt, PAGE_KERNEL_RO);
24489 set_page_prot(level2_fixmap_pgt, PAGE_KERNEL_RO);
24490
24491 diff -urNp linux-2.6.39.3/arch/x86/xen/pci-swiotlb-xen.c linux-2.6.39.3/arch/x86/xen/pci-swiotlb-xen.c
24492 --- linux-2.6.39.3/arch/x86/xen/pci-swiotlb-xen.c 2011-05-19 00:06:34.000000000 -0400
24493 +++ linux-2.6.39.3/arch/x86/xen/pci-swiotlb-xen.c 2011-05-22 19:36:30.000000000 -0400
24494 @@ -10,7 +10,7 @@
24495
24496 int xen_swiotlb __read_mostly;
24497
24498 -static struct dma_map_ops xen_swiotlb_dma_ops = {
24499 +static const struct dma_map_ops xen_swiotlb_dma_ops = {
24500 .mapping_error = xen_swiotlb_dma_mapping_error,
24501 .alloc_coherent = xen_swiotlb_alloc_coherent,
24502 .free_coherent = xen_swiotlb_free_coherent,
24503 diff -urNp linux-2.6.39.3/arch/x86/xen/smp.c linux-2.6.39.3/arch/x86/xen/smp.c
24504 --- linux-2.6.39.3/arch/x86/xen/smp.c 2011-07-09 09:18:51.000000000 -0400
24505 +++ linux-2.6.39.3/arch/x86/xen/smp.c 2011-07-09 09:19:18.000000000 -0400
24506 @@ -194,11 +194,6 @@ static void __init xen_smp_prepare_boot_
24507 {
24508 BUG_ON(smp_processor_id() != 0);
24509 native_smp_prepare_boot_cpu();
24510 -
24511 - /* We've switched to the "real" per-cpu gdt, so make sure the
24512 - old memory can be recycled */
24513 - make_lowmem_page_readwrite(xen_initial_gdt);
24514 -
24515 xen_filter_cpu_maps();
24516 xen_setup_vcpu_info_placement();
24517 }
24518 @@ -266,12 +261,12 @@ cpu_initialize_context(unsigned int cpu,
24519 gdt = get_cpu_gdt_table(cpu);
24520
24521 ctxt->flags = VGCF_IN_KERNEL;
24522 - ctxt->user_regs.ds = __USER_DS;
24523 - ctxt->user_regs.es = __USER_DS;
24524 + ctxt->user_regs.ds = __KERNEL_DS;
24525 + ctxt->user_regs.es = __KERNEL_DS;
24526 ctxt->user_regs.ss = __KERNEL_DS;
24527 #ifdef CONFIG_X86_32
24528 ctxt->user_regs.fs = __KERNEL_PERCPU;
24529 - ctxt->user_regs.gs = __KERNEL_STACK_CANARY;
24530 + savesegment(gs, ctxt->user_regs.gs);
24531 #else
24532 ctxt->gs_base_kernel = per_cpu_offset(cpu);
24533 #endif
24534 @@ -322,13 +317,12 @@ static int __cpuinit xen_cpu_up(unsigned
24535 int rc;
24536
24537 per_cpu(current_task, cpu) = idle;
24538 + per_cpu(current_tinfo, cpu) = &idle->tinfo;
24539 #ifdef CONFIG_X86_32
24540 irq_ctx_init(cpu);
24541 #else
24542 clear_tsk_thread_flag(idle, TIF_FORK);
24543 - per_cpu(kernel_stack, cpu) =
24544 - (unsigned long)task_stack_page(idle) -
24545 - KERNEL_STACK_OFFSET + THREAD_SIZE;
24546 + per_cpu(kernel_stack, cpu) = (unsigned long)task_stack_page(idle) - 16 + THREAD_SIZE;
24547 #endif
24548 xen_setup_runstate_info(cpu);
24549 xen_setup_timer(cpu);
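Review bot: The literal `16` in `task_stack_page(idle) - 16 + THREAD_SIZE` replaces the named `KERNEL_STACK_OFFSET` with no explanation. This value has to agree with whatever the native CPU bring-up path and the entry code assume for `kernel_stack`, and neither is visible here. A named constant shared with those users, or at least a comment such as `/* must match the kernel_stack offset used by the native bring-up path */`, would keep the Xen path from diverging unnoticed. xen_cpu_up() starts and ends outside this hunk.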
24550 diff -urNp linux-2.6.39.3/arch/x86/xen/xen-asm_32.S linux-2.6.39.3/arch/x86/xen/xen-asm_32.S
24551 --- linux-2.6.39.3/arch/x86/xen/xen-asm_32.S 2011-05-19 00:06:34.000000000 -0400
24552 +++ linux-2.6.39.3/arch/x86/xen/xen-asm_32.S 2011-05-22 19:36:30.000000000 -0400
24553 @@ -83,14 +83,14 @@ ENTRY(xen_iret)
24554 ESP_OFFSET=4 # bytes pushed onto stack
24555
24556 /*
24557 - * Store vcpu_info pointer for easy access. Do it this way to
24558 - * avoid having to reload %fs
24559 + * Store vcpu_info pointer for easy access.
24560 */
24561 #ifdef CONFIG_SMP
24562 - GET_THREAD_INFO(%eax)
24563 - movl TI_cpu(%eax), %eax
24564 - movl __per_cpu_offset(,%eax,4), %eax
24565 - mov xen_vcpu(%eax), %eax
24566 + push %fs
24567 + mov $(__KERNEL_PERCPU), %eax
24568 + mov %eax, %fs
24569 + mov PER_CPU_VAR(xen_vcpu), %eax
24570 + pop %fs
24571 #else
24572 movl xen_vcpu, %eax
24573 #endif
24574 diff -urNp linux-2.6.39.3/arch/x86/xen/xen-head.S linux-2.6.39.3/arch/x86/xen/xen-head.S
24575 --- linux-2.6.39.3/arch/x86/xen/xen-head.S 2011-05-19 00:06:34.000000000 -0400
24576 +++ linux-2.6.39.3/arch/x86/xen/xen-head.S 2011-05-22 19:36:30.000000000 -0400
24577 @@ -19,6 +19,17 @@ ENTRY(startup_xen)
24578 #ifdef CONFIG_X86_32
24579 mov %esi,xen_start_info
24580 mov $init_thread_union+THREAD_SIZE,%esp
24581 +#ifdef CONFIG_SMP
24582 + movl $cpu_gdt_table,%edi
24583 + movl $__per_cpu_load,%eax
24584 + movw %ax,__KERNEL_PERCPU + 2(%edi)
24585 + rorl $16,%eax
24586 + movb %al,__KERNEL_PERCPU + 4(%edi)
24587 + movb %ah,__KERNEL_PERCPU + 7(%edi)
24588 + movl $__per_cpu_end - 1,%eax
24589 + subl $__per_cpu_start,%eax
24590 + movw %ax,__KERNEL_PERCPU + 0(%edi)
24591 +#endif
24592 #else
24593 mov %rsi,xen_start_info
24594 mov $init_thread_union+THREAD_SIZE,%rsp
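Review bot: The added CONFIG_SMP block patches the `__KERNEL_PERCPU` entry of `cpu_gdt_table` byte by byte with no comment, and the limit store `movw %ax,__KERNEL_PERCPU + 0(%edi)` writes only the low 16 bits of `__per_cpu_end - 1 - __per_cpu_start`. Offsets 2, 4 and 7 are the three base fields of an x86 segment descriptor and offset 0 is limit bits 15:0. A comment such as `/* point the per-cpu segment at __per_cpu_load and set its limit to the per-cpu area size - 1 */` would make that readable. If the per-cpu area can exceed 64 KiB with a byte-granular descriptor, limit bits 19:16 in descriptor byte 6 would also need setting; whether that can happen is not visible from this hunk.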
24595 diff -urNp linux-2.6.39.3/arch/x86/xen/xen-ops.h linux-2.6.39.3/arch/x86/xen/xen-ops.h
24596 --- linux-2.6.39.3/arch/x86/xen/xen-ops.h 2011-05-19 00:06:34.000000000 -0400
24597 +++ linux-2.6.39.3/arch/x86/xen/xen-ops.h 2011-05-22 19:36:30.000000000 -0400
24598 @@ -10,8 +10,6 @@
24599 extern const char xen_hypervisor_callback[];
24600 extern const char xen_failsafe_callback[];
24601
24602 -extern void *xen_initial_gdt;
24603 -
24604 struct trap_info;
24605 void xen_copy_trap_info(struct trap_info *traps);
24606
24607 diff -urNp linux-2.6.39.3/block/blk-iopoll.c linux-2.6.39.3/block/blk-iopoll.c
24608 --- linux-2.6.39.3/block/blk-iopoll.c 2011-05-19 00:06:34.000000000 -0400
24609 +++ linux-2.6.39.3/block/blk-iopoll.c 2011-05-22 19:36:30.000000000 -0400
24610 @@ -77,7 +77,7 @@ void blk_iopoll_complete(struct blk_iopo
24611 }
24612 EXPORT_SYMBOL(blk_iopoll_complete);
24613
24614 -static void blk_iopoll_softirq(struct softirq_action *h)
24615 +static void blk_iopoll_softirq(void)
24616 {
24617 struct list_head *list = &__get_cpu_var(blk_cpu_iopoll);
24618 int rearm = 0, budget = blk_iopoll_budget;
24619 diff -urNp linux-2.6.39.3/block/blk-map.c linux-2.6.39.3/block/blk-map.c
24620 --- linux-2.6.39.3/block/blk-map.c 2011-05-19 00:06:34.000000000 -0400
24621 +++ linux-2.6.39.3/block/blk-map.c 2011-05-22 19:36:30.000000000 -0400
24622 @@ -301,7 +301,7 @@ int blk_rq_map_kern(struct request_queue
24623 if (!len || !kbuf)
24624 return -EINVAL;
24625
24626 - do_copy = !blk_rq_aligned(q, addr, len) || object_is_on_stack(kbuf);
24627 + do_copy = !blk_rq_aligned(q, addr, len) || object_starts_on_stack(kbuf);
24628 if (do_copy)
24629 bio = bio_copy_kern(q, kbuf, len, gfp_mask, reading);
24630 else
24631 diff -urNp linux-2.6.39.3/block/blk-softirq.c linux-2.6.39.3/block/blk-softirq.c
24632 --- linux-2.6.39.3/block/blk-softirq.c 2011-05-19 00:06:34.000000000 -0400
24633 +++ linux-2.6.39.3/block/blk-softirq.c 2011-05-22 19:36:30.000000000 -0400
24634 @@ -17,7 +17,7 @@ static DEFINE_PER_CPU(struct list_head,
24635 * Softirq action handler - move entries to local list and loop over them
24636 * while passing them to the queue registered handler.
24637 */
24638 -static void blk_done_softirq(struct softirq_action *h)
24639 +static void blk_done_softirq(void)
24640 {
24641 struct list_head *cpu_list, local_list;
24642
24643 diff -urNp linux-2.6.39.3/block/bsg.c linux-2.6.39.3/block/bsg.c
24644 --- linux-2.6.39.3/block/bsg.c 2011-05-19 00:06:34.000000000 -0400
24645 +++ linux-2.6.39.3/block/bsg.c 2011-05-22 19:36:30.000000000 -0400
24646 @@ -176,16 +176,24 @@ static int blk_fill_sgv4_hdr_rq(struct r
24647 struct sg_io_v4 *hdr, struct bsg_device *bd,
24648 fmode_t has_write_perm)
24649 {
24650 + unsigned char tmpcmd[sizeof(rq->__cmd)];
24651 + unsigned char *cmdptr;
24652 +
24653 if (hdr->request_len > BLK_MAX_CDB) {
24654 rq->cmd = kzalloc(hdr->request_len, GFP_KERNEL);
24655 if (!rq->cmd)
24656 return -ENOMEM;
24657 - }
24658 + cmdptr = rq->cmd;
24659 + } else
24660 + cmdptr = tmpcmd;
24661
24662 - if (copy_from_user(rq->cmd, (void *)(unsigned long)hdr->request,
24663 + if (copy_from_user(cmdptr, (void *)(unsigned long)hdr->request,
24664 hdr->request_len))
24665 return -EFAULT;
24666
24667 + if (cmdptr != rq->cmd)
24668 + memcpy(rq->cmd, cmdptr, hdr->request_len);
24669 +
24670 if (hdr->subprotocol == BSG_SUB_PROTOCOL_SCSI_CMD) {
24671 if (blk_verify_command(rq->cmd, has_write_perm))
24672 return -EPERM;
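Review bot: `tmpcmd` is sized with `sizeof(rq->__cmd)` while the branch that selects it is guarded by `hdr->request_len > BLK_MAX_CDB`, so the `copy_from_user` into the stack buffer is in bounds only if those two values agree, and nothing in the hunk ties them together. A `BUILD_BUG_ON(sizeof(tmpcmd) < BLK_MAX_CDB);` next to the declaration would pin that down, and a one-line comment saying why the command is bounced through the stack before the `memcpy` into `rq->cmd` would help the next reader. The `} else` branch is also left unbraced although the `if` branch has braces. The same bounce pattern is added to blk_fill_sghdr_rq and sg_scsi_ioctl in block/scsi_ioctl.c, where any bound on `hdr->cmd_len` and `cmdlen` lies outside the hunks and should be confirmed against `sizeof(rq->__cmd)`. The body of blk_fill_sgv4_hdr_rq continues outside this hunk.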
24673 diff -urNp linux-2.6.39.3/block/scsi_ioctl.c linux-2.6.39.3/block/scsi_ioctl.c
24674 --- linux-2.6.39.3/block/scsi_ioctl.c 2011-05-19 00:06:34.000000000 -0400
24675 +++ linux-2.6.39.3/block/scsi_ioctl.c 2011-05-22 19:36:30.000000000 -0400
24676 @@ -222,8 +222,20 @@ EXPORT_SYMBOL(blk_verify_command);
24677 static int blk_fill_sghdr_rq(struct request_queue *q, struct request *rq,
24678 struct sg_io_hdr *hdr, fmode_t mode)
24679 {
24680 - if (copy_from_user(rq->cmd, hdr->cmdp, hdr->cmd_len))
24681 + unsigned char tmpcmd[sizeof(rq->__cmd)];
24682 + unsigned char *cmdptr;
24683 +
24684 + if (rq->cmd != rq->__cmd)
24685 + cmdptr = rq->cmd;
24686 + else
24687 + cmdptr = tmpcmd;
24688 +
24689 + if (copy_from_user(cmdptr, hdr->cmdp, hdr->cmd_len))
24690 return -EFAULT;
24691 +
24692 + if (cmdptr != rq->cmd)
24693 + memcpy(rq->cmd, cmdptr, hdr->cmd_len);
24694 +
24695 if (blk_verify_command(rq->cmd, mode & FMODE_WRITE))
24696 return -EPERM;
24697
24698 @@ -432,6 +444,8 @@ int sg_scsi_ioctl(struct request_queue *
24699 int err;
24700 unsigned int in_len, out_len, bytes, opcode, cmdlen;
24701 char *buffer = NULL, sense[SCSI_SENSE_BUFFERSIZE];
24702 + unsigned char tmpcmd[sizeof(rq->__cmd)];
24703 + unsigned char *cmdptr;
24704
24705 if (!sic)
24706 return -EINVAL;
24707 @@ -465,9 +479,18 @@ int sg_scsi_ioctl(struct request_queue *
24708 */
24709 err = -EFAULT;
24710 rq->cmd_len = cmdlen;
24711 - if (copy_from_user(rq->cmd, sic->data, cmdlen))
24712 +
24713 + if (rq->cmd != rq->__cmd)
24714 + cmdptr = rq->cmd;
24715 + else
24716 + cmdptr = tmpcmd;
24717 +
24718 + if (copy_from_user(cmdptr, sic->data, cmdlen))
24719 goto error;
24720
24721 + if (rq->cmd != cmdptr)
24722 + memcpy(rq->cmd, cmdptr, cmdlen);
24723 +
24724 if (in_len && copy_from_user(buffer, sic->data + cmdlen, in_len))
24725 goto error;
24726
24727 diff -urNp linux-2.6.39.3/crypto/gf128mul.c linux-2.6.39.3/crypto/gf128mul.c
24728 --- linux-2.6.39.3/crypto/gf128mul.c 2011-05-19 00:06:34.000000000 -0400
24729 +++ linux-2.6.39.3/crypto/gf128mul.c 2011-07-06 20:00:14.000000000 -0400
24730 @@ -182,7 +182,7 @@ void gf128mul_lle(be128 *r, const be128
24731 for (i = 0; i < 7; ++i)
24732 gf128mul_x_lle(&p[i + 1], &p[i]);
24733
24734 - memset(r, 0, sizeof(r));
24735 + memset(r, 0, sizeof(*r));
24736 for (i = 0;;) {
24737 u8 ch = ((u8 *)b)[15 - i];
24738
24739 @@ -220,7 +220,7 @@ void gf128mul_bbe(be128 *r, const be128
24740 for (i = 0; i < 7; ++i)
24741 gf128mul_x_bbe(&p[i + 1], &p[i]);
24742
24743 - memset(r, 0, sizeof(r));
24744 + memset(r, 0, sizeof(*r));
24745 for (i = 0;;) {
24746 u8 ch = ((u8 *)b)[i];
24747
24748 diff -urNp linux-2.6.39.3/crypto/serpent.c linux-2.6.39.3/crypto/serpent.c
24749 --- linux-2.6.39.3/crypto/serpent.c 2011-05-19 00:06:34.000000000 -0400
24750 +++ linux-2.6.39.3/crypto/serpent.c 2011-05-22 19:36:30.000000000 -0400
24751 @@ -224,6 +224,8 @@ static int serpent_setkey(struct crypto_
24752 u32 r0,r1,r2,r3,r4;
24753 int i;
24754
24755 + pax_track_stack();
24756 +
24757 /* Copy key, add padding */
24758
24759 for (i = 0; i < keylen; ++i)
24760 diff -urNp linux-2.6.39.3/Documentation/dontdiff linux-2.6.39.3/Documentation/dontdiff
24761 --- linux-2.6.39.3/Documentation/dontdiff 2011-05-19 00:06:34.000000000 -0400
24762 +++ linux-2.6.39.3/Documentation/dontdiff 2011-05-22 19:36:30.000000000 -0400
24763 @@ -1,13 +1,16 @@
24764 *.a
24765 *.aux
24766 *.bin
24767 +*.cis
24768 *.cpio
24769 *.csp
24770 +*.dbg
24771 *.dsp
24772 *.dvi
24773 *.elf
24774 *.eps
24775 *.fw
24776 +*.gcno
24777 *.gen.S
24778 *.gif
24779 *.grep
24780 @@ -38,8 +41,10 @@
24781 *.tab.h
24782 *.tex
24783 *.ver
24784 +*.vim
24785 *.xml
24786 *_MODULES
24787 +*_reg_safe.h
24788 *_vga16.c
24789 *~
24790 *.9
24791 @@ -49,11 +54,16 @@
24792 53c700_d.h
24793 CVS
24794 ChangeSet
24795 +GPATH
24796 +GRTAGS
24797 +GSYMS
24798 +GTAGS
24799 Image
24800 Kerntypes
24801 Module.markers
24802 Module.symvers
24803 PENDING
24804 +PERF*
24805 SCCS
24806 System.map*
24807 TAGS
24808 @@ -80,8 +90,11 @@ btfixupprep
24809 build
24810 bvmlinux
24811 bzImage*
24812 +capability_names.h
24813 capflags.c
24814 classlist.h*
24815 +clut_vga16.c
24816 +common-cmds.h
24817 comp*.log
24818 compile.h*
24819 conf
24820 @@ -106,16 +119,19 @@ fore200e_mkfirm
24821 fore200e_pca_fw.c*
24822 gconf
24823 gen-devlist
24824 +gen-kdb_cmds.c
24825 gen_crc32table
24826 gen_init_cpio
24827 generated
24828 genheaders
24829 genksyms
24830 *_gray256.c
24831 +hash
24832 ihex2fw
24833 ikconfig.h*
24834 inat-tables.c
24835 initramfs_data.cpio
24836 +initramfs_data.cpio.bz2
24837 initramfs_data.cpio.gz
24838 initramfs_list
24839 int16.c
24840 @@ -125,7 +141,6 @@ int32.c
24841 int4.c
24842 int8.c
24843 kallsyms
24844 -kconfig
24845 keywords.c
24846 ksym.c*
24847 ksym.h*
24848 @@ -149,7 +164,9 @@ mkboot
24849 mkbugboot
24850 mkcpustr
24851 mkdep
24852 +mkpiggy
24853 mkprep
24854 +mkregtable
24855 mktables
24856 mktree
24857 modpost
24858 @@ -165,6 +182,7 @@ parse.h
24859 patches*
24860 pca200e.bin
24861 pca200e_ecd.bin2
24862 +perf-archive
24863 piggy.gz
24864 piggyback
24865 piggy.S
24866 @@ -180,7 +198,9 @@ r600_reg_safe.h
24867 raid6altivec*.c
24868 raid6int*.c
24869 raid6tables.c
24870 +regdb.c
24871 relocs
24872 +rlim_names.h
24873 rn50_reg_safe.h
24874 rs600_reg_safe.h
24875 rv515_reg_safe.h
24876 @@ -189,6 +209,7 @@ setup
24877 setup.bin
24878 setup.elf
24879 sImage
24880 +slabinfo
24881 sm_tbl*
24882 split-include
24883 syscalltab.h
24884 @@ -213,13 +234,17 @@ version.h*
24885 vmlinux
24886 vmlinux-*
24887 vmlinux.aout
24888 +vmlinux.bin.all
24889 +vmlinux.bin.bz2
24890 vmlinux.lds
24891 +vmlinux.relocs
24892 voffset.h
24893 vsyscall.lds
24894 vsyscall_32.lds
24895 wanxlfw.inc
24896 uImage
24897 unifdef
24898 +utsrelease.h
24899 wakeup.bin
24900 wakeup.elf
24901 wakeup.lds
24902 diff -urNp linux-2.6.39.3/Documentation/filesystems/configfs/configfs_example_macros.c linux-2.6.39.3/Documentation/filesystems/configfs/configfs_example_macros.c
24903 --- linux-2.6.39.3/Documentation/filesystems/configfs/configfs_example_macros.c 2011-05-19 00:06:34.000000000 -0400
24904 +++ linux-2.6.39.3/Documentation/filesystems/configfs/configfs_example_macros.c 2011-05-22 19:36:30.000000000 -0400
24905 @@ -368,7 +368,7 @@ static struct configfs_item_operations g
24906 * Note that, since no extra work is required on ->drop_item(),
24907 * no ->drop_item() is provided.
24908 */
24909 -static struct configfs_group_operations group_children_group_ops = {
24910 +static const struct configfs_group_operations group_children_group_ops = {
24911 .make_group = group_children_make_group,
24912 };
24913
24914 diff -urNp linux-2.6.39.3/Documentation/filesystems/sysfs.txt linux-2.6.39.3/Documentation/filesystems/sysfs.txt
24915 --- linux-2.6.39.3/Documentation/filesystems/sysfs.txt 2011-05-19 00:06:34.000000000 -0400
24916 +++ linux-2.6.39.3/Documentation/filesystems/sysfs.txt 2011-05-22 19:36:30.000000000 -0400
24917 @@ -125,8 +125,8 @@ set of sysfs operations for forwarding r
24918 show and store methods of the attribute owners.
24919
24920 struct sysfs_ops {
24921 - ssize_t (*show)(struct kobject *, struct attribute *, char *);
24922 - ssize_t (*store)(struct kobject *, struct attribute *, const char *, size_t);
24923 + ssize_t (* const show)(struct kobject *, struct attribute *, char *);
24924 + ssize_t (* const store)(struct kobject *, struct attribute *, const char *, size_t);
24925 };
24926
24927 [ Subsystems should have already defined a struct kobj_type as a
24928 diff -urNp linux-2.6.39.3/Documentation/kernel-parameters.txt linux-2.6.39.3/Documentation/kernel-parameters.txt
24929 --- linux-2.6.39.3/Documentation/kernel-parameters.txt 2011-06-25 12:55:22.000000000 -0400
24930 +++ linux-2.6.39.3/Documentation/kernel-parameters.txt 2011-06-25 13:00:25.000000000 -0400
24931 @@ -1879,6 +1879,13 @@ bytes respectively. Such letter suffixes
24932 the specified number of seconds. This is to be used if
24933 your oopses keep scrolling off the screen.
24934
24935 + pax_nouderef [X86] disables UDEREF. Most likely needed under certain
24936 + virtualization environments that don't cope well with the
24937 + expand down segment used by UDEREF on X86-32 or the frequent
24938 + page table updates on X86-64.
24939 +
24940 + pax_softmode= 0/1 to disable/enable PaX softmode on boot already.
24941 +
24942 pcbit= [HW,ISDN]
24943
24944 pcd. [PARIDE]
24945 diff -urNp linux-2.6.39.3/drivers/acpi/acpi_ipmi.c linux-2.6.39.3/drivers/acpi/acpi_ipmi.c
24946 --- linux-2.6.39.3/drivers/acpi/acpi_ipmi.c 2011-05-19 00:06:34.000000000 -0400
24947 +++ linux-2.6.39.3/drivers/acpi/acpi_ipmi.c 2011-05-22 19:36:30.000000000 -0400
24948 @@ -70,7 +70,7 @@ struct acpi_ipmi_device {
24949 struct ipmi_driver_data {
24950 struct list_head ipmi_devices;
24951 struct ipmi_smi_watcher bmc_events;
24952 - struct ipmi_user_hndl ipmi_hndlrs;
24953 + const struct ipmi_user_hndl ipmi_hndlrs;
24954 struct mutex ipmi_lock;
24955 };
24956
24957 diff -urNp linux-2.6.39.3/drivers/acpi/apei/cper.c linux-2.6.39.3/drivers/acpi/apei/cper.c
24958 --- linux-2.6.39.3/drivers/acpi/apei/cper.c 2011-05-19 00:06:34.000000000 -0400
24959 +++ linux-2.6.39.3/drivers/acpi/apei/cper.c 2011-05-22 19:36:30.000000000 -0400
24960 @@ -38,12 +38,12 @@
24961 */
24962 u64 cper_next_record_id(void)
24963 {
24964 - static atomic64_t seq;
24965 + static atomic64_unchecked_t seq;
24966
24967 - if (!atomic64_read(&seq))
24968 - atomic64_set(&seq, ((u64)get_seconds()) << 32);
24969 + if (!atomic64_read_unchecked(&seq))
24970 + atomic64_set_unchecked(&seq, ((u64)get_seconds()) << 32);
24971
24972 - return atomic64_inc_return(&seq);
24973 + return atomic64_inc_return_unchecked(&seq);
24974 }
24975 EXPORT_SYMBOL_GPL(cper_next_record_id);
24976
24977 diff -urNp linux-2.6.39.3/drivers/acpi/battery.c linux-2.6.39.3/drivers/acpi/battery.c
24978 --- linux-2.6.39.3/drivers/acpi/battery.c 2011-05-19 00:06:34.000000000 -0400
24979 +++ linux-2.6.39.3/drivers/acpi/battery.c 2011-05-22 19:36:30.000000000 -0400
24980 @@ -864,7 +864,7 @@ DECLARE_FILE_FUNCTIONS(alarm);
24981 }
24982
24983 static struct battery_file {
24984 - struct file_operations ops;
24985 + const struct file_operations ops;
24986 mode_t mode;
24987 const char *name;
24988 } acpi_battery_file[] = {
24989 diff -urNp linux-2.6.39.3/drivers/acpi/dock.c linux-2.6.39.3/drivers/acpi/dock.c
24990 --- linux-2.6.39.3/drivers/acpi/dock.c 2011-05-19 00:06:34.000000000 -0400
24991 +++ linux-2.6.39.3/drivers/acpi/dock.c 2011-05-22 19:36:30.000000000 -0400
24992 @@ -77,7 +77,7 @@ struct dock_dependent_device {
24993 struct list_head list;
24994 struct list_head hotplug_list;
24995 acpi_handle handle;
24996 - struct acpi_dock_ops *ops;
24997 + const struct acpi_dock_ops *ops;
24998 void *context;
24999 };
25000
25001 @@ -589,7 +589,7 @@ EXPORT_SYMBOL_GPL(unregister_dock_notifi
25002 * the dock driver after _DCK is executed.
25003 */
25004 int
25005 -register_hotplug_dock_device(acpi_handle handle, struct acpi_dock_ops *ops,
25006 +register_hotplug_dock_device(acpi_handle handle, const struct acpi_dock_ops *ops,
25007 void *context)
25008 {
25009 struct dock_dependent_device *dd;
25010 diff -urNp linux-2.6.39.3/drivers/acpi/ec_sys.c linux-2.6.39.3/drivers/acpi/ec_sys.c
25011 --- linux-2.6.39.3/drivers/acpi/ec_sys.c 2011-05-19 00:06:34.000000000 -0400
25012 +++ linux-2.6.39.3/drivers/acpi/ec_sys.c 2011-05-22 19:36:30.000000000 -0400
25013 @@ -92,7 +92,7 @@ static ssize_t acpi_ec_write_io(struct f
25014 return count;
25015 }
25016
25017 -static struct file_operations acpi_ec_io_ops = {
25018 +static const struct file_operations acpi_ec_io_ops = {
25019 .owner = THIS_MODULE,
25020 .open = acpi_ec_open_io,
25021 .read = acpi_ec_read_io,
25022 diff -urNp linux-2.6.39.3/drivers/acpi/fan.c linux-2.6.39.3/drivers/acpi/fan.c
25023 --- linux-2.6.39.3/drivers/acpi/fan.c 2011-05-19 00:06:34.000000000 -0400
25024 +++ linux-2.6.39.3/drivers/acpi/fan.c 2011-05-22 19:36:30.000000000 -0400
25025 @@ -110,7 +110,7 @@ fan_set_cur_state(struct thermal_cooling
25026 return result;
25027 }
25028
25029 -static struct thermal_cooling_device_ops fan_cooling_ops = {
25030 +static const struct thermal_cooling_device_ops fan_cooling_ops = {
25031 .get_max_state = fan_get_max_state,
25032 .get_cur_state = fan_get_cur_state,
25033 .set_cur_state = fan_set_cur_state,
25034 diff -urNp linux-2.6.39.3/drivers/acpi/power_meter.c linux-2.6.39.3/drivers/acpi/power_meter.c
25035 --- linux-2.6.39.3/drivers/acpi/power_meter.c 2011-05-19 00:06:34.000000000 -0400
25036 +++ linux-2.6.39.3/drivers/acpi/power_meter.c 2011-05-22 19:36:30.000000000 -0400
25037 @@ -316,8 +316,6 @@ static ssize_t set_trip(struct device *d
25038 return res;
25039
25040 temp /= 1000;
25041 - if (temp < 0)
25042 - return -EINVAL;
25043
25044 mutex_lock(&resource->lock);
25045 resource->trip[attr->index - 7] = temp;
25046 diff -urNp linux-2.6.39.3/drivers/acpi/proc.c linux-2.6.39.3/drivers/acpi/proc.c
25047 --- linux-2.6.39.3/drivers/acpi/proc.c 2011-05-19 00:06:34.000000000 -0400
25048 +++ linux-2.6.39.3/drivers/acpi/proc.c 2011-05-22 19:36:30.000000000 -0400
25049 @@ -342,19 +342,13 @@ acpi_system_write_wakeup_device(struct f
25050 size_t count, loff_t * ppos)
25051 {
25052 struct list_head *node, *next;
25053 - char strbuf[5];
25054 - char str[5] = "";
25055 - unsigned int len = count;
25056 -
25057 - if (len > 4)
25058 - len = 4;
25059 - if (len < 0)
25060 - return -EFAULT;
25061 + char strbuf[5] = {0};
25062
25063 - if (copy_from_user(strbuf, buffer, len))
25064 + if (count > 4)
25065 + count = 4;
25066 + if (copy_from_user(strbuf, buffer, count))
25067 return -EFAULT;
25068 - strbuf[len] = '\0';
25069 - sscanf(strbuf, "%s", str);
25070 + strbuf[count] = '\0';
25071
25072 mutex_lock(&acpi_device_lock);
25073 list_for_each_safe(node, next, &acpi_wakeup_device_list) {
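Review bot: Dropping `sscanf(strbuf, "%s", str)` means surrounding whitespace is no longer stripped from the user's input, so a write such as `EC0\n` now reaches `strncmp(dev->pnp.bus_id, strbuf, 4)` in the next hunk with the newline still in the buffer and will not match a bus_id shorter than four characters. Whether such short bus_ids occur is not visible here, but the old code tolerated them. Trimming before the loop keeps that behaviour, for example `if (count && strbuf[count - 1] == '\n') strbuf[count - 1] = '\0';`. Clamping `count` itself also changes the value reported back to the writer if the function returns `count` at its end, which is outside this hunk.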
25074 @@ -363,7 +357,7 @@ acpi_system_write_wakeup_device(struct f
25075 if (!dev->wakeup.flags.valid)
25076 continue;
25077
25078 - if (!strncmp(dev->pnp.bus_id, str, 4)) {
25079 + if (!strncmp(dev->pnp.bus_id, strbuf, 4)) {
25080 if (device_can_wakeup(&dev->dev)) {
25081 bool enable = !device_may_wakeup(&dev->dev);
25082 device_set_wakeup_enable(&dev->dev, enable);
25083 diff -urNp linux-2.6.39.3/drivers/acpi/processor_driver.c linux-2.6.39.3/drivers/acpi/processor_driver.c
25084 --- linux-2.6.39.3/drivers/acpi/processor_driver.c 2011-05-19 00:06:34.000000000 -0400
25085 +++ linux-2.6.39.3/drivers/acpi/processor_driver.c 2011-05-22 19:36:30.000000000 -0400
25086 @@ -473,7 +473,7 @@ static int __cpuinit acpi_processor_add(
25087 return 0;
25088 #endif
25089
25090 - BUG_ON((pr->id >= nr_cpu_ids) || (pr->id < 0));
25091 + BUG_ON(pr->id >= nr_cpu_ids);
25092
25093 /*
25094 * Buggy BIOS check
25095 diff -urNp linux-2.6.39.3/drivers/acpi/processor_idle.c linux-2.6.39.3/drivers/acpi/processor_idle.c
25096 --- linux-2.6.39.3/drivers/acpi/processor_idle.c 2011-05-19 00:06:34.000000000 -0400
25097 +++ linux-2.6.39.3/drivers/acpi/processor_idle.c 2011-05-22 19:36:30.000000000 -0400
25098 @@ -121,7 +121,7 @@ static struct dmi_system_id __cpuinitdat
25099 DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK Computer Inc."),
25100 DMI_MATCH(DMI_PRODUCT_NAME,"L8400B series Notebook PC")},
25101 (void *)1},
25102 - {},
25103 + {}
25104 };
25105
25106
25107 diff -urNp linux-2.6.39.3/drivers/acpi/processor_thermal.c linux-2.6.39.3/drivers/acpi/processor_thermal.c
25108 --- linux-2.6.39.3/drivers/acpi/processor_thermal.c 2011-05-19 00:06:34.000000000 -0400
25109 +++ linux-2.6.39.3/drivers/acpi/processor_thermal.c 2011-05-22 19:36:30.000000000 -0400
25110 @@ -244,7 +244,7 @@ processor_set_cur_state(struct thermal_c
25111 return result;
25112 }
25113
25114 -struct thermal_cooling_device_ops processor_cooling_ops = {
25115 +const struct thermal_cooling_device_ops processor_cooling_ops = {
25116 .get_max_state = processor_get_max_state,
25117 .get_cur_state = processor_get_cur_state,
25118 .set_cur_state = processor_set_cur_state,
25119 diff -urNp linux-2.6.39.3/drivers/acpi/sysfs.c linux-2.6.39.3/drivers/acpi/sysfs.c
25120 --- linux-2.6.39.3/drivers/acpi/sysfs.c 2011-05-19 00:06:34.000000000 -0400
25121 +++ linux-2.6.39.3/drivers/acpi/sysfs.c 2011-05-22 19:36:30.000000000 -0400
25122 @@ -149,12 +149,12 @@ static int param_get_debug_level(char *b
25123 return result;
25124 }
25125
25126 -static struct kernel_param_ops param_ops_debug_layer = {
25127 +static const struct kernel_param_ops param_ops_debug_layer = {
25128 .set = param_set_uint,
25129 .get = param_get_debug_layer,
25130 };
25131
25132 -static struct kernel_param_ops param_ops_debug_level = {
25133 +static const struct kernel_param_ops param_ops_debug_level = {
25134 .set = param_set_uint,
25135 .get = param_get_debug_level,
25136 };
25137 diff -urNp linux-2.6.39.3/drivers/acpi/thermal.c linux-2.6.39.3/drivers/acpi/thermal.c
25138 --- linux-2.6.39.3/drivers/acpi/thermal.c 2011-05-19 00:06:34.000000000 -0400
25139 +++ linux-2.6.39.3/drivers/acpi/thermal.c 2011-05-22 19:36:30.000000000 -0400
25140 @@ -812,7 +812,7 @@ acpi_thermal_unbind_cooling_device(struc
25141 thermal_zone_unbind_cooling_device);
25142 }
25143
25144 -static struct thermal_zone_device_ops acpi_thermal_zone_ops = {
25145 +static const struct thermal_zone_device_ops acpi_thermal_zone_ops = {
25146 .bind = acpi_thermal_bind_cooling_device,
25147 .unbind = acpi_thermal_unbind_cooling_device,
25148 .get_temp = thermal_get_temp,
25149 diff -urNp linux-2.6.39.3/drivers/acpi/video.c linux-2.6.39.3/drivers/acpi/video.c
25150 --- linux-2.6.39.3/drivers/acpi/video.c 2011-05-19 00:06:34.000000000 -0400
25151 +++ linux-2.6.39.3/drivers/acpi/video.c 2011-05-22 19:36:30.000000000 -0400
25152 @@ -308,7 +308,7 @@ video_set_cur_state(struct thermal_cooli
25153 return acpi_video_device_lcd_set_level(video, level);
25154 }
25155
25156 -static struct thermal_cooling_device_ops video_cooling_ops = {
25157 +static const struct thermal_cooling_device_ops video_cooling_ops = {
25158 .get_max_state = video_get_max_state,
25159 .get_cur_state = video_get_cur_state,
25160 .set_cur_state = video_set_cur_state,
25161 diff -urNp linux-2.6.39.3/drivers/ata/acard-ahci.c linux-2.6.39.3/drivers/ata/acard-ahci.c
25162 --- linux-2.6.39.3/drivers/ata/acard-ahci.c 2011-05-19 00:06:34.000000000 -0400
25163 +++ linux-2.6.39.3/drivers/ata/acard-ahci.c 2011-05-22 19:36:30.000000000 -0400
25164 @@ -87,7 +87,7 @@ static struct scsi_host_template acard_a
25165 AHCI_SHT("acard-ahci"),
25166 };
25167
25168 -static struct ata_port_operations acard_ops = {
25169 +static const struct ata_port_operations acard_ops = {
25170 .inherits = &ahci_ops,
25171 .qc_prep = acard_ahci_qc_prep,
25172 .qc_fill_rtf = acard_ahci_qc_fill_rtf,
25173 diff -urNp linux-2.6.39.3/drivers/ata/ahci.c linux-2.6.39.3/drivers/ata/ahci.c
25174 --- linux-2.6.39.3/drivers/ata/ahci.c 2011-05-19 00:06:34.000000000 -0400
25175 +++ linux-2.6.39.3/drivers/ata/ahci.c 2011-05-22 19:36:30.000000000 -0400
25176 @@ -94,17 +94,17 @@ static struct scsi_host_template ahci_sh
25177 AHCI_SHT("ahci"),
25178 };
25179
25180 -static struct ata_port_operations ahci_vt8251_ops = {
25181 +static const struct ata_port_operations ahci_vt8251_ops = {
25182 .inherits = &ahci_ops,
25183 .hardreset = ahci_vt8251_hardreset,
25184 };
25185
25186 -static struct ata_port_operations ahci_p5wdh_ops = {
25187 +static const struct ata_port_operations ahci_p5wdh_ops = {
25188 .inherits = &ahci_ops,
25189 .hardreset = ahci_p5wdh_hardreset,
25190 };
25191
25192 -static struct ata_port_operations ahci_sb600_ops = {
25193 +static const struct ata_port_operations ahci_sb600_ops = {
25194 .inherits = &ahci_ops,
25195 .softreset = ahci_sb600_softreset,
25196 .pmp_softreset = ahci_sb600_softreset,
25197 diff -urNp linux-2.6.39.3/drivers/ata/ahci.h linux-2.6.39.3/drivers/ata/ahci.h
25198 --- linux-2.6.39.3/drivers/ata/ahci.h 2011-05-19 00:06:34.000000000 -0400
25199 +++ linux-2.6.39.3/drivers/ata/ahci.h 2011-05-22 19:36:30.000000000 -0400
25200 @@ -311,7 +311,7 @@ extern struct device_attribute *ahci_sde
25201 .shost_attrs = ahci_shost_attrs, \
25202 .sdev_attrs = ahci_sdev_attrs
25203
25204 -extern struct ata_port_operations ahci_ops;
25205 +extern const struct ata_port_operations ahci_ops;
25206
25207 void ahci_fill_cmd_slot(struct ahci_port_priv *pp, unsigned int tag,
25208 u32 opts);
25209 diff -urNp linux-2.6.39.3/drivers/ata/ata_generic.c linux-2.6.39.3/drivers/ata/ata_generic.c
25210 --- linux-2.6.39.3/drivers/ata/ata_generic.c 2011-05-19 00:06:34.000000000 -0400
25211 +++ linux-2.6.39.3/drivers/ata/ata_generic.c 2011-05-22 19:36:30.000000000 -0400
25212 @@ -101,7 +101,7 @@ static struct scsi_host_template generic
25213 ATA_BMDMA_SHT(DRV_NAME),
25214 };
25215
25216 -static struct ata_port_operations generic_port_ops = {
25217 +static const struct ata_port_operations generic_port_ops = {
25218 .inherits = &ata_bmdma_port_ops,
25219 .cable_detect = ata_cable_unknown,
25220 .set_mode = generic_set_mode,
25221 diff -urNp linux-2.6.39.3/drivers/ata/ata_piix.c linux-2.6.39.3/drivers/ata/ata_piix.c
25222 --- linux-2.6.39.3/drivers/ata/ata_piix.c 2011-05-19 00:06:34.000000000 -0400
25223 +++ linux-2.6.39.3/drivers/ata/ata_piix.c 2011-05-22 19:36:30.000000000 -0400
25224 @@ -335,12 +335,12 @@ static struct scsi_host_template piix_sh
25225 ATA_BMDMA_SHT(DRV_NAME),
25226 };
25227
25228 -static struct ata_port_operations piix_sata_ops = {
25229 +static const struct ata_port_operations piix_sata_ops = {
25230 .inherits = &ata_bmdma32_port_ops,
25231 .sff_irq_check = piix_irq_check,
25232 };
25233
25234 -static struct ata_port_operations piix_pata_ops = {
25235 +static const struct ata_port_operations piix_pata_ops = {
25236 .inherits = &piix_sata_ops,
25237 .cable_detect = ata_cable_40wire,
25238 .set_piomode = piix_set_piomode,
25239 @@ -348,12 +348,12 @@ static struct ata_port_operations piix_p
25240 .prereset = piix_pata_prereset,
25241 };
25242
25243 -static struct ata_port_operations piix_vmw_ops = {
25244 +static const struct ata_port_operations piix_vmw_ops = {
25245 .inherits = &piix_pata_ops,
25246 .bmdma_status = piix_vmw_bmdma_status,
25247 };
25248
25249 -static struct ata_port_operations ich_pata_ops = {
25250 +static const struct ata_port_operations ich_pata_ops = {
25251 .inherits = &piix_pata_ops,
25252 .cable_detect = ich_pata_cable_detect,
25253 .set_dmamode = ich_set_dmamode,
25254 @@ -369,7 +369,7 @@ static struct scsi_host_template piix_si
25255 .shost_attrs = piix_sidpr_shost_attrs,
25256 };
25257
25258 -static struct ata_port_operations piix_sidpr_sata_ops = {
25259 +static const struct ata_port_operations piix_sidpr_sata_ops = {
25260 .inherits = &piix_sata_ops,
25261 .hardreset = sata_std_hardreset,
25262 .scr_read = piix_sidpr_scr_read,
25263 diff -urNp linux-2.6.39.3/drivers/ata/libahci.c linux-2.6.39.3/drivers/ata/libahci.c
25264 --- linux-2.6.39.3/drivers/ata/libahci.c 2011-05-19 00:06:34.000000000 -0400
25265 +++ linux-2.6.39.3/drivers/ata/libahci.c 2011-05-22 19:36:30.000000000 -0400
25266 @@ -141,7 +141,7 @@ struct device_attribute *ahci_sdev_attrs
25267 };
25268 EXPORT_SYMBOL_GPL(ahci_sdev_attrs);
25269
25270 -struct ata_port_operations ahci_ops = {
25271 +const struct ata_port_operations ahci_ops = {
25272 .inherits = &sata_pmp_port_ops,
25273
25274 .qc_defer = ahci_pmp_qc_defer,
25275 diff -urNp linux-2.6.39.3/drivers/ata/libata-acpi.c linux-2.6.39.3/drivers/ata/libata-acpi.c
25276 --- linux-2.6.39.3/drivers/ata/libata-acpi.c 2011-05-19 00:06:34.000000000 -0400
25277 +++ linux-2.6.39.3/drivers/ata/libata-acpi.c 2011-05-22 19:36:30.000000000 -0400
25278 @@ -218,12 +218,12 @@ static void ata_acpi_dev_uevent(acpi_han
25279 ata_acpi_uevent(dev->link->ap, dev, event);
25280 }
25281
25282 -static struct acpi_dock_ops ata_acpi_dev_dock_ops = {
25283 +static const struct acpi_dock_ops ata_acpi_dev_dock_ops = {
25284 .handler = ata_acpi_dev_notify_dock,
25285 .uevent = ata_acpi_dev_uevent,
25286 };
25287
25288 -static struct acpi_dock_ops ata_acpi_ap_dock_ops = {
25289 +static const struct acpi_dock_ops ata_acpi_ap_dock_ops = {
25290 .handler = ata_acpi_ap_notify_dock,
25291 .uevent = ata_acpi_ap_uevent,
25292 };
25293 diff -urNp linux-2.6.39.3/drivers/ata/libata-core.c linux-2.6.39.3/drivers/ata/libata-core.c
25294 --- linux-2.6.39.3/drivers/ata/libata-core.c 2011-05-19 00:06:34.000000000 -0400
25295 +++ linux-2.6.39.3/drivers/ata/libata-core.c 2011-05-22 19:36:30.000000000 -0400
25296 @@ -4747,7 +4747,7 @@ void ata_qc_free(struct ata_queued_cmd *
25297 struct ata_port *ap;
25298 unsigned int tag;
25299
25300 - WARN_ON_ONCE(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
25301 + BUG_ON(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
25302 ap = qc->ap;
25303
25304 qc->flags = 0;
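Review bot: The comment kept on the new `BUG_ON(qc == NULL)` line still only says that ata_qc_from_tag might return NULL; it does not say why the response was raised from a one-time warning to stopping the kernel. Since the next statement dereferences `qc`, something like `/* qc is dereferenced below; stop here rather than fault on a NULL pointer */` would record the intent. The same applies to the identical change in __ata_qc_complete in the following hunk. Both function bodies continue outside their hunks.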
25305 @@ -4763,7 +4763,7 @@ void __ata_qc_complete(struct ata_queued
25306 struct ata_port *ap;
25307 struct ata_link *link;
25308
25309 - WARN_ON_ONCE(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
25310 + BUG_ON(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
25311 WARN_ON_ONCE(!(qc->flags & ATA_QCFLAG_ACTIVE));
25312 ap = qc->ap;
25313 link = qc->dev->link;
25314 @@ -5756,7 +5756,7 @@ static void ata_host_stop(struct device
25315 * LOCKING:
25316 * None.
25317 */
25318 -static void ata_finalize_port_ops(struct ata_port_operations *ops)
25319 +static void ata_finalize_port_ops(const struct ata_port_operations *ops)
25320 {
25321 static DEFINE_SPINLOCK(lock);
25322 const struct ata_port_operations *cur;
25323 @@ -5768,6 +5768,7 @@ static void ata_finalize_port_ops(struct
25324 return;
25325
25326 spin_lock(&lock);
25327 + pax_open_kernel();
25328
25329 for (cur = ops->inherits; cur; cur = cur->inherits) {
25330 void **inherit = (void **)cur;
25331 @@ -5781,8 +5782,9 @@ static void ata_finalize_port_ops(struct
25332 if (IS_ERR(*pp))
25333 *pp = NULL;
25334
25335 - ops->inherits = NULL;
25336 + ((struct ata_port_operations *)ops)->inherits = NULL;
25337
25338 + pax_close_kernel();
25339 spin_unlock(&lock);
25340 }
25341
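Review bot: `ata_finalize_port_ops` now takes a `const` pointer and then writes through it, both via the cast in `((struct ata_port_operations *)ops)->inherits = NULL;` and via `*pp = NULL`, with nothing explaining that this is deliberate. A comment at `pax_open_kernel()` would help, e.g. `/* ops tables are const; they are only written inside this open/close window */`, assuming that is what the pair provides, since their definitions are not in view. It is also worth confirming that no path between `pax_open_kernel()` and `pax_close_kernel()` can leave the function early; none is visible, but parts of the body lie outside these hunks.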
25342 @@ -5879,7 +5881,7 @@ int ata_host_start(struct ata_host *host
25343 */
25344 /* KILLME - the only user left is ipr */
25345 void ata_host_init(struct ata_host *host, struct device *dev,
25346 - unsigned long flags, struct ata_port_operations *ops)
25347 + unsigned long flags, const struct ata_port_operations *ops)
25348 {
25349 spin_lock_init(&host->lock);
25350 mutex_init(&host->eh_mutex);
25351 @@ -6583,7 +6585,7 @@ static void ata_dummy_error_handler(stru
25352 /* truly dummy */
25353 }
25354
25355 -struct ata_port_operations ata_dummy_port_ops = {
25356 +const struct ata_port_operations ata_dummy_port_ops = {
25357 .qc_prep = ata_noop_qc_prep,
25358 .qc_issue = ata_dummy_qc_issue,
25359 .error_handler = ata_dummy_error_handler,
25360 diff -urNp linux-2.6.39.3/drivers/ata/libata-eh.c linux-2.6.39.3/drivers/ata/libata-eh.c
25361 --- linux-2.6.39.3/drivers/ata/libata-eh.c 2011-05-19 00:06:34.000000000 -0400
25362 +++ linux-2.6.39.3/drivers/ata/libata-eh.c 2011-05-22 19:36:30.000000000 -0400
25363 @@ -2518,6 +2518,8 @@ void ata_eh_report(struct ata_port *ap)
25364 {
25365 struct ata_link *link;
25366
25367 + pax_track_stack();
25368 +
25369 ata_for_each_link(link, ap, HOST_FIRST)
25370 ata_eh_link_report(link);
25371 }
25372 @@ -3922,7 +3924,7 @@ void ata_do_eh(struct ata_port *ap, ata_
25373 */
25374 void ata_std_error_handler(struct ata_port *ap)
25375 {
25376 - struct ata_port_operations *ops = ap->ops;
25377 + const struct ata_port_operations *ops = ap->ops;
25378 ata_reset_fn_t hardreset = ops->hardreset;
25379
25380 /* ignore built-in hardreset if SCR access is not available */
25381 diff -urNp linux-2.6.39.3/drivers/ata/libata-pmp.c linux-2.6.39.3/drivers/ata/libata-pmp.c
25382 --- linux-2.6.39.3/drivers/ata/libata-pmp.c 2011-05-19 00:06:34.000000000 -0400
25383 +++ linux-2.6.39.3/drivers/ata/libata-pmp.c 2011-05-22 19:36:30.000000000 -0400
25384 @@ -912,7 +912,7 @@ static int sata_pmp_handle_link_fail(str
25385 */
25386 static int sata_pmp_eh_recover(struct ata_port *ap)
25387 {
25388 - struct ata_port_operations *ops = ap->ops;
25389 + const struct ata_port_operations *ops = ap->ops;
25390 int pmp_tries, link_tries[SATA_PMP_MAX_PORTS];
25391 struct ata_link *pmp_link = &ap->link;
25392 struct ata_device *pmp_dev = pmp_link->device;
25393 diff -urNp linux-2.6.39.3/drivers/ata/pata_acpi.c linux-2.6.39.3/drivers/ata/pata_acpi.c
25394 --- linux-2.6.39.3/drivers/ata/pata_acpi.c 2011-05-19 00:06:34.000000000 -0400
25395 +++ linux-2.6.39.3/drivers/ata/pata_acpi.c 2011-05-22 19:36:30.000000000 -0400
25396 @@ -216,7 +216,7 @@ static struct scsi_host_template pacpi_s
25397 ATA_BMDMA_SHT(DRV_NAME),
25398 };
25399
25400 -static struct ata_port_operations pacpi_ops = {
25401 +static const struct ata_port_operations pacpi_ops = {
25402 .inherits = &ata_bmdma_port_ops,
25403 .qc_issue = pacpi_qc_issue,
25404 .cable_detect = pacpi_cable_detect,
25405 diff -urNp linux-2.6.39.3/drivers/ata/pata_ali.c linux-2.6.39.3/drivers/ata/pata_ali.c
25406 --- linux-2.6.39.3/drivers/ata/pata_ali.c 2011-05-19 00:06:34.000000000 -0400
25407 +++ linux-2.6.39.3/drivers/ata/pata_ali.c 2011-05-22 19:36:30.000000000 -0400
25408 @@ -363,7 +363,7 @@ static struct scsi_host_template ali_sht
25409 * Port operations for PIO only ALi
25410 */
25411
25412 -static struct ata_port_operations ali_early_port_ops = {
25413 +static const struct ata_port_operations ali_early_port_ops = {
25414 .inherits = &ata_sff_port_ops,
25415 .cable_detect = ata_cable_40wire,
25416 .set_piomode = ali_set_piomode,
25417 @@ -380,7 +380,7 @@ static const struct ata_port_operations
25418 * Port operations for DMA capable ALi without cable
25419 * detect
25420 */
25421 -static struct ata_port_operations ali_20_port_ops = {
25422 +static const struct ata_port_operations ali_20_port_ops = {
25423 .inherits = &ali_dma_base_ops,
25424 .cable_detect = ata_cable_40wire,
25425 .mode_filter = ali_20_filter,
25426 @@ -391,7 +391,7 @@ static struct ata_port_operations ali_20
25427 /*
25428 * Port operations for DMA capable ALi with cable detect
25429 */
25430 -static struct ata_port_operations ali_c2_port_ops = {
25431 +static const struct ata_port_operations ali_c2_port_ops = {
25432 .inherits = &ali_dma_base_ops,
25433 .check_atapi_dma = ali_check_atapi_dma,
25434 .cable_detect = ali_c2_cable_detect,
25435 @@ -402,7 +402,7 @@ static struct ata_port_operations ali_c2
25436 /*
25437 * Port operations for DMA capable ALi with cable detect
25438 */
25439 -static struct ata_port_operations ali_c4_port_ops = {
25440 +static const struct ata_port_operations ali_c4_port_ops = {
25441 .inherits = &ali_dma_base_ops,
25442 .check_atapi_dma = ali_check_atapi_dma,
25443 .cable_detect = ali_c2_cable_detect,
25444 @@ -412,7 +412,7 @@ static struct ata_port_operations ali_c4
25445 /*
25446 * Port operations for DMA capable ALi with cable detect and LBA48
25447 */
25448 -static struct ata_port_operations ali_c5_port_ops = {
25449 +static const struct ata_port_operations ali_c5_port_ops = {
25450 .inherits = &ali_dma_base_ops,
25451 .check_atapi_dma = ali_check_atapi_dma,
25452 .dev_config = ali_warn_atapi_dma,
25453 diff -urNp linux-2.6.39.3/drivers/ata/pata_amd.c linux-2.6.39.3/drivers/ata/pata_amd.c
25454 --- linux-2.6.39.3/drivers/ata/pata_amd.c 2011-05-19 00:06:34.000000000 -0400
25455 +++ linux-2.6.39.3/drivers/ata/pata_amd.c 2011-05-22 19:36:31.000000000 -0400
25456 @@ -397,28 +397,28 @@ static const struct ata_port_operations
25457 .prereset = amd_pre_reset,
25458 };
25459
25460 -static struct ata_port_operations amd33_port_ops = {
25461 +static const struct ata_port_operations amd33_port_ops = {
25462 .inherits = &amd_base_port_ops,
25463 .cable_detect = ata_cable_40wire,
25464 .set_piomode = amd33_set_piomode,
25465 .set_dmamode = amd33_set_dmamode,
25466 };
25467
25468 -static struct ata_port_operations amd66_port_ops = {
25469 +static const struct ata_port_operations amd66_port_ops = {
25470 .inherits = &amd_base_port_ops,
25471 .cable_detect = ata_cable_unknown,
25472 .set_piomode = amd66_set_piomode,
25473 .set_dmamode = amd66_set_dmamode,
25474 };
25475
25476 -static struct ata_port_operations amd100_port_ops = {
25477 +static const struct ata_port_operations amd100_port_ops = {
25478 .inherits = &amd_base_port_ops,
25479 .cable_detect = ata_cable_unknown,
25480 .set_piomode = amd100_set_piomode,
25481 .set_dmamode = amd100_set_dmamode,
25482 };
25483
25484 -static struct ata_port_operations amd133_port_ops = {
25485 +static const struct ata_port_operations amd133_port_ops = {
25486 .inherits = &amd_base_port_ops,
25487 .cable_detect = amd_cable_detect,
25488 .set_piomode = amd133_set_piomode,
25489 @@ -433,13 +433,13 @@ static const struct ata_port_operations
25490 .host_stop = nv_host_stop,
25491 };
25492
25493 -static struct ata_port_operations nv100_port_ops = {
25494 +static const struct ata_port_operations nv100_port_ops = {
25495 .inherits = &nv_base_port_ops,
25496 .set_piomode = nv100_set_piomode,
25497 .set_dmamode = nv100_set_dmamode,
25498 };
25499
25500 -static struct ata_port_operations nv133_port_ops = {
25501 +static const struct ata_port_operations nv133_port_ops = {
25502 .inherits = &nv_base_port_ops,
25503 .set_piomode = nv133_set_piomode,
25504 .set_dmamode = nv133_set_dmamode,
25505 diff -urNp linux-2.6.39.3/drivers/ata/pata_arasan_cf.c linux-2.6.39.3/drivers/ata/pata_arasan_cf.c
25506 --- linux-2.6.39.3/drivers/ata/pata_arasan_cf.c 2011-05-19 00:06:34.000000000 -0400
25507 +++ linux-2.6.39.3/drivers/ata/pata_arasan_cf.c 2011-05-22 19:36:31.000000000 -0400
25508 @@ -862,7 +862,9 @@ static int __devinit arasan_cf_probe(str
25509 /* Handle platform specific quirks */
25510 if (pdata->quirk) {
25511 if (pdata->quirk & CF_BROKEN_PIO) {
25512 - ap->ops->set_piomode = NULL;
25513 + pax_open_kernel();
25514 + *(void**)&ap->ops->set_piomode = NULL;
25515 + pax_close_kernel();
25516 ap->pio_mask = 0;
25517 }
25518 if (pdata->quirk & CF_BROKEN_MWDMA)
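Review bot: The store `*(void**)&ap->ops->set_piomode = NULL;` still writes through `ap->ops`, so it clears the hook in the operations table itself rather than for this port alone, and it now needs a pax_open_kernel()/pax_close_kernel() window to do so. The `void **` cast hides the const qualifier from the compiler, so a later copy of this pattern elsewhere would not be diagnosed. A narrower fix would be a second const operations table without `.set_piomode`, selected at probe time when CF_BROKEN_PIO is set, which needs no write to read-only data at all. If the write stays, a comment such as `/* quirk: ops table is read-only, patch it once at probe */` would explain the window. arasan_cf_probe() begins and ends outside this hunk, so whether the table is shared between devices is inferred rather than shown.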
25519 diff -urNp linux-2.6.39.3/drivers/ata/pata_artop.c linux-2.6.39.3/drivers/ata/pata_artop.c
25520 --- linux-2.6.39.3/drivers/ata/pata_artop.c 2011-05-19 00:06:34.000000000 -0400
25521 +++ linux-2.6.39.3/drivers/ata/pata_artop.c 2011-05-22 19:36:31.000000000 -0400
25522 @@ -312,7 +312,7 @@ static struct scsi_host_template artop_s
25523 ATA_BMDMA_SHT(DRV_NAME),
25524 };
25525
25526 -static struct ata_port_operations artop6210_ops = {
25527 +static const struct ata_port_operations artop6210_ops = {
25528 .inherits = &ata_bmdma_port_ops,
25529 .cable_detect = ata_cable_40wire,
25530 .set_piomode = artop6210_set_piomode,
25531 @@ -321,7 +321,7 @@ static struct ata_port_operations artop6
25532 .qc_defer = artop6210_qc_defer,
25533 };
25534
25535 -static struct ata_port_operations artop6260_ops = {
25536 +static const struct ata_port_operations artop6260_ops = {
25537 .inherits = &ata_bmdma_port_ops,
25538 .cable_detect = artop6260_cable_detect,
25539 .set_piomode = artop6260_set_piomode,
25540 diff -urNp linux-2.6.39.3/drivers/ata/pata_at32.c linux-2.6.39.3/drivers/ata/pata_at32.c
25541 --- linux-2.6.39.3/drivers/ata/pata_at32.c 2011-05-19 00:06:34.000000000 -0400
25542 +++ linux-2.6.39.3/drivers/ata/pata_at32.c 2011-05-22 19:36:31.000000000 -0400
25543 @@ -173,7 +173,7 @@ static struct scsi_host_template at32_sh
25544 ATA_PIO_SHT(DRV_NAME),
25545 };
25546
25547 -static struct ata_port_operations at32_port_ops = {
25548 +static const struct ata_port_operations at32_port_ops = {
25549 .inherits = &ata_sff_port_ops,
25550 .cable_detect = ata_cable_40wire,
25551 .set_piomode = pata_at32_set_piomode,
25552 diff -urNp linux-2.6.39.3/drivers/ata/pata_at91.c linux-2.6.39.3/drivers/ata/pata_at91.c
25553 --- linux-2.6.39.3/drivers/ata/pata_at91.c 2011-05-19 00:06:34.000000000 -0400
25554 +++ linux-2.6.39.3/drivers/ata/pata_at91.c 2011-05-22 19:36:31.000000000 -0400
25555 @@ -212,7 +212,7 @@ static struct scsi_host_template pata_at
25556 ATA_PIO_SHT(DRV_NAME),
25557 };
25558
25559 -static struct ata_port_operations pata_at91_port_ops = {
25560 +static const struct ata_port_operations pata_at91_port_ops = {
25561 .inherits = &ata_sff_port_ops,
25562
25563 .sff_data_xfer = pata_at91_data_xfer_noirq,
25564 diff -urNp linux-2.6.39.3/drivers/ata/pata_atiixp.c linux-2.6.39.3/drivers/ata/pata_atiixp.c
25565 --- linux-2.6.39.3/drivers/ata/pata_atiixp.c 2011-05-19 00:06:34.000000000 -0400
25566 +++ linux-2.6.39.3/drivers/ata/pata_atiixp.c 2011-05-22 19:36:31.000000000 -0400
25567 @@ -214,7 +214,7 @@ static struct scsi_host_template atiixp_
25568 .sg_tablesize = LIBATA_DUMB_MAX_PRD,
25569 };
25570
25571 -static struct ata_port_operations atiixp_port_ops = {
25572 +static const struct ata_port_operations atiixp_port_ops = {
25573 .inherits = &ata_bmdma_port_ops,
25574
25575 .qc_prep = ata_bmdma_dumb_qc_prep,
25576 diff -urNp linux-2.6.39.3/drivers/ata/pata_atp867x.c linux-2.6.39.3/drivers/ata/pata_atp867x.c
25577 --- linux-2.6.39.3/drivers/ata/pata_atp867x.c 2011-05-19 00:06:34.000000000 -0400
25578 +++ linux-2.6.39.3/drivers/ata/pata_atp867x.c 2011-05-22 19:36:31.000000000 -0400
25579 @@ -275,7 +275,7 @@ static struct scsi_host_template atp867x
25580 ATA_BMDMA_SHT(DRV_NAME),
25581 };
25582
25583 -static struct ata_port_operations atp867x_ops = {
25584 +static const struct ata_port_operations atp867x_ops = {
25585 .inherits = &ata_bmdma_port_ops,
25586 .cable_detect = atp867x_cable_detect,
25587 .set_piomode = atp867x_set_piomode,
25588 diff -urNp linux-2.6.39.3/drivers/ata/pata_bf54x.c linux-2.6.39.3/drivers/ata/pata_bf54x.c
25589 --- linux-2.6.39.3/drivers/ata/pata_bf54x.c 2011-05-19 00:06:34.000000000 -0400
25590 +++ linux-2.6.39.3/drivers/ata/pata_bf54x.c 2011-05-22 19:36:31.000000000 -0400
25591 @@ -1420,7 +1420,7 @@ static struct scsi_host_template bfin_sh
25592 .dma_boundary = ATA_DMA_BOUNDARY,
25593 };
25594
25595 -static struct ata_port_operations bfin_pata_ops = {
25596 +static const struct ata_port_operations bfin_pata_ops = {
25597 .inherits = &ata_bmdma_port_ops,
25598
25599 .set_piomode = bfin_set_piomode,
25600 diff -urNp linux-2.6.39.3/drivers/ata/pata_cmd640.c linux-2.6.39.3/drivers/ata/pata_cmd640.c
25601 --- linux-2.6.39.3/drivers/ata/pata_cmd640.c 2011-05-19 00:06:34.000000000 -0400
25602 +++ linux-2.6.39.3/drivers/ata/pata_cmd640.c 2011-05-22 19:36:31.000000000 -0400
25603 @@ -176,7 +176,7 @@ static struct scsi_host_template cmd640_
25604 ATA_PIO_SHT(DRV_NAME),
25605 };
25606
25607 -static struct ata_port_operations cmd640_port_ops = {
25608 +static const struct ata_port_operations cmd640_port_ops = {
25609 .inherits = &ata_sff_port_ops,
25610 /* In theory xfer_noirq is not needed once we kill the prefetcher */
25611 .sff_data_xfer = ata_sff_data_xfer_noirq,
25612 diff -urNp linux-2.6.39.3/drivers/ata/pata_cmd64x.c linux-2.6.39.3/drivers/ata/pata_cmd64x.c
25613 --- linux-2.6.39.3/drivers/ata/pata_cmd64x.c 2011-06-03 00:04:13.000000000 -0400
25614 +++ linux-2.6.39.3/drivers/ata/pata_cmd64x.c 2011-06-03 00:32:05.000000000 -0400
25615 @@ -271,18 +271,18 @@ static const struct ata_port_operations
25616 .set_dmamode = cmd64x_set_dmamode,
25617 };
25618
25619 -static struct ata_port_operations cmd64x_port_ops = {
25620 +static const struct ata_port_operations cmd64x_port_ops = {
25621 .inherits = &cmd64x_base_ops,
25622 .cable_detect = ata_cable_40wire,
25623 };
25624
25625 -static struct ata_port_operations cmd646r1_port_ops = {
25626 +static const struct ata_port_operations cmd646r1_port_ops = {
25627 .inherits = &cmd64x_base_ops,
25628 .bmdma_stop = cmd646r1_bmdma_stop,
25629 .cable_detect = ata_cable_40wire,
25630 };
25631
25632 -static struct ata_port_operations cmd648_port_ops = {
25633 +static const struct ata_port_operations cmd648_port_ops = {
25634 .inherits = &cmd64x_base_ops,
25635 .bmdma_stop = cmd648_bmdma_stop,
25636 .cable_detect = cmd648_cable_detect,
25637 diff -urNp linux-2.6.39.3/drivers/ata/pata_cs5520.c linux-2.6.39.3/drivers/ata/pata_cs5520.c
25638 --- linux-2.6.39.3/drivers/ata/pata_cs5520.c 2011-05-19 00:06:34.000000000 -0400
25639 +++ linux-2.6.39.3/drivers/ata/pata_cs5520.c 2011-05-22 19:36:31.000000000 -0400
25640 @@ -108,7 +108,7 @@ static struct scsi_host_template cs5520_
25641 .sg_tablesize = LIBATA_DUMB_MAX_PRD,
25642 };
25643
25644 -static struct ata_port_operations cs5520_port_ops = {
25645 +static const struct ata_port_operations cs5520_port_ops = {
25646 .inherits = &ata_bmdma_port_ops,
25647 .qc_prep = ata_bmdma_dumb_qc_prep,
25648 .cable_detect = ata_cable_40wire,
25649 diff -urNp linux-2.6.39.3/drivers/ata/pata_cs5530.c linux-2.6.39.3/drivers/ata/pata_cs5530.c
25650 --- linux-2.6.39.3/drivers/ata/pata_cs5530.c 2011-05-19 00:06:34.000000000 -0400
25651 +++ linux-2.6.39.3/drivers/ata/pata_cs5530.c 2011-05-22 19:36:31.000000000 -0400
25652 @@ -164,7 +164,7 @@ static struct scsi_host_template cs5530_
25653 .sg_tablesize = LIBATA_DUMB_MAX_PRD,
25654 };
25655
25656 -static struct ata_port_operations cs5530_port_ops = {
25657 +static const struct ata_port_operations cs5530_port_ops = {
25658 .inherits = &ata_bmdma_port_ops,
25659
25660 .qc_prep = ata_bmdma_dumb_qc_prep,
25661 diff -urNp linux-2.6.39.3/drivers/ata/pata_cs5535.c linux-2.6.39.3/drivers/ata/pata_cs5535.c
25662 --- linux-2.6.39.3/drivers/ata/pata_cs5535.c 2011-05-19 00:06:34.000000000 -0400
25663 +++ linux-2.6.39.3/drivers/ata/pata_cs5535.c 2011-05-22 19:36:31.000000000 -0400
25664 @@ -160,7 +160,7 @@ static struct scsi_host_template cs5535_
25665 ATA_BMDMA_SHT(DRV_NAME),
25666 };
25667
25668 -static struct ata_port_operations cs5535_port_ops = {
25669 +static const struct ata_port_operations cs5535_port_ops = {
25670 .inherits = &ata_bmdma_port_ops,
25671 .cable_detect = cs5535_cable_detect,
25672 .set_piomode = cs5535_set_piomode,
25673 diff -urNp linux-2.6.39.3/drivers/ata/pata_cs5536.c linux-2.6.39.3/drivers/ata/pata_cs5536.c
25674 --- linux-2.6.39.3/drivers/ata/pata_cs5536.c 2011-05-19 00:06:34.000000000 -0400
25675 +++ linux-2.6.39.3/drivers/ata/pata_cs5536.c 2011-05-22 19:36:31.000000000 -0400
25676 @@ -233,7 +233,7 @@ static struct scsi_host_template cs5536_
25677 ATA_BMDMA_SHT(DRV_NAME),
25678 };
25679
25680 -static struct ata_port_operations cs5536_port_ops = {
25681 +static const struct ata_port_operations cs5536_port_ops = {
25682 .inherits = &ata_bmdma32_port_ops,
25683 .cable_detect = cs5536_cable_detect,
25684 .set_piomode = cs5536_set_piomode,
25685 diff -urNp linux-2.6.39.3/drivers/ata/pata_cypress.c linux-2.6.39.3/drivers/ata/pata_cypress.c
25686 --- linux-2.6.39.3/drivers/ata/pata_cypress.c 2011-05-19 00:06:34.000000000 -0400
25687 +++ linux-2.6.39.3/drivers/ata/pata_cypress.c 2011-05-22 19:36:31.000000000 -0400
25688 @@ -115,7 +115,7 @@ static struct scsi_host_template cy82c69
25689 ATA_BMDMA_SHT(DRV_NAME),
25690 };
25691
25692 -static struct ata_port_operations cy82c693_port_ops = {
25693 +static const struct ata_port_operations cy82c693_port_ops = {
25694 .inherits = &ata_bmdma_port_ops,
25695 .cable_detect = ata_cable_40wire,
25696 .set_piomode = cy82c693_set_piomode,
25697 diff -urNp linux-2.6.39.3/drivers/ata/pata_efar.c linux-2.6.39.3/drivers/ata/pata_efar.c
25698 --- linux-2.6.39.3/drivers/ata/pata_efar.c 2011-05-19 00:06:34.000000000 -0400
25699 +++ linux-2.6.39.3/drivers/ata/pata_efar.c 2011-05-22 19:36:31.000000000 -0400
25700 @@ -238,7 +238,7 @@ static struct scsi_host_template efar_sh
25701 ATA_BMDMA_SHT(DRV_NAME),
25702 };
25703
25704 -static struct ata_port_operations efar_ops = {
25705 +static const struct ata_port_operations efar_ops = {
25706 .inherits = &ata_bmdma_port_ops,
25707 .cable_detect = efar_cable_detect,
25708 .set_piomode = efar_set_piomode,
25709 diff -urNp linux-2.6.39.3/drivers/ata/pata_hpt366.c linux-2.6.39.3/drivers/ata/pata_hpt366.c
25710 --- linux-2.6.39.3/drivers/ata/pata_hpt366.c 2011-05-19 00:06:34.000000000 -0400
25711 +++ linux-2.6.39.3/drivers/ata/pata_hpt366.c 2011-05-22 19:36:31.000000000 -0400
25712 @@ -276,7 +276,7 @@ static struct scsi_host_template hpt36x_
25713 * Configuration for HPT366/68
25714 */
25715
25716 -static struct ata_port_operations hpt366_port_ops = {
25717 +static const struct ata_port_operations hpt366_port_ops = {
25718 .inherits = &ata_bmdma_port_ops,
25719 .cable_detect = hpt36x_cable_detect,
25720 .mode_filter = hpt366_filter,
25721 diff -urNp linux-2.6.39.3/drivers/ata/pata_hpt37x.c linux-2.6.39.3/drivers/ata/pata_hpt37x.c
25722 --- linux-2.6.39.3/drivers/ata/pata_hpt37x.c 2011-05-19 00:06:34.000000000 -0400
25723 +++ linux-2.6.39.3/drivers/ata/pata_hpt37x.c 2011-05-22 19:36:31.000000000 -0400
25724 @@ -589,7 +589,7 @@ static struct scsi_host_template hpt37x_
25725 * Configuration for HPT370
25726 */
25727
25728 -static struct ata_port_operations hpt370_port_ops = {
25729 +static const struct ata_port_operations hpt370_port_ops = {
25730 .inherits = &ata_bmdma_port_ops,
25731
25732 .bmdma_stop = hpt370_bmdma_stop,
25733 @@ -605,7 +605,7 @@ static struct ata_port_operations hpt370
25734 * Configuration for HPT370A. Close to 370 but less filters
25735 */
25736
25737 -static struct ata_port_operations hpt370a_port_ops = {
25738 +static const struct ata_port_operations hpt370a_port_ops = {
25739 .inherits = &hpt370_port_ops,
25740 .mode_filter = hpt370a_filter,
25741 };
25742 @@ -615,7 +615,7 @@ static struct ata_port_operations hpt370
25743 * mode setting functionality.
25744 */
25745
25746 -static struct ata_port_operations hpt302_port_ops = {
25747 +static const struct ata_port_operations hpt302_port_ops = {
25748 .inherits = &ata_bmdma_port_ops,
25749
25750 .bmdma_stop = hpt37x_bmdma_stop,
25751 @@ -631,7 +631,7 @@ static struct ata_port_operations hpt302
25752 * but we have a mode filter.
25753 */
25754
25755 -static struct ata_port_operations hpt372_port_ops = {
25756 +static const struct ata_port_operations hpt372_port_ops = {
25757 .inherits = &hpt302_port_ops,
25758 .mode_filter = hpt372_filter,
25759 };
25760 @@ -641,7 +641,7 @@ static struct ata_port_operations hpt372
25761 * but we have a different cable detection procedure for function 1.
25762 */
25763
25764 -static struct ata_port_operations hpt374_fn1_port_ops = {
25765 +static const struct ata_port_operations hpt374_fn1_port_ops = {
25766 .inherits = &hpt372_port_ops,
25767 .cable_detect = hpt374_fn1_cable_detect,
25768 };
25769 diff -urNp linux-2.6.39.3/drivers/ata/pata_hpt3x2n.c linux-2.6.39.3/drivers/ata/pata_hpt3x2n.c
25770 --- linux-2.6.39.3/drivers/ata/pata_hpt3x2n.c 2011-05-19 00:06:34.000000000 -0400
25771 +++ linux-2.6.39.3/drivers/ata/pata_hpt3x2n.c 2011-05-22 19:36:31.000000000 -0400
25772 @@ -350,7 +350,7 @@ static struct scsi_host_template hpt3x2n
25773 * Configuration for HPT302N/371N.
25774 */
25775
25776 -static struct ata_port_operations hpt3xxn_port_ops = {
25777 +static const struct ata_port_operations hpt3xxn_port_ops = {
25778 .inherits = &ata_bmdma_port_ops,
25779
25780 .bmdma_stop = hpt3x2n_bmdma_stop,
25781 @@ -368,7 +368,7 @@ static struct ata_port_operations hpt3xx
25782 * Configuration for HPT372N. Same as 302N/371N but we have a mode filter.
25783 */
25784
25785 -static struct ata_port_operations hpt372n_port_ops = {
25786 +static const struct ata_port_operations hpt372n_port_ops = {
25787 .inherits = &hpt3xxn_port_ops,
25788 .mode_filter = &hpt372n_filter,
25789 };
25790 diff -urNp linux-2.6.39.3/drivers/ata/pata_hpt3x3.c linux-2.6.39.3/drivers/ata/pata_hpt3x3.c
25791 --- linux-2.6.39.3/drivers/ata/pata_hpt3x3.c 2011-05-19 00:06:34.000000000 -0400
25792 +++ linux-2.6.39.3/drivers/ata/pata_hpt3x3.c 2011-05-22 19:36:31.000000000 -0400
25793 @@ -141,7 +141,7 @@ static struct scsi_host_template hpt3x3_
25794 ATA_BMDMA_SHT(DRV_NAME),
25795 };
25796
25797 -static struct ata_port_operations hpt3x3_port_ops = {
25798 +static const struct ata_port_operations hpt3x3_port_ops = {
25799 .inherits = &ata_bmdma_port_ops,
25800 .cable_detect = ata_cable_40wire,
25801 .set_piomode = hpt3x3_set_piomode,
25802 diff -urNp linux-2.6.39.3/drivers/ata/pata_icside.c linux-2.6.39.3/drivers/ata/pata_icside.c
25803 --- linux-2.6.39.3/drivers/ata/pata_icside.c 2011-05-19 00:06:34.000000000 -0400
25804 +++ linux-2.6.39.3/drivers/ata/pata_icside.c 2011-05-22 19:36:31.000000000 -0400
25805 @@ -320,7 +320,7 @@ static void pata_icside_postreset(struct
25806 }
25807 }
25808
25809 -static struct ata_port_operations pata_icside_port_ops = {
25810 +static const struct ata_port_operations pata_icside_port_ops = {
25811 .inherits = &ata_bmdma_port_ops,
25812 /* no need to build any PRD tables for DMA */
25813 .qc_prep = ata_noop_qc_prep,
25814 diff -urNp linux-2.6.39.3/drivers/ata/pata_isapnp.c linux-2.6.39.3/drivers/ata/pata_isapnp.c
25815 --- linux-2.6.39.3/drivers/ata/pata_isapnp.c 2011-05-19 00:06:34.000000000 -0400
25816 +++ linux-2.6.39.3/drivers/ata/pata_isapnp.c 2011-05-22 19:36:31.000000000 -0400
25817 @@ -23,12 +23,12 @@ static struct scsi_host_template isapnp_
25818 ATA_PIO_SHT(DRV_NAME),
25819 };
25820
25821 -static struct ata_port_operations isapnp_port_ops = {
25822 +static const struct ata_port_operations isapnp_port_ops = {
25823 .inherits = &ata_sff_port_ops,
25824 .cable_detect = ata_cable_40wire,
25825 };
25826
25827 -static struct ata_port_operations isapnp_noalt_port_ops = {
25828 +static const struct ata_port_operations isapnp_noalt_port_ops = {
25829 .inherits = &ata_sff_port_ops,
25830 .cable_detect = ata_cable_40wire,
25831 /* No altstatus so we don't want to use the lost interrupt poll */
25832 diff -urNp linux-2.6.39.3/drivers/ata/pata_it8213.c linux-2.6.39.3/drivers/ata/pata_it8213.c
25833 --- linux-2.6.39.3/drivers/ata/pata_it8213.c 2011-05-19 00:06:34.000000000 -0400
25834 +++ linux-2.6.39.3/drivers/ata/pata_it8213.c 2011-05-22 19:36:31.000000000 -0400
25835 @@ -233,7 +233,7 @@ static struct scsi_host_template it8213_
25836 };
25837
25838
25839 -static struct ata_port_operations it8213_ops = {
25840 +static const struct ata_port_operations it8213_ops = {
25841 .inherits = &ata_bmdma_port_ops,
25842 .cable_detect = it8213_cable_detect,
25843 .set_piomode = it8213_set_piomode,
25844 diff -urNp linux-2.6.39.3/drivers/ata/pata_it821x.c linux-2.6.39.3/drivers/ata/pata_it821x.c
25845 --- linux-2.6.39.3/drivers/ata/pata_it821x.c 2011-05-19 00:06:34.000000000 -0400
25846 +++ linux-2.6.39.3/drivers/ata/pata_it821x.c 2011-05-22 19:36:31.000000000 -0400
25847 @@ -801,7 +801,7 @@ static struct scsi_host_template it821x_
25848 ATA_BMDMA_SHT(DRV_NAME),
25849 };
25850
25851 -static struct ata_port_operations it821x_smart_port_ops = {
25852 +static const struct ata_port_operations it821x_smart_port_ops = {
25853 .inherits = &ata_bmdma_port_ops,
25854
25855 .check_atapi_dma= it821x_check_atapi_dma,
25856 @@ -815,7 +815,7 @@ static struct ata_port_operations it821x
25857 .port_start = it821x_port_start,
25858 };
25859
25860 -static struct ata_port_operations it821x_passthru_port_ops = {
25861 +static const struct ata_port_operations it821x_passthru_port_ops = {
25862 .inherits = &ata_bmdma_port_ops,
25863
25864 .check_atapi_dma= it821x_check_atapi_dma,
25865 @@ -831,7 +831,7 @@ static struct ata_port_operations it821x
25866 .port_start = it821x_port_start,
25867 };
25868
25869 -static struct ata_port_operations it821x_rdc_port_ops = {
25870 +static const struct ata_port_operations it821x_rdc_port_ops = {
25871 .inherits = &ata_bmdma_port_ops,
25872
25873 .check_atapi_dma= it821x_check_atapi_dma,
25874 diff -urNp linux-2.6.39.3/drivers/ata/pata_ixp4xx_cf.c linux-2.6.39.3/drivers/ata/pata_ixp4xx_cf.c
25875 --- linux-2.6.39.3/drivers/ata/pata_ixp4xx_cf.c 2011-05-19 00:06:34.000000000 -0400
25876 +++ linux-2.6.39.3/drivers/ata/pata_ixp4xx_cf.c 2011-05-22 19:36:31.000000000 -0400
25877 @@ -89,7 +89,7 @@ static struct scsi_host_template ixp4xx_
25878 ATA_PIO_SHT(DRV_NAME),
25879 };
25880
25881 -static struct ata_port_operations ixp4xx_port_ops = {
25882 +static const struct ata_port_operations ixp4xx_port_ops = {
25883 .inherits = &ata_sff_port_ops,
25884 .sff_data_xfer = ixp4xx_mmio_data_xfer,
25885 .cable_detect = ata_cable_40wire,
25886 diff -urNp linux-2.6.39.3/drivers/ata/pata_jmicron.c linux-2.6.39.3/drivers/ata/pata_jmicron.c
25887 --- linux-2.6.39.3/drivers/ata/pata_jmicron.c 2011-05-19 00:06:34.000000000 -0400
25888 +++ linux-2.6.39.3/drivers/ata/pata_jmicron.c 2011-05-22 19:36:31.000000000 -0400
25889 @@ -111,7 +111,7 @@ static struct scsi_host_template jmicron
25890 ATA_BMDMA_SHT(DRV_NAME),
25891 };
25892
25893 -static struct ata_port_operations jmicron_ops = {
25894 +static const struct ata_port_operations jmicron_ops = {
25895 .inherits = &ata_bmdma_port_ops,
25896 .prereset = jmicron_pre_reset,
25897 };
25898 diff -urNp linux-2.6.39.3/drivers/ata/pata_legacy.c linux-2.6.39.3/drivers/ata/pata_legacy.c
25899 --- linux-2.6.39.3/drivers/ata/pata_legacy.c 2011-05-19 00:06:34.000000000 -0400
25900 +++ linux-2.6.39.3/drivers/ata/pata_legacy.c 2011-05-22 19:36:31.000000000 -0400
25901 @@ -116,7 +116,7 @@ struct legacy_probe {
25902
25903 struct legacy_controller {
25904 const char *name;
25905 - struct ata_port_operations *ops;
25906 + const struct ata_port_operations *ops;
25907 unsigned int pio_mask;
25908 unsigned int flags;
25909 unsigned int pflags;
25910 @@ -239,12 +239,12 @@ static const struct ata_port_operations
25911 * pio_mask as well.
25912 */
25913
25914 -static struct ata_port_operations simple_port_ops = {
25915 +static const struct ata_port_operations simple_port_ops = {
25916 .inherits = &legacy_base_port_ops,
25917 .sff_data_xfer = ata_sff_data_xfer_noirq,
25918 };
25919
25920 -static struct ata_port_operations legacy_port_ops = {
25921 +static const struct ata_port_operations legacy_port_ops = {
25922 .inherits = &legacy_base_port_ops,
25923 .sff_data_xfer = ata_sff_data_xfer_noirq,
25924 .set_mode = legacy_set_mode,
25925 @@ -340,7 +340,7 @@ static unsigned int pdc_data_xfer_vlb(st
25926 return buflen;
25927 }
25928
25929 -static struct ata_port_operations pdc20230_port_ops = {
25930 +static const struct ata_port_operations pdc20230_port_ops = {
25931 .inherits = &legacy_base_port_ops,
25932 .set_piomode = pdc20230_set_piomode,
25933 .sff_data_xfer = pdc_data_xfer_vlb,
25934 @@ -373,7 +373,7 @@ static void ht6560a_set_piomode(struct a
25935 ioread8(ap->ioaddr.status_addr);
25936 }
25937
25938 -static struct ata_port_operations ht6560a_port_ops = {
25939 +static const struct ata_port_operations ht6560a_port_ops = {
25940 .inherits = &legacy_base_port_ops,
25941 .set_piomode = ht6560a_set_piomode,
25942 };
25943 @@ -416,7 +416,7 @@ static void ht6560b_set_piomode(struct a
25944 ioread8(ap->ioaddr.status_addr);
25945 }
25946
25947 -static struct ata_port_operations ht6560b_port_ops = {
25948 +static const struct ata_port_operations ht6560b_port_ops = {
25949 .inherits = &legacy_base_port_ops,
25950 .set_piomode = ht6560b_set_piomode,
25951 };
25952 @@ -515,7 +515,7 @@ static void opti82c611a_set_piomode(stru
25953 }
25954
25955
25956 -static struct ata_port_operations opti82c611a_port_ops = {
25957 +static const struct ata_port_operations opti82c611a_port_ops = {
25958 .inherits = &legacy_base_port_ops,
25959 .set_piomode = opti82c611a_set_piomode,
25960 };
25961 @@ -625,7 +625,7 @@ static unsigned int opti82c46x_qc_issue(
25962 return ata_sff_qc_issue(qc);
25963 }
25964
25965 -static struct ata_port_operations opti82c46x_port_ops = {
25966 +static const struct ata_port_operations opti82c46x_port_ops = {
25967 .inherits = &legacy_base_port_ops,
25968 .set_piomode = opti82c46x_set_piomode,
25969 .qc_issue = opti82c46x_qc_issue,
25970 @@ -787,20 +787,20 @@ static int qdi_port(struct platform_devi
25971 return 0;
25972 }
25973
25974 -static struct ata_port_operations qdi6500_port_ops = {
25975 +static const struct ata_port_operations qdi6500_port_ops = {
25976 .inherits = &legacy_base_port_ops,
25977 .set_piomode = qdi6500_set_piomode,
25978 .qc_issue = qdi_qc_issue,
25979 .sff_data_xfer = vlb32_data_xfer,
25980 };
25981
25982 -static struct ata_port_operations qdi6580_port_ops = {
25983 +static const struct ata_port_operations qdi6580_port_ops = {
25984 .inherits = &legacy_base_port_ops,
25985 .set_piomode = qdi6580_set_piomode,
25986 .sff_data_xfer = vlb32_data_xfer,
25987 };
25988
25989 -static struct ata_port_operations qdi6580dp_port_ops = {
25990 +static const struct ata_port_operations qdi6580dp_port_ops = {
25991 .inherits = &legacy_base_port_ops,
25992 .set_piomode = qdi6580dp_set_piomode,
25993 .qc_issue = qdi_qc_issue,
25994 @@ -872,7 +872,7 @@ static int winbond_port(struct platform_
25995 return 0;
25996 }
25997
25998 -static struct ata_port_operations winbond_port_ops = {
25999 +static const struct ata_port_operations winbond_port_ops = {
26000 .inherits = &legacy_base_port_ops,
26001 .set_piomode = winbond_set_piomode,
26002 .sff_data_xfer = vlb32_data_xfer,
26003 @@ -995,7 +995,7 @@ static __init int legacy_init_one(struct
26004 int pio_modes = controller->pio_mask;
26005 unsigned long io = probe->port;
26006 u32 mask = (1 << probe->slot);
26007 - struct ata_port_operations *ops = controller->ops;
26008 + const struct ata_port_operations *ops = controller->ops;
26009 struct legacy_data *ld = &legacy_data[probe->slot];
26010 struct ata_host *host = NULL;
26011 struct ata_port *ap;
26012 diff -urNp linux-2.6.39.3/drivers/ata/pata_macio.c linux-2.6.39.3/drivers/ata/pata_macio.c
26013 --- linux-2.6.39.3/drivers/ata/pata_macio.c 2011-05-19 00:06:34.000000000 -0400
26014 +++ linux-2.6.39.3/drivers/ata/pata_macio.c 2011-05-22 19:36:31.000000000 -0400
26015 @@ -918,9 +918,8 @@ static struct scsi_host_template pata_ma
26016 .slave_configure = pata_macio_slave_config,
26017 };
26018
26019 -static struct ata_port_operations pata_macio_ops = {
26020 +static const struct ata_port_operations pata_macio_ops = {
26021 .inherits = &ata_bmdma_port_ops,
26022 -
26023 .freeze = pata_macio_freeze,
26024 .set_piomode = pata_macio_set_timings,
26025 .set_dmamode = pata_macio_set_timings,
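Review bot: Besides adding const, this hunk deletes the blank line after `.inherits = &ata_bmdma_port_ops,`, which the other constification hunks visible in this part of the patch do not do. The whitespace change is unrelated to the hardening and only adds a spot where the hunk can fail to apply against a newer upstream file. I would keep the blank line, so that the hunk is just the one-line change to `static const struct ata_port_operations pata_macio_ops = {`. The initializer continues past the end of the hunk.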
26026 diff -urNp linux-2.6.39.3/drivers/ata/pata_marvell.c linux-2.6.39.3/drivers/ata/pata_marvell.c
26027 --- linux-2.6.39.3/drivers/ata/pata_marvell.c 2011-05-19 00:06:34.000000000 -0400
26028 +++ linux-2.6.39.3/drivers/ata/pata_marvell.c 2011-05-22 19:36:31.000000000 -0400
26029 @@ -100,7 +100,7 @@ static struct scsi_host_template marvell
26030 ATA_BMDMA_SHT(DRV_NAME),
26031 };
26032
26033 -static struct ata_port_operations marvell_ops = {
26034 +static const struct ata_port_operations marvell_ops = {
26035 .inherits = &ata_bmdma_port_ops,
26036 .cable_detect = marvell_cable_detect,
26037 .prereset = marvell_pre_reset,
26038 diff -urNp linux-2.6.39.3/drivers/ata/pata_mpc52xx.c linux-2.6.39.3/drivers/ata/pata_mpc52xx.c
26039 --- linux-2.6.39.3/drivers/ata/pata_mpc52xx.c 2011-05-19 00:06:34.000000000 -0400
26040 +++ linux-2.6.39.3/drivers/ata/pata_mpc52xx.c 2011-05-22 19:36:31.000000000 -0400
26041 @@ -609,7 +609,7 @@ static struct scsi_host_template mpc52xx
26042 ATA_PIO_SHT(DRV_NAME),
26043 };
26044
26045 -static struct ata_port_operations mpc52xx_ata_port_ops = {
26046 +static const struct ata_port_operations mpc52xx_ata_port_ops = {
26047 .inherits = &ata_bmdma_port_ops,
26048 .sff_dev_select = mpc52xx_ata_dev_select,
26049 .set_piomode = mpc52xx_ata_set_piomode,
26050 diff -urNp linux-2.6.39.3/drivers/ata/pata_mpiix.c linux-2.6.39.3/drivers/ata/pata_mpiix.c
26051 --- linux-2.6.39.3/drivers/ata/pata_mpiix.c 2011-05-19 00:06:34.000000000 -0400
26052 +++ linux-2.6.39.3/drivers/ata/pata_mpiix.c 2011-05-22 19:36:31.000000000 -0400
26053 @@ -140,7 +140,7 @@ static struct scsi_host_template mpiix_s
26054 ATA_PIO_SHT(DRV_NAME),
26055 };
26056
26057 -static struct ata_port_operations mpiix_port_ops = {
26058 +static const struct ata_port_operations mpiix_port_ops = {
26059 .inherits = &ata_sff_port_ops,
26060 .qc_issue = mpiix_qc_issue,
26061 .cable_detect = ata_cable_40wire,
26062 diff -urNp linux-2.6.39.3/drivers/ata/pata_netcell.c linux-2.6.39.3/drivers/ata/pata_netcell.c
26063 --- linux-2.6.39.3/drivers/ata/pata_netcell.c 2011-05-19 00:06:34.000000000 -0400
26064 +++ linux-2.6.39.3/drivers/ata/pata_netcell.c 2011-05-22 19:36:31.000000000 -0400
26065 @@ -34,7 +34,7 @@ static struct scsi_host_template netcell
26066 ATA_BMDMA_SHT(DRV_NAME),
26067 };
26068
26069 -static struct ata_port_operations netcell_ops = {
26070 +static const struct ata_port_operations netcell_ops = {
26071 .inherits = &ata_bmdma_port_ops,
26072 .cable_detect = ata_cable_80wire,
26073 .read_id = netcell_read_id,
26074 diff -urNp linux-2.6.39.3/drivers/ata/pata_ninja32.c linux-2.6.39.3/drivers/ata/pata_ninja32.c
26075 --- linux-2.6.39.3/drivers/ata/pata_ninja32.c 2011-05-19 00:06:34.000000000 -0400
26076 +++ linux-2.6.39.3/drivers/ata/pata_ninja32.c 2011-05-22 19:36:31.000000000 -0400
26077 @@ -81,7 +81,7 @@ static struct scsi_host_template ninja32
26078 ATA_BMDMA_SHT(DRV_NAME),
26079 };
26080
26081 -static struct ata_port_operations ninja32_port_ops = {
26082 +static const struct ata_port_operations ninja32_port_ops = {
26083 .inherits = &ata_bmdma_port_ops,
26084 .sff_dev_select = ninja32_dev_select,
26085 .cable_detect = ata_cable_40wire,
26086 diff -urNp linux-2.6.39.3/drivers/ata/pata_ns87410.c linux-2.6.39.3/drivers/ata/pata_ns87410.c
26087 --- linux-2.6.39.3/drivers/ata/pata_ns87410.c 2011-05-19 00:06:34.000000000 -0400
26088 +++ linux-2.6.39.3/drivers/ata/pata_ns87410.c 2011-05-22 19:36:31.000000000 -0400
26089 @@ -132,7 +132,7 @@ static struct scsi_host_template ns87410
26090 ATA_PIO_SHT(DRV_NAME),
26091 };
26092
26093 -static struct ata_port_operations ns87410_port_ops = {
26094 +static const struct ata_port_operations ns87410_port_ops = {
26095 .inherits = &ata_sff_port_ops,
26096 .qc_issue = ns87410_qc_issue,
26097 .cable_detect = ata_cable_40wire,
26098 diff -urNp linux-2.6.39.3/drivers/ata/pata_ns87415.c linux-2.6.39.3/drivers/ata/pata_ns87415.c
26099 --- linux-2.6.39.3/drivers/ata/pata_ns87415.c 2011-05-19 00:06:34.000000000 -0400
26100 +++ linux-2.6.39.3/drivers/ata/pata_ns87415.c 2011-05-22 19:36:31.000000000 -0400
26101 @@ -299,7 +299,7 @@ static u8 ns87560_bmdma_status(struct at
26102 }
26103 #endif /* 87560 SuperIO Support */
26104
26105 -static struct ata_port_operations ns87415_pata_ops = {
26106 +static const struct ata_port_operations ns87415_pata_ops = {
26107 .inherits = &ata_bmdma_port_ops,
26108
26109 .check_atapi_dma = ns87415_check_atapi_dma,
26110 @@ -313,7 +313,7 @@ static struct ata_port_operations ns8741
26111 };
26112
26113 #if defined(CONFIG_SUPERIO)
26114 -static struct ata_port_operations ns87560_pata_ops = {
26115 +static const struct ata_port_operations ns87560_pata_ops = {
26116 .inherits = &ns87415_pata_ops,
26117 .sff_tf_read = ns87560_tf_read,
26118 .sff_check_status = ns87560_check_status,
26119 diff -urNp linux-2.6.39.3/drivers/ata/pata_octeon_cf.c linux-2.6.39.3/drivers/ata/pata_octeon_cf.c
26120 --- linux-2.6.39.3/drivers/ata/pata_octeon_cf.c 2011-05-19 00:06:34.000000000 -0400
26121 +++ linux-2.6.39.3/drivers/ata/pata_octeon_cf.c 2011-05-22 19:36:31.000000000 -0400
26122 @@ -780,7 +780,7 @@ static unsigned int octeon_cf_qc_issue(s
26123 return 0;
26124 }
26125
26126 -static struct ata_port_operations octeon_cf_ops = {
26127 +static struct ata_port_operations octeon_cf_ops = { /* cannot be const */
26128 .inherits = &ata_sff_port_ops,
26129 .check_atapi_dma = octeon_cf_check_atapi_dma,
26130 .qc_prep = ata_noop_qc_prep,
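Review bot: The added `/* cannot be const */` on `octeon_cf_ops` gives no reason, so a later reader cannot tell whether the exception is still needed. Presumably the driver assigns members of this table at probe time (outside this hunk); if that is the case, say so: `/* cannot be const: callbacks are assigned at probe time */`. Unlike the other driver ops tables in this patch, this one keeps its function pointers in writable memory, so the reason is worth recording. The initializer continues outside the hunk.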
26131 diff -urNp linux-2.6.39.3/drivers/ata/pata_oldpiix.c linux-2.6.39.3/drivers/ata/pata_oldpiix.c
26132 --- linux-2.6.39.3/drivers/ata/pata_oldpiix.c 2011-05-19 00:06:34.000000000 -0400
26133 +++ linux-2.6.39.3/drivers/ata/pata_oldpiix.c 2011-05-22 19:36:31.000000000 -0400
26134 @@ -208,7 +208,7 @@ static struct scsi_host_template oldpiix
26135 ATA_BMDMA_SHT(DRV_NAME),
26136 };
26137
26138 -static struct ata_port_operations oldpiix_pata_ops = {
26139 +static const struct ata_port_operations oldpiix_pata_ops = {
26140 .inherits = &ata_bmdma_port_ops,
26141 .qc_issue = oldpiix_qc_issue,
26142 .cable_detect = ata_cable_40wire,
26143 diff -urNp linux-2.6.39.3/drivers/ata/pata_opti.c linux-2.6.39.3/drivers/ata/pata_opti.c
26144 --- linux-2.6.39.3/drivers/ata/pata_opti.c 2011-05-19 00:06:34.000000000 -0400
26145 +++ linux-2.6.39.3/drivers/ata/pata_opti.c 2011-05-22 19:36:31.000000000 -0400
26146 @@ -152,7 +152,7 @@ static struct scsi_host_template opti_sh
26147 ATA_PIO_SHT(DRV_NAME),
26148 };
26149
26150 -static struct ata_port_operations opti_port_ops = {
26151 +static const struct ata_port_operations opti_port_ops = {
26152 .inherits = &ata_sff_port_ops,
26153 .cable_detect = ata_cable_40wire,
26154 .set_piomode = opti_set_piomode,
26155 diff -urNp linux-2.6.39.3/drivers/ata/pata_optidma.c linux-2.6.39.3/drivers/ata/pata_optidma.c
26156 --- linux-2.6.39.3/drivers/ata/pata_optidma.c 2011-05-19 00:06:34.000000000 -0400
26157 +++ linux-2.6.39.3/drivers/ata/pata_optidma.c 2011-05-22 19:36:31.000000000 -0400
26158 @@ -337,7 +337,7 @@ static struct scsi_host_template optidma
26159 ATA_BMDMA_SHT(DRV_NAME),
26160 };
26161
26162 -static struct ata_port_operations optidma_port_ops = {
26163 +static const struct ata_port_operations optidma_port_ops = {
26164 .inherits = &ata_bmdma_port_ops,
26165 .cable_detect = ata_cable_40wire,
26166 .set_piomode = optidma_set_pio_mode,
26167 @@ -346,7 +346,7 @@ static struct ata_port_operations optidm
26168 .prereset = optidma_pre_reset,
26169 };
26170
26171 -static struct ata_port_operations optiplus_port_ops = {
26172 +static const struct ata_port_operations optiplus_port_ops = {
26173 .inherits = &optidma_port_ops,
26174 .set_piomode = optiplus_set_pio_mode,
26175 .set_dmamode = optiplus_set_dma_mode,
26176 diff -urNp linux-2.6.39.3/drivers/ata/pata_palmld.c linux-2.6.39.3/drivers/ata/pata_palmld.c
26177 --- linux-2.6.39.3/drivers/ata/pata_palmld.c 2011-05-19 00:06:34.000000000 -0400
26178 +++ linux-2.6.39.3/drivers/ata/pata_palmld.c 2011-05-22 19:36:31.000000000 -0400
26179 @@ -42,7 +42,7 @@ static struct scsi_host_template palmld_
26180 ATA_PIO_SHT(DRV_NAME),
26181 };
26182
26183 -static struct ata_port_operations palmld_port_ops = {
26184 +static const struct ata_port_operations palmld_port_ops = {
26185 .inherits = &ata_sff_port_ops,
26186 .sff_data_xfer = ata_sff_data_xfer_noirq,
26187 .cable_detect = ata_cable_40wire,
26188 diff -urNp linux-2.6.39.3/drivers/ata/pata_pcmcia.c linux-2.6.39.3/drivers/ata/pata_pcmcia.c
26189 --- linux-2.6.39.3/drivers/ata/pata_pcmcia.c 2011-05-19 00:06:34.000000000 -0400
26190 +++ linux-2.6.39.3/drivers/ata/pata_pcmcia.c 2011-05-22 19:36:31.000000000 -0400
26191 @@ -151,14 +151,14 @@ static struct scsi_host_template pcmcia_
26192 ATA_PIO_SHT(DRV_NAME),
26193 };
26194
26195 -static struct ata_port_operations pcmcia_port_ops = {
26196 +static const struct ata_port_operations pcmcia_port_ops = {
26197 .inherits = &ata_sff_port_ops,
26198 .sff_data_xfer = ata_sff_data_xfer_noirq,
26199 .cable_detect = ata_cable_40wire,
26200 .set_mode = pcmcia_set_mode,
26201 };
26202
26203 -static struct ata_port_operations pcmcia_8bit_port_ops = {
26204 +static const struct ata_port_operations pcmcia_8bit_port_ops = {
26205 .inherits = &ata_sff_port_ops,
26206 .sff_data_xfer = ata_data_xfer_8bit,
26207 .cable_detect = ata_cable_40wire,
26208 @@ -205,7 +205,7 @@ static int pcmcia_init_one(struct pcmcia
26209 unsigned long io_base, ctl_base;
26210 void __iomem *io_addr, *ctl_addr;
26211 int n_ports = 1;
26212 - struct ata_port_operations *ops = &pcmcia_port_ops;
26213 + const struct ata_port_operations *ops = &pcmcia_port_ops;
26214
26215 /* Set up attributes in order to probe card and get resources */
26216 pdev->config_flags |= CONF_ENABLE_IRQ | CONF_AUTO_SET_IO |
26217 diff -urNp linux-2.6.39.3/drivers/ata/pata_pdc2027x.c linux-2.6.39.3/drivers/ata/pata_pdc2027x.c
26218 --- linux-2.6.39.3/drivers/ata/pata_pdc2027x.c 2011-05-19 00:06:34.000000000 -0400
26219 +++ linux-2.6.39.3/drivers/ata/pata_pdc2027x.c 2011-05-22 19:36:31.000000000 -0400
26220 @@ -132,14 +132,14 @@ static struct scsi_host_template pdc2027
26221 ATA_BMDMA_SHT(DRV_NAME),
26222 };
26223
26224 -static struct ata_port_operations pdc2027x_pata100_ops = {
26225 +static const struct ata_port_operations pdc2027x_pata100_ops = {
26226 .inherits = &ata_bmdma_port_ops,
26227 .check_atapi_dma = pdc2027x_check_atapi_dma,
26228 .cable_detect = pdc2027x_cable_detect,
26229 .prereset = pdc2027x_prereset,
26230 };
26231
26232 -static struct ata_port_operations pdc2027x_pata133_ops = {
26233 +static const struct ata_port_operations pdc2027x_pata133_ops = {
26234 .inherits = &pdc2027x_pata100_ops,
26235 .mode_filter = pdc2027x_mode_filter,
26236 .set_piomode = pdc2027x_set_piomode,
26237 diff -urNp linux-2.6.39.3/drivers/ata/pata_pdc202xx_old.c linux-2.6.39.3/drivers/ata/pata_pdc202xx_old.c
26238 --- linux-2.6.39.3/drivers/ata/pata_pdc202xx_old.c 2011-05-19 00:06:34.000000000 -0400
26239 +++ linux-2.6.39.3/drivers/ata/pata_pdc202xx_old.c 2011-05-22 19:36:31.000000000 -0400
26240 @@ -295,7 +295,7 @@ static struct scsi_host_template pdc202x
26241 ATA_BMDMA_SHT(DRV_NAME),
26242 };
26243
26244 -static struct ata_port_operations pdc2024x_port_ops = {
26245 +static const struct ata_port_operations pdc2024x_port_ops = {
26246 .inherits = &ata_bmdma_port_ops,
26247
26248 .cable_detect = ata_cable_40wire,
26249 @@ -306,7 +306,7 @@ static struct ata_port_operations pdc202
26250 .sff_irq_check = pdc202xx_irq_check,
26251 };
26252
26253 -static struct ata_port_operations pdc2026x_port_ops = {
26254 +static const struct ata_port_operations pdc2026x_port_ops = {
26255 .inherits = &pdc2024x_port_ops,
26256
26257 .check_atapi_dma = pdc2026x_check_atapi_dma,
26258 diff -urNp linux-2.6.39.3/drivers/ata/pata_piccolo.c linux-2.6.39.3/drivers/ata/pata_piccolo.c
26259 --- linux-2.6.39.3/drivers/ata/pata_piccolo.c 2011-05-19 00:06:34.000000000 -0400
26260 +++ linux-2.6.39.3/drivers/ata/pata_piccolo.c 2011-05-22 19:36:31.000000000 -0400
26261 @@ -67,7 +67,7 @@ static struct scsi_host_template tosh_sh
26262 ATA_BMDMA_SHT(DRV_NAME),
26263 };
26264
26265 -static struct ata_port_operations tosh_port_ops = {
26266 +static const struct ata_port_operations tosh_port_ops = {
26267 .inherits = &ata_bmdma_port_ops,
26268 .cable_detect = ata_cable_unknown,
26269 .set_piomode = tosh_set_piomode,
26270 diff -urNp linux-2.6.39.3/drivers/ata/pata_platform.c linux-2.6.39.3/drivers/ata/pata_platform.c
26271 --- linux-2.6.39.3/drivers/ata/pata_platform.c 2011-05-19 00:06:34.000000000 -0400
26272 +++ linux-2.6.39.3/drivers/ata/pata_platform.c 2011-05-22 19:36:31.000000000 -0400
26273 @@ -48,7 +48,7 @@ static struct scsi_host_template pata_pl
26274 ATA_PIO_SHT(DRV_NAME),
26275 };
26276
26277 -static struct ata_port_operations pata_platform_port_ops = {
26278 +static const struct ata_port_operations pata_platform_port_ops = {
26279 .inherits = &ata_sff_port_ops,
26280 .sff_data_xfer = ata_sff_data_xfer_noirq,
26281 .cable_detect = ata_cable_unknown,
26282 diff -urNp linux-2.6.39.3/drivers/ata/pata_pxa.c linux-2.6.39.3/drivers/ata/pata_pxa.c
26283 --- linux-2.6.39.3/drivers/ata/pata_pxa.c 2011-05-19 00:06:34.000000000 -0400
26284 +++ linux-2.6.39.3/drivers/ata/pata_pxa.c 2011-05-22 19:36:31.000000000 -0400
26285 @@ -198,7 +198,7 @@ static struct scsi_host_template pxa_ata
26286 ATA_BMDMA_SHT(DRV_NAME),
26287 };
26288
26289 -static struct ata_port_operations pxa_ata_port_ops = {
26290 +static const struct ata_port_operations pxa_ata_port_ops = {
26291 .inherits = &ata_bmdma_port_ops,
26292 .cable_detect = ata_cable_40wire,
26293
26294 diff -urNp linux-2.6.39.3/drivers/ata/pata_qdi.c linux-2.6.39.3/drivers/ata/pata_qdi.c
26295 --- linux-2.6.39.3/drivers/ata/pata_qdi.c 2011-05-19 00:06:34.000000000 -0400
26296 +++ linux-2.6.39.3/drivers/ata/pata_qdi.c 2011-05-22 19:36:31.000000000 -0400
26297 @@ -157,7 +157,7 @@ static struct scsi_host_template qdi_sht
26298 ATA_PIO_SHT(DRV_NAME),
26299 };
26300
26301 -static struct ata_port_operations qdi6500_port_ops = {
26302 +static const struct ata_port_operations qdi6500_port_ops = {
26303 .inherits = &ata_sff_port_ops,
26304 .qc_issue = qdi_qc_issue,
26305 .sff_data_xfer = qdi_data_xfer,
26306 @@ -165,7 +165,7 @@ static struct ata_port_operations qdi650
26307 .set_piomode = qdi6500_set_piomode,
26308 };
26309
26310 -static struct ata_port_operations qdi6580_port_ops = {
26311 +static const struct ata_port_operations qdi6580_port_ops = {
26312 .inherits = &qdi6500_port_ops,
26313 .set_piomode = qdi6580_set_piomode,
26314 };
26315 diff -urNp linux-2.6.39.3/drivers/ata/pata_radisys.c linux-2.6.39.3/drivers/ata/pata_radisys.c
26316 --- linux-2.6.39.3/drivers/ata/pata_radisys.c 2011-05-19 00:06:34.000000000 -0400
26317 +++ linux-2.6.39.3/drivers/ata/pata_radisys.c 2011-05-22 19:36:31.000000000 -0400
26318 @@ -187,7 +187,7 @@ static struct scsi_host_template radisys
26319 ATA_BMDMA_SHT(DRV_NAME),
26320 };
26321
26322 -static struct ata_port_operations radisys_pata_ops = {
26323 +static const struct ata_port_operations radisys_pata_ops = {
26324 .inherits = &ata_bmdma_port_ops,
26325 .qc_issue = radisys_qc_issue,
26326 .cable_detect = ata_cable_unknown,
26327 diff -urNp linux-2.6.39.3/drivers/ata/pata_rb532_cf.c linux-2.6.39.3/drivers/ata/pata_rb532_cf.c
26328 --- linux-2.6.39.3/drivers/ata/pata_rb532_cf.c 2011-05-19 00:06:34.000000000 -0400
26329 +++ linux-2.6.39.3/drivers/ata/pata_rb532_cf.c 2011-05-22 19:36:31.000000000 -0400
26330 @@ -69,7 +69,7 @@ static irqreturn_t rb532_pata_irq_handle
26331 return IRQ_HANDLED;
26332 }
26333
26334 -static struct ata_port_operations rb532_pata_port_ops = {
26335 +static const struct ata_port_operations rb532_pata_port_ops = {
26336 .inherits = &ata_sff_port_ops,
26337 .sff_data_xfer = ata_sff_data_xfer32,
26338 };
26339 diff -urNp linux-2.6.39.3/drivers/ata/pata_rdc.c linux-2.6.39.3/drivers/ata/pata_rdc.c
26340 --- linux-2.6.39.3/drivers/ata/pata_rdc.c 2011-05-19 00:06:34.000000000 -0400
26341 +++ linux-2.6.39.3/drivers/ata/pata_rdc.c 2011-05-22 19:36:31.000000000 -0400
26342 @@ -273,7 +273,7 @@ static void rdc_set_dmamode(struct ata_p
26343 pci_write_config_byte(dev, 0x48, udma_enable);
26344 }
26345
26346 -static struct ata_port_operations rdc_pata_ops = {
26347 +static const struct ata_port_operations rdc_pata_ops = {
26348 .inherits = &ata_bmdma32_port_ops,
26349 .cable_detect = rdc_pata_cable_detect,
26350 .set_piomode = rdc_set_piomode,
26351 diff -urNp linux-2.6.39.3/drivers/ata/pata_rz1000.c linux-2.6.39.3/drivers/ata/pata_rz1000.c
26352 --- linux-2.6.39.3/drivers/ata/pata_rz1000.c 2011-05-19 00:06:34.000000000 -0400
26353 +++ linux-2.6.39.3/drivers/ata/pata_rz1000.c 2011-05-22 19:36:31.000000000 -0400
26354 @@ -54,7 +54,7 @@ static struct scsi_host_template rz1000_
26355 ATA_PIO_SHT(DRV_NAME),
26356 };
26357
26358 -static struct ata_port_operations rz1000_port_ops = {
26359 +static const struct ata_port_operations rz1000_port_ops = {
26360 .inherits = &ata_sff_port_ops,
26361 .cable_detect = ata_cable_40wire,
26362 .set_mode = rz1000_set_mode,
26363 diff -urNp linux-2.6.39.3/drivers/ata/pata_samsung_cf.c linux-2.6.39.3/drivers/ata/pata_samsung_cf.c
26364 --- linux-2.6.39.3/drivers/ata/pata_samsung_cf.c 2011-05-19 00:06:34.000000000 -0400
26365 +++ linux-2.6.39.3/drivers/ata/pata_samsung_cf.c 2011-05-22 19:36:31.000000000 -0400
26366 @@ -399,7 +399,7 @@ static struct scsi_host_template pata_s3
26367 ATA_PIO_SHT(DRV_NAME),
26368 };
26369
26370 -static struct ata_port_operations pata_s3c_port_ops = {
26371 +static const struct ata_port_operations pata_s3c_port_ops = {
26372 .inherits = &ata_sff_port_ops,
26373 .sff_check_status = pata_s3c_check_status,
26374 .sff_check_altstatus = pata_s3c_check_altstatus,
26375 @@ -413,7 +413,7 @@ static struct ata_port_operations pata_s
26376 .set_piomode = pata_s3c_set_piomode,
26377 };
26378
26379 -static struct ata_port_operations pata_s5p_port_ops = {
26380 +static const struct ata_port_operations pata_s5p_port_ops = {
26381 .inherits = &ata_sff_port_ops,
26382 .set_piomode = pata_s3c_set_piomode,
26383 };
26384 diff -urNp linux-2.6.39.3/drivers/ata/pata_sc1200.c linux-2.6.39.3/drivers/ata/pata_sc1200.c
26385 --- linux-2.6.39.3/drivers/ata/pata_sc1200.c 2011-05-19 00:06:34.000000000 -0400
26386 +++ linux-2.6.39.3/drivers/ata/pata_sc1200.c 2011-05-22 19:36:31.000000000 -0400
26387 @@ -207,7 +207,7 @@ static struct scsi_host_template sc1200_
26388 .sg_tablesize = LIBATA_DUMB_MAX_PRD,
26389 };
26390
26391 -static struct ata_port_operations sc1200_port_ops = {
26392 +static const struct ata_port_operations sc1200_port_ops = {
26393 .inherits = &ata_bmdma_port_ops,
26394 .qc_prep = ata_bmdma_dumb_qc_prep,
26395 .qc_issue = sc1200_qc_issue,
26396 diff -urNp linux-2.6.39.3/drivers/ata/pata_scc.c linux-2.6.39.3/drivers/ata/pata_scc.c
26397 --- linux-2.6.39.3/drivers/ata/pata_scc.c 2011-05-19 00:06:34.000000000 -0400
26398 +++ linux-2.6.39.3/drivers/ata/pata_scc.c 2011-05-22 19:36:31.000000000 -0400
26399 @@ -926,7 +926,7 @@ static struct scsi_host_template scc_sht
26400 ATA_BMDMA_SHT(DRV_NAME),
26401 };
26402
26403 -static struct ata_port_operations scc_pata_ops = {
26404 +static const struct ata_port_operations scc_pata_ops = {
26405 .inherits = &ata_bmdma_port_ops,
26406
26407 .set_piomode = scc_set_piomode,
26408 diff -urNp linux-2.6.39.3/drivers/ata/pata_sch.c linux-2.6.39.3/drivers/ata/pata_sch.c
26409 --- linux-2.6.39.3/drivers/ata/pata_sch.c 2011-05-19 00:06:34.000000000 -0400
26410 +++ linux-2.6.39.3/drivers/ata/pata_sch.c 2011-05-22 19:36:31.000000000 -0400
26411 @@ -75,7 +75,7 @@ static struct scsi_host_template sch_sht
26412 ATA_BMDMA_SHT(DRV_NAME),
26413 };
26414
26415 -static struct ata_port_operations sch_pata_ops = {
26416 +static const struct ata_port_operations sch_pata_ops = {
26417 .inherits = &ata_bmdma_port_ops,
26418 .cable_detect = ata_cable_unknown,
26419 .set_piomode = sch_set_piomode,
26420 diff -urNp linux-2.6.39.3/drivers/ata/pata_serverworks.c linux-2.6.39.3/drivers/ata/pata_serverworks.c
26421 --- linux-2.6.39.3/drivers/ata/pata_serverworks.c 2011-05-19 00:06:34.000000000 -0400
26422 +++ linux-2.6.39.3/drivers/ata/pata_serverworks.c 2011-05-22 19:36:31.000000000 -0400
26423 @@ -300,7 +300,7 @@ static struct scsi_host_template serverw
26424 ATA_BMDMA_SHT(DRV_NAME),
26425 };
26426
26427 -static struct ata_port_operations serverworks_osb4_port_ops = {
26428 +static const struct ata_port_operations serverworks_osb4_port_ops = {
26429 .inherits = &ata_bmdma_port_ops,
26430 .cable_detect = serverworks_cable_detect,
26431 .mode_filter = serverworks_osb4_filter,
26432 @@ -308,7 +308,7 @@ static struct ata_port_operations server
26433 .set_dmamode = serverworks_set_dmamode,
26434 };
26435
26436 -static struct ata_port_operations serverworks_csb_port_ops = {
26437 +static const struct ata_port_operations serverworks_csb_port_ops = {
26438 .inherits = &serverworks_osb4_port_ops,
26439 .mode_filter = serverworks_csb_filter,
26440 };
26441 diff -urNp linux-2.6.39.3/drivers/ata/pata_sil680.c linux-2.6.39.3/drivers/ata/pata_sil680.c
26442 --- linux-2.6.39.3/drivers/ata/pata_sil680.c 2011-05-19 00:06:34.000000000 -0400
26443 +++ linux-2.6.39.3/drivers/ata/pata_sil680.c 2011-05-22 19:36:31.000000000 -0400
26444 @@ -225,8 +225,7 @@ static struct scsi_host_template sil680_
26445 ATA_BMDMA_SHT(DRV_NAME),
26446 };
26447
26448 -
26449 -static struct ata_port_operations sil680_port_ops = {
26450 +static const struct ata_port_operations sil680_port_ops = {
26451 .inherits = &ata_bmdma32_port_ops,
26452 .sff_exec_command = sil680_sff_exec_command,
26453 .sff_irq_check = sil680_sff_irq_check,
26454 diff -urNp linux-2.6.39.3/drivers/ata/pata_sis.c linux-2.6.39.3/drivers/ata/pata_sis.c
26455 --- linux-2.6.39.3/drivers/ata/pata_sis.c 2011-05-19 00:06:34.000000000 -0400
26456 +++ linux-2.6.39.3/drivers/ata/pata_sis.c 2011-05-22 19:36:31.000000000 -0400
26457 @@ -503,47 +503,47 @@ static struct scsi_host_template sis_sht
26458 ATA_BMDMA_SHT(DRV_NAME),
26459 };
26460
26461 -static struct ata_port_operations sis_133_for_sata_ops = {
26462 +static const struct ata_port_operations sis_133_for_sata_ops = {
26463 .inherits = &ata_bmdma_port_ops,
26464 .set_piomode = sis_133_set_piomode,
26465 .set_dmamode = sis_133_set_dmamode,
26466 .cable_detect = sis_133_cable_detect,
26467 };
26468
26469 -static struct ata_port_operations sis_base_ops = {
26470 +static const struct ata_port_operations sis_base_ops = {
26471 .inherits = &ata_bmdma_port_ops,
26472 .prereset = sis_pre_reset,
26473 };
26474
26475 -static struct ata_port_operations sis_133_ops = {
26476 +static const struct ata_port_operations sis_133_ops = {
26477 .inherits = &sis_base_ops,
26478 .set_piomode = sis_133_set_piomode,
26479 .set_dmamode = sis_133_set_dmamode,
26480 .cable_detect = sis_133_cable_detect,
26481 };
26482
26483 -static struct ata_port_operations sis_133_early_ops = {
26484 +static const struct ata_port_operations sis_133_early_ops = {
26485 .inherits = &sis_base_ops,
26486 .set_piomode = sis_100_set_piomode,
26487 .set_dmamode = sis_133_early_set_dmamode,
26488 .cable_detect = sis_66_cable_detect,
26489 };
26490
26491 -static struct ata_port_operations sis_100_ops = {
26492 +static const struct ata_port_operations sis_100_ops = {
26493 .inherits = &sis_base_ops,
26494 .set_piomode = sis_100_set_piomode,
26495 .set_dmamode = sis_100_set_dmamode,
26496 .cable_detect = sis_66_cable_detect,
26497 };
26498
26499 -static struct ata_port_operations sis_66_ops = {
26500 +static const struct ata_port_operations sis_66_ops = {
26501 .inherits = &sis_base_ops,
26502 .set_piomode = sis_old_set_piomode,
26503 .set_dmamode = sis_66_set_dmamode,
26504 .cable_detect = sis_66_cable_detect,
26505 };
26506
26507 -static struct ata_port_operations sis_old_ops = {
26508 +static const struct ata_port_operations sis_old_ops = {
26509 .inherits = &sis_base_ops,
26510 .set_piomode = sis_old_set_piomode,
26511 .set_dmamode = sis_old_set_dmamode,
26512 diff -urNp linux-2.6.39.3/drivers/ata/pata_sl82c105.c linux-2.6.39.3/drivers/ata/pata_sl82c105.c
26513 --- linux-2.6.39.3/drivers/ata/pata_sl82c105.c 2011-05-19 00:06:34.000000000 -0400
26514 +++ linux-2.6.39.3/drivers/ata/pata_sl82c105.c 2011-05-22 19:36:31.000000000 -0400
26515 @@ -241,7 +241,7 @@ static struct scsi_host_template sl82c10
26516 ATA_BMDMA_SHT(DRV_NAME),
26517 };
26518
26519 -static struct ata_port_operations sl82c105_port_ops = {
26520 +static const struct ata_port_operations sl82c105_port_ops = {
26521 .inherits = &ata_bmdma_port_ops,
26522 .qc_defer = sl82c105_qc_defer,
26523 .bmdma_start = sl82c105_bmdma_start,
26524 diff -urNp linux-2.6.39.3/drivers/ata/pata_triflex.c linux-2.6.39.3/drivers/ata/pata_triflex.c
26525 --- linux-2.6.39.3/drivers/ata/pata_triflex.c 2011-05-19 00:06:34.000000000 -0400
26526 +++ linux-2.6.39.3/drivers/ata/pata_triflex.c 2011-05-22 19:36:31.000000000 -0400
26527 @@ -178,7 +178,7 @@ static struct scsi_host_template triflex
26528 ATA_BMDMA_SHT(DRV_NAME),
26529 };
26530
26531 -static struct ata_port_operations triflex_port_ops = {
26532 +static const struct ata_port_operations triflex_port_ops = {
26533 .inherits = &ata_bmdma_port_ops,
26534 .bmdma_start = triflex_bmdma_start,
26535 .bmdma_stop = triflex_bmdma_stop,
26536 diff -urNp linux-2.6.39.3/drivers/ata/pata_via.c linux-2.6.39.3/drivers/ata/pata_via.c
26537 --- linux-2.6.39.3/drivers/ata/pata_via.c 2011-05-19 00:06:34.000000000 -0400
26538 +++ linux-2.6.39.3/drivers/ata/pata_via.c 2011-05-22 19:36:31.000000000 -0400
26539 @@ -441,7 +441,7 @@ static struct scsi_host_template via_sht
26540 ATA_BMDMA_SHT(DRV_NAME),
26541 };
26542
26543 -static struct ata_port_operations via_port_ops = {
26544 +static const struct ata_port_operations via_port_ops = {
26545 .inherits = &ata_bmdma_port_ops,
26546 .cable_detect = via_cable_detect,
26547 .set_piomode = via_set_piomode,
26548 @@ -452,7 +452,7 @@ static struct ata_port_operations via_po
26549 .mode_filter = via_mode_filter,
26550 };
26551
26552 -static struct ata_port_operations via_port_ops_noirq = {
26553 +static const struct ata_port_operations via_port_ops_noirq = {
26554 .inherits = &via_port_ops,
26555 .sff_data_xfer = ata_sff_data_xfer_noirq,
26556 };
26557 diff -urNp linux-2.6.39.3/drivers/ata/pdc_adma.c linux-2.6.39.3/drivers/ata/pdc_adma.c
26558 --- linux-2.6.39.3/drivers/ata/pdc_adma.c 2011-05-19 00:06:34.000000000 -0400
26559 +++ linux-2.6.39.3/drivers/ata/pdc_adma.c 2011-05-22 19:36:31.000000000 -0400
26560 @@ -146,7 +146,7 @@ static struct scsi_host_template adma_at
26561 .dma_boundary = ADMA_DMA_BOUNDARY,
26562 };
26563
26564 -static struct ata_port_operations adma_ata_ops = {
26565 +static const struct ata_port_operations adma_ata_ops = {
26566 .inherits = &ata_sff_port_ops,
26567
26568 .lost_interrupt = ATA_OP_NULL,
26569 diff -urNp linux-2.6.39.3/drivers/ata/sata_dwc_460ex.c linux-2.6.39.3/drivers/ata/sata_dwc_460ex.c
26570 --- linux-2.6.39.3/drivers/ata/sata_dwc_460ex.c 2011-05-19 00:06:34.000000000 -0400
26571 +++ linux-2.6.39.3/drivers/ata/sata_dwc_460ex.c 2011-05-22 19:36:31.000000000 -0400
26572 @@ -1598,7 +1598,7 @@ static struct scsi_host_template sata_dw
26573 .dma_boundary = ATA_DMA_BOUNDARY,
26574 };
26575
26576 -static struct ata_port_operations sata_dwc_ops = {
26577 +static const struct ata_port_operations sata_dwc_ops = {
26578 .inherits = &ata_sff_port_ops,
26579
26580 .error_handler = sata_dwc_error_handler,
26581 diff -urNp linux-2.6.39.3/drivers/ata/sata_fsl.c linux-2.6.39.3/drivers/ata/sata_fsl.c
26582 --- linux-2.6.39.3/drivers/ata/sata_fsl.c 2011-05-19 00:06:34.000000000 -0400
26583 +++ linux-2.6.39.3/drivers/ata/sata_fsl.c 2011-05-22 19:36:31.000000000 -0400
26584 @@ -1268,7 +1268,7 @@ static struct scsi_host_template sata_fs
26585 .dma_boundary = ATA_DMA_BOUNDARY,
26586 };
26587
26588 -static struct ata_port_operations sata_fsl_ops = {
26589 +static const struct ata_port_operations sata_fsl_ops = {
26590 .inherits = &sata_pmp_port_ops,
26591
26592 .qc_defer = ata_std_qc_defer,
26593 diff -urNp linux-2.6.39.3/drivers/ata/sata_inic162x.c linux-2.6.39.3/drivers/ata/sata_inic162x.c
26594 --- linux-2.6.39.3/drivers/ata/sata_inic162x.c 2011-05-19 00:06:34.000000000 -0400
26595 +++ linux-2.6.39.3/drivers/ata/sata_inic162x.c 2011-05-22 19:36:31.000000000 -0400
26596 @@ -705,7 +705,7 @@ static int inic_port_start(struct ata_po
26597 return 0;
26598 }
26599
26600 -static struct ata_port_operations inic_port_ops = {
26601 +static const struct ata_port_operations inic_port_ops = {
26602 .inherits = &sata_port_ops,
26603
26604 .check_atapi_dma = inic_check_atapi_dma,
26605 diff -urNp linux-2.6.39.3/drivers/ata/sata_mv.c linux-2.6.39.3/drivers/ata/sata_mv.c
26606 --- linux-2.6.39.3/drivers/ata/sata_mv.c 2011-05-19 00:06:34.000000000 -0400
26607 +++ linux-2.6.39.3/drivers/ata/sata_mv.c 2011-05-22 19:36:31.000000000 -0400
26608 @@ -662,7 +662,7 @@ static struct scsi_host_template mv6_sht
26609 .dma_boundary = MV_DMA_BOUNDARY,
26610 };
26611
26612 -static struct ata_port_operations mv5_ops = {
26613 +static const struct ata_port_operations mv5_ops = {
26614 .inherits = &ata_sff_port_ops,
26615
26616 .lost_interrupt = ATA_OP_NULL,
26617 @@ -682,7 +682,7 @@ static struct ata_port_operations mv5_op
26618 .port_stop = mv_port_stop,
26619 };
26620
26621 -static struct ata_port_operations mv6_ops = {
26622 +static const struct ata_port_operations mv6_ops = {
26623 .inherits = &ata_bmdma_port_ops,
26624
26625 .lost_interrupt = ATA_OP_NULL,
26626 @@ -716,7 +716,7 @@ static struct ata_port_operations mv6_op
26627 .port_stop = mv_port_stop,
26628 };
26629
26630 -static struct ata_port_operations mv_iie_ops = {
26631 +static const struct ata_port_operations mv_iie_ops = {
26632 .inherits = &mv6_ops,
26633 .dev_config = ATA_OP_NULL,
26634 .qc_prep = mv_qc_prep_iie,
26635 diff -urNp linux-2.6.39.3/drivers/ata/sata_nv.c linux-2.6.39.3/drivers/ata/sata_nv.c
26636 --- linux-2.6.39.3/drivers/ata/sata_nv.c 2011-05-19 00:06:34.000000000 -0400
26637 +++ linux-2.6.39.3/drivers/ata/sata_nv.c 2011-05-22 19:36:31.000000000 -0400
26638 @@ -465,7 +465,7 @@ static struct scsi_host_template nv_swnc
26639 * cases. Define nv_hardreset() which only kicks in for post-boot
26640 * probing and use it for all variants.
26641 */
26642 -static struct ata_port_operations nv_generic_ops = {
26643 +static const struct ata_port_operations nv_generic_ops = {
26644 .inherits = &ata_bmdma_port_ops,
26645 .lost_interrupt = ATA_OP_NULL,
26646 .scr_read = nv_scr_read,
26647 @@ -473,20 +473,20 @@ static struct ata_port_operations nv_gen
26648 .hardreset = nv_hardreset,
26649 };
26650
26651 -static struct ata_port_operations nv_nf2_ops = {
26652 +static const struct ata_port_operations nv_nf2_ops = {
26653 .inherits = &nv_generic_ops,
26654 .freeze = nv_nf2_freeze,
26655 .thaw = nv_nf2_thaw,
26656 };
26657
26658 -static struct ata_port_operations nv_ck804_ops = {
26659 +static const struct ata_port_operations nv_ck804_ops = {
26660 .inherits = &nv_generic_ops,
26661 .freeze = nv_ck804_freeze,
26662 .thaw = nv_ck804_thaw,
26663 .host_stop = nv_ck804_host_stop,
26664 };
26665
26666 -static struct ata_port_operations nv_adma_ops = {
26667 +static const struct ata_port_operations nv_adma_ops = {
26668 .inherits = &nv_ck804_ops,
26669
26670 .check_atapi_dma = nv_adma_check_atapi_dma,
26671 @@ -510,7 +510,7 @@ static struct ata_port_operations nv_adm
26672 .host_stop = nv_adma_host_stop,
26673 };
26674
26675 -static struct ata_port_operations nv_swncq_ops = {
26676 +static const struct ata_port_operations nv_swncq_ops = {
26677 .inherits = &nv_generic_ops,
26678
26679 .qc_defer = ata_std_qc_defer,
26680 diff -urNp linux-2.6.39.3/drivers/ata/sata_promise.c linux-2.6.39.3/drivers/ata/sata_promise.c
26681 --- linux-2.6.39.3/drivers/ata/sata_promise.c 2011-05-19 00:06:34.000000000 -0400
26682 +++ linux-2.6.39.3/drivers/ata/sata_promise.c 2011-05-22 19:36:31.000000000 -0400
26683 @@ -194,7 +194,7 @@ static const struct ata_port_operations
26684 .error_handler = pdc_error_handler,
26685 };
26686
26687 -static struct ata_port_operations pdc_sata_ops = {
26688 +static const struct ata_port_operations pdc_sata_ops = {
26689 .inherits = &pdc_common_ops,
26690 .cable_detect = pdc_sata_cable_detect,
26691 .freeze = pdc_sata_freeze,
26692 @@ -207,14 +207,14 @@ static struct ata_port_operations pdc_sa
26693
26694 /* First-generation chips need a more restrictive ->check_atapi_dma op,
26695 and ->freeze/thaw that ignore the hotplug controls. */
26696 -static struct ata_port_operations pdc_old_sata_ops = {
26697 +static const struct ata_port_operations pdc_old_sata_ops = {
26698 .inherits = &pdc_sata_ops,
26699 .freeze = pdc_freeze,
26700 .thaw = pdc_thaw,
26701 .check_atapi_dma = pdc_old_sata_check_atapi_dma,
26702 };
26703
26704 -static struct ata_port_operations pdc_pata_ops = {
26705 +static const struct ata_port_operations pdc_pata_ops = {
26706 .inherits = &pdc_common_ops,
26707 .cable_detect = pdc_pata_cable_detect,
26708 .freeze = pdc_freeze,
26709 diff -urNp linux-2.6.39.3/drivers/ata/sata_qstor.c linux-2.6.39.3/drivers/ata/sata_qstor.c
26710 --- linux-2.6.39.3/drivers/ata/sata_qstor.c 2011-05-19 00:06:34.000000000 -0400
26711 +++ linux-2.6.39.3/drivers/ata/sata_qstor.c 2011-05-22 19:36:31.000000000 -0400
26712 @@ -131,7 +131,7 @@ static struct scsi_host_template qs_ata_
26713 .dma_boundary = QS_DMA_BOUNDARY,
26714 };
26715
26716 -static struct ata_port_operations qs_ata_ops = {
26717 +static const struct ata_port_operations qs_ata_ops = {
26718 .inherits = &ata_sff_port_ops,
26719
26720 .check_atapi_dma = qs_check_atapi_dma,
26721 diff -urNp linux-2.6.39.3/drivers/ata/sata_sil24.c linux-2.6.39.3/drivers/ata/sata_sil24.c
26722 --- linux-2.6.39.3/drivers/ata/sata_sil24.c 2011-05-19 00:06:34.000000000 -0400
26723 +++ linux-2.6.39.3/drivers/ata/sata_sil24.c 2011-05-22 19:36:31.000000000 -0400
26724 @@ -388,7 +388,7 @@ static struct scsi_host_template sil24_s
26725 .dma_boundary = ATA_DMA_BOUNDARY,
26726 };
26727
26728 -static struct ata_port_operations sil24_ops = {
26729 +static const struct ata_port_operations sil24_ops = {
26730 .inherits = &sata_pmp_port_ops,
26731
26732 .qc_defer = sil24_qc_defer,
26733 diff -urNp linux-2.6.39.3/drivers/ata/sata_sil.c linux-2.6.39.3/drivers/ata/sata_sil.c
26734 --- linux-2.6.39.3/drivers/ata/sata_sil.c 2011-05-19 00:06:34.000000000 -0400
26735 +++ linux-2.6.39.3/drivers/ata/sata_sil.c 2011-05-22 19:36:31.000000000 -0400
26736 @@ -181,7 +181,7 @@ static struct scsi_host_template sil_sht
26737 .sg_tablesize = ATA_MAX_PRD
26738 };
26739
26740 -static struct ata_port_operations sil_ops = {
26741 +static const struct ata_port_operations sil_ops = {
26742 .inherits = &ata_bmdma32_port_ops,
26743 .dev_config = sil_dev_config,
26744 .set_mode = sil_set_mode,
26745 diff -urNp linux-2.6.39.3/drivers/ata/sata_sis.c linux-2.6.39.3/drivers/ata/sata_sis.c
26746 --- linux-2.6.39.3/drivers/ata/sata_sis.c 2011-05-19 00:06:34.000000000 -0400
26747 +++ linux-2.6.39.3/drivers/ata/sata_sis.c 2011-05-22 19:36:31.000000000 -0400
26748 @@ -89,7 +89,7 @@ static struct scsi_host_template sis_sht
26749 ATA_BMDMA_SHT(DRV_NAME),
26750 };
26751
26752 -static struct ata_port_operations sis_ops = {
26753 +static const struct ata_port_operations sis_ops = {
26754 .inherits = &ata_bmdma_port_ops,
26755 .scr_read = sis_scr_read,
26756 .scr_write = sis_scr_write,
26757 diff -urNp linux-2.6.39.3/drivers/ata/sata_svw.c linux-2.6.39.3/drivers/ata/sata_svw.c
26758 --- linux-2.6.39.3/drivers/ata/sata_svw.c 2011-05-19 00:06:34.000000000 -0400
26759 +++ linux-2.6.39.3/drivers/ata/sata_svw.c 2011-05-22 19:36:31.000000000 -0400
26760 @@ -344,7 +344,7 @@ static struct scsi_host_template k2_sata
26761 };
26762
26763
26764 -static struct ata_port_operations k2_sata_ops = {
26765 +static const struct ata_port_operations k2_sata_ops = {
26766 .inherits = &ata_bmdma_port_ops,
26767 .sff_tf_load = k2_sata_tf_load,
26768 .sff_tf_read = k2_sata_tf_read,
26769 diff -urNp linux-2.6.39.3/drivers/ata/sata_sx4.c linux-2.6.39.3/drivers/ata/sata_sx4.c
26770 --- linux-2.6.39.3/drivers/ata/sata_sx4.c 2011-05-19 00:06:34.000000000 -0400
26771 +++ linux-2.6.39.3/drivers/ata/sata_sx4.c 2011-05-22 19:36:31.000000000 -0400
26772 @@ -249,7 +249,7 @@ static struct scsi_host_template pdc_sat
26773 };
26774
26775 /* TODO: inherit from base port_ops after converting to new EH */
26776 -static struct ata_port_operations pdc_20621_ops = {
26777 +static const struct ata_port_operations pdc_20621_ops = {
26778 .inherits = &ata_sff_port_ops,
26779
26780 .check_atapi_dma = pdc_check_atapi_dma,
26781 diff -urNp linux-2.6.39.3/drivers/ata/sata_uli.c linux-2.6.39.3/drivers/ata/sata_uli.c
26782 --- linux-2.6.39.3/drivers/ata/sata_uli.c 2011-05-19 00:06:34.000000000 -0400
26783 +++ linux-2.6.39.3/drivers/ata/sata_uli.c 2011-05-22 19:36:31.000000000 -0400
26784 @@ -80,7 +80,7 @@ static struct scsi_host_template uli_sht
26785 ATA_BMDMA_SHT(DRV_NAME),
26786 };
26787
26788 -static struct ata_port_operations uli_ops = {
26789 +static const struct ata_port_operations uli_ops = {
26790 .inherits = &ata_bmdma_port_ops,
26791 .scr_read = uli_scr_read,
26792 .scr_write = uli_scr_write,
26793 diff -urNp linux-2.6.39.3/drivers/ata/sata_via.c linux-2.6.39.3/drivers/ata/sata_via.c
26794 --- linux-2.6.39.3/drivers/ata/sata_via.c 2011-05-19 00:06:34.000000000 -0400
26795 +++ linux-2.6.39.3/drivers/ata/sata_via.c 2011-05-22 19:36:31.000000000 -0400
26796 @@ -115,32 +115,32 @@ static struct scsi_host_template svia_sh
26797 ATA_BMDMA_SHT(DRV_NAME),
26798 };
26799
26800 -static struct ata_port_operations svia_base_ops = {
26801 +static const struct ata_port_operations svia_base_ops = {
26802 .inherits = &ata_bmdma_port_ops,
26803 .sff_tf_load = svia_tf_load,
26804 };
26805
26806 -static struct ata_port_operations vt6420_sata_ops = {
26807 +static const struct ata_port_operations vt6420_sata_ops = {
26808 .inherits = &svia_base_ops,
26809 .freeze = svia_noop_freeze,
26810 .prereset = vt6420_prereset,
26811 .bmdma_start = vt6420_bmdma_start,
26812 };
26813
26814 -static struct ata_port_operations vt6421_pata_ops = {
26815 +static const struct ata_port_operations vt6421_pata_ops = {
26816 .inherits = &svia_base_ops,
26817 .cable_detect = vt6421_pata_cable_detect,
26818 .set_piomode = vt6421_set_pio_mode,
26819 .set_dmamode = vt6421_set_dma_mode,
26820 };
26821
26822 -static struct ata_port_operations vt6421_sata_ops = {
26823 +static const struct ata_port_operations vt6421_sata_ops = {
26824 .inherits = &svia_base_ops,
26825 .scr_read = svia_scr_read,
26826 .scr_write = svia_scr_write,
26827 };
26828
26829 -static struct ata_port_operations vt8251_ops = {
26830 +static const struct ata_port_operations vt8251_ops = {
26831 .inherits = &svia_base_ops,
26832 .hardreset = sata_std_hardreset,
26833 .scr_read = vt8251_scr_read,
26834 diff -urNp linux-2.6.39.3/drivers/ata/sata_vsc.c linux-2.6.39.3/drivers/ata/sata_vsc.c
26835 --- linux-2.6.39.3/drivers/ata/sata_vsc.c 2011-05-19 00:06:34.000000000 -0400
26836 +++ linux-2.6.39.3/drivers/ata/sata_vsc.c 2011-05-22 19:36:31.000000000 -0400
26837 @@ -300,7 +300,7 @@ static struct scsi_host_template vsc_sat
26838 };
26839
26840
26841 -static struct ata_port_operations vsc_sata_ops = {
26842 +static const struct ata_port_operations vsc_sata_ops = {
26843 .inherits = &ata_bmdma_port_ops,
26844 /* The IRQ handling is not quite standard SFF behaviour so we
26845 cannot use the default lost interrupt handler */
26846 diff -urNp linux-2.6.39.3/drivers/atm/adummy.c linux-2.6.39.3/drivers/atm/adummy.c
26847 --- linux-2.6.39.3/drivers/atm/adummy.c 2011-05-19 00:06:34.000000000 -0400
26848 +++ linux-2.6.39.3/drivers/atm/adummy.c 2011-05-22 19:36:31.000000000 -0400
26849 @@ -114,7 +114,7 @@ adummy_send(struct atm_vcc *vcc, struct
26850 vcc->pop(vcc, skb);
26851 else
26852 dev_kfree_skb_any(skb);
26853 - atomic_inc(&vcc->stats->tx);
26854 + atomic_inc_unchecked(&vcc->stats->tx);
26855
26856 return 0;
26857 }
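Review bot: The switch to `atomic_inc_unchecked()` on `vcc->stats->tx` takes this counter off the checked atomic API without recording why, and it only type-checks if the `stats` fields are declared with the matching unchecked type elsewhere in the patch (not visible here). Wrapping is harmless for a pure statistic, but the exemption should be justified once where the fields are declared, e.g. `/* statistics only: may wrap, never used for lifetime or bounds decisions */`. The same conversion repeats in ambassador.c, atmtcp.c, eni.c, firestream.c, fore200e.c, he.c, horizon.c, idt77252.c, iphase.c, lanai.c and nicstar.c. `sk_wmem_alloc`, which is real accounting, rightly stays on the checked API in the fore200e.c and idt77252.c hunks. adummy_send starts outside the hunk.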
26858 diff -urNp linux-2.6.39.3/drivers/atm/ambassador.c linux-2.6.39.3/drivers/atm/ambassador.c
26859 --- linux-2.6.39.3/drivers/atm/ambassador.c 2011-05-19 00:06:34.000000000 -0400
26860 +++ linux-2.6.39.3/drivers/atm/ambassador.c 2011-05-22 19:36:31.000000000 -0400
26861 @@ -454,7 +454,7 @@ static void tx_complete (amb_dev * dev,
26862 PRINTD (DBG_FLOW|DBG_TX, "tx_complete %p %p", dev, tx);
26863
26864 // VC layer stats
26865 - atomic_inc(&ATM_SKB(skb)->vcc->stats->tx);
26866 + atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx);
26867
26868 // free the descriptor
26869 kfree (tx_descr);
26870 @@ -495,7 +495,7 @@ static void rx_complete (amb_dev * dev,
26871 dump_skb ("<<<", vc, skb);
26872
26873 // VC layer stats
26874 - atomic_inc(&atm_vcc->stats->rx);
26875 + atomic_inc_unchecked(&atm_vcc->stats->rx);
26876 __net_timestamp(skb);
26877 // end of our responsibility
26878 atm_vcc->push (atm_vcc, skb);
26879 @@ -510,7 +510,7 @@ static void rx_complete (amb_dev * dev,
26880 } else {
26881 PRINTK (KERN_INFO, "dropped over-size frame");
26882 // should we count this?
26883 - atomic_inc(&atm_vcc->stats->rx_drop);
26884 + atomic_inc_unchecked(&atm_vcc->stats->rx_drop);
26885 }
26886
26887 } else {
26888 @@ -1342,7 +1342,7 @@ static int amb_send (struct atm_vcc * at
26889 }
26890
26891 if (check_area (skb->data, skb->len)) {
26892 - atomic_inc(&atm_vcc->stats->tx_err);
26893 + atomic_inc_unchecked(&atm_vcc->stats->tx_err);
26894 return -ENOMEM; // ?
26895 }
26896
26897 diff -urNp linux-2.6.39.3/drivers/atm/atmtcp.c linux-2.6.39.3/drivers/atm/atmtcp.c
26898 --- linux-2.6.39.3/drivers/atm/atmtcp.c 2011-05-19 00:06:34.000000000 -0400
26899 +++ linux-2.6.39.3/drivers/atm/atmtcp.c 2011-05-22 19:36:31.000000000 -0400
26900 @@ -207,7 +207,7 @@ static int atmtcp_v_send(struct atm_vcc
26901 if (vcc->pop) vcc->pop(vcc,skb);
26902 else dev_kfree_skb(skb);
26903 if (dev_data) return 0;
26904 - atomic_inc(&vcc->stats->tx_err);
26905 + atomic_inc_unchecked(&vcc->stats->tx_err);
26906 return -ENOLINK;
26907 }
26908 size = skb->len+sizeof(struct atmtcp_hdr);
26909 @@ -215,7 +215,7 @@ static int atmtcp_v_send(struct atm_vcc
26910 if (!new_skb) {
26911 if (vcc->pop) vcc->pop(vcc,skb);
26912 else dev_kfree_skb(skb);
26913 - atomic_inc(&vcc->stats->tx_err);
26914 + atomic_inc_unchecked(&vcc->stats->tx_err);
26915 return -ENOBUFS;
26916 }
26917 hdr = (void *) skb_put(new_skb,sizeof(struct atmtcp_hdr));
26918 @@ -226,8 +226,8 @@ static int atmtcp_v_send(struct atm_vcc
26919 if (vcc->pop) vcc->pop(vcc,skb);
26920 else dev_kfree_skb(skb);
26921 out_vcc->push(out_vcc,new_skb);
26922 - atomic_inc(&vcc->stats->tx);
26923 - atomic_inc(&out_vcc->stats->rx);
26924 + atomic_inc_unchecked(&vcc->stats->tx);
26925 + atomic_inc_unchecked(&out_vcc->stats->rx);
26926 return 0;
26927 }
26928
26929 @@ -301,7 +301,7 @@ static int atmtcp_c_send(struct atm_vcc
26930 out_vcc = find_vcc(dev, ntohs(hdr->vpi), ntohs(hdr->vci));
26931 read_unlock(&vcc_sklist_lock);
26932 if (!out_vcc) {
26933 - atomic_inc(&vcc->stats->tx_err);
26934 + atomic_inc_unchecked(&vcc->stats->tx_err);
26935 goto done;
26936 }
26937 skb_pull(skb,sizeof(struct atmtcp_hdr));
26938 @@ -313,8 +313,8 @@ static int atmtcp_c_send(struct atm_vcc
26939 __net_timestamp(new_skb);
26940 skb_copy_from_linear_data(skb, skb_put(new_skb, skb->len), skb->len);
26941 out_vcc->push(out_vcc,new_skb);
26942 - atomic_inc(&vcc->stats->tx);
26943 - atomic_inc(&out_vcc->stats->rx);
26944 + atomic_inc_unchecked(&vcc->stats->tx);
26945 + atomic_inc_unchecked(&out_vcc->stats->rx);
26946 done:
26947 if (vcc->pop) vcc->pop(vcc,skb);
26948 else dev_kfree_skb(skb);
26949 diff -urNp linux-2.6.39.3/drivers/atm/eni.c linux-2.6.39.3/drivers/atm/eni.c
26950 --- linux-2.6.39.3/drivers/atm/eni.c 2011-05-19 00:06:34.000000000 -0400
26951 +++ linux-2.6.39.3/drivers/atm/eni.c 2011-05-22 19:36:31.000000000 -0400
26952 @@ -526,7 +526,7 @@ static int rx_aal0(struct atm_vcc *vcc)
26953 DPRINTK(DEV_LABEL "(itf %d): trashing empty cell\n",
26954 vcc->dev->number);
26955 length = 0;
26956 - atomic_inc(&vcc->stats->rx_err);
26957 + atomic_inc_unchecked(&vcc->stats->rx_err);
26958 }
26959 else {
26960 length = ATM_CELL_SIZE-1; /* no HEC */
26961 @@ -581,7 +581,7 @@ static int rx_aal5(struct atm_vcc *vcc)
26962 size);
26963 }
26964 eff = length = 0;
26965 - atomic_inc(&vcc->stats->rx_err);
26966 + atomic_inc_unchecked(&vcc->stats->rx_err);
26967 }
26968 else {
26969 size = (descr & MID_RED_COUNT)*(ATM_CELL_PAYLOAD >> 2);
26970 @@ -598,7 +598,7 @@ static int rx_aal5(struct atm_vcc *vcc)
26971 "(VCI=%d,length=%ld,size=%ld (descr 0x%lx))\n",
26972 vcc->dev->number,vcc->vci,length,size << 2,descr);
26973 length = eff = 0;
26974 - atomic_inc(&vcc->stats->rx_err);
26975 + atomic_inc_unchecked(&vcc->stats->rx_err);
26976 }
26977 }
26978 skb = eff ? atm_alloc_charge(vcc,eff << 2,GFP_ATOMIC) : NULL;
26979 @@ -771,7 +771,7 @@ rx_dequeued++;
26980 vcc->push(vcc,skb);
26981 pushed++;
26982 }
26983 - atomic_inc(&vcc->stats->rx);
26984 + atomic_inc_unchecked(&vcc->stats->rx);
26985 }
26986 wake_up(&eni_dev->rx_wait);
26987 }
26988 @@ -1228,7 +1228,7 @@ static void dequeue_tx(struct atm_dev *d
26989 PCI_DMA_TODEVICE);
26990 if (vcc->pop) vcc->pop(vcc,skb);
26991 else dev_kfree_skb_irq(skb);
26992 - atomic_inc(&vcc->stats->tx);
26993 + atomic_inc_unchecked(&vcc->stats->tx);
26994 wake_up(&eni_dev->tx_wait);
26995 dma_complete++;
26996 }
26997 diff -urNp linux-2.6.39.3/drivers/atm/firestream.c linux-2.6.39.3/drivers/atm/firestream.c
26998 --- linux-2.6.39.3/drivers/atm/firestream.c 2011-05-19 00:06:34.000000000 -0400
26999 +++ linux-2.6.39.3/drivers/atm/firestream.c 2011-05-22 19:36:31.000000000 -0400
27000 @@ -749,7 +749,7 @@ static void process_txdone_queue (struct
27001 }
27002 }
27003
27004 - atomic_inc(&ATM_SKB(skb)->vcc->stats->tx);
27005 + atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx);
27006
27007 fs_dprintk (FS_DEBUG_TXMEM, "i");
27008 fs_dprintk (FS_DEBUG_ALLOC, "Free t-skb: %p\n", skb);
27009 @@ -816,7 +816,7 @@ static void process_incoming (struct fs_
27010 #endif
27011 skb_put (skb, qe->p1 & 0xffff);
27012 ATM_SKB(skb)->vcc = atm_vcc;
27013 - atomic_inc(&atm_vcc->stats->rx);
27014 + atomic_inc_unchecked(&atm_vcc->stats->rx);
27015 __net_timestamp(skb);
27016 fs_dprintk (FS_DEBUG_ALLOC, "Free rec-skb: %p (pushed)\n", skb);
27017 atm_vcc->push (atm_vcc, skb);
27018 @@ -837,12 +837,12 @@ static void process_incoming (struct fs_
27019 kfree (pe);
27020 }
27021 if (atm_vcc)
27022 - atomic_inc(&atm_vcc->stats->rx_drop);
27023 + atomic_inc_unchecked(&atm_vcc->stats->rx_drop);
27024 break;
27025 case 0x1f: /* Reassembly abort: no buffers. */
27026 /* Silently increment error counter. */
27027 if (atm_vcc)
27028 - atomic_inc(&atm_vcc->stats->rx_drop);
27029 + atomic_inc_unchecked(&atm_vcc->stats->rx_drop);
27030 break;
27031 default: /* Hmm. Haven't written the code to handle the others yet... -- REW */
27032 printk (KERN_WARNING "Don't know what to do with RX status %x: %s.\n",
27033 diff -urNp linux-2.6.39.3/drivers/atm/fore200e.c linux-2.6.39.3/drivers/atm/fore200e.c
27034 --- linux-2.6.39.3/drivers/atm/fore200e.c 2011-05-19 00:06:34.000000000 -0400
27035 +++ linux-2.6.39.3/drivers/atm/fore200e.c 2011-05-22 19:36:31.000000000 -0400
27036 @@ -933,9 +933,9 @@ fore200e_tx_irq(struct fore200e* fore200
27037 #endif
27038 /* check error condition */
27039 if (*entry->status & STATUS_ERROR)
27040 - atomic_inc(&vcc->stats->tx_err);
27041 + atomic_inc_unchecked(&vcc->stats->tx_err);
27042 else
27043 - atomic_inc(&vcc->stats->tx);
27044 + atomic_inc_unchecked(&vcc->stats->tx);
27045 }
27046 }
27047
27048 @@ -1084,7 +1084,7 @@ fore200e_push_rpd(struct fore200e* fore2
27049 if (skb == NULL) {
27050 DPRINTK(2, "unable to alloc new skb, rx PDU length = %d\n", pdu_len);
27051
27052 - atomic_inc(&vcc->stats->rx_drop);
27053 + atomic_inc_unchecked(&vcc->stats->rx_drop);
27054 return -ENOMEM;
27055 }
27056
27057 @@ -1127,14 +1127,14 @@ fore200e_push_rpd(struct fore200e* fore2
27058
27059 dev_kfree_skb_any(skb);
27060
27061 - atomic_inc(&vcc->stats->rx_drop);
27062 + atomic_inc_unchecked(&vcc->stats->rx_drop);
27063 return -ENOMEM;
27064 }
27065
27066 ASSERT(atomic_read(&sk_atm(vcc)->sk_wmem_alloc) >= 0);
27067
27068 vcc->push(vcc, skb);
27069 - atomic_inc(&vcc->stats->rx);
27070 + atomic_inc_unchecked(&vcc->stats->rx);
27071
27072 ASSERT(atomic_read(&sk_atm(vcc)->sk_wmem_alloc) >= 0);
27073
27074 @@ -1212,7 +1212,7 @@ fore200e_rx_irq(struct fore200e* fore200
27075 DPRINTK(2, "damaged PDU on %d.%d.%d\n",
27076 fore200e->atm_dev->number,
27077 entry->rpd->atm_header.vpi, entry->rpd->atm_header.vci);
27078 - atomic_inc(&vcc->stats->rx_err);
27079 + atomic_inc_unchecked(&vcc->stats->rx_err);
27080 }
27081 }
27082
27083 @@ -1657,7 +1657,7 @@ fore200e_send(struct atm_vcc *vcc, struc
27084 goto retry_here;
27085 }
27086
27087 - atomic_inc(&vcc->stats->tx_err);
27088 + atomic_inc_unchecked(&vcc->stats->tx_err);
27089
27090 fore200e->tx_sat++;
27091 DPRINTK(2, "tx queue of device %s is saturated, PDU dropped - heartbeat is %08x\n",
27092 diff -urNp linux-2.6.39.3/drivers/atm/he.c linux-2.6.39.3/drivers/atm/he.c
27093 --- linux-2.6.39.3/drivers/atm/he.c 2011-05-19 00:06:34.000000000 -0400
27094 +++ linux-2.6.39.3/drivers/atm/he.c 2011-05-22 19:36:31.000000000 -0400
27095 @@ -1709,7 +1709,7 @@ he_service_rbrq(struct he_dev *he_dev, i
27096
27097 if (RBRQ_HBUF_ERR(he_dev->rbrq_head)) {
27098 hprintk("HBUF_ERR! (cid 0x%x)\n", cid);
27099 - atomic_inc(&vcc->stats->rx_drop);
27100 + atomic_inc_unchecked(&vcc->stats->rx_drop);
27101 goto return_host_buffers;
27102 }
27103
27104 @@ -1736,7 +1736,7 @@ he_service_rbrq(struct he_dev *he_dev, i
27105 RBRQ_LEN_ERR(he_dev->rbrq_head)
27106 ? "LEN_ERR" : "",
27107 vcc->vpi, vcc->vci);
27108 - atomic_inc(&vcc->stats->rx_err);
27109 + atomic_inc_unchecked(&vcc->stats->rx_err);
27110 goto return_host_buffers;
27111 }
27112
27113 @@ -1788,7 +1788,7 @@ he_service_rbrq(struct he_dev *he_dev, i
27114 vcc->push(vcc, skb);
27115 spin_lock(&he_dev->global_lock);
27116
27117 - atomic_inc(&vcc->stats->rx);
27118 + atomic_inc_unchecked(&vcc->stats->rx);
27119
27120 return_host_buffers:
27121 ++pdus_assembled;
27122 @@ -2114,7 +2114,7 @@ __enqueue_tpd(struct he_dev *he_dev, str
27123 tpd->vcc->pop(tpd->vcc, tpd->skb);
27124 else
27125 dev_kfree_skb_any(tpd->skb);
27126 - atomic_inc(&tpd->vcc->stats->tx_err);
27127 + atomic_inc_unchecked(&tpd->vcc->stats->tx_err);
27128 }
27129 pci_pool_free(he_dev->tpd_pool, tpd, TPD_ADDR(tpd->status));
27130 return;
27131 @@ -2526,7 +2526,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
27132 vcc->pop(vcc, skb);
27133 else
27134 dev_kfree_skb_any(skb);
27135 - atomic_inc(&vcc->stats->tx_err);
27136 + atomic_inc_unchecked(&vcc->stats->tx_err);
27137 return -EINVAL;
27138 }
27139
27140 @@ -2537,7 +2537,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
27141 vcc->pop(vcc, skb);
27142 else
27143 dev_kfree_skb_any(skb);
27144 - atomic_inc(&vcc->stats->tx_err);
27145 + atomic_inc_unchecked(&vcc->stats->tx_err);
27146 return -EINVAL;
27147 }
27148 #endif
27149 @@ -2549,7 +2549,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
27150 vcc->pop(vcc, skb);
27151 else
27152 dev_kfree_skb_any(skb);
27153 - atomic_inc(&vcc->stats->tx_err);
27154 + atomic_inc_unchecked(&vcc->stats->tx_err);
27155 spin_unlock_irqrestore(&he_dev->global_lock, flags);
27156 return -ENOMEM;
27157 }
27158 @@ -2591,7 +2591,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
27159 vcc->pop(vcc, skb);
27160 else
27161 dev_kfree_skb_any(skb);
27162 - atomic_inc(&vcc->stats->tx_err);
27163 + atomic_inc_unchecked(&vcc->stats->tx_err);
27164 spin_unlock_irqrestore(&he_dev->global_lock, flags);
27165 return -ENOMEM;
27166 }
27167 @@ -2622,7 +2622,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
27168 __enqueue_tpd(he_dev, tpd, cid);
27169 spin_unlock_irqrestore(&he_dev->global_lock, flags);
27170
27171 - atomic_inc(&vcc->stats->tx);
27172 + atomic_inc_unchecked(&vcc->stats->tx);
27173
27174 return 0;
27175 }
27176 diff -urNp linux-2.6.39.3/drivers/atm/horizon.c linux-2.6.39.3/drivers/atm/horizon.c
27177 --- linux-2.6.39.3/drivers/atm/horizon.c 2011-05-19 00:06:34.000000000 -0400
27178 +++ linux-2.6.39.3/drivers/atm/horizon.c 2011-05-22 19:36:31.000000000 -0400
27179 @@ -1034,7 +1034,7 @@ static void rx_schedule (hrz_dev * dev,
27180 {
27181 struct atm_vcc * vcc = ATM_SKB(skb)->vcc;
27182 // VC layer stats
27183 - atomic_inc(&vcc->stats->rx);
27184 + atomic_inc_unchecked(&vcc->stats->rx);
27185 __net_timestamp(skb);
27186 // end of our responsibility
27187 vcc->push (vcc, skb);
27188 @@ -1186,7 +1186,7 @@ static void tx_schedule (hrz_dev * const
27189 dev->tx_iovec = NULL;
27190
27191 // VC layer stats
27192 - atomic_inc(&ATM_SKB(skb)->vcc->stats->tx);
27193 + atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx);
27194
27195 // free the skb
27196 hrz_kfree_skb (skb);
27197 diff -urNp linux-2.6.39.3/drivers/atm/idt77252.c linux-2.6.39.3/drivers/atm/idt77252.c
27198 --- linux-2.6.39.3/drivers/atm/idt77252.c 2011-05-19 00:06:34.000000000 -0400
27199 +++ linux-2.6.39.3/drivers/atm/idt77252.c 2011-05-22 19:36:31.000000000 -0400
27200 @@ -811,7 +811,7 @@ drain_scq(struct idt77252_dev *card, str
27201 else
27202 dev_kfree_skb(skb);
27203
27204 - atomic_inc(&vcc->stats->tx);
27205 + atomic_inc_unchecked(&vcc->stats->tx);
27206 }
27207
27208 atomic_dec(&scq->used);
27209 @@ -1074,13 +1074,13 @@ dequeue_rx(struct idt77252_dev *card, st
27210 if ((sb = dev_alloc_skb(64)) == NULL) {
27211 printk("%s: Can't allocate buffers for aal0.\n",
27212 card->name);
27213 - atomic_add(i, &vcc->stats->rx_drop);
27214 + atomic_add_unchecked(i, &vcc->stats->rx_drop);
27215 break;
27216 }
27217 if (!atm_charge(vcc, sb->truesize)) {
27218 RXPRINTK("%s: atm_charge() dropped aal0 packets.\n",
27219 card->name);
27220 - atomic_add(i - 1, &vcc->stats->rx_drop);
27221 + atomic_add_unchecked(i - 1, &vcc->stats->rx_drop);
27222 dev_kfree_skb(sb);
27223 break;
27224 }
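Review bot: The `i - 1` in `atomic_add_unchecked(i - 1, &vcc->stats->rx_drop);` is unexplained here, whereas the matching line in nicstar.c's dequeue_rx carries the comment `/* already increased by 1 */`. Adding the same comment on the idt77252 line would make clear that the failed `atm_charge()` call is presumed to have counted one drop itself, so the adjustment is deliberate rather than an off-by-one. dequeue_rx starts and ends outside the hunk.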
27225 @@ -1097,7 +1097,7 @@ dequeue_rx(struct idt77252_dev *card, st
27226 ATM_SKB(sb)->vcc = vcc;
27227 __net_timestamp(sb);
27228 vcc->push(vcc, sb);
27229 - atomic_inc(&vcc->stats->rx);
27230 + atomic_inc_unchecked(&vcc->stats->rx);
27231
27232 cell += ATM_CELL_PAYLOAD;
27233 }
27234 @@ -1134,13 +1134,13 @@ dequeue_rx(struct idt77252_dev *card, st
27235 "(CDC: %08x)\n",
27236 card->name, len, rpp->len, readl(SAR_REG_CDC));
27237 recycle_rx_pool_skb(card, rpp);
27238 - atomic_inc(&vcc->stats->rx_err);
27239 + atomic_inc_unchecked(&vcc->stats->rx_err);
27240 return;
27241 }
27242 if (stat & SAR_RSQE_CRC) {
27243 RXPRINTK("%s: AAL5 CRC error.\n", card->name);
27244 recycle_rx_pool_skb(card, rpp);
27245 - atomic_inc(&vcc->stats->rx_err);
27246 + atomic_inc_unchecked(&vcc->stats->rx_err);
27247 return;
27248 }
27249 if (skb_queue_len(&rpp->queue) > 1) {
27250 @@ -1151,7 +1151,7 @@ dequeue_rx(struct idt77252_dev *card, st
27251 RXPRINTK("%s: Can't alloc RX skb.\n",
27252 card->name);
27253 recycle_rx_pool_skb(card, rpp);
27254 - atomic_inc(&vcc->stats->rx_err);
27255 + atomic_inc_unchecked(&vcc->stats->rx_err);
27256 return;
27257 }
27258 if (!atm_charge(vcc, skb->truesize)) {
27259 @@ -1170,7 +1170,7 @@ dequeue_rx(struct idt77252_dev *card, st
27260 __net_timestamp(skb);
27261
27262 vcc->push(vcc, skb);
27263 - atomic_inc(&vcc->stats->rx);
27264 + atomic_inc_unchecked(&vcc->stats->rx);
27265
27266 return;
27267 }
27268 @@ -1192,7 +1192,7 @@ dequeue_rx(struct idt77252_dev *card, st
27269 __net_timestamp(skb);
27270
27271 vcc->push(vcc, skb);
27272 - atomic_inc(&vcc->stats->rx);
27273 + atomic_inc_unchecked(&vcc->stats->rx);
27274
27275 if (skb->truesize > SAR_FB_SIZE_3)
27276 add_rx_skb(card, 3, SAR_FB_SIZE_3, 1);
27277 @@ -1304,14 +1304,14 @@ idt77252_rx_raw(struct idt77252_dev *car
27278 if (vcc->qos.aal != ATM_AAL0) {
27279 RPRINTK("%s: raw cell for non AAL0 vc %u.%u\n",
27280 card->name, vpi, vci);
27281 - atomic_inc(&vcc->stats->rx_drop);
27282 + atomic_inc_unchecked(&vcc->stats->rx_drop);
27283 goto drop;
27284 }
27285
27286 if ((sb = dev_alloc_skb(64)) == NULL) {
27287 printk("%s: Can't allocate buffers for AAL0.\n",
27288 card->name);
27289 - atomic_inc(&vcc->stats->rx_err);
27290 + atomic_inc_unchecked(&vcc->stats->rx_err);
27291 goto drop;
27292 }
27293
27294 @@ -1330,7 +1330,7 @@ idt77252_rx_raw(struct idt77252_dev *car
27295 ATM_SKB(sb)->vcc = vcc;
27296 __net_timestamp(sb);
27297 vcc->push(vcc, sb);
27298 - atomic_inc(&vcc->stats->rx);
27299 + atomic_inc_unchecked(&vcc->stats->rx);
27300
27301 drop:
27302 skb_pull(queue, 64);
27303 @@ -1955,13 +1955,13 @@ idt77252_send_skb(struct atm_vcc *vcc, s
27304
27305 if (vc == NULL) {
27306 printk("%s: NULL connection in send().\n", card->name);
27307 - atomic_inc(&vcc->stats->tx_err);
27308 + atomic_inc_unchecked(&vcc->stats->tx_err);
27309 dev_kfree_skb(skb);
27310 return -EINVAL;
27311 }
27312 if (!test_bit(VCF_TX, &vc->flags)) {
27313 printk("%s: Trying to transmit on a non-tx VC.\n", card->name);
27314 - atomic_inc(&vcc->stats->tx_err);
27315 + atomic_inc_unchecked(&vcc->stats->tx_err);
27316 dev_kfree_skb(skb);
27317 return -EINVAL;
27318 }
27319 @@ -1973,14 +1973,14 @@ idt77252_send_skb(struct atm_vcc *vcc, s
27320 break;
27321 default:
27322 printk("%s: Unsupported AAL: %d\n", card->name, vcc->qos.aal);
27323 - atomic_inc(&vcc->stats->tx_err);
27324 + atomic_inc_unchecked(&vcc->stats->tx_err);
27325 dev_kfree_skb(skb);
27326 return -EINVAL;
27327 }
27328
27329 if (skb_shinfo(skb)->nr_frags != 0) {
27330 printk("%s: No scatter-gather yet.\n", card->name);
27331 - atomic_inc(&vcc->stats->tx_err);
27332 + atomic_inc_unchecked(&vcc->stats->tx_err);
27333 dev_kfree_skb(skb);
27334 return -EINVAL;
27335 }
27336 @@ -1988,7 +1988,7 @@ idt77252_send_skb(struct atm_vcc *vcc, s
27337
27338 err = queue_skb(card, vc, skb, oam);
27339 if (err) {
27340 - atomic_inc(&vcc->stats->tx_err);
27341 + atomic_inc_unchecked(&vcc->stats->tx_err);
27342 dev_kfree_skb(skb);
27343 return err;
27344 }
27345 @@ -2011,7 +2011,7 @@ idt77252_send_oam(struct atm_vcc *vcc, v
27346 skb = dev_alloc_skb(64);
27347 if (!skb) {
27348 printk("%s: Out of memory in send_oam().\n", card->name);
27349 - atomic_inc(&vcc->stats->tx_err);
27350 + atomic_inc_unchecked(&vcc->stats->tx_err);
27351 return -ENOMEM;
27352 }
27353 atomic_add(skb->truesize, &sk_atm(vcc)->sk_wmem_alloc);
27354 diff -urNp linux-2.6.39.3/drivers/atm/iphase.c linux-2.6.39.3/drivers/atm/iphase.c
27355 --- linux-2.6.39.3/drivers/atm/iphase.c 2011-05-19 00:06:34.000000000 -0400
27356 +++ linux-2.6.39.3/drivers/atm/iphase.c 2011-05-22 19:36:31.000000000 -0400
27357 @@ -1124,7 +1124,7 @@ static int rx_pkt(struct atm_dev *dev)
27358 status = (u_short) (buf_desc_ptr->desc_mode);
27359 if (status & (RX_CER | RX_PTE | RX_OFL))
27360 {
27361 - atomic_inc(&vcc->stats->rx_err);
27362 + atomic_inc_unchecked(&vcc->stats->rx_err);
27363 IF_ERR(printk("IA: bad packet, dropping it");)
27364 if (status & RX_CER) {
27365 IF_ERR(printk(" cause: packet CRC error\n");)
27366 @@ -1147,7 +1147,7 @@ static int rx_pkt(struct atm_dev *dev)
27367 len = dma_addr - buf_addr;
27368 if (len > iadev->rx_buf_sz) {
27369 printk("Over %d bytes sdu received, dropped!!!\n", iadev->rx_buf_sz);
27370 - atomic_inc(&vcc->stats->rx_err);
27371 + atomic_inc_unchecked(&vcc->stats->rx_err);
27372 goto out_free_desc;
27373 }
27374
27375 @@ -1297,7 +1297,7 @@ static void rx_dle_intr(struct atm_dev *
27376 ia_vcc = INPH_IA_VCC(vcc);
27377 if (ia_vcc == NULL)
27378 {
27379 - atomic_inc(&vcc->stats->rx_err);
27380 + atomic_inc_unchecked(&vcc->stats->rx_err);
27381 dev_kfree_skb_any(skb);
27382 atm_return(vcc, atm_guess_pdu2truesize(len));
27383 goto INCR_DLE;
27384 @@ -1309,7 +1309,7 @@ static void rx_dle_intr(struct atm_dev *
27385 if ((length > iadev->rx_buf_sz) || (length >
27386 (skb->len - sizeof(struct cpcs_trailer))))
27387 {
27388 - atomic_inc(&vcc->stats->rx_err);
27389 + atomic_inc_unchecked(&vcc->stats->rx_err);
27390 IF_ERR(printk("rx_dle_intr: Bad AAL5 trailer %d (skb len %d)",
27391 length, skb->len);)
27392 dev_kfree_skb_any(skb);
27393 @@ -1325,7 +1325,7 @@ static void rx_dle_intr(struct atm_dev *
27394
27395 IF_RX(printk("rx_dle_intr: skb push");)
27396 vcc->push(vcc,skb);
27397 - atomic_inc(&vcc->stats->rx);
27398 + atomic_inc_unchecked(&vcc->stats->rx);
27399 iadev->rx_pkt_cnt++;
27400 }
27401 INCR_DLE:
27402 @@ -2807,15 +2807,15 @@ static int ia_ioctl(struct atm_dev *dev,
27403 {
27404 struct k_sonet_stats *stats;
27405 stats = &PRIV(_ia_dev[board])->sonet_stats;
27406 - printk("section_bip: %d\n", atomic_read(&stats->section_bip));
27407 - printk("line_bip : %d\n", atomic_read(&stats->line_bip));
27408 - printk("path_bip : %d\n", atomic_read(&stats->path_bip));
27409 - printk("line_febe : %d\n", atomic_read(&stats->line_febe));
27410 - printk("path_febe : %d\n", atomic_read(&stats->path_febe));
27411 - printk("corr_hcs : %d\n", atomic_read(&stats->corr_hcs));
27412 - printk("uncorr_hcs : %d\n", atomic_read(&stats->uncorr_hcs));
27413 - printk("tx_cells : %d\n", atomic_read(&stats->tx_cells));
27414 - printk("rx_cells : %d\n", atomic_read(&stats->rx_cells));
27415 + printk("section_bip: %d\n", atomic_read_unchecked(&stats->section_bip));
27416 + printk("line_bip : %d\n", atomic_read_unchecked(&stats->line_bip));
27417 + printk("path_bip : %d\n", atomic_read_unchecked(&stats->path_bip));
27418 + printk("line_febe : %d\n", atomic_read_unchecked(&stats->line_febe));
27419 + printk("path_febe : %d\n", atomic_read_unchecked(&stats->path_febe));
27420 + printk("corr_hcs : %d\n", atomic_read_unchecked(&stats->corr_hcs));
27421 + printk("uncorr_hcs : %d\n", atomic_read_unchecked(&stats->uncorr_hcs));
27422 + printk("tx_cells : %d\n", atomic_read_unchecked(&stats->tx_cells));
27423 + printk("rx_cells : %d\n", atomic_read_unchecked(&stats->rx_cells));
27424 }
27425 ia_cmds.status = 0;
27426 break;
27427 @@ -2920,7 +2920,7 @@ static int ia_pkt_tx (struct atm_vcc *vc
27428 if ((desc == 0) || (desc > iadev->num_tx_desc))
27429 {
27430 IF_ERR(printk(DEV_LABEL "invalid desc for send: %d\n", desc);)
27431 - atomic_inc(&vcc->stats->tx);
27432 + atomic_inc_unchecked(&vcc->stats->tx);
27433 if (vcc->pop)
27434 vcc->pop(vcc, skb);
27435 else
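Review bot: The invalid-descriptor branch still counts the packet as transmitted: right after the `(desc == 0) || (desc > iadev->num_tx_desc)` check, the new line is `atomic_inc_unchecked(&vcc->stats->tx);`. The send failure paths in idt77252_send_skb, ns_send and he_send elsewhere in this series all bump `tx_err` instead. The conversion carries this apparent miscount over unchanged; if it is not intentional, the line should read `atomic_inc_unchecked(&vcc->stats->tx_err);`. The rest of the branch, including its return value, lies outside the hunk, so the accounting should be checked against it.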
27436 @@ -3025,14 +3025,14 @@ static int ia_pkt_tx (struct atm_vcc *vc
27437 ATM_DESC(skb) = vcc->vci;
27438 skb_queue_tail(&iadev->tx_dma_q, skb);
27439
27440 - atomic_inc(&vcc->stats->tx);
27441 + atomic_inc_unchecked(&vcc->stats->tx);
27442 iadev->tx_pkt_cnt++;
27443 /* Increment transaction counter */
27444 writel(2, iadev->dma+IPHASE5575_TX_COUNTER);
27445
27446 #if 0
27447 /* add flow control logic */
27448 - if (atomic_read(&vcc->stats->tx) % 20 == 0) {
27449 + if (atomic_read_unchecked(&vcc->stats->tx) % 20 == 0) {
27450 if (iavcc->vc_desc_cnt > 10) {
27451 vcc->tx_quota = vcc->tx_quota * 3 / 4;
27452 printk("Tx1: vcc->tx_quota = %d \n", (u32)vcc->tx_quota );
27453 diff -urNp linux-2.6.39.3/drivers/atm/lanai.c linux-2.6.39.3/drivers/atm/lanai.c
27454 --- linux-2.6.39.3/drivers/atm/lanai.c 2011-05-19 00:06:34.000000000 -0400
27455 +++ linux-2.6.39.3/drivers/atm/lanai.c 2011-05-22 19:36:31.000000000 -0400
27456 @@ -1303,7 +1303,7 @@ static void lanai_send_one_aal5(struct l
27457 vcc_tx_add_aal5_trailer(lvcc, skb->len, 0, 0);
27458 lanai_endtx(lanai, lvcc);
27459 lanai_free_skb(lvcc->tx.atmvcc, skb);
27460 - atomic_inc(&lvcc->tx.atmvcc->stats->tx);
27461 + atomic_inc_unchecked(&lvcc->tx.atmvcc->stats->tx);
27462 }
27463
27464 /* Try to fill the buffer - don't call unless there is backlog */
27465 @@ -1426,7 +1426,7 @@ static void vcc_rx_aal5(struct lanai_vcc
27466 ATM_SKB(skb)->vcc = lvcc->rx.atmvcc;
27467 __net_timestamp(skb);
27468 lvcc->rx.atmvcc->push(lvcc->rx.atmvcc, skb);
27469 - atomic_inc(&lvcc->rx.atmvcc->stats->rx);
27470 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx);
27471 out:
27472 lvcc->rx.buf.ptr = end;
27473 cardvcc_write(lvcc, endptr, vcc_rxreadptr);
27474 @@ -1668,7 +1668,7 @@ static int handle_service(struct lanai_d
27475 DPRINTK("(itf %d) got RX service entry 0x%X for non-AAL5 "
27476 "vcc %d\n", lanai->number, (unsigned int) s, vci);
27477 lanai->stats.service_rxnotaal5++;
27478 - atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
27479 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
27480 return 0;
27481 }
27482 if (likely(!(s & (SERVICE_TRASH | SERVICE_STREAM | SERVICE_CRCERR)))) {
27483 @@ -1680,7 +1680,7 @@ static int handle_service(struct lanai_d
27484 int bytes;
27485 read_unlock(&vcc_sklist_lock);
27486 DPRINTK("got trashed rx pdu on vci %d\n", vci);
27487 - atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
27488 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
27489 lvcc->stats.x.aal5.service_trash++;
27490 bytes = (SERVICE_GET_END(s) * 16) -
27491 (((unsigned long) lvcc->rx.buf.ptr) -
27492 @@ -1692,7 +1692,7 @@ static int handle_service(struct lanai_d
27493 }
27494 if (s & SERVICE_STREAM) {
27495 read_unlock(&vcc_sklist_lock);
27496 - atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
27497 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
27498 lvcc->stats.x.aal5.service_stream++;
27499 printk(KERN_ERR DEV_LABEL "(itf %d): Got AAL5 stream "
27500 "PDU on VCI %d!\n", lanai->number, vci);
27501 @@ -1700,7 +1700,7 @@ static int handle_service(struct lanai_d
27502 return 0;
27503 }
27504 DPRINTK("got rx crc error on vci %d\n", vci);
27505 - atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
27506 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
27507 lvcc->stats.x.aal5.service_rxcrc++;
27508 lvcc->rx.buf.ptr = &lvcc->rx.buf.start[SERVICE_GET_END(s) * 4];
27509 cardvcc_write(lvcc, SERVICE_GET_END(s), vcc_rxreadptr);
27510 diff -urNp linux-2.6.39.3/drivers/atm/nicstar.c linux-2.6.39.3/drivers/atm/nicstar.c
27511 --- linux-2.6.39.3/drivers/atm/nicstar.c 2011-05-19 00:06:34.000000000 -0400
27512 +++ linux-2.6.39.3/drivers/atm/nicstar.c 2011-05-22 19:36:31.000000000 -0400
27513 @@ -1654,7 +1654,7 @@ static int ns_send(struct atm_vcc *vcc,
27514 if ((vc = (vc_map *) vcc->dev_data) == NULL) {
27515 printk("nicstar%d: vcc->dev_data == NULL on ns_send().\n",
27516 card->index);
27517 - atomic_inc(&vcc->stats->tx_err);
27518 + atomic_inc_unchecked(&vcc->stats->tx_err);
27519 dev_kfree_skb_any(skb);
27520 return -EINVAL;
27521 }
27522 @@ -1662,7 +1662,7 @@ static int ns_send(struct atm_vcc *vcc,
27523 if (!vc->tx) {
27524 printk("nicstar%d: Trying to transmit on a non-tx VC.\n",
27525 card->index);
27526 - atomic_inc(&vcc->stats->tx_err);
27527 + atomic_inc_unchecked(&vcc->stats->tx_err);
27528 dev_kfree_skb_any(skb);
27529 return -EINVAL;
27530 }
27531 @@ -1670,14 +1670,14 @@ static int ns_send(struct atm_vcc *vcc,
27532 if (vcc->qos.aal != ATM_AAL5 && vcc->qos.aal != ATM_AAL0) {
27533 printk("nicstar%d: Only AAL0 and AAL5 are supported.\n",
27534 card->index);
27535 - atomic_inc(&vcc->stats->tx_err);
27536 + atomic_inc_unchecked(&vcc->stats->tx_err);
27537 dev_kfree_skb_any(skb);
27538 return -EINVAL;
27539 }
27540
27541 if (skb_shinfo(skb)->nr_frags != 0) {
27542 printk("nicstar%d: No scatter-gather yet.\n", card->index);
27543 - atomic_inc(&vcc->stats->tx_err);
27544 + atomic_inc_unchecked(&vcc->stats->tx_err);
27545 dev_kfree_skb_any(skb);
27546 return -EINVAL;
27547 }
27548 @@ -1725,11 +1725,11 @@ static int ns_send(struct atm_vcc *vcc,
27549 }
27550
27551 if (push_scqe(card, vc, scq, &scqe, skb) != 0) {
27552 - atomic_inc(&vcc->stats->tx_err);
27553 + atomic_inc_unchecked(&vcc->stats->tx_err);
27554 dev_kfree_skb_any(skb);
27555 return -EIO;
27556 }
27557 - atomic_inc(&vcc->stats->tx);
27558 + atomic_inc_unchecked(&vcc->stats->tx);
27559
27560 return 0;
27561 }
27562 @@ -2046,14 +2046,14 @@ static void dequeue_rx(ns_dev * card, ns
27563 printk
27564 ("nicstar%d: Can't allocate buffers for aal0.\n",
27565 card->index);
27566 - atomic_add(i, &vcc->stats->rx_drop);
27567 + atomic_add_unchecked(i, &vcc->stats->rx_drop);
27568 break;
27569 }
27570 if (!atm_charge(vcc, sb->truesize)) {
27571 RXPRINTK
27572 ("nicstar%d: atm_charge() dropped aal0 packets.\n",
27573 card->index);
27574 - atomic_add(i - 1, &vcc->stats->rx_drop); /* already increased by 1 */
27575 + atomic_add_unchecked(i - 1, &vcc->stats->rx_drop); /* already increased by 1 */
27576 dev_kfree_skb_any(sb);
27577 break;
27578 }
27579 @@ -2068,7 +2068,7 @@ static void dequeue_rx(ns_dev * card, ns
27580 ATM_SKB(sb)->vcc = vcc;
27581 __net_timestamp(sb);
27582 vcc->push(vcc, sb);
27583 - atomic_inc(&vcc->stats->rx);
27584 + atomic_inc_unchecked(&vcc->stats->rx);
27585 cell += ATM_CELL_PAYLOAD;
27586 }
27587
27588 @@ -2085,7 +2085,7 @@ static void dequeue_rx(ns_dev * card, ns
27589 if (iovb == NULL) {
27590 printk("nicstar%d: Out of iovec buffers.\n",
27591 card->index);
27592 - atomic_inc(&vcc->stats->rx_drop);
27593 + atomic_inc_unchecked(&vcc->stats->rx_drop);
27594 recycle_rx_buf(card, skb);
27595 return;
27596 }
27597 @@ -2109,7 +2109,7 @@ static void dequeue_rx(ns_dev * card, ns
27598 small or large buffer itself. */
27599 } else if (NS_PRV_IOVCNT(iovb) >= NS_MAX_IOVECS) {
27600 printk("nicstar%d: received too big AAL5 SDU.\n", card->index);
27601 - atomic_inc(&vcc->stats->rx_err);
27602 + atomic_inc_unchecked(&vcc->stats->rx_err);
27603 recycle_iovec_rx_bufs(card, (struct iovec *)iovb->data,
27604 NS_MAX_IOVECS);
27605 NS_PRV_IOVCNT(iovb) = 0;
27606 @@ -2129,7 +2129,7 @@ static void dequeue_rx(ns_dev * card, ns
27607 ("nicstar%d: Expected a small buffer, and this is not one.\n",
27608 card->index);
27609 which_list(card, skb);
27610 - atomic_inc(&vcc->stats->rx_err);
27611 + atomic_inc_unchecked(&vcc->stats->rx_err);
27612 recycle_rx_buf(card, skb);
27613 vc->rx_iov = NULL;
27614 recycle_iov_buf(card, iovb);
27615 @@ -2142,7 +2142,7 @@ static void dequeue_rx(ns_dev * card, ns
27616 ("nicstar%d: Expected a large buffer, and this is not one.\n",
27617 card->index);
27618 which_list(card, skb);
27619 - atomic_inc(&vcc->stats->rx_err);
27620 + atomic_inc_unchecked(&vcc->stats->rx_err);
27621 recycle_iovec_rx_bufs(card, (struct iovec *)iovb->data,
27622 NS_PRV_IOVCNT(iovb));
27623 vc->rx_iov = NULL;
27624 @@ -2165,7 +2165,7 @@ static void dequeue_rx(ns_dev * card, ns
27625 printk(" - PDU size mismatch.\n");
27626 else
27627 printk(".\n");
27628 - atomic_inc(&vcc->stats->rx_err);
27629 + atomic_inc_unchecked(&vcc->stats->rx_err);
27630 recycle_iovec_rx_bufs(card, (struct iovec *)iovb->data,
27631 NS_PRV_IOVCNT(iovb));
27632 vc->rx_iov = NULL;
27633 @@ -2179,7 +2179,7 @@ static void dequeue_rx(ns_dev * card, ns
27634 /* skb points to a small buffer */
27635 if (!atm_charge(vcc, skb->truesize)) {
27636 push_rxbufs(card, skb);
27637 - atomic_inc(&vcc->stats->rx_drop);
27638 + atomic_inc_unchecked(&vcc->stats->rx_drop);
27639 } else {
27640 skb_put(skb, len);
27641 dequeue_sm_buf(card, skb);
27642 @@ -2189,7 +2189,7 @@ static void dequeue_rx(ns_dev * card, ns
27643 ATM_SKB(skb)->vcc = vcc;
27644 __net_timestamp(skb);
27645 vcc->push(vcc, skb);
27646 - atomic_inc(&vcc->stats->rx);
27647 + atomic_inc_unchecked(&vcc->stats->rx);
27648 }
27649 } else if (NS_PRV_IOVCNT(iovb) == 2) { /* One small plus one large buffer */
27650 struct sk_buff *sb;
27651 @@ -2200,7 +2200,7 @@ static void dequeue_rx(ns_dev * card, ns
27652 if (len <= NS_SMBUFSIZE) {
27653 if (!atm_charge(vcc, sb->truesize)) {
27654 push_rxbufs(card, sb);
27655 - atomic_inc(&vcc->stats->rx_drop);
27656 + atomic_inc_unchecked(&vcc->stats->rx_drop);
27657 } else {
27658 skb_put(sb, len);
27659 dequeue_sm_buf(card, sb);
27660 @@ -2210,7 +2210,7 @@ static void dequeue_rx(ns_dev * card, ns
27661 ATM_SKB(sb)->vcc = vcc;
27662 __net_timestamp(sb);
27663 vcc->push(vcc, sb);
27664 - atomic_inc(&vcc->stats->rx);
27665 + atomic_inc_unchecked(&vcc->stats->rx);
27666 }
27667
27668 push_rxbufs(card, skb);
27669 @@ -2219,7 +2219,7 @@ static void dequeue_rx(ns_dev * card, ns
27670
27671 if (!atm_charge(vcc, skb->truesize)) {
27672 push_rxbufs(card, skb);
27673 - atomic_inc(&vcc->stats->rx_drop);
27674 + atomic_inc_unchecked(&vcc->stats->rx_drop);
27675 } else {
27676 dequeue_lg_buf(card, skb);
27677 #ifdef NS_USE_DESTRUCTORS
27678 @@ -2232,7 +2232,7 @@ static void dequeue_rx(ns_dev * card, ns
27679 ATM_SKB(skb)->vcc = vcc;
27680 __net_timestamp(skb);
27681 vcc->push(vcc, skb);
27682 - atomic_inc(&vcc->stats->rx);
27683 + atomic_inc_unchecked(&vcc->stats->rx);
27684 }
27685
27686 push_rxbufs(card, sb);
27687 @@ -2253,7 +2253,7 @@ static void dequeue_rx(ns_dev * card, ns
27688 printk
27689 ("nicstar%d: Out of huge buffers.\n",
27690 card->index);
27691 - atomic_inc(&vcc->stats->rx_drop);
27692 + atomic_inc_unchecked(&vcc->stats->rx_drop);
27693 recycle_iovec_rx_bufs(card,
27694 (struct iovec *)
27695 iovb->data,
27696 @@ -2304,7 +2304,7 @@ static void dequeue_rx(ns_dev * card, ns
27697 card->hbpool.count++;
27698 } else
27699 dev_kfree_skb_any(hb);
27700 - atomic_inc(&vcc->stats->rx_drop);
27701 + atomic_inc_unchecked(&vcc->stats->rx_drop);
27702 } else {
27703 /* Copy the small buffer to the huge buffer */
27704 sb = (struct sk_buff *)iov->iov_base;
27705 @@ -2341,7 +2341,7 @@ static void dequeue_rx(ns_dev * card, ns
27706 #endif /* NS_USE_DESTRUCTORS */
27707 __net_timestamp(hb);
27708 vcc->push(vcc, hb);
27709 - atomic_inc(&vcc->stats->rx);
27710 + atomic_inc_unchecked(&vcc->stats->rx);
27711 }
27712 }
27713
27714 diff -urNp linux-2.6.39.3/drivers/atm/solos-pci.c linux-2.6.39.3/drivers/atm/solos-pci.c
27715 --- linux-2.6.39.3/drivers/atm/solos-pci.c 2011-05-19 00:06:34.000000000 -0400
27716 +++ linux-2.6.39.3/drivers/atm/solos-pci.c 2011-05-22 19:36:31.000000000 -0400
27717 @@ -715,7 +715,7 @@ void solos_bh(unsigned long card_arg)
27718 }
27719 atm_charge(vcc, skb->truesize);
27720 vcc->push(vcc, skb);
27721 - atomic_inc(&vcc->stats->rx);
27722 + atomic_inc_unchecked(&vcc->stats->rx);
27723 break;
27724
27725 case PKT_STATUS:
27726 @@ -900,6 +900,8 @@ static int print_buffer(struct sk_buff *
27727 char msg[500];
27728 char item[10];
27729
27730 + pax_track_stack();
27731 +
27732 len = buf->len;
27733 for (i = 0; i < len; i++){
27734 if(i % 8 == 0)
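Review bot: `pax_track_stack();` is added without a comment, so nothing ties the call to the `char msg[500]` buffer declared just above it, which looks like the reason this function is instrumented. A one-line comment such as `/* large on-stack buffer (msg[500]): track stack depth */` would keep the call from being orphaned if the buffer is later shrunk or moved off the stack. The same applies to the bare calls added in cpqarray.c (`do_ida_request`, next to `tmp_sg[SG_MAX]`), DAC960.c and nbd.c (`sock_xmit`, `__nbd_ioctl`). print_buffer's body continues outside the hunk.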
27735 @@ -1009,7 +1011,7 @@ static uint32_t fpga_tx(struct solos_car
27736 vcc = SKB_CB(oldskb)->vcc;
27737
27738 if (vcc) {
27739 - atomic_inc(&vcc->stats->tx);
27740 + atomic_inc_unchecked(&vcc->stats->tx);
27741 solos_pop(vcc, oldskb);
27742 } else
27743 dev_kfree_skb_irq(oldskb);
27744 diff -urNp linux-2.6.39.3/drivers/atm/suni.c linux-2.6.39.3/drivers/atm/suni.c
27745 --- linux-2.6.39.3/drivers/atm/suni.c 2011-05-19 00:06:34.000000000 -0400
27746 +++ linux-2.6.39.3/drivers/atm/suni.c 2011-05-22 19:36:31.000000000 -0400
27747 @@ -50,8 +50,8 @@ static DEFINE_SPINLOCK(sunis_lock);
27748
27749
27750 #define ADD_LIMITED(s,v) \
27751 - atomic_add((v),&stats->s); \
27752 - if (atomic_read(&stats->s) < 0) atomic_set(&stats->s,INT_MAX);
27753 + atomic_add_unchecked((v),&stats->s); \
27754 + if (atomic_read_unchecked(&stats->s) < 0) atomic_set_unchecked(&stats->s,INT_MAX);
27755
27756
27757 static void suni_hz(unsigned long from_timer)
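Review bot: `ADD_LIMITED` still expands to two separate statements, so a use under an unbraced `if` or `else` would run the clamp unconditionally; wrap the body, e.g. `#define ADD_LIMITED(s,v) do { atomic_add_unchecked((v),&stats->s); if (atomic_read_unchecked(&stats->s) < 0) atomic_set_unchecked(&stats->s,INT_MAX); } while (0)`. The `_unchecked` calls fit a macro that lets the counter wrap negative and then pins it at `INT_MAX`, but the add, read and set remain three independent operations, so an update landing between them can be overwritten by the clamp. A short comment saying the saturation is best-effort would make that explicit. The uPD98402.c `ADD_LIMITED` later in this patch uses the same add/read/set sequence, though it is already braced.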
27758 diff -urNp linux-2.6.39.3/drivers/atm/uPD98402.c linux-2.6.39.3/drivers/atm/uPD98402.c
27759 --- linux-2.6.39.3/drivers/atm/uPD98402.c 2011-05-19 00:06:34.000000000 -0400
27760 +++ linux-2.6.39.3/drivers/atm/uPD98402.c 2011-05-22 19:36:31.000000000 -0400
27761 @@ -42,7 +42,7 @@ static int fetch_stats(struct atm_dev *d
27762 struct sonet_stats tmp;
27763 int error = 0;
27764
27765 - atomic_add(GET(HECCT),&PRIV(dev)->sonet_stats.uncorr_hcs);
27766 + atomic_add_unchecked(GET(HECCT),&PRIV(dev)->sonet_stats.uncorr_hcs);
27767 sonet_copy_stats(&PRIV(dev)->sonet_stats,&tmp);
27768 if (arg) error = copy_to_user(arg,&tmp,sizeof(tmp));
27769 if (zero && !error) {
27770 @@ -161,9 +161,9 @@ static int uPD98402_ioctl(struct atm_dev
27771
27772
27773 #define ADD_LIMITED(s,v) \
27774 - { atomic_add(GET(v),&PRIV(dev)->sonet_stats.s); \
27775 - if (atomic_read(&PRIV(dev)->sonet_stats.s) < 0) \
27776 - atomic_set(&PRIV(dev)->sonet_stats.s,INT_MAX); }
27777 + { atomic_add_unchecked(GET(v),&PRIV(dev)->sonet_stats.s); \
27778 + if (atomic_read_unchecked(&PRIV(dev)->sonet_stats.s) < 0) \
27779 + atomic_set_unchecked(&PRIV(dev)->sonet_stats.s,INT_MAX); }
27780
27781
27782 static void stat_event(struct atm_dev *dev)
27783 @@ -194,7 +194,7 @@ static void uPD98402_int(struct atm_dev
27784 if (reason & uPD98402_INT_PFM) stat_event(dev);
27785 if (reason & uPD98402_INT_PCO) {
27786 (void) GET(PCOCR); /* clear interrupt cause */
27787 - atomic_add(GET(HECCT),
27788 + atomic_add_unchecked(GET(HECCT),
27789 &PRIV(dev)->sonet_stats.uncorr_hcs);
27790 }
27791 if ((reason & uPD98402_INT_RFO) &&
27792 @@ -222,9 +222,9 @@ static int uPD98402_start(struct atm_dev
27793 PUT(~(uPD98402_INT_PFM | uPD98402_INT_ALM | uPD98402_INT_RFO |
27794 uPD98402_INT_LOS),PIMR); /* enable them */
27795 (void) fetch_stats(dev,NULL,1); /* clear kernel counters */
27796 - atomic_set(&PRIV(dev)->sonet_stats.corr_hcs,-1);
27797 - atomic_set(&PRIV(dev)->sonet_stats.tx_cells,-1);
27798 - atomic_set(&PRIV(dev)->sonet_stats.rx_cells,-1);
27799 + atomic_set_unchecked(&PRIV(dev)->sonet_stats.corr_hcs,-1);
27800 + atomic_set_unchecked(&PRIV(dev)->sonet_stats.tx_cells,-1);
27801 + atomic_set_unchecked(&PRIV(dev)->sonet_stats.rx_cells,-1);
27802 return 0;
27803 }
27804
27805 diff -urNp linux-2.6.39.3/drivers/atm/zatm.c linux-2.6.39.3/drivers/atm/zatm.c
27806 --- linux-2.6.39.3/drivers/atm/zatm.c 2011-05-19 00:06:34.000000000 -0400
27807 +++ linux-2.6.39.3/drivers/atm/zatm.c 2011-05-22 19:36:31.000000000 -0400
27808 @@ -459,7 +459,7 @@ printk("dummy: 0x%08lx, 0x%08lx\n",dummy
27809 }
27810 if (!size) {
27811 dev_kfree_skb_irq(skb);
27812 - if (vcc) atomic_inc(&vcc->stats->rx_err);
27813 + if (vcc) atomic_inc_unchecked(&vcc->stats->rx_err);
27814 continue;
27815 }
27816 if (!atm_charge(vcc,skb->truesize)) {
27817 @@ -469,7 +469,7 @@ printk("dummy: 0x%08lx, 0x%08lx\n",dummy
27818 skb->len = size;
27819 ATM_SKB(skb)->vcc = vcc;
27820 vcc->push(vcc,skb);
27821 - atomic_inc(&vcc->stats->rx);
27822 + atomic_inc_unchecked(&vcc->stats->rx);
27823 }
27824 zout(pos & 0xffff,MTA(mbx));
27825 #if 0 /* probably a stupid idea */
27826 @@ -733,7 +733,7 @@ if (*ZATM_PRV_DSC(skb) != (uPD98401_TXPD
27827 skb_queue_head(&zatm_vcc->backlog,skb);
27828 break;
27829 }
27830 - atomic_inc(&vcc->stats->tx);
27831 + atomic_inc_unchecked(&vcc->stats->tx);
27832 wake_up(&zatm_vcc->tx_wait);
27833 }
27834
27835 diff -urNp linux-2.6.39.3/drivers/base/iommu.c linux-2.6.39.3/drivers/base/iommu.c
27836 --- linux-2.6.39.3/drivers/base/iommu.c 2011-05-19 00:06:34.000000000 -0400
27837 +++ linux-2.6.39.3/drivers/base/iommu.c 2011-05-22 19:36:31.000000000 -0400
27838 @@ -23,9 +23,8 @@
27839 #include <linux/errno.h>
27840 #include <linux/iommu.h>
27841
27842 -static struct iommu_ops *iommu_ops;
27843 -
27844 -void register_iommu(struct iommu_ops *ops)
27845 +static const struct iommu_ops *iommu_ops;
27846 +void register_iommu(const struct iommu_ops *ops)
27847 {
27848 if (iommu_ops)
27849 BUG();
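Review bot: The blank line between the `iommu_ops` declaration and `register_iommu()` is dropped here, which runs a file-scope variable straight into a function definition; keep the separator. The context lines `if (iommu_ops) BUG();` could also be written as `BUG_ON(iommu_ops);`. register_iommu's body ends outside the hunk.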
27850 diff -urNp linux-2.6.39.3/drivers/base/power/generic_ops.c linux-2.6.39.3/drivers/base/power/generic_ops.c
27851 --- linux-2.6.39.3/drivers/base/power/generic_ops.c 2011-05-19 00:06:34.000000000 -0400
27852 +++ linux-2.6.39.3/drivers/base/power/generic_ops.c 2011-05-22 19:36:31.000000000 -0400
27853 @@ -215,7 +215,7 @@ int pm_generic_restore(struct device *de
27854 EXPORT_SYMBOL_GPL(pm_generic_restore);
27855 #endif /* CONFIG_PM_SLEEP */
27856
27857 -struct dev_pm_ops generic_subsys_pm_ops = {
27858 +const struct dev_pm_ops generic_subsys_pm_ops = {
27859 #ifdef CONFIG_PM_SLEEP
27860 .suspend = pm_generic_suspend,
27861 .resume = pm_generic_resume,
27862 diff -urNp linux-2.6.39.3/drivers/base/power/wakeup.c linux-2.6.39.3/drivers/base/power/wakeup.c
27863 --- linux-2.6.39.3/drivers/base/power/wakeup.c 2011-05-19 00:06:34.000000000 -0400
27864 +++ linux-2.6.39.3/drivers/base/power/wakeup.c 2011-05-22 19:36:31.000000000 -0400
27865 @@ -29,14 +29,14 @@ bool events_check_enabled;
27866 * They need to be modified together atomically, so it's better to use one
27867 * atomic variable to hold them both.
27868 */
27869 -static atomic_t combined_event_count = ATOMIC_INIT(0);
27870 +static atomic_unchecked_t combined_event_count = ATOMIC_INIT(0);
27871
27872 #define IN_PROGRESS_BITS (sizeof(int) * 4)
27873 #define MAX_IN_PROGRESS ((1 << IN_PROGRESS_BITS) - 1)
27874
27875 static void split_counters(unsigned int *cnt, unsigned int *inpr)
27876 {
27877 - unsigned int comb = atomic_read(&combined_event_count);
27878 + unsigned int comb = atomic_read_unchecked(&combined_event_count);
27879
27880 *cnt = (comb >> IN_PROGRESS_BITS);
27881 *inpr = comb & MAX_IN_PROGRESS;
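Review bot: The declaration changes to `atomic_unchecked_t` with nothing said about why this counter is exempt from overflow checking. The existing comment states that two counts share one variable, and `split_counters()` shows the upper half is one of them; presumably that half is expected to wrap, which a checked type would not allow. A line above the declaration such as `/* unchecked: the upper (event count) half may wrap by design */` would record the reason. The same reasoning would cover the `atomic_add_unchecked(MAX_IN_PROGRESS, &combined_event_count)` changed later in this file.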
27882 @@ -351,7 +351,7 @@ static void wakeup_source_activate(struc
27883 ws->last_time = ktime_get();
27884
27885 /* Increment the counter of events in progress. */
27886 - atomic_inc(&combined_event_count);
27887 + atomic_inc_unchecked(&combined_event_count);
27888 }
27889
27890 /**
27891 @@ -441,7 +441,7 @@ static void wakeup_source_deactivate(str
27892 * Increment the counter of registered wakeup events and decrement the
27893 * couter of wakeup events in progress simultaneously.
27894 */
27895 - atomic_add(MAX_IN_PROGRESS, &combined_event_count);
27896 + atomic_add_unchecked(MAX_IN_PROGRESS, &combined_event_count);
27897 }
27898
27899 /**
27900 diff -urNp linux-2.6.39.3/drivers/block/cciss.c linux-2.6.39.3/drivers/block/cciss.c
27901 --- linux-2.6.39.3/drivers/block/cciss.c 2011-05-19 00:06:34.000000000 -0400
27902 +++ linux-2.6.39.3/drivers/block/cciss.c 2011-05-22 19:41:32.000000000 -0400
27903 @@ -103,7 +103,7 @@ MODULE_DEVICE_TABLE(pci, cciss_pci_devic
27904 * product = Marketing Name for the board
27905 * access = Address of the struct of function pointers
27906 */
27907 -static struct board_type products[] = {
27908 +static const struct board_type products[] = {
27909 {0x40700E11, "Smart Array 5300", &SA5_access},
27910 {0x40800E11, "Smart Array 5i", &SA5B_access},
27911 {0x40820E11, "Smart Array 532", &SA5B_access},
27912 @@ -1151,6 +1151,8 @@ static int cciss_ioctl32_passthru(struct
27913 int err;
27914 u32 cp;
27915
27916 + memset(&arg64, 0, sizeof(arg64));
27917 +
27918 err = 0;
27919 err |=
27920 copy_from_user(&arg64.LUN_info, &arg32->LUN_info,
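Review bot: The added `memset(&arg64, 0, sizeof(arg64));` carries no comment saying what it protects against. The lines below it fill `arg64` member by member from `arg32`, which on its own leaves padding and any member not copied holding stack contents. If the struct is later handed on as a whole (outside this hunk), the memset is what keeps that stack data from leaking. A comment such as `/* clear padding and unset members before arg64 is passed on */` would stop the call being removed as redundant. If the 32-bit big-passthru handler builds its struct the same way it wants the same line; that function is not part of this hunk.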
27921 diff -urNp linux-2.6.39.3/drivers/block/cciss.h linux-2.6.39.3/drivers/block/cciss.h
27922 --- linux-2.6.39.3/drivers/block/cciss.h 2011-05-19 00:06:34.000000000 -0400
27923 +++ linux-2.6.39.3/drivers/block/cciss.h 2011-05-22 19:36:31.000000000 -0400
27924 @@ -393,7 +393,7 @@ static bool SA5_performant_intr_pending(
27925 return register_value & SA5_OUTDB_STATUS_PERF_BIT;
27926 }
27927
27928 -static struct access_method SA5_access = {
27929 +static const struct access_method SA5_access = {
27930 SA5_submit_command,
27931 SA5_intr_mask,
27932 SA5_fifo_full,
27933 @@ -401,7 +401,7 @@ static struct access_method SA5_access =
27934 SA5_completed,
27935 };
27936
27937 -static struct access_method SA5B_access = {
27938 +static const struct access_method SA5B_access = {
27939 SA5_submit_command,
27940 SA5B_intr_mask,
27941 SA5_fifo_full,
27942 @@ -409,7 +409,7 @@ static struct access_method SA5B_access
27943 SA5_completed,
27944 };
27945
27946 -static struct access_method SA5_performant_access = {
27947 +static const struct access_method SA5_performant_access = {
27948 SA5_submit_command,
27949 SA5_performant_intr_mask,
27950 SA5_fifo_full,
27951 @@ -420,7 +420,7 @@ static struct access_method SA5_performa
27952 struct board_type {
27953 __u32 board_id;
27954 char *product_name;
27955 - struct access_method *access;
27956 + const struct access_method *access;
27957 int nr_cmds; /* Max cmds this kind of ctlr can handle. */
27958 };
27959
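Review bot: `char *product_name` stays non-const in `struct board_type` while `access` becomes `const` and the `products[]` tables in cciss.c and cpqarray.c are made `const`. The table entries visible in those files initialise the member from string literals, so it should read `const char *product_name;`. cpqarray.h's `struct board_type` has the same member and wants the same change.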
27960 diff -urNp linux-2.6.39.3/drivers/block/cpqarray.c linux-2.6.39.3/drivers/block/cpqarray.c
27961 --- linux-2.6.39.3/drivers/block/cpqarray.c 2011-05-19 00:06:34.000000000 -0400
27962 +++ linux-2.6.39.3/drivers/block/cpqarray.c 2011-05-22 19:36:31.000000000 -0400
27963 @@ -80,7 +80,7 @@ static int eisa[8];
27964 * product = Marketing Name for the board
27965 * access = Address of the struct of function pointers
27966 */
27967 -static struct board_type products[] = {
27968 +static const struct board_type products[] = {
27969 { 0x0040110E, "IDA", &smart1_access },
27970 { 0x0140110E, "IDA-2", &smart1_access },
27971 { 0x1040110E, "IAES", &smart1_access },
27972 @@ -911,6 +911,8 @@ static void do_ida_request(struct reques
27973 struct scatterlist tmp_sg[SG_MAX];
27974 int i, dir, seg;
27975
27976 + pax_track_stack();
27977 +
27978 queue_next:
27979 creq = blk_peek_request(q);
27980 if (!creq)
27981 diff -urNp linux-2.6.39.3/drivers/block/cpqarray.h linux-2.6.39.3/drivers/block/cpqarray.h
27982 --- linux-2.6.39.3/drivers/block/cpqarray.h 2011-05-19 00:06:34.000000000 -0400
27983 +++ linux-2.6.39.3/drivers/block/cpqarray.h 2011-05-22 19:36:31.000000000 -0400
27984 @@ -69,7 +69,7 @@ struct access_method {
27985 struct board_type {
27986 __u32 board_id;
27987 char *product_name;
27988 - struct access_method *access;
27989 + const struct access_method *access;
27990 };
27991
27992 struct ctlr_info {
27993 diff -urNp linux-2.6.39.3/drivers/block/DAC960.c linux-2.6.39.3/drivers/block/DAC960.c
27994 --- linux-2.6.39.3/drivers/block/DAC960.c 2011-05-19 00:06:34.000000000 -0400
27995 +++ linux-2.6.39.3/drivers/block/DAC960.c 2011-05-22 19:36:31.000000000 -0400
27996 @@ -1980,6 +1980,8 @@ static bool DAC960_V1_ReadDeviceConfigur
27997 unsigned long flags;
27998 int Channel, TargetID;
27999
28000 + pax_track_stack();
28001 +
28002 if (!init_dma_loaf(Controller->PCIDevice, &local_dma,
28003 DAC960_V1_MaxChannels*(sizeof(DAC960_V1_DCDB_T) +
28004 sizeof(DAC960_SCSI_Inquiry_T) +
28005 diff -urNp linux-2.6.39.3/drivers/block/drbd/drbd_int.h linux-2.6.39.3/drivers/block/drbd/drbd_int.h
28006 --- linux-2.6.39.3/drivers/block/drbd/drbd_int.h 2011-05-19 00:06:34.000000000 -0400
28007 +++ linux-2.6.39.3/drivers/block/drbd/drbd_int.h 2011-05-22 19:36:31.000000000 -0400
28008 @@ -736,7 +736,7 @@ struct drbd_request;
28009 struct drbd_epoch {
28010 struct list_head list;
28011 unsigned int barrier_nr;
28012 - atomic_t epoch_size; /* increased on every request added. */
28013 + atomic_unchecked_t epoch_size; /* increased on every request added. */
28014 atomic_t active; /* increased on every req. added, and dec on every finished. */
28015 unsigned long flags;
28016 };
28017 @@ -1108,7 +1108,7 @@ struct drbd_conf {
28018 void *int_dig_in;
28019 void *int_dig_vv;
28020 wait_queue_head_t seq_wait;
28021 - atomic_t packet_seq;
28022 + atomic_unchecked_t packet_seq;
28023 unsigned int peer_seq;
28024 spinlock_t peer_seq_lock;
28025 unsigned int minor;
28026 diff -urNp linux-2.6.39.3/drivers/block/drbd/drbd_main.c linux-2.6.39.3/drivers/block/drbd/drbd_main.c
28027 --- linux-2.6.39.3/drivers/block/drbd/drbd_main.c 2011-05-19 00:06:34.000000000 -0400
28028 +++ linux-2.6.39.3/drivers/block/drbd/drbd_main.c 2011-05-22 19:36:31.000000000 -0400
28029 @@ -2387,7 +2387,7 @@ static int _drbd_send_ack(struct drbd_co
28030 p.sector = sector;
28031 p.block_id = block_id;
28032 p.blksize = blksize;
28033 - p.seq_num = cpu_to_be32(atomic_add_return(1, &mdev->packet_seq));
28034 + p.seq_num = cpu_to_be32(atomic_add_return_unchecked(1, &mdev->packet_seq));
28035
28036 if (!mdev->meta.socket || mdev->state.conn < C_CONNECTED)
28037 return false;
28038 @@ -2686,7 +2686,7 @@ int drbd_send_dblock(struct drbd_conf *m
28039 p.sector = cpu_to_be64(req->sector);
28040 p.block_id = (unsigned long)req;
28041 p.seq_num = cpu_to_be32(req->seq_num =
28042 - atomic_add_return(1, &mdev->packet_seq));
28043 + atomic_add_return_unchecked(1, &mdev->packet_seq));
28044
28045 dp_flags = bio_flags_to_wire(mdev, req->master_bio->bi_rw);
28046
28047 @@ -2971,7 +2971,7 @@ void drbd_init_set_defaults(struct drbd_
28048 atomic_set(&mdev->unacked_cnt, 0);
28049 atomic_set(&mdev->local_cnt, 0);
28050 atomic_set(&mdev->net_cnt, 0);
28051 - atomic_set(&mdev->packet_seq, 0);
28052 + atomic_set_unchecked(&mdev->packet_seq, 0);
28053 atomic_set(&mdev->pp_in_use, 0);
28054 atomic_set(&mdev->pp_in_use_by_net, 0);
28055 atomic_set(&mdev->rs_sect_in, 0);
28056 @@ -3051,8 +3051,8 @@ void drbd_mdev_cleanup(struct drbd_conf
28057 mdev->receiver.t_state);
28058
28059 /* no need to lock it, I'm the only thread alive */
28060 - if (atomic_read(&mdev->current_epoch->epoch_size) != 0)
28061 - dev_err(DEV, "epoch_size:%d\n", atomic_read(&mdev->current_epoch->epoch_size));
28062 + if (atomic_read_unchecked(&mdev->current_epoch->epoch_size) != 0)
28063 + dev_err(DEV, "epoch_size:%d\n", atomic_read_unchecked(&mdev->current_epoch->epoch_size));
28064 mdev->al_writ_cnt =
28065 mdev->bm_writ_cnt =
28066 mdev->read_cnt =
28067 diff -urNp linux-2.6.39.3/drivers/block/drbd/drbd_nl.c linux-2.6.39.3/drivers/block/drbd/drbd_nl.c
28068 --- linux-2.6.39.3/drivers/block/drbd/drbd_nl.c 2011-05-19 00:06:34.000000000 -0400
28069 +++ linux-2.6.39.3/drivers/block/drbd/drbd_nl.c 2011-05-22 19:36:31.000000000 -0400
28070 @@ -2298,7 +2298,7 @@ static void drbd_connector_callback(stru
28071 module_put(THIS_MODULE);
28072 }
28073
28074 -static atomic_t drbd_nl_seq = ATOMIC_INIT(2); /* two. */
28075 +static atomic_unchecked_t drbd_nl_seq = ATOMIC_INIT(2); /* two. */
28076
28077 static unsigned short *
28078 __tl_add_blob(unsigned short *tl, enum drbd_tags tag, const void *data,
28079 @@ -2369,7 +2369,7 @@ void drbd_bcast_state(struct drbd_conf *
28080 cn_reply->id.idx = CN_IDX_DRBD;
28081 cn_reply->id.val = CN_VAL_DRBD;
28082
28083 - cn_reply->seq = atomic_add_return(1, &drbd_nl_seq);
28084 + cn_reply->seq = atomic_add_return_unchecked(1, &drbd_nl_seq);
28085 cn_reply->ack = 0; /* not used here. */
28086 cn_reply->len = sizeof(struct drbd_nl_cfg_reply) +
28087 (int)((char *)tl - (char *)reply->tag_list);
28088 @@ -2401,7 +2401,7 @@ void drbd_bcast_ev_helper(struct drbd_co
28089 cn_reply->id.idx = CN_IDX_DRBD;
28090 cn_reply->id.val = CN_VAL_DRBD;
28091
28092 - cn_reply->seq = atomic_add_return(1, &drbd_nl_seq);
28093 + cn_reply->seq = atomic_add_return_unchecked(1, &drbd_nl_seq);
28094 cn_reply->ack = 0; /* not used here. */
28095 cn_reply->len = sizeof(struct drbd_nl_cfg_reply) +
28096 (int)((char *)tl - (char *)reply->tag_list);
28097 @@ -2479,7 +2479,7 @@ void drbd_bcast_ee(struct drbd_conf *mde
28098 cn_reply->id.idx = CN_IDX_DRBD;
28099 cn_reply->id.val = CN_VAL_DRBD;
28100
28101 - cn_reply->seq = atomic_add_return(1,&drbd_nl_seq);
28102 + cn_reply->seq = atomic_add_return_unchecked(1,&drbd_nl_seq);
28103 cn_reply->ack = 0; // not used here.
28104 cn_reply->len = sizeof(struct drbd_nl_cfg_reply) +
28105 (int)((char*)tl - (char*)reply->tag_list);
28106 @@ -2518,7 +2518,7 @@ void drbd_bcast_sync_progress(struct drb
28107 cn_reply->id.idx = CN_IDX_DRBD;
28108 cn_reply->id.val = CN_VAL_DRBD;
28109
28110 - cn_reply->seq = atomic_add_return(1, &drbd_nl_seq);
28111 + cn_reply->seq = atomic_add_return_unchecked(1, &drbd_nl_seq);
28112 cn_reply->ack = 0; /* not used here. */
28113 cn_reply->len = sizeof(struct drbd_nl_cfg_reply) +
28114 (int)((char *)tl - (char *)reply->tag_list);
28115 diff -urNp linux-2.6.39.3/drivers/block/drbd/drbd_receiver.c linux-2.6.39.3/drivers/block/drbd/drbd_receiver.c
28116 --- linux-2.6.39.3/drivers/block/drbd/drbd_receiver.c 2011-05-19 00:06:34.000000000 -0400
28117 +++ linux-2.6.39.3/drivers/block/drbd/drbd_receiver.c 2011-05-22 19:36:31.000000000 -0400
28118 @@ -894,7 +894,7 @@ retry:
28119 sock->sk->sk_sndtimeo = mdev->net_conf->timeout*HZ/10;
28120 sock->sk->sk_rcvtimeo = MAX_SCHEDULE_TIMEOUT;
28121
28122 - atomic_set(&mdev->packet_seq, 0);
28123 + atomic_set_unchecked(&mdev->packet_seq, 0);
28124 mdev->peer_seq = 0;
28125
28126 drbd_thread_start(&mdev->asender);
28127 @@ -990,7 +990,7 @@ static enum finish_epoch drbd_may_finish
28128 do {
28129 next_epoch = NULL;
28130
28131 - epoch_size = atomic_read(&epoch->epoch_size);
28132 + epoch_size = atomic_read_unchecked(&epoch->epoch_size);
28133
28134 switch (ev & ~EV_CLEANUP) {
28135 case EV_PUT:
28136 @@ -1025,7 +1025,7 @@ static enum finish_epoch drbd_may_finish
28137 rv = FE_DESTROYED;
28138 } else {
28139 epoch->flags = 0;
28140 - atomic_set(&epoch->epoch_size, 0);
28141 + atomic_set_unchecked(&epoch->epoch_size, 0);
28142 /* atomic_set(&epoch->active, 0); is already zero */
28143 if (rv == FE_STILL_LIVE)
28144 rv = FE_RECYCLED;
28145 @@ -1196,14 +1196,14 @@ static int receive_Barrier(struct drbd_c
28146 drbd_wait_ee_list_empty(mdev, &mdev->active_ee);
28147 drbd_flush(mdev);
28148
28149 - if (atomic_read(&mdev->current_epoch->epoch_size)) {
28150 + if (atomic_read_unchecked(&mdev->current_epoch->epoch_size)) {
28151 epoch = kmalloc(sizeof(struct drbd_epoch), GFP_NOIO);
28152 if (epoch)
28153 break;
28154 }
28155
28156 epoch = mdev->current_epoch;
28157 - wait_event(mdev->ee_wait, atomic_read(&epoch->epoch_size) == 0);
28158 + wait_event(mdev->ee_wait, atomic_read_unchecked(&epoch->epoch_size) == 0);
28159
28160 D_ASSERT(atomic_read(&epoch->active) == 0);
28161 D_ASSERT(epoch->flags == 0);
28162 @@ -1215,11 +1215,11 @@ static int receive_Barrier(struct drbd_c
28163 }
28164
28165 epoch->flags = 0;
28166 - atomic_set(&epoch->epoch_size, 0);
28167 + atomic_set_unchecked(&epoch->epoch_size, 0);
28168 atomic_set(&epoch->active, 0);
28169
28170 spin_lock(&mdev->epoch_lock);
28171 - if (atomic_read(&mdev->current_epoch->epoch_size)) {
28172 + if (atomic_read_unchecked(&mdev->current_epoch->epoch_size)) {
28173 list_add(&epoch->list, &mdev->current_epoch->list);
28174 mdev->current_epoch = epoch;
28175 mdev->epochs++;
28176 @@ -1668,7 +1668,7 @@ static int receive_Data(struct drbd_conf
28177 spin_unlock(&mdev->peer_seq_lock);
28178
28179 drbd_send_ack_dp(mdev, P_NEG_ACK, p, data_size);
28180 - atomic_inc(&mdev->current_epoch->epoch_size);
28181 + atomic_inc_unchecked(&mdev->current_epoch->epoch_size);
28182 return drbd_drain_block(mdev, data_size);
28183 }
28184
28185 @@ -1694,7 +1694,7 @@ static int receive_Data(struct drbd_conf
28186
28187 spin_lock(&mdev->epoch_lock);
28188 e->epoch = mdev->current_epoch;
28189 - atomic_inc(&e->epoch->epoch_size);
28190 + atomic_inc_unchecked(&e->epoch->epoch_size);
28191 atomic_inc(&e->epoch->active);
28192 spin_unlock(&mdev->epoch_lock);
28193
28194 @@ -3905,7 +3905,7 @@ static void drbd_disconnect(struct drbd_
28195 D_ASSERT(list_empty(&mdev->done_ee));
28196
28197 /* ok, no more ee's on the fly, it is safe to reset the epoch_size */
28198 - atomic_set(&mdev->current_epoch->epoch_size, 0);
28199 + atomic_set_unchecked(&mdev->current_epoch->epoch_size, 0);
28200 D_ASSERT(list_empty(&mdev->current_epoch->list));
28201 }
28202
28203 diff -urNp linux-2.6.39.3/drivers/block/nbd.c linux-2.6.39.3/drivers/block/nbd.c
28204 --- linux-2.6.39.3/drivers/block/nbd.c 2011-06-25 12:55:22.000000000 -0400
28205 +++ linux-2.6.39.3/drivers/block/nbd.c 2011-06-25 13:00:25.000000000 -0400
28206 @@ -157,6 +157,8 @@ static int sock_xmit(struct nbd_device *
28207 struct kvec iov;
28208 sigset_t blocked, oldset;
28209
28210 + pax_track_stack();
28211 +
28212 if (unlikely(!sock)) {
28213 printk(KERN_ERR "%s: Attempted %s on closed socket in sock_xmit\n",
28214 lo->disk->disk_name, (send ? "send" : "recv"));
28215 @@ -571,6 +573,8 @@ static void do_nbd_request(struct reques
28216 static int __nbd_ioctl(struct block_device *bdev, struct nbd_device *lo,
28217 unsigned int cmd, unsigned long arg)
28218 {
28219 + pax_track_stack();
28220 +
28221 switch (cmd) {
28222 case NBD_DISCONNECT: {
28223 struct request sreq;
28224 diff -urNp linux-2.6.39.3/drivers/block/smart1,2.h linux-2.6.39.3/drivers/block/smart1,2.h
28225 --- linux-2.6.39.3/drivers/block/smart1,2.h 2011-05-19 00:06:34.000000000 -0400
28226 +++ linux-2.6.39.3/drivers/block/smart1,2.h 2011-05-22 19:36:31.000000000 -0400
28227 @@ -107,7 +107,7 @@ static unsigned long smart4_intr_pending
28228 return 0 ;
28229 }
28230
28231 -static struct access_method smart4_access = {
28232 +static const struct access_method smart4_access = {
28233 smart4_submit_command,
28234 smart4_intr_mask,
28235 smart4_fifo_full,
28236 @@ -143,7 +143,7 @@ static unsigned long smart2_intr_pending
28237 return readl(h->vaddr + INTR_PENDING);
28238 }
28239
28240 -static struct access_method smart2_access = {
28241 +static const struct access_method smart2_access = {
28242 smart2_submit_command,
28243 smart2_intr_mask,
28244 smart2_fifo_full,
28245 @@ -179,7 +179,7 @@ static unsigned long smart2e_intr_pendin
28246 return inl(h->io_mem_addr + INTR_PENDING);
28247 }
28248
28249 -static struct access_method smart2e_access = {
28250 +static const struct access_method smart2e_access = {
28251 smart2e_submit_command,
28252 smart2e_intr_mask,
28253 smart2e_fifo_full,
28254 @@ -269,7 +269,7 @@ static unsigned long smart1_intr_pending
28255 return chan;
28256 }
28257
28258 -static struct access_method smart1_access = {
28259 +static const struct access_method smart1_access = {
28260 smart1_submit_command,
28261 smart1_intr_mask,
28262 smart1_fifo_full,
28263 diff -urNp linux-2.6.39.3/drivers/block/xsysace.c linux-2.6.39.3/drivers/block/xsysace.c
28264 --- linux-2.6.39.3/drivers/block/xsysace.c 2011-05-19 00:06:34.000000000 -0400
28265 +++ linux-2.6.39.3/drivers/block/xsysace.c 2011-05-22 19:36:31.000000000 -0400
28266 @@ -262,7 +262,7 @@ static void ace_dataout_8(struct ace_dev
28267 ace->data_ptr = src;
28268 }
28269
28270 -static struct ace_reg_ops ace_reg_8_ops = {
28271 +static const struct ace_reg_ops ace_reg_8_ops = {
28272 .in = ace_in_8,
28273 .out = ace_out_8,
28274 .datain = ace_datain_8,
28275 @@ -327,14 +327,14 @@ static void ace_dataout_le16(struct ace_
28276 ace->data_ptr = src;
28277 }
28278
28279 -static struct ace_reg_ops ace_reg_be16_ops = {
28280 +static const struct ace_reg_ops ace_reg_be16_ops = {
28281 .in = ace_in_be16,
28282 .out = ace_out_be16,
28283 .datain = ace_datain_be16,
28284 .dataout = ace_dataout_be16,
28285 };
28286
28287 -static struct ace_reg_ops ace_reg_le16_ops = {
28288 +static const struct ace_reg_ops ace_reg_le16_ops = {
28289 .in = ace_in_le16,
28290 .out = ace_out_le16,
28291 .datain = ace_datain_le16,
28292 diff -urNp linux-2.6.39.3/drivers/char/agp/frontend.c linux-2.6.39.3/drivers/char/agp/frontend.c
28293 --- linux-2.6.39.3/drivers/char/agp/frontend.c 2011-05-19 00:06:34.000000000 -0400
28294 +++ linux-2.6.39.3/drivers/char/agp/frontend.c 2011-05-22 19:36:31.000000000 -0400
28295 @@ -817,7 +817,7 @@ static int agpioc_reserve_wrap(struct ag
28296 if (copy_from_user(&reserve, arg, sizeof(struct agp_region)))
28297 return -EFAULT;
28298
28299 - if ((unsigned) reserve.seg_count >= ~0U/sizeof(struct agp_segment))
28300 + if ((unsigned) reserve.seg_count >= ~0U/sizeof(struct agp_segment_priv))
28301 return -EFAULT;
28302
28303 client = agp_find_client_by_pid(reserve.pid);
28304 diff -urNp linux-2.6.39.3/drivers/char/briq_panel.c linux-2.6.39.3/drivers/char/briq_panel.c
28305 --- linux-2.6.39.3/drivers/char/briq_panel.c 2011-05-19 00:06:34.000000000 -0400
28306 +++ linux-2.6.39.3/drivers/char/briq_panel.c 2011-05-22 19:41:32.000000000 -0400
28307 @@ -9,6 +9,7 @@
28308 #include <linux/types.h>
28309 #include <linux/errno.h>
28310 #include <linux/tty.h>
28311 +#include <linux/mutex.h>
28312 #include <linux/timer.h>
28313 #include <linux/kernel.h>
28314 #include <linux/wait.h>
28315 @@ -34,6 +35,7 @@ static int vfd_is_open;
28316 static unsigned char vfd[40];
28317 static int vfd_cursor;
28318 static unsigned char ledpb, led;
28319 +static DEFINE_MUTEX(vfd_mutex);
28320
28321 static void update_vfd(void)
28322 {
28323 @@ -140,12 +142,15 @@ static ssize_t briq_panel_write(struct f
28324 if (!vfd_is_open)
28325 return -EBUSY;
28326
28327 + mutex_lock(&vfd_mutex);
28328 for (;;) {
28329 char c;
28330 if (!indx)
28331 break;
28332 - if (get_user(c, buf))
28333 + if (get_user(c, buf)) {
28334 + mutex_unlock(&vfd_mutex);
28335 return -EFAULT;
28336 + }
28337 if (esc) {
28338 set_led(c);
28339 esc = 0;
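Review bot: The `vfd_is_open` test at the top of this hunk still runs before `mutex_lock(&vfd_mutex)`, and the lock is now released by hand inside the loop on the `get_user` failure path, so lock and unlock are not paired in one place. A single exit is easier to audit: use `ret = -EFAULT; goto out;` in the loop and end the function with `out: mutex_unlock(&vfd_mutex); return ret;`. briq_panel_write starts before this hunk and its tail is in the next one. Any other code that touches `vfd` or `vfd_cursor` (not visible here) would need the same mutex for the serialisation to hold.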
28340 @@ -175,6 +180,7 @@ static ssize_t briq_panel_write(struct f
28341 buf++;
28342 }
28343 update_vfd();
28344 + mutex_unlock(&vfd_mutex);
28345
28346 return len;
28347 }
28348 diff -urNp linux-2.6.39.3/drivers/char/genrtc.c linux-2.6.39.3/drivers/char/genrtc.c
28349 --- linux-2.6.39.3/drivers/char/genrtc.c 2011-05-19 00:06:34.000000000 -0400
28350 +++ linux-2.6.39.3/drivers/char/genrtc.c 2011-05-22 19:41:32.000000000 -0400
28351 @@ -273,6 +273,7 @@ static int gen_rtc_ioctl(struct file *fi
28352 switch (cmd) {
28353
28354 case RTC_PLL_GET:
28355 + memset(&pll, 0, sizeof(pll));
28356 if (get_rtc_pll(&pll))
28357 return -EINVAL;
28358 else
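Review bot: The added `memset(&pll, 0, sizeof(pll));` under `case RTC_PLL_GET` has no comment, and without one it reads as redundant next to `get_rtc_pll(&pll)`. If its purpose is to keep uninitialised stack bytes (padding, or fields the helper does not fill) from reaching user space when `pll` is copied out, say so: `/* clear padding and unset fields before pll is copied to user space */`. The copy itself is in the `else` branch, which continues outside the hunk, so that reading is inferred.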
28359 diff -urNp linux-2.6.39.3/drivers/char/hpet.c linux-2.6.39.3/drivers/char/hpet.c
28360 --- linux-2.6.39.3/drivers/char/hpet.c 2011-05-19 00:06:34.000000000 -0400
28361 +++ linux-2.6.39.3/drivers/char/hpet.c 2011-05-22 19:36:31.000000000 -0400
28362 @@ -553,7 +553,7 @@ static inline unsigned long hpet_time_di
28363 }
28364
28365 static int
28366 -hpet_ioctl_common(struct hpet_dev *devp, int cmd, unsigned long arg,
28367 +hpet_ioctl_common(struct hpet_dev *devp, unsigned int cmd, unsigned long arg,
28368 struct hpet_info *info)
28369 {
28370 struct hpet_timer __iomem *timer;
28371 diff -urNp linux-2.6.39.3/drivers/char/ipmi/ipmi_devintf.c linux-2.6.39.3/drivers/char/ipmi/ipmi_devintf.c
28372 --- linux-2.6.39.3/drivers/char/ipmi/ipmi_devintf.c 2011-05-19 00:06:34.000000000 -0400
28373 +++ linux-2.6.39.3/drivers/char/ipmi/ipmi_devintf.c 2011-05-22 19:36:31.000000000 -0400
28374 @@ -109,8 +109,7 @@ static int ipmi_fasync(int fd, struct fi
28375 return (result);
28376 }
28377
28378 -static struct ipmi_user_hndl ipmi_hndlrs =
28379 -{
28380 +static const struct ipmi_user_hndl ipmi_hndlrs = {
28381 .ipmi_recv_hndl = file_receive_handler,
28382 };
28383
28384 diff -urNp linux-2.6.39.3/drivers/char/ipmi/ipmi_msghandler.c linux-2.6.39.3/drivers/char/ipmi/ipmi_msghandler.c
28385 --- linux-2.6.39.3/drivers/char/ipmi/ipmi_msghandler.c 2011-05-19 00:06:34.000000000 -0400
28386 +++ linux-2.6.39.3/drivers/char/ipmi/ipmi_msghandler.c 2011-05-22 19:36:31.000000000 -0400
28387 @@ -82,7 +82,7 @@ struct ipmi_user {
28388 struct kref refcount;
28389
28390 /* The upper layer that handles receive messages. */
28391 - struct ipmi_user_hndl *handler;
28392 + const struct ipmi_user_hndl *handler;
28393 void *handler_data;
28394
28395 /* The interface this user is bound to. */
28396 @@ -414,7 +414,7 @@ struct ipmi_smi {
28397 struct proc_dir_entry *proc_dir;
28398 char proc_dir_name[10];
28399
28400 - atomic_t stats[IPMI_NUM_STATS];
28401 + atomic_unchecked_t stats[IPMI_NUM_STATS];
28402
28403 /*
28404 * run_to_completion duplicate of smb_info, smi_info
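Review bot: `stats[]` is switched to `atomic_unchecked_t` here without a comment saying why this counter is exempt from overflow checking. These look like plain statistics (the next hunk only increments and reads them through `ipmi_inc_stat`/`ipmi_get_stat`), so wrap-around should be harmless, and the field comment is the place to record that: `/* statistics only, may wrap; not a reference count */`. The same applies to the `stats[]` change in ipmi_si_intf.c and the parity counters in edac_pci_sysfs.c later in the patch. struct ipmi_smi starts and ends outside the hunk.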
28405 @@ -447,9 +447,9 @@ static DEFINE_MUTEX(smi_watchers_mutex);
28406
28407
28408 #define ipmi_inc_stat(intf, stat) \
28409 - atomic_inc(&(intf)->stats[IPMI_STAT_ ## stat])
28410 + atomic_inc_unchecked(&(intf)->stats[IPMI_STAT_ ## stat])
28411 #define ipmi_get_stat(intf, stat) \
28412 - ((unsigned int) atomic_read(&(intf)->stats[IPMI_STAT_ ## stat]))
28413 + ((unsigned int) atomic_read_unchecked(&(intf)->stats[IPMI_STAT_ ## stat]))
28414
28415 static int is_lan_addr(struct ipmi_addr *addr)
28416 {
28417 @@ -875,7 +875,7 @@ static int intf_err_seq(ipmi_smi_t int
28418
28419
28420 int ipmi_create_user(unsigned int if_num,
28421 - struct ipmi_user_hndl *handler,
28422 + const struct ipmi_user_hndl *handler,
28423 void *handler_data,
28424 ipmi_user_t *user)
28425 {
28426 @@ -2844,7 +2844,7 @@ int ipmi_register_smi(struct ipmi_smi_ha
28427 INIT_LIST_HEAD(&intf->cmd_rcvrs);
28428 init_waitqueue_head(&intf->waitq);
28429 for (i = 0; i < IPMI_NUM_STATS; i++)
28430 - atomic_set(&intf->stats[i], 0);
28431 + atomic_set_unchecked(&intf->stats[i], 0);
28432
28433 intf->proc_dir = NULL;
28434
28435 @@ -4196,6 +4196,8 @@ static void send_panic_events(char *str)
28436 struct ipmi_smi_msg smi_msg;
28437 struct ipmi_recv_msg recv_msg;
28438
28439 + pax_track_stack();
28440 +
28441 si = (struct ipmi_system_interface_addr *) &addr;
28442 si->addr_type = IPMI_SYSTEM_INTERFACE_ADDR_TYPE;
28443 si->channel = IPMI_BMC_CHANNEL;
28444 diff -urNp linux-2.6.39.3/drivers/char/ipmi/ipmi_poweroff.c linux-2.6.39.3/drivers/char/ipmi/ipmi_poweroff.c
28445 --- linux-2.6.39.3/drivers/char/ipmi/ipmi_poweroff.c 2011-05-19 00:06:34.000000000 -0400
28446 +++ linux-2.6.39.3/drivers/char/ipmi/ipmi_poweroff.c 2011-05-22 19:36:31.000000000 -0400
28447 @@ -133,7 +133,7 @@ static void receive_handler(struct ipmi_
28448 complete(comp);
28449 }
28450
28451 -static struct ipmi_user_hndl ipmi_poweroff_handler = {
28452 +static const struct ipmi_user_hndl ipmi_poweroff_handler = {
28453 .ipmi_recv_hndl = receive_handler
28454 };
28455
28456 diff -urNp linux-2.6.39.3/drivers/char/ipmi/ipmi_si_intf.c linux-2.6.39.3/drivers/char/ipmi/ipmi_si_intf.c
28457 --- linux-2.6.39.3/drivers/char/ipmi/ipmi_si_intf.c 2011-05-19 00:06:34.000000000 -0400
28458 +++ linux-2.6.39.3/drivers/char/ipmi/ipmi_si_intf.c 2011-05-22 19:36:31.000000000 -0400
28459 @@ -276,7 +276,7 @@ struct smi_info {
28460 unsigned char slave_addr;
28461
28462 /* Counters and things for the proc filesystem. */
28463 - atomic_t stats[SI_NUM_STATS];
28464 + atomic_unchecked_t stats[SI_NUM_STATS];
28465
28466 struct task_struct *thread;
28467
28468 @@ -285,9 +285,9 @@ struct smi_info {
28469 };
28470
28471 #define smi_inc_stat(smi, stat) \
28472 - atomic_inc(&(smi)->stats[SI_STAT_ ## stat])
28473 + atomic_inc_unchecked(&(smi)->stats[SI_STAT_ ## stat])
28474 #define smi_get_stat(smi, stat) \
28475 - ((unsigned int) atomic_read(&(smi)->stats[SI_STAT_ ## stat]))
28476 + ((unsigned int) atomic_read_unchecked(&(smi)->stats[SI_STAT_ ## stat]))
28477
28478 #define SI_MAX_PARMS 4
28479
28480 @@ -3198,7 +3198,7 @@ static int try_smi_init(struct smi_info
28481 atomic_set(&new_smi->req_events, 0);
28482 new_smi->run_to_completion = 0;
28483 for (i = 0; i < SI_NUM_STATS; i++)
28484 - atomic_set(&new_smi->stats[i], 0);
28485 + atomic_set_unchecked(&new_smi->stats[i], 0);
28486
28487 new_smi->interrupt_disabled = 1;
28488 atomic_set(&new_smi->stop_operation, 0);
28489 diff -urNp linux-2.6.39.3/drivers/char/ipmi/ipmi_watchdog.c linux-2.6.39.3/drivers/char/ipmi/ipmi_watchdog.c
28490 --- linux-2.6.39.3/drivers/char/ipmi/ipmi_watchdog.c 2011-05-19 00:06:34.000000000 -0400
28491 +++ linux-2.6.39.3/drivers/char/ipmi/ipmi_watchdog.c 2011-05-22 19:36:31.000000000 -0400
28492 @@ -216,7 +216,7 @@ static int set_param_timeout(const char
28493 return rv;
28494 }
28495
28496 -static struct kernel_param_ops param_ops_timeout = {
28497 +static const struct kernel_param_ops param_ops_timeout = {
28498 .set = set_param_timeout,
28499 .get = param_get_int,
28500 };
28501 @@ -278,14 +278,14 @@ static int set_param_wdog_ifnum(const ch
28502 return 0;
28503 }
28504
28505 -static struct kernel_param_ops param_ops_wdog_ifnum = {
28506 +static const struct kernel_param_ops param_ops_wdog_ifnum = {
28507 .set = set_param_wdog_ifnum,
28508 .get = param_get_int,
28509 };
28510
28511 #define param_check_wdog_ifnum param_check_int
28512
28513 -static struct kernel_param_ops param_ops_str = {
28514 +static const struct kernel_param_ops param_ops_str = {
28515 .set = set_param_str,
28516 .get = get_param_str,
28517 };
28518 @@ -953,7 +953,7 @@ static void ipmi_wdog_pretimeout_handler
28519 pretimeout_since_last_heartbeat = 1;
28520 }
28521
28522 -static struct ipmi_user_hndl ipmi_hndlrs = {
28523 +static const struct ipmi_user_hndl ipmi_hndlrs = {
28524 .ipmi_recv_hndl = ipmi_wdog_msg_handler,
28525 .ipmi_watchdog_pretimeout = ipmi_wdog_pretimeout_handler
28526 };
28527 diff -urNp linux-2.6.39.3/drivers/char/Kconfig linux-2.6.39.3/drivers/char/Kconfig
28528 --- linux-2.6.39.3/drivers/char/Kconfig 2011-05-19 00:06:34.000000000 -0400
28529 +++ linux-2.6.39.3/drivers/char/Kconfig 2011-05-22 19:41:37.000000000 -0400
28530 @@ -8,7 +8,8 @@ source "drivers/tty/Kconfig"
28531
28532 config DEVKMEM
28533 bool "/dev/kmem virtual device support"
28534 - default y
28535 + default n
28536 + depends on !GRKERNSEC_KMEM
28537 help
28538 Say Y here if you want to support the /dev/kmem device. The
28539 /dev/kmem device is rarely used, but can be used for certain
28540 @@ -596,6 +597,7 @@ config DEVPORT
28541 bool
28542 depends on !M68K
28543 depends on ISA || PCI
28544 + depends on !GRKERNSEC_KMEM
28545 default y
28546
28547 source "drivers/s390/char/Kconfig"
28548 diff -urNp linux-2.6.39.3/drivers/char/mem.c linux-2.6.39.3/drivers/char/mem.c
28549 --- linux-2.6.39.3/drivers/char/mem.c 2011-05-19 00:06:34.000000000 -0400
28550 +++ linux-2.6.39.3/drivers/char/mem.c 2011-05-22 19:41:37.000000000 -0400
28551 @@ -18,6 +18,7 @@
28552 #include <linux/raw.h>
28553 #include <linux/tty.h>
28554 #include <linux/capability.h>
28555 +#include <linux/security.h>
28556 #include <linux/ptrace.h>
28557 #include <linux/device.h>
28558 #include <linux/highmem.h>
28559 @@ -34,6 +35,10 @@
28560 # include <linux/efi.h>
28561 #endif
28562
28563 +#if defined(CONFIG_GRKERNSEC) && !defined(CONFIG_GRKERNSEC_NO_RBAC)
28564 +extern struct file_operations grsec_fops;
28565 +#endif
28566 +
28567 static inline unsigned long size_inside_page(unsigned long start,
28568 unsigned long size)
28569 {
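Review bot: `extern struct file_operations grsec_fops;` is declared directly in mem.c, so the compiler never checks it against the definition, and it is non-const while most of this patch constifies ops tables. Moving the declaration into a header that the defining file also includes would catch a type mismatch at build time. If nothing writes to the structure, `extern const struct file_operations grsec_fops;` would match the rest of the series. The definition is not on this page, so whether it can be const is unconfirmed.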
28570 @@ -65,9 +70,13 @@ static inline int range_is_allowed(unsig
28571
28572 while (cursor < to) {
28573 if (!devmem_is_allowed(pfn)) {
28574 +#ifdef CONFIG_GRKERNSEC_KMEM
28575 + gr_handle_mem_readwrite(from, to);
28576 +#else
28577 printk(KERN_INFO
28578 "Program %s tried to access /dev/mem between %Lx->%Lx.\n",
28579 current->comm, from, to);
28580 +#endif
28581 return 0;
28582 }
28583 cursor += PAGE_SIZE;
28584 @@ -75,6 +84,11 @@ static inline int range_is_allowed(unsig
28585 }
28586 return 1;
28587 }
28588 +#elif defined(CONFIG_GRKERNSEC_KMEM)
28589 +static inline int range_is_allowed(unsigned long pfn, unsigned long size)
28590 +{
28591 + return 0;
28592 +}
28593 #else
28594 static inline int range_is_allowed(unsigned long pfn, unsigned long size)
28595 {
28596 @@ -117,6 +131,7 @@ static ssize_t read_mem(struct file *fil
28597
28598 while (count > 0) {
28599 unsigned long remaining;
28600 + char *temp;
28601
28602 sz = size_inside_page(p, count);
28603
28604 @@ -132,7 +147,23 @@ static ssize_t read_mem(struct file *fil
28605 if (!ptr)
28606 return -EFAULT;
28607
28608 - remaining = copy_to_user(buf, ptr, sz);
28609 +#ifdef CONFIG_PAX_USERCOPY
28610 + temp = kmalloc(sz, GFP_KERNEL);
28611 + if (!temp) {
28612 + unxlate_dev_mem_ptr(p, ptr);
28613 + return -ENOMEM;
28614 + }
28615 + memcpy(temp, ptr, sz);
28616 +#else
28617 + temp = ptr;
28618 +#endif
28619 +
28620 + remaining = copy_to_user(buf, temp, sz);
28621 +
28622 +#ifdef CONFIG_PAX_USERCOPY
28623 + kfree(temp);
28624 +#endif
28625 +
28626 unxlate_dev_mem_ptr(p, ptr);
28627 if (remaining)
28628 return -EFAULT;
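Review bot: With CONFIG_PAX_USERCOPY the loop now does a `kmalloc(sz, GFP_KERNEL)` and a `kfree(temp)` for every chunk it copies, and the `read_kmem` hunk further down repeats the pattern. `sz` comes from `size_inside_page()` and is presumably bounded by a page, so one page-sized bounce buffer allocated before the loop and freed on each exit path would avoid the per-chunk allocator round trip and the `-ENOMEM` in the middle of a read. Neither hunk says why the copy is bounced. A short comment would help, stating that the translated mapping cannot be handed to `copy_to_user` under the usercopy checks (my reading, not stated on the page). Both loops start outside their hunks.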
28629 @@ -395,9 +426,8 @@ static ssize_t read_kmem(struct file *fi
28630 size_t count, loff_t *ppos)
28631 {
28632 unsigned long p = *ppos;
28633 - ssize_t low_count, read, sz;
28634 + ssize_t low_count, read, sz, err = 0;
28635 char * kbuf; /* k-addr because vread() takes vmlist_lock rwlock */
28636 - int err = 0;
28637
28638 read = 0;
28639 if (p < (unsigned long) high_memory) {
28640 @@ -419,6 +449,8 @@ static ssize_t read_kmem(struct file *fi
28641 }
28642 #endif
28643 while (low_count > 0) {
28644 + char *temp;
28645 +
28646 sz = size_inside_page(p, low_count);
28647
28648 /*
28649 @@ -428,7 +460,22 @@ static ssize_t read_kmem(struct file *fi
28650 */
28651 kbuf = xlate_dev_kmem_ptr((char *)p);
28652
28653 - if (copy_to_user(buf, kbuf, sz))
28654 +#ifdef CONFIG_PAX_USERCOPY
28655 + temp = kmalloc(sz, GFP_KERNEL);
28656 + if (!temp)
28657 + return -ENOMEM;
28658 + memcpy(temp, kbuf, sz);
28659 +#else
28660 + temp = kbuf;
28661 +#endif
28662 +
28663 + err = copy_to_user(buf, temp, sz);
28664 +
28665 +#ifdef CONFIG_PAX_USERCOPY
28666 + kfree(temp);
28667 +#endif
28668 +
28669 + if (err)
28670 return -EFAULT;
28671 buf += sz;
28672 p += sz;
28673 @@ -854,6 +901,9 @@ static const struct memdev {
28674 #ifdef CONFIG_CRASH_DUMP
28675 [12] = { "oldmem", 0, &oldmem_fops, NULL },
28676 #endif
28677 +#if defined(CONFIG_GRKERNSEC) && !defined(CONFIG_GRKERNSEC_NO_RBAC)
28678 + [13] = { "grsec",S_IRUSR | S_IWUGO, &grsec_fops, NULL },
28679 +#endif
28680 };
28681
28682 static int memory_open(struct inode *inode, struct file *filp)
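Review bot: The new `[13]` entry registers the `grsec` node with `S_IRUSR | S_IWUGO`, i.e. writable by every user, and nothing next to it says why. All access control then rests on the handlers in `grsec_fops`, which are not visible here. A comment such as `/* world-writable by design: grsec_fops authenticates every request */` would record that assumption for whoever audits device modes, provided it is true. The entry also lacks the space after the comma that the neighbouring `[12]` entry has.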
28683 diff -urNp linux-2.6.39.3/drivers/char/mmtimer.c linux-2.6.39.3/drivers/char/mmtimer.c
28684 --- linux-2.6.39.3/drivers/char/mmtimer.c 2011-05-19 00:06:34.000000000 -0400
28685 +++ linux-2.6.39.3/drivers/char/mmtimer.c 2011-05-22 19:36:31.000000000 -0400
28686 @@ -53,7 +53,7 @@ MODULE_LICENSE("GPL");
28687
28688 #define RTC_BITS 55 /* 55 bits for this implementation */
28689
28690 -static struct k_clock sgi_clock;
28691 +static const struct k_clock sgi_clock;
28692
28693 extern unsigned long sn_rtc_cycles_per_second;
28694
28695 @@ -772,7 +772,7 @@ static int sgi_clock_getres(const clocki
28696 return 0;
28697 }
28698
28699 -static struct k_clock sgi_clock = {
28700 +static const struct k_clock sgi_clock = {
28701 .clock_set = sgi_clock_set,
28702 .clock_get = sgi_clock_get,
28703 .clock_getres = sgi_clock_getres,
28704 diff -urNp linux-2.6.39.3/drivers/char/nvram.c linux-2.6.39.3/drivers/char/nvram.c
28705 --- linux-2.6.39.3/drivers/char/nvram.c 2011-05-19 00:06:34.000000000 -0400
28706 +++ linux-2.6.39.3/drivers/char/nvram.c 2011-05-22 19:36:31.000000000 -0400
28707 @@ -246,7 +246,7 @@ static ssize_t nvram_read(struct file *f
28708
28709 spin_unlock_irq(&rtc_lock);
28710
28711 - if (copy_to_user(buf, contents, tmp - contents))
28712 + if (tmp - contents > sizeof(contents) || copy_to_user(buf, contents, tmp - contents))
28713 return -EFAULT;
28714
28715 *ppos = i;
28716 diff -urNp linux-2.6.39.3/drivers/char/random.c linux-2.6.39.3/drivers/char/random.c
28717 --- linux-2.6.39.3/drivers/char/random.c 2011-05-19 00:06:34.000000000 -0400
28718 +++ linux-2.6.39.3/drivers/char/random.c 2011-05-22 19:41:37.000000000 -0400
28719 @@ -261,8 +261,13 @@
28720 /*
28721 * Configuration information
28722 */
28723 +#ifdef CONFIG_GRKERNSEC_RANDNET
28724 +#define INPUT_POOL_WORDS 512
28725 +#define OUTPUT_POOL_WORDS 128
28726 +#else
28727 #define INPUT_POOL_WORDS 128
28728 #define OUTPUT_POOL_WORDS 32
28729 +#endif
28730 #define SEC_XFER_SIZE 512
28731 #define EXTRACT_SIZE 10
28732
28733 @@ -300,10 +305,17 @@ static struct poolinfo {
28734 int poolwords;
28735 int tap1, tap2, tap3, tap4, tap5;
28736 } poolinfo_table[] = {
28737 +#ifdef CONFIG_GRKERNSEC_RANDNET
28738 + /* x^512 + x^411 + x^308 + x^208 +x^104 + x + 1 -- 225 */
28739 + { 512, 411, 308, 208, 104, 1 },
28740 + /* x^128 + x^103 + x^76 + x^51 + x^25 + x + 1 -- 105 */
28741 + { 128, 103, 76, 51, 25, 1 },
28742 +#else
28743 /* x^128 + x^103 + x^76 + x^51 +x^25 + x + 1 -- 105 */
28744 { 128, 103, 76, 51, 25, 1 },
28745 /* x^32 + x^26 + x^20 + x^14 + x^7 + x + 1 -- 15 */
28746 { 32, 26, 20, 14, 7, 1 },
28747 +#endif
28748 #if 0
28749 /* x^2048 + x^1638 + x^1231 + x^819 + x^411 + x + 1 -- 115 */
28750 { 2048, 1638, 1231, 819, 411, 1 },
28751 @@ -909,7 +921,7 @@ static ssize_t extract_entropy_user(stru
28752
28753 extract_buf(r, tmp);
28754 i = min_t(int, nbytes, EXTRACT_SIZE);
28755 - if (copy_to_user(buf, tmp, i)) {
28756 + if (i > sizeof(tmp) || copy_to_user(buf, tmp, i)) {
28757 ret = -EFAULT;
28758 break;
28759 }
28760 @@ -1214,7 +1226,7 @@ EXPORT_SYMBOL(generate_random_uuid);
28761 #include <linux/sysctl.h>
28762
28763 static int min_read_thresh = 8, min_write_thresh;
28764 -static int max_read_thresh = INPUT_POOL_WORDS * 32;
28765 +static int max_read_thresh = OUTPUT_POOL_WORDS * 32;
28766 static int max_write_thresh = INPUT_POOL_WORDS * 32;
28767 static char sysctl_bootid[16];
28768
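Review bot: `max_read_thresh` changes from `INPUT_POOL_WORDS * 32` to `OUTPUT_POOL_WORDS * 32` with no comment, and the effect depends on the configuration. With CONFIG_GRKERNSEC_RANDNET the new value is 128 * 32, the same number the unpatched code had, but without it the ceiling drops to 32 * 32 while `max_write_thresh` stays at 128 * 32. If the intent is only to keep the old limit once the pools are enlarged, a comment saying so would help, e.g. `/* keep the read threshold ceiling at its pre-RANDNET value */`. Otherwise the sysctl range on non-RANDNET builds is tightened silently.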
28769 diff -urNp linux-2.6.39.3/drivers/char/sonypi.c linux-2.6.39.3/drivers/char/sonypi.c
28770 --- linux-2.6.39.3/drivers/char/sonypi.c 2011-05-19 00:06:34.000000000 -0400
28771 +++ linux-2.6.39.3/drivers/char/sonypi.c 2011-05-22 19:36:31.000000000 -0400
28772 @@ -55,6 +55,7 @@
28773 #include <asm/uaccess.h>
28774 #include <asm/io.h>
28775 #include <asm/system.h>
28776 +#include <asm/local.h>
28777
28778 #include <linux/sonypi.h>
28779
28780 @@ -491,7 +492,7 @@ static struct sonypi_device {
28781 spinlock_t fifo_lock;
28782 wait_queue_head_t fifo_proc_list;
28783 struct fasync_struct *fifo_async;
28784 - int open_count;
28785 + local_t open_count;
28786 int model;
28787 struct input_dev *input_jog_dev;
28788 struct input_dev *input_key_dev;
28789 @@ -898,7 +899,7 @@ static int sonypi_misc_fasync(int fd, st
28790 static int sonypi_misc_release(struct inode *inode, struct file *file)
28791 {
28792 mutex_lock(&sonypi_device.lock);
28793 - sonypi_device.open_count--;
28794 + local_dec(&sonypi_device.open_count);
28795 mutex_unlock(&sonypi_device.lock);
28796 return 0;
28797 }
28798 @@ -907,9 +908,9 @@ static int sonypi_misc_open(struct inode
28799 {
28800 mutex_lock(&sonypi_device.lock);
28801 /* Flush input queue on first open */
28802 - if (!sonypi_device.open_count)
28803 + if (!local_read(&sonypi_device.open_count))
28804 kfifo_reset(&sonypi_device.fifo);
28805 - sonypi_device.open_count++;
28806 + local_inc(&sonypi_device.open_count);
28807 mutex_unlock(&sonypi_device.lock);
28808
28809 return 0;
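Review bot: `open_count` becomes a `local_t`, yet every access in these hunks (`local_read` and `local_inc` here, `local_dec` in the release hunk above) is still made under `sonypi_device.lock`, so the reason for the type change is not evident from the code. `local_t` operations are only atomic with respect to the current CPU, so the mutex remains what keeps the count correct across CPUs. A field comment such as `/* protected by sonypi_device.lock */`, plus a word on why the type changed, would stop a later cleanup from dropping the lock. Other users of `open_count` are not visible here.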
28810 diff -urNp linux-2.6.39.3/drivers/char/tpm/tpm_bios.c linux-2.6.39.3/drivers/char/tpm/tpm_bios.c
28811 --- linux-2.6.39.3/drivers/char/tpm/tpm_bios.c 2011-05-19 00:06:34.000000000 -0400
28812 +++ linux-2.6.39.3/drivers/char/tpm/tpm_bios.c 2011-05-22 19:36:31.000000000 -0400
28813 @@ -173,7 +173,7 @@ static void *tpm_bios_measurements_start
28814 event = addr;
28815
28816 if ((event->event_type == 0 && event->event_size == 0) ||
28817 - ((addr + sizeof(struct tcpa_event) + event->event_size) >= limit))
28818 + (event->event_size >= limit - addr - sizeof(struct tcpa_event)))
28819 return NULL;
28820
28821 return addr;
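Review bot: The rewritten test `event->event_size >= limit - addr - sizeof(struct tcpa_event)` is only sound if `limit - addr` is already known to be at least `sizeof(struct tcpa_event)`. Otherwise the subtraction is carried out in an unsigned type, wraps to a very large value, and the record is accepted. That precondition is presumably checked earlier in `tpm_bios_measurements_start`, outside this hunk, and the same applies to `v` in the `tpm_bios_measurements_next` hunk below. A comment at both sites, e.g. `/* header fits (checked above), so the subtraction cannot wrap */`, would make the dependency explicit.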
28822 @@ -198,7 +198,7 @@ static void *tpm_bios_measurements_next(
28823 return NULL;
28824
28825 if ((event->event_type == 0 && event->event_size == 0) ||
28826 - ((v + sizeof(struct tcpa_event) + event->event_size) >= limit))
28827 + (event->event_size >= limit - v - sizeof(struct tcpa_event)))
28828 return NULL;
28829
28830 (*pos)++;
28831 @@ -291,7 +291,8 @@ static int tpm_binary_bios_measurements_
28832 int i;
28833
28834 for (i = 0; i < sizeof(struct tcpa_event) + event->event_size; i++)
28835 - seq_putc(m, data[i]);
28836 + if (!seq_putc(m, data[i]))
28837 + return -EFAULT;
28838
28839 return 0;
28840 }
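Review bot: The added `if (!seq_putc(m, data[i])) return -EFAULT;` looks inverted. In the mainline seq_file code of this era, `seq_putc()` returns 0 when the byte was stored and -1 when the buffer is full (the function is not on this page, so check it against this tree). With that contract the loop bails out with -EFAULT after the first successfully written byte. The test would then be `if (seq_putc(m, data[i])) return -EFAULT;`. It is also worth checking whether a negative return from the show callback on a full buffer still lets seq_file retry with a larger one.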
28841 @@ -410,6 +411,11 @@ static int read_log(struct tpm_bios_log
28842 log->bios_event_log_end = log->bios_event_log + len;
28843
28844 virt = acpi_os_map_memory(start, len);
28845 + if (!virt) {
28846 + kfree(log->bios_event_log);
28847 + log->bios_event_log = NULL;
28848 + return -EFAULT;
28849 + }
28850
28851 memcpy(log->bios_event_log, virt, len);
28852
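Review bot: The new failure path frees `log->bios_event_log` and sets it to NULL but leaves `log->bios_event_log_end` pointing into the freed buffer; the context line just above assigns it as `log->bios_event_log + len`. Resetting it as well, `log->bios_event_log_end = NULL;`, keeps the pair consistent for any caller that inspects the log after a failed `read_log`. `-EFAULT` is also an unusual code for a failed mapping; `-EIO` or `-ENOMEM` would describe it better, depending on what the callers (not visible here) expect.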
28853 diff -urNp linux-2.6.39.3/drivers/char/tpm/tpm.c linux-2.6.39.3/drivers/char/tpm/tpm.c
28854 --- linux-2.6.39.3/drivers/char/tpm/tpm.c 2011-05-19 00:06:34.000000000 -0400
28855 +++ linux-2.6.39.3/drivers/char/tpm/tpm.c 2011-05-22 19:36:31.000000000 -0400
28856 @@ -411,7 +411,7 @@ static ssize_t tpm_transmit(struct tpm_c
28857 chip->vendor.req_complete_val)
28858 goto out_recv;
28859
28860 - if ((status == chip->vendor.req_canceled)) {
28861 + if (status == chip->vendor.req_canceled) {
28862 dev_err(chip->dev, "Operation Canceled\n");
28863 rc = -ECANCELED;
28864 goto out;
28865 @@ -844,6 +844,8 @@ ssize_t tpm_show_pubek(struct device *de
28866
28867 struct tpm_chip *chip = dev_get_drvdata(dev);
28868
28869 + pax_track_stack();
28870 +
28871 tpm_cmd.header.in = tpm_readpubek_header;
28872 err = transmit_cmd(chip, &tpm_cmd, READ_PUBEK_RESULT_SIZE,
28873 "attempting to read the PUBEK");
28874 diff -urNp linux-2.6.39.3/drivers/char/ttyprintk.c linux-2.6.39.3/drivers/char/ttyprintk.c
28875 --- linux-2.6.39.3/drivers/char/ttyprintk.c 2011-05-19 00:06:34.000000000 -0400
28876 +++ linux-2.6.39.3/drivers/char/ttyprintk.c 2011-05-22 19:36:31.000000000 -0400
28877 @@ -170,7 +170,7 @@ static const struct tty_operations ttypr
28878 .ioctl = tpk_ioctl,
28879 };
28880
28881 -struct tty_port_operations null_ops = { };
28882 +const struct tty_port_operations null_ops = { };
28883
28884 static struct tty_driver *ttyprintk_driver;
28885
28886 diff -urNp linux-2.6.39.3/drivers/char/xilinx_hwicap/xilinx_hwicap.c linux-2.6.39.3/drivers/char/xilinx_hwicap/xilinx_hwicap.c
28887 --- linux-2.6.39.3/drivers/char/xilinx_hwicap/xilinx_hwicap.c 2011-05-19 00:06:34.000000000 -0400
28888 +++ linux-2.6.39.3/drivers/char/xilinx_hwicap/xilinx_hwicap.c 2011-05-22 19:36:31.000000000 -0400
28889 @@ -678,14 +678,14 @@ static int __devinit hwicap_setup(struct
28890 return retval;
28891 }
28892
28893 -static struct hwicap_driver_config buffer_icap_config = {
28894 +static const struct hwicap_driver_config buffer_icap_config = {
28895 .get_configuration = buffer_icap_get_configuration,
28896 .set_configuration = buffer_icap_set_configuration,
28897 .get_status = buffer_icap_get_status,
28898 .reset = buffer_icap_reset,
28899 };
28900
28901 -static struct hwicap_driver_config fifo_icap_config = {
28902 +static const struct hwicap_driver_config fifo_icap_config = {
28903 .get_configuration = fifo_icap_get_configuration,
28904 .set_configuration = fifo_icap_set_configuration,
28905 .get_status = fifo_icap_get_status,
28906 diff -urNp linux-2.6.39.3/drivers/crypto/hifn_795x.c linux-2.6.39.3/drivers/crypto/hifn_795x.c
28907 --- linux-2.6.39.3/drivers/crypto/hifn_795x.c 2011-05-19 00:06:34.000000000 -0400
28908 +++ linux-2.6.39.3/drivers/crypto/hifn_795x.c 2011-05-22 19:36:31.000000000 -0400
28909 @@ -1655,6 +1655,8 @@ static int hifn_test(struct hifn_device
28910 0xCA, 0x34, 0x2B, 0x2E};
28911 struct scatterlist sg;
28912
28913 + pax_track_stack();
28914 +
28915 memset(src, 0, sizeof(src));
28916 memset(ctx.key, 0, sizeof(ctx.key));
28917
28918 diff -urNp linux-2.6.39.3/drivers/crypto/padlock-aes.c linux-2.6.39.3/drivers/crypto/padlock-aes.c
28919 --- linux-2.6.39.3/drivers/crypto/padlock-aes.c 2011-05-19 00:06:34.000000000 -0400
28920 +++ linux-2.6.39.3/drivers/crypto/padlock-aes.c 2011-05-22 19:36:31.000000000 -0400
28921 @@ -109,6 +109,8 @@ static int aes_set_key(struct crypto_tfm
28922 struct crypto_aes_ctx gen_aes;
28923 int cpu;
28924
28925 + pax_track_stack();
28926 +
28927 if (key_len % 8) {
28928 *flags |= CRYPTO_TFM_RES_BAD_KEY_LEN;
28929 return -EINVAL;
28930 diff -urNp linux-2.6.39.3/drivers/dca/dca-core.c linux-2.6.39.3/drivers/dca/dca-core.c
28931 --- linux-2.6.39.3/drivers/dca/dca-core.c 2011-05-19 00:06:34.000000000 -0400
28932 +++ linux-2.6.39.3/drivers/dca/dca-core.c 2011-05-22 19:36:31.000000000 -0400
28933 @@ -325,7 +325,7 @@ EXPORT_SYMBOL_GPL(dca_get_tag);
28934 * @ops - pointer to struct of dca operation function pointers
28935 * @priv_size - size of extra mem to be added for provider's needs
28936 */
28937 -struct dca_provider *alloc_dca_provider(struct dca_ops *ops, int priv_size)
28938 +struct dca_provider *alloc_dca_provider(const struct dca_ops *ops, int priv_size)
28939 {
28940 struct dca_provider *dca;
28941 int alloc_size;
28942 diff -urNp linux-2.6.39.3/drivers/dma/ioat/dca.c linux-2.6.39.3/drivers/dma/ioat/dca.c
28943 --- linux-2.6.39.3/drivers/dma/ioat/dca.c 2011-05-19 00:06:34.000000000 -0400
28944 +++ linux-2.6.39.3/drivers/dma/ioat/dca.c 2011-05-22 19:36:31.000000000 -0400
28945 @@ -234,7 +234,7 @@ static int ioat_dca_dev_managed(struct d
28946 return 0;
28947 }
28948
28949 -static struct dca_ops ioat_dca_ops = {
28950 +static const struct dca_ops ioat_dca_ops = {
28951 .add_requester = ioat_dca_add_requester,
28952 .remove_requester = ioat_dca_remove_requester,
28953 .get_tag = ioat_dca_get_tag,
28954 @@ -384,7 +384,7 @@ static u8 ioat2_dca_get_tag(struct dca_p
28955 return tag;
28956 }
28957
28958 -static struct dca_ops ioat2_dca_ops = {
28959 +static const struct dca_ops ioat2_dca_ops = {
28960 .add_requester = ioat2_dca_add_requester,
28961 .remove_requester = ioat2_dca_remove_requester,
28962 .get_tag = ioat2_dca_get_tag,
28963 @@ -579,7 +579,7 @@ static u8 ioat3_dca_get_tag(struct dca_p
28964 return tag;
28965 }
28966
28967 -static struct dca_ops ioat3_dca_ops = {
28968 +static const struct dca_ops ioat3_dca_ops = {
28969 .add_requester = ioat3_dca_add_requester,
28970 .remove_requester = ioat3_dca_remove_requester,
28971 .get_tag = ioat3_dca_get_tag,
28972 diff -urNp linux-2.6.39.3/drivers/edac/amd64_edac.h linux-2.6.39.3/drivers/edac/amd64_edac.h
28973 --- linux-2.6.39.3/drivers/edac/amd64_edac.h 2011-05-19 00:06:34.000000000 -0400
28974 +++ linux-2.6.39.3/drivers/edac/amd64_edac.h 2011-05-22 19:36:31.000000000 -0400
28975 @@ -333,7 +333,7 @@ struct chip_select {
28976 };
28977
28978 struct amd64_pvt {
28979 - struct low_ops *ops;
28980 + const struct low_ops *ops;
28981
28982 /* pci_device handles which we utilize */
28983 struct pci_dev *F1, *F2, *F3;
28984 @@ -443,7 +443,7 @@ struct low_ops {
28985 struct amd64_family_type {
28986 const char *ctl_name;
28987 u16 f1_id, f3_id;
28988 - struct low_ops ops;
28989 + const struct low_ops ops;
28990 };
28991
28992 int __amd64_write_pci_cfg_dword(struct pci_dev *pdev, int offset,
28993 diff -urNp linux-2.6.39.3/drivers/edac/edac_mc_sysfs.c linux-2.6.39.3/drivers/edac/edac_mc_sysfs.c
28994 --- linux-2.6.39.3/drivers/edac/edac_mc_sysfs.c 2011-05-19 00:06:34.000000000 -0400
28995 +++ linux-2.6.39.3/drivers/edac/edac_mc_sysfs.c 2011-05-22 19:36:31.000000000 -0400
28996 @@ -760,7 +760,7 @@ static void edac_inst_grp_release(struct
28997 }
28998
28999 /* Intermediate show/store table */
29000 -static struct sysfs_ops inst_grp_ops = {
29001 +static const struct sysfs_ops inst_grp_ops = {
29002 .show = inst_grp_show,
29003 .store = inst_grp_store
29004 };
29005 diff -urNp linux-2.6.39.3/drivers/edac/edac_pci_sysfs.c linux-2.6.39.3/drivers/edac/edac_pci_sysfs.c
29006 --- linux-2.6.39.3/drivers/edac/edac_pci_sysfs.c 2011-05-19 00:06:34.000000000 -0400
29007 +++ linux-2.6.39.3/drivers/edac/edac_pci_sysfs.c 2011-05-22 19:36:31.000000000 -0400
29008 @@ -26,8 +26,8 @@ static int edac_pci_log_pe = 1; /* log
29009 static int edac_pci_log_npe = 1; /* log PCI non-parity error errors */
29010 static int edac_pci_poll_msec = 1000; /* one second workq period */
29011
29012 -static atomic_t pci_parity_count = ATOMIC_INIT(0);
29013 -static atomic_t pci_nonparity_count = ATOMIC_INIT(0);
29014 +static atomic_unchecked_t pci_parity_count = ATOMIC_INIT(0);
29015 +static atomic_unchecked_t pci_nonparity_count = ATOMIC_INIT(0);
29016
29017 static struct kobject *edac_pci_top_main_kobj;
29018 static atomic_t edac_pci_sysfs_refcount = ATOMIC_INIT(0);
29019 @@ -582,7 +582,7 @@ static void edac_pci_dev_parity_test(str
29020 edac_printk(KERN_CRIT, EDAC_PCI,
29021 "Signaled System Error on %s\n",
29022 pci_name(dev));
29023 - atomic_inc(&pci_nonparity_count);
29024 + atomic_inc_unchecked(&pci_nonparity_count);
29025 }
29026
29027 if (status & (PCI_STATUS_PARITY)) {
29028 @@ -590,7 +590,7 @@ static void edac_pci_dev_parity_test(str
29029 "Master Data Parity Error on %s\n",
29030 pci_name(dev));
29031
29032 - atomic_inc(&pci_parity_count);
29033 + atomic_inc_unchecked(&pci_parity_count);
29034 }
29035
29036 if (status & (PCI_STATUS_DETECTED_PARITY)) {
29037 @@ -598,7 +598,7 @@ static void edac_pci_dev_parity_test(str
29038 "Detected Parity Error on %s\n",
29039 pci_name(dev));
29040
29041 - atomic_inc(&pci_parity_count);
29042 + atomic_inc_unchecked(&pci_parity_count);
29043 }
29044 }
29045
29046 @@ -619,7 +619,7 @@ static void edac_pci_dev_parity_test(str
29047 edac_printk(KERN_CRIT, EDAC_PCI, "Bridge "
29048 "Signaled System Error on %s\n",
29049 pci_name(dev));
29050 - atomic_inc(&pci_nonparity_count);
29051 + atomic_inc_unchecked(&pci_nonparity_count);
29052 }
29053
29054 if (status & (PCI_STATUS_PARITY)) {
29055 @@ -627,7 +627,7 @@ static void edac_pci_dev_parity_test(str
29056 "Master Data Parity Error on "
29057 "%s\n", pci_name(dev));
29058
29059 - atomic_inc(&pci_parity_count);
29060 + atomic_inc_unchecked(&pci_parity_count);
29061 }
29062
29063 if (status & (PCI_STATUS_DETECTED_PARITY)) {
29064 @@ -635,7 +635,7 @@ static void edac_pci_dev_parity_test(str
29065 "Detected Parity Error on %s\n",
29066 pci_name(dev));
29067
29068 - atomic_inc(&pci_parity_count);
29069 + atomic_inc_unchecked(&pci_parity_count);
29070 }
29071 }
29072 }
29073 @@ -677,7 +677,7 @@ void edac_pci_do_parity_check(void)
29074 if (!check_pci_errors)
29075 return;
29076
29077 - before_count = atomic_read(&pci_parity_count);
29078 + before_count = atomic_read_unchecked(&pci_parity_count);
29079
29080 /* scan all PCI devices looking for a Parity Error on devices and
29081 * bridges.
29082 @@ -689,7 +689,7 @@ void edac_pci_do_parity_check(void)
29083 /* Only if operator has selected panic on PCI Error */
29084 if (edac_pci_get_panic_on_pe()) {
29085 /* If the count is different 'after' from 'before' */
29086 - if (before_count != atomic_read(&pci_parity_count))
29087 + if (before_count != atomic_read_unchecked(&pci_parity_count))
29088 panic("EDAC: PCI Parity Error");
29089 }
29090 }
29091 diff -urNp linux-2.6.39.3/drivers/edac/i7core_edac.c linux-2.6.39.3/drivers/edac/i7core_edac.c
29092 --- linux-2.6.39.3/drivers/edac/i7core_edac.c 2011-05-19 00:06:34.000000000 -0400
29093 +++ linux-2.6.39.3/drivers/edac/i7core_edac.c 2011-07-06 20:00:14.000000000 -0400
29094 @@ -1670,7 +1670,7 @@ static void i7core_mce_output_error(stru
29095 char *type, *optype, *err, *msg;
29096 unsigned long error = m->status & 0x1ff0000l;
29097 u32 optypenum = (m->status >> 4) & 0x07;
29098 - u32 core_err_cnt = (m->status >> 38) && 0x7fff;
29099 + u32 core_err_cnt = (m->status >> 38) & 0x7fff;
29100 u32 dimm = (m->misc >> 16) & 0x3;
29101 u32 channel = (m->misc >> 18) & 0x3;
29102 u32 syndrome = m->misc >> 32;
29103 diff -urNp linux-2.6.39.3/drivers/firewire/core-cdev.c linux-2.6.39.3/drivers/firewire/core-cdev.c
29104 --- linux-2.6.39.3/drivers/firewire/core-cdev.c 2011-05-19 00:06:34.000000000 -0400
29105 +++ linux-2.6.39.3/drivers/firewire/core-cdev.c 2011-05-22 19:36:31.000000000 -0400
29106 @@ -1312,8 +1312,7 @@ static int init_iso_resource(struct clie
29107 int ret;
29108
29109 if ((request->channels == 0 && request->bandwidth == 0) ||
29110 - request->bandwidth > BANDWIDTH_AVAILABLE_INITIAL ||
29111 - request->bandwidth < 0)
29112 + request->bandwidth > BANDWIDTH_AVAILABLE_INITIAL)
29113 return -EINVAL;
29114
29115 r = kmalloc(sizeof(*r), GFP_KERNEL);
29116 diff -urNp linux-2.6.39.3/drivers/firewire/core-transaction.c linux-2.6.39.3/drivers/firewire/core-transaction.c
29117 --- linux-2.6.39.3/drivers/firewire/core-transaction.c 2011-05-19 00:06:34.000000000 -0400
29118 +++ linux-2.6.39.3/drivers/firewire/core-transaction.c 2011-05-22 19:36:31.000000000 -0400
29119 @@ -36,6 +36,7 @@
29120 #include <linux/string.h>
29121 #include <linux/timer.h>
29122 #include <linux/types.h>
29123 +#include <linux/sched.h>
29124
29125 #include <asm/byteorder.h>
29126
29127 @@ -420,6 +421,8 @@ int fw_run_transaction(struct fw_card *c
29128 struct transaction_callback_data d;
29129 struct fw_transaction t;
29130
29131 + pax_track_stack();
29132 +
29133 init_timer_on_stack(&t.split_timeout_timer);
29134 init_completion(&d.done);
29135 d.payload = payload;
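Review bot: The `pax_track_stack();` call added at the top of fw_run_transaction has no comment saying why this function needs it. The hunk shows `struct fw_transaction t` and `struct transaction_callback_data d` living on the stack, which is presumably the reason, but a later reader cannot tell whether the call may be dropped if those objects move off the stack. A one-line comment such as `/* large on-stack objects: let the stack-tracking hook record the depth */` would do, and the same applies to the identical insertion in drm_crtc_helper_set_mode (drm_crtc_helper.c, hunk at -343,6). Both function bodies continue outside their hunks.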
29136 diff -urNp linux-2.6.39.3/drivers/firmware/dmi_scan.c linux-2.6.39.3/drivers/firmware/dmi_scan.c
29137 --- linux-2.6.39.3/drivers/firmware/dmi_scan.c 2011-05-19 00:06:34.000000000 -0400
29138 +++ linux-2.6.39.3/drivers/firmware/dmi_scan.c 2011-05-22 19:36:31.000000000 -0400
29139 @@ -449,11 +449,6 @@ void __init dmi_scan_machine(void)
29140 }
29141 }
29142 else {
29143 - /*
29144 - * no iounmap() for that ioremap(); it would be a no-op, but
29145 - * it's so early in setup that sucker gets confused into doing
29146 - * what it shouldn't if we actually call it.
29147 - */
29148 p = dmi_ioremap(0xF0000, 0x10000);
29149 if (p == NULL)
29150 goto error;
29151 diff -urNp linux-2.6.39.3/drivers/gpio/vr41xx_giu.c linux-2.6.39.3/drivers/gpio/vr41xx_giu.c
29152 --- linux-2.6.39.3/drivers/gpio/vr41xx_giu.c 2011-05-19 00:06:34.000000000 -0400
29153 +++ linux-2.6.39.3/drivers/gpio/vr41xx_giu.c 2011-05-22 19:36:31.000000000 -0400
29154 @@ -204,7 +204,7 @@ static int giu_get_irq(unsigned int irq)
29155 printk(KERN_ERR "spurious GIU interrupt: %04x(%04x),%04x(%04x)\n",
29156 maskl, pendl, maskh, pendh);
29157
29158 - atomic_inc(&irq_err_count);
29159 + atomic_inc_unchecked(&irq_err_count);
29160
29161 return -EINVAL;
29162 }
29163 diff -urNp linux-2.6.39.3/drivers/gpu/drm/drm_crtc_helper.c linux-2.6.39.3/drivers/gpu/drm/drm_crtc_helper.c
29164 --- linux-2.6.39.3/drivers/gpu/drm/drm_crtc_helper.c 2011-05-19 00:06:34.000000000 -0400
29165 +++ linux-2.6.39.3/drivers/gpu/drm/drm_crtc_helper.c 2011-05-22 19:36:31.000000000 -0400
29166 @@ -276,7 +276,7 @@ static bool drm_encoder_crtc_ok(struct d
29167 struct drm_crtc *tmp;
29168 int crtc_mask = 1;
29169
29170 - WARN(!crtc, "checking null crtc?\n");
29171 + BUG_ON(!crtc);
29172
29173 dev = crtc->dev;
29174
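Review bot: Replacing `WARN(!crtc, ...)` with `BUG_ON(!crtc)` in drm_encoder_crtc_ok turns a logged condition into a fatal one and drops the diagnostic text. Stopping before `dev = crtc->dev` is sound, since the old code warned and then dereferenced the null pointer anyway, but the function returns bool and could refuse instead of halting: `if (WARN(!crtc, "checking null crtc?\n")) return false;`. Whether the callers can tolerate a false return here cannot be judged from the hunk, as the body continues outside it.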
29175 @@ -343,6 +343,8 @@ bool drm_crtc_helper_set_mode(struct drm
29176 struct drm_encoder *encoder;
29177 bool ret = true;
29178
29179 + pax_track_stack();
29180 +
29181 crtc->enabled = drm_helper_crtc_in_use(crtc);
29182 if (!crtc->enabled)
29183 return true;
29184 diff -urNp linux-2.6.39.3/drivers/gpu/drm/drm_drv.c linux-2.6.39.3/drivers/gpu/drm/drm_drv.c
29185 --- linux-2.6.39.3/drivers/gpu/drm/drm_drv.c 2011-05-19 00:06:34.000000000 -0400
29186 +++ linux-2.6.39.3/drivers/gpu/drm/drm_drv.c 2011-05-22 19:36:31.000000000 -0400
29187 @@ -386,7 +386,7 @@ long drm_ioctl(struct file *filp,
29188
29189 dev = file_priv->minor->dev;
29190 atomic_inc(&dev->ioctl_count);
29191 - atomic_inc(&dev->counts[_DRM_STAT_IOCTLS]);
29192 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_IOCTLS]);
29193 ++file_priv->ioctl_count;
29194
29195 DRM_DEBUG("pid=%d, cmd=0x%02x, nr=0x%02x, dev 0x%lx, auth=%d\n",
29196 diff -urNp linux-2.6.39.3/drivers/gpu/drm/drm_fops.c linux-2.6.39.3/drivers/gpu/drm/drm_fops.c
29197 --- linux-2.6.39.3/drivers/gpu/drm/drm_fops.c 2011-05-19 00:06:34.000000000 -0400
29198 +++ linux-2.6.39.3/drivers/gpu/drm/drm_fops.c 2011-05-22 19:36:31.000000000 -0400
29199 @@ -70,7 +70,7 @@ static int drm_setup(struct drm_device *
29200 }
29201
29202 for (i = 0; i < ARRAY_SIZE(dev->counts); i++)
29203 - atomic_set(&dev->counts[i], 0);
29204 + atomic_set_unchecked(&dev->counts[i], 0);
29205
29206 dev->sigdata.lock = NULL;
29207
29208 @@ -134,8 +134,8 @@ int drm_open(struct inode *inode, struct
29209
29210 retcode = drm_open_helper(inode, filp, dev);
29211 if (!retcode) {
29212 - atomic_inc(&dev->counts[_DRM_STAT_OPENS]);
29213 - if (!dev->open_count++)
29214 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_OPENS]);
29215 + if (local_inc_return(&dev->open_count) == 1)
29216 retcode = drm_setup(dev);
29217 }
29218 if (!retcode) {
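Review bot: `local_inc_return(&dev->open_count) == 1` in drm_open uses a local_t operation, which is atomic only with respect to the CPU it runs on, so the first-open test still depends on an outer lock that this hunk does not show. The matching `local_dec_and_test()` in drm_release (hunk at -565,8) appears to run under `drm_global_mutex`, while the readers in i915_switcheroo_can_switch and nouveau_switcheroo_can_switch take `dev->count_lock` instead. A comment at the increment naming the lock that serialises the counter, for example `/* open_count is serialised by drm_global_mutex; local_t is not SMP-atomic */`, would keep someone from later treating it as safe to touch lock-free. The declaration of `open_count` and the rest of drm_open are outside the hunk, so the lock actually held here should be confirmed.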
29219 @@ -472,7 +472,7 @@ int drm_release(struct inode *inode, str
29220
29221 mutex_lock(&drm_global_mutex);
29222
29223 - DRM_DEBUG("open_count = %d\n", dev->open_count);
29224 + DRM_DEBUG("open_count = %d\n", local_read(&dev->open_count));
29225
29226 if (dev->driver->preclose)
29227 dev->driver->preclose(dev, file_priv);
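Review bot: The format `"open_count = %d\n"` no longer matches its argument, because `local_read()` evaluates to a long; the line should read `DRM_DEBUG("open_count = %ld\n", local_read(&dev->open_count));`. The same mismatch is in the next drm_release hunk (-484,7), where the last `%d` of `"pid = %d, device = 0x%lx, open_count = %d\n"` now receives `local_read(&dev->open_count)`. A wrong-width variadic argument is undefined behaviour and will at least trip `-Wformat` on 64-bit builds.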
29228 @@ -484,7 +484,7 @@ int drm_release(struct inode *inode, str
29229 DRM_DEBUG("pid = %d, device = 0x%lx, open_count = %d\n",
29230 task_pid_nr(current),
29231 (long)old_encode_dev(file_priv->minor->device),
29232 - dev->open_count);
29233 + local_read(&dev->open_count));
29234
29235 /* if the master has gone away we can't do anything with the lock */
29236 if (file_priv->minor->master)
29237 @@ -565,8 +565,8 @@ int drm_release(struct inode *inode, str
29238 * End inline drm_release
29239 */
29240
29241 - atomic_inc(&dev->counts[_DRM_STAT_CLOSES]);
29242 - if (!--dev->open_count) {
29243 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_CLOSES]);
29244 + if (local_dec_and_test(&dev->open_count)) {
29245 if (atomic_read(&dev->ioctl_count)) {
29246 DRM_ERROR("Device busy: %d\n",
29247 atomic_read(&dev->ioctl_count));
29248 diff -urNp linux-2.6.39.3/drivers/gpu/drm/drm_global.c linux-2.6.39.3/drivers/gpu/drm/drm_global.c
29249 --- linux-2.6.39.3/drivers/gpu/drm/drm_global.c 2011-05-19 00:06:34.000000000 -0400
29250 +++ linux-2.6.39.3/drivers/gpu/drm/drm_global.c 2011-05-22 19:36:31.000000000 -0400
29251 @@ -36,7 +36,7 @@
29252 struct drm_global_item {
29253 struct mutex mutex;
29254 void *object;
29255 - int refcount;
29256 + atomic_t refcount;
29257 };
29258
29259 static struct drm_global_item glob[DRM_GLOBAL_NUM];
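Review bot: The change of `refcount` from `int` to `atomic_t` in struct drm_global_item is undocumented, and the later hunks in this file still read and modify it only with `item->mutex` held (drm_global_item_ref, drm_global_item_unref). So the atomic type is not there for concurrency; presumably it is there so the counter goes through the checked atomic helpers, unlike the statistics counters moved to `_unchecked` elsewhere in this patch. A field comment such as `/* guarded by mutex; atomic_t so increments are overflow-checked */` would keep a later cleanup from reverting it to a plain int.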
29260 @@ -49,7 +49,7 @@ void drm_global_init(void)
29261 struct drm_global_item *item = &glob[i];
29262 mutex_init(&item->mutex);
29263 item->object = NULL;
29264 - item->refcount = 0;
29265 + atomic_set(&item->refcount, 0);
29266 }
29267 }
29268
29269 @@ -59,7 +59,7 @@ void drm_global_release(void)
29270 for (i = 0; i < DRM_GLOBAL_NUM; ++i) {
29271 struct drm_global_item *item = &glob[i];
29272 BUG_ON(item->object != NULL);
29273 - BUG_ON(item->refcount != 0);
29274 + BUG_ON(atomic_read(&item->refcount) != 0);
29275 }
29276 }
29277
29278 @@ -70,7 +70,7 @@ int drm_global_item_ref(struct drm_globa
29279 void *object;
29280
29281 mutex_lock(&item->mutex);
29282 - if (item->refcount == 0) {
29283 + if (atomic_read(&item->refcount) == 0) {
29284 item->object = kzalloc(ref->size, GFP_KERNEL);
29285 if (unlikely(item->object == NULL)) {
29286 ret = -ENOMEM;
29287 @@ -83,7 +83,7 @@ int drm_global_item_ref(struct drm_globa
29288 goto out_err;
29289
29290 }
29291 - ++item->refcount;
29292 + atomic_inc(&item->refcount);
29293 ref->object = item->object;
29294 object = item->object;
29295 mutex_unlock(&item->mutex);
29296 @@ -100,9 +100,9 @@ void drm_global_item_unref(struct drm_gl
29297 struct drm_global_item *item = &glob[ref->global_type];
29298
29299 mutex_lock(&item->mutex);
29300 - BUG_ON(item->refcount == 0);
29301 + BUG_ON(atomic_read(&item->refcount) == 0);
29302 BUG_ON(ref->object != item->object);
29303 - if (--item->refcount == 0) {
29304 + if (atomic_dec_and_test(&item->refcount)) {
29305 ref->release(ref);
29306 item->object = NULL;
29307 }
29308 diff -urNp linux-2.6.39.3/drivers/gpu/drm/drm_info.c linux-2.6.39.3/drivers/gpu/drm/drm_info.c
29309 --- linux-2.6.39.3/drivers/gpu/drm/drm_info.c 2011-05-19 00:06:34.000000000 -0400
29310 +++ linux-2.6.39.3/drivers/gpu/drm/drm_info.c 2011-05-22 19:41:37.000000000 -0400
29311 @@ -75,10 +75,14 @@ int drm_vm_info(struct seq_file *m, void
29312 struct drm_local_map *map;
29313 struct drm_map_list *r_list;
29314
29315 - /* Hardcoded from _DRM_FRAME_BUFFER,
29316 - _DRM_REGISTERS, _DRM_SHM, _DRM_AGP, and
29317 - _DRM_SCATTER_GATHER and _DRM_CONSISTENT */
29318 - const char *types[] = { "FB", "REG", "SHM", "AGP", "SG", "PCI" };
29319 + static const char * const types[] = {
29320 + [_DRM_FRAME_BUFFER] = "FB",
29321 + [_DRM_REGISTERS] = "REG",
29322 + [_DRM_SHM] = "SHM",
29323 + [_DRM_AGP] = "AGP",
29324 + [_DRM_SCATTER_GATHER] = "SG",
29325 + [_DRM_CONSISTENT] = "PCI",
29326 + [_DRM_GEM] = "GEM" };
29327 const char *type;
29328 int i;
29329
29330 @@ -89,7 +93,7 @@ int drm_vm_info(struct seq_file *m, void
29331 map = r_list->map;
29332 if (!map)
29333 continue;
29334 - if (map->type < 0 || map->type > 5)
29335 + if (map->type >= ARRAY_SIZE(types))
29336 type = "??";
29337 else
29338 type = types[map->type];
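Review bot: With `types[]` now built from designated initialisers, `map->type >= ARRAY_SIZE(types)` in drm_vm_info bounds the index but no longer guarantees a non-NULL entry. Any enumerator value left without an initialiser yields a NULL slot that is then handed on as `type`; the enum's values are defined outside this hunk, so whether such a gap exists today cannot be confirmed here. `if (map->type >= ARRAY_SIZE(types) || !types[map->type])` closes that. The dropped `map->type < 0` test is covered only because the comparison against the size_t from ARRAY_SIZE is unsigned, which deserves a short comment on that line.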
29339 @@ -290,7 +294,11 @@ int drm_vma_info(struct seq_file *m, voi
29340 vma->vm_flags & VM_MAYSHARE ? 's' : 'p',
29341 vma->vm_flags & VM_LOCKED ? 'l' : '-',
29342 vma->vm_flags & VM_IO ? 'i' : '-',
29343 +#ifdef CONFIG_GRKERNSEC_HIDESYM
29344 + 0);
29345 +#else
29346 vma->vm_pgoff);
29347 +#endif
29348
29349 #if defined(__i386__)
29350 pgprot = pgprot_val(vma->vm_page_prot);
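Review bot: The literal `0` passed under CONFIG_GRKERNSEC_HIDESYM in drm_vma_info is an int standing in for `vma->vm_pgoff`, which is an unsigned long, so if the format string (outside this hunk) uses a long conversion for that slot the variadic argument has the wrong width. Writing `0UL);` keeps both branches type-identical. Splitting the argument list with `#ifdef` also leaves two copies of the closing `);`, and a local `unsigned long pgoff` assigned once before the call would be harder to break. The earlier arguments of this call are outside the hunk, so whether the other address fields are masked the same way should be checked there.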
29351 diff -urNp linux-2.6.39.3/drivers/gpu/drm/drm_ioctl.c linux-2.6.39.3/drivers/gpu/drm/drm_ioctl.c
29352 --- linux-2.6.39.3/drivers/gpu/drm/drm_ioctl.c 2011-05-19 00:06:34.000000000 -0400
29353 +++ linux-2.6.39.3/drivers/gpu/drm/drm_ioctl.c 2011-05-22 19:36:31.000000000 -0400
29354 @@ -256,7 +256,7 @@ int drm_getstats(struct drm_device *dev,
29355 stats->data[i].value =
29356 (file_priv->master->lock.hw_lock ? file_priv->master->lock.hw_lock->lock : 0);
29357 else
29358 - stats->data[i].value = atomic_read(&dev->counts[i]);
29359 + stats->data[i].value = atomic_read_unchecked(&dev->counts[i]);
29360 stats->data[i].type = dev->types[i];
29361 }
29362
29363 diff -urNp linux-2.6.39.3/drivers/gpu/drm/drm_lock.c linux-2.6.39.3/drivers/gpu/drm/drm_lock.c
29364 --- linux-2.6.39.3/drivers/gpu/drm/drm_lock.c 2011-05-19 00:06:34.000000000 -0400
29365 +++ linux-2.6.39.3/drivers/gpu/drm/drm_lock.c 2011-05-22 19:36:31.000000000 -0400
29366 @@ -89,7 +89,7 @@ int drm_lock(struct drm_device *dev, voi
29367 if (drm_lock_take(&master->lock, lock->context)) {
29368 master->lock.file_priv = file_priv;
29369 master->lock.lock_time = jiffies;
29370 - atomic_inc(&dev->counts[_DRM_STAT_LOCKS]);
29371 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_LOCKS]);
29372 break; /* Got lock */
29373 }
29374
29375 @@ -160,7 +160,7 @@ int drm_unlock(struct drm_device *dev, v
29376 return -EINVAL;
29377 }
29378
29379 - atomic_inc(&dev->counts[_DRM_STAT_UNLOCKS]);
29380 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_UNLOCKS]);
29381
29382 if (drm_lock_free(&master->lock, lock->context)) {
29383 /* FIXME: Should really bail out here. */
29384 diff -urNp linux-2.6.39.3/drivers/gpu/drm/i810/i810_dma.c linux-2.6.39.3/drivers/gpu/drm/i810/i810_dma.c
29385 --- linux-2.6.39.3/drivers/gpu/drm/i810/i810_dma.c 2011-05-19 00:06:34.000000000 -0400
29386 +++ linux-2.6.39.3/drivers/gpu/drm/i810/i810_dma.c 2011-05-22 19:36:31.000000000 -0400
29387 @@ -950,8 +950,8 @@ static int i810_dma_vertex(struct drm_de
29388 dma->buflist[vertex->idx],
29389 vertex->discard, vertex->used);
29390
29391 - atomic_add(vertex->used, &dev->counts[_DRM_STAT_SECONDARY]);
29392 - atomic_inc(&dev->counts[_DRM_STAT_DMA]);
29393 + atomic_add_unchecked(vertex->used, &dev->counts[_DRM_STAT_SECONDARY]);
29394 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_DMA]);
29395 sarea_priv->last_enqueue = dev_priv->counter - 1;
29396 sarea_priv->last_dispatch = (int)hw_status[5];
29397
29398 @@ -1111,8 +1111,8 @@ static int i810_dma_mc(struct drm_device
29399 i810_dma_dispatch_mc(dev, dma->buflist[mc->idx], mc->used,
29400 mc->last_render);
29401
29402 - atomic_add(mc->used, &dev->counts[_DRM_STAT_SECONDARY]);
29403 - atomic_inc(&dev->counts[_DRM_STAT_DMA]);
29404 + atomic_add_unchecked(mc->used, &dev->counts[_DRM_STAT_SECONDARY]);
29405 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_DMA]);
29406 sarea_priv->last_enqueue = dev_priv->counter - 1;
29407 sarea_priv->last_dispatch = (int)hw_status[5];
29408
29409 diff -urNp linux-2.6.39.3/drivers/gpu/drm/i810/i810_drv.h linux-2.6.39.3/drivers/gpu/drm/i810/i810_drv.h
29410 --- linux-2.6.39.3/drivers/gpu/drm/i810/i810_drv.h 2011-05-19 00:06:34.000000000 -0400
29411 +++ linux-2.6.39.3/drivers/gpu/drm/i810/i810_drv.h 2011-05-22 19:36:31.000000000 -0400
29412 @@ -108,8 +108,8 @@ typedef struct drm_i810_private {
29413 int page_flipping;
29414
29415 wait_queue_head_t irq_queue;
29416 - atomic_t irq_received;
29417 - atomic_t irq_emitted;
29418 + atomic_unchecked_t irq_received;
29419 + atomic_unchecked_t irq_emitted;
29420
29421 int front_offset;
29422 } drm_i810_private_t;
29423 diff -urNp linux-2.6.39.3/drivers/gpu/drm/i915/dvo_ch7017.c linux-2.6.39.3/drivers/gpu/drm/i915/dvo_ch7017.c
29424 --- linux-2.6.39.3/drivers/gpu/drm/i915/dvo_ch7017.c 2011-05-19 00:06:34.000000000 -0400
29425 +++ linux-2.6.39.3/drivers/gpu/drm/i915/dvo_ch7017.c 2011-05-22 19:36:31.000000000 -0400
29426 @@ -390,7 +390,7 @@ static void ch7017_destroy(struct intel_
29427 }
29428 }
29429
29430 -struct intel_dvo_dev_ops ch7017_ops = {
29431 +const struct intel_dvo_dev_ops ch7017_ops = {
29432 .init = ch7017_init,
29433 .detect = ch7017_detect,
29434 .mode_valid = ch7017_mode_valid,
29435 diff -urNp linux-2.6.39.3/drivers/gpu/drm/i915/dvo_ch7xxx.c linux-2.6.39.3/drivers/gpu/drm/i915/dvo_ch7xxx.c
29436 --- linux-2.6.39.3/drivers/gpu/drm/i915/dvo_ch7xxx.c 2011-05-19 00:06:34.000000000 -0400
29437 +++ linux-2.6.39.3/drivers/gpu/drm/i915/dvo_ch7xxx.c 2011-05-22 19:36:31.000000000 -0400
29438 @@ -320,7 +320,7 @@ static void ch7xxx_destroy(struct intel_
29439 }
29440 }
29441
29442 -struct intel_dvo_dev_ops ch7xxx_ops = {
29443 +const struct intel_dvo_dev_ops ch7xxx_ops = {
29444 .init = ch7xxx_init,
29445 .detect = ch7xxx_detect,
29446 .mode_valid = ch7xxx_mode_valid,
29447 diff -urNp linux-2.6.39.3/drivers/gpu/drm/i915/dvo.h linux-2.6.39.3/drivers/gpu/drm/i915/dvo.h
29448 --- linux-2.6.39.3/drivers/gpu/drm/i915/dvo.h 2011-05-19 00:06:34.000000000 -0400
29449 +++ linux-2.6.39.3/drivers/gpu/drm/i915/dvo.h 2011-05-22 19:36:31.000000000 -0400
29450 @@ -122,23 +122,23 @@ struct intel_dvo_dev_ops {
29451 *
29452 * \return singly-linked list of modes or NULL if no modes found.
29453 */
29454 - struct drm_display_mode *(*get_modes)(struct intel_dvo_device *dvo);
29455 + struct drm_display_mode *(* const get_modes)(struct intel_dvo_device *dvo);
29456
29457 /**
29458 * Clean up driver-specific bits of the output
29459 */
29460 - void (*destroy) (struct intel_dvo_device *dvo);
29461 + void (* const destroy) (struct intel_dvo_device *dvo);
29462
29463 /**
29464 * Debugging hook to dump device registers to log file
29465 */
29466 - void (*dump_regs)(struct intel_dvo_device *dvo);
29467 + void (* const dump_regs)(struct intel_dvo_device *dvo);
29468 };
29469
29470 -extern struct intel_dvo_dev_ops sil164_ops;
29471 -extern struct intel_dvo_dev_ops ch7xxx_ops;
29472 -extern struct intel_dvo_dev_ops ivch_ops;
29473 -extern struct intel_dvo_dev_ops tfp410_ops;
29474 -extern struct intel_dvo_dev_ops ch7017_ops;
29475 +extern const struct intel_dvo_dev_ops sil164_ops;
29476 +extern const struct intel_dvo_dev_ops ch7xxx_ops;
29477 +extern const struct intel_dvo_dev_ops ivch_ops;
29478 +extern const struct intel_dvo_dev_ops tfp410_ops;
29479 +extern const struct intel_dvo_dev_ops ch7017_ops;
29480
29481 #endif /* _INTEL_DVO_H */
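Review bot: Only `get_modes`, `destroy` and `dump_regs` gain the `* const` qualifier in struct intel_dvo_dev_ops; this is the file's only hunk and it starts at line 122, so the members declared above it keep plain pointers as far as this diff shows. Every instance is now declared `const struct intel_dvo_dev_ops` (the five externs below and the definitions in the dvo_*.c files), so the per-member qualifier adds nothing for those objects and makes the struct read inconsistently. Either qualify all members or drop the three `const`s and rely on the const instances, e.g. `void (*destroy) (struct intel_dvo_device *dvo);`.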
29482 diff -urNp linux-2.6.39.3/drivers/gpu/drm/i915/dvo_ivch.c linux-2.6.39.3/drivers/gpu/drm/i915/dvo_ivch.c
29483 --- linux-2.6.39.3/drivers/gpu/drm/i915/dvo_ivch.c 2011-05-19 00:06:34.000000000 -0400
29484 +++ linux-2.6.39.3/drivers/gpu/drm/i915/dvo_ivch.c 2011-05-22 19:36:31.000000000 -0400
29485 @@ -410,7 +410,7 @@ static void ivch_destroy(struct intel_dv
29486 }
29487 }
29488
29489 -struct intel_dvo_dev_ops ivch_ops= {
29490 +const struct intel_dvo_dev_ops ivch_ops= {
29491 .init = ivch_init,
29492 .dpms = ivch_dpms,
29493 .mode_valid = ivch_mode_valid,
29494 diff -urNp linux-2.6.39.3/drivers/gpu/drm/i915/dvo_sil164.c linux-2.6.39.3/drivers/gpu/drm/i915/dvo_sil164.c
29495 --- linux-2.6.39.3/drivers/gpu/drm/i915/dvo_sil164.c 2011-05-19 00:06:34.000000000 -0400
29496 +++ linux-2.6.39.3/drivers/gpu/drm/i915/dvo_sil164.c 2011-05-22 19:36:31.000000000 -0400
29497 @@ -252,7 +252,7 @@ static void sil164_destroy(struct intel_
29498 }
29499 }
29500
29501 -struct intel_dvo_dev_ops sil164_ops = {
29502 +const struct intel_dvo_dev_ops sil164_ops = {
29503 .init = sil164_init,
29504 .detect = sil164_detect,
29505 .mode_valid = sil164_mode_valid,
29506 diff -urNp linux-2.6.39.3/drivers/gpu/drm/i915/dvo_tfp410.c linux-2.6.39.3/drivers/gpu/drm/i915/dvo_tfp410.c
29507 --- linux-2.6.39.3/drivers/gpu/drm/i915/dvo_tfp410.c 2011-05-19 00:06:34.000000000 -0400
29508 +++ linux-2.6.39.3/drivers/gpu/drm/i915/dvo_tfp410.c 2011-05-22 19:36:31.000000000 -0400
29509 @@ -293,7 +293,7 @@ static void tfp410_destroy(struct intel_
29510 }
29511 }
29512
29513 -struct intel_dvo_dev_ops tfp410_ops = {
29514 +const struct intel_dvo_dev_ops tfp410_ops = {
29515 .init = tfp410_init,
29516 .detect = tfp410_detect,
29517 .mode_valid = tfp410_mode_valid,
29518 diff -urNp linux-2.6.39.3/drivers/gpu/drm/i915/i915_debugfs.c linux-2.6.39.3/drivers/gpu/drm/i915/i915_debugfs.c
29519 --- linux-2.6.39.3/drivers/gpu/drm/i915/i915_debugfs.c 2011-05-19 00:06:34.000000000 -0400
29520 +++ linux-2.6.39.3/drivers/gpu/drm/i915/i915_debugfs.c 2011-05-22 19:36:31.000000000 -0400
29521 @@ -496,7 +496,7 @@ static int i915_interrupt_info(struct se
29522 I915_READ(GTIMR));
29523 }
29524 seq_printf(m, "Interrupts received: %d\n",
29525 - atomic_read(&dev_priv->irq_received));
29526 + atomic_read_unchecked(&dev_priv->irq_received));
29527 for (i = 0; i < I915_NUM_RINGS; i++) {
29528 if (IS_GEN6(dev)) {
29529 seq_printf(m, "Graphics Interrupt mask (%s): %08x\n",
29530 diff -urNp linux-2.6.39.3/drivers/gpu/drm/i915/i915_dma.c linux-2.6.39.3/drivers/gpu/drm/i915/i915_dma.c
29531 --- linux-2.6.39.3/drivers/gpu/drm/i915/i915_dma.c 2011-05-19 00:06:34.000000000 -0400
29532 +++ linux-2.6.39.3/drivers/gpu/drm/i915/i915_dma.c 2011-05-22 19:36:31.000000000 -0400
29533 @@ -1171,7 +1171,7 @@ static bool i915_switcheroo_can_switch(s
29534 bool can_switch;
29535
29536 spin_lock(&dev->count_lock);
29537 - can_switch = (dev->open_count == 0);
29538 + can_switch = (local_read(&dev->open_count) == 0);
29539 spin_unlock(&dev->count_lock);
29540 return can_switch;
29541 }
29542 diff -urNp linux-2.6.39.3/drivers/gpu/drm/i915/i915_drv.c linux-2.6.39.3/drivers/gpu/drm/i915/i915_drv.c
29543 --- linux-2.6.39.3/drivers/gpu/drm/i915/i915_drv.c 2011-05-19 00:06:34.000000000 -0400
29544 +++ linux-2.6.39.3/drivers/gpu/drm/i915/i915_drv.c 2011-05-22 19:36:31.000000000 -0400
29545 @@ -679,7 +679,7 @@ static const struct dev_pm_ops i915_pm_o
29546 .restore = i915_pm_resume,
29547 };
29548
29549 -static struct vm_operations_struct i915_gem_vm_ops = {
29550 +static const struct vm_operations_struct i915_gem_vm_ops = {
29551 .fault = i915_gem_fault,
29552 .open = drm_gem_vm_open,
29553 .close = drm_gem_vm_close,
29554 diff -urNp linux-2.6.39.3/drivers/gpu/drm/i915/i915_drv.h linux-2.6.39.3/drivers/gpu/drm/i915/i915_drv.h
29555 --- linux-2.6.39.3/drivers/gpu/drm/i915/i915_drv.h 2011-05-19 00:06:34.000000000 -0400
29556 +++ linux-2.6.39.3/drivers/gpu/drm/i915/i915_drv.h 2011-05-22 19:36:31.000000000 -0400
29557 @@ -287,7 +287,7 @@ typedef struct drm_i915_private {
29558 int current_page;
29559 int page_flipping;
29560
29561 - atomic_t irq_received;
29562 + atomic_unchecked_t irq_received;
29563
29564 /* protects the irq masks */
29565 spinlock_t irq_lock;
29566 @@ -848,7 +848,7 @@ struct drm_i915_gem_object {
29567 * will be page flipped away on the next vblank. When it
29568 * reaches 0, dev_priv->pending_flip_queue will be woken up.
29569 */
29570 - atomic_t pending_flip;
29571 + atomic_unchecked_t pending_flip;
29572 };
29573
29574 #define to_intel_bo(x) container_of(x, struct drm_i915_gem_object, base)
29575 @@ -1232,7 +1232,7 @@ extern int intel_setup_gmbus(struct drm_
29576 extern void intel_teardown_gmbus(struct drm_device *dev);
29577 extern void intel_gmbus_set_speed(struct i2c_adapter *adapter, int speed);
29578 extern void intel_gmbus_force_bit(struct i2c_adapter *adapter, bool force_bit);
29579 -extern inline bool intel_gmbus_is_forced_bit(struct i2c_adapter *adapter)
29580 +static inline bool intel_gmbus_is_forced_bit(struct i2c_adapter *adapter)
29581 {
29582 return container_of(adapter, struct intel_gmbus, adapter)->force_bit;
29583 }
29584 diff -urNp linux-2.6.39.3/drivers/gpu/drm/i915/i915_gem_execbuffer.c linux-2.6.39.3/drivers/gpu/drm/i915/i915_gem_execbuffer.c
29585 --- linux-2.6.39.3/drivers/gpu/drm/i915/i915_gem_execbuffer.c 2011-05-19 00:06:34.000000000 -0400
29586 +++ linux-2.6.39.3/drivers/gpu/drm/i915/i915_gem_execbuffer.c 2011-05-22 19:36:31.000000000 -0400
29587 @@ -192,7 +192,7 @@ i915_gem_object_set_to_gpu_domain(struct
29588 i915_gem_release_mmap(obj);
29589
29590 if (obj->base.pending_write_domain)
29591 - cd->flips |= atomic_read(&obj->pending_flip);
29592 + cd->flips |= atomic_read_unchecked(&obj->pending_flip);
29593
29594 /* The actual obj->write_domain will be updated with
29595 * pending_write_domain after we emit the accumulated flush for all
29596 diff -urNp linux-2.6.39.3/drivers/gpu/drm/i915/i915_irq.c linux-2.6.39.3/drivers/gpu/drm/i915/i915_irq.c
29597 --- linux-2.6.39.3/drivers/gpu/drm/i915/i915_irq.c 2011-07-09 09:18:51.000000000 -0400
29598 +++ linux-2.6.39.3/drivers/gpu/drm/i915/i915_irq.c 2011-07-09 09:19:18.000000000 -0400
29599 @@ -1101,7 +1101,7 @@ irqreturn_t i915_driver_irq_handler(DRM_
29600 int ret = IRQ_NONE, pipe;
29601 bool blc_event = false;
29602
29603 - atomic_inc(&dev_priv->irq_received);
29604 + atomic_inc_unchecked(&dev_priv->irq_received);
29605
29606 if (HAS_PCH_SPLIT(dev))
29607 return ironlake_irq_handler(dev);
29608 @@ -1666,7 +1666,7 @@ void i915_driver_irq_preinstall(struct d
29609 drm_i915_private_t *dev_priv = (drm_i915_private_t *) dev->dev_private;
29610 int pipe;
29611
29612 - atomic_set(&dev_priv->irq_received, 0);
29613 + atomic_set_unchecked(&dev_priv->irq_received, 0);
29614
29615 INIT_WORK(&dev_priv->hotplug_work, i915_hotplug_work_func);
29616 INIT_WORK(&dev_priv->error_work, i915_error_work_func);
29617 diff -urNp linux-2.6.39.3/drivers/gpu/drm/i915/intel_display.c linux-2.6.39.3/drivers/gpu/drm/i915/intel_display.c
29618 --- linux-2.6.39.3/drivers/gpu/drm/i915/intel_display.c 2011-05-19 00:06:34.000000000 -0400
29619 +++ linux-2.6.39.3/drivers/gpu/drm/i915/intel_display.c 2011-05-22 19:36:31.000000000 -0400
29620 @@ -2244,7 +2244,7 @@ intel_pipe_set_base(struct drm_crtc *crt
29621
29622 wait_event(dev_priv->pending_flip_queue,
29623 atomic_read(&dev_priv->mm.wedged) ||
29624 - atomic_read(&obj->pending_flip) == 0);
29625 + atomic_read_unchecked(&obj->pending_flip) == 0);
29626
29627 /* Big Hammer, we also need to ensure that any pending
29628 * MI_WAIT_FOR_EVENT inside a user batch buffer on the
29629 @@ -2712,7 +2712,7 @@ static void intel_crtc_wait_for_pending_
29630 obj = to_intel_framebuffer(crtc->fb)->obj;
29631 dev_priv = crtc->dev->dev_private;
29632 wait_event(dev_priv->pending_flip_queue,
29633 - atomic_read(&obj->pending_flip) == 0);
29634 + atomic_read_unchecked(&obj->pending_flip) == 0);
29635 }
29636
29637 static bool intel_crtc_driving_pch(struct drm_crtc *crtc)
29638 @@ -6016,7 +6016,7 @@ static void do_intel_finish_page_flip(st
29639
29640 atomic_clear_mask(1 << intel_crtc->plane,
29641 &obj->pending_flip.counter);
29642 - if (atomic_read(&obj->pending_flip) == 0)
29643 + if (atomic_read_unchecked(&obj->pending_flip) == 0)
29644 wake_up(&dev_priv->pending_flip_queue);
29645
29646 schedule_work(&work->work);
29647 @@ -6145,7 +6145,7 @@ static int intel_crtc_page_flip(struct d
29648 /* Block clients from rendering to the new back buffer until
29649 * the flip occurs and the object is no longer visible.
29650 */
29651 - atomic_add(1 << intel_crtc->plane, &work->old_fb_obj->pending_flip);
29652 + atomic_add_unchecked(1 << intel_crtc->plane, &work->old_fb_obj->pending_flip);
29653
29654 switch (INTEL_INFO(dev)->gen) {
29655 case 2:
29656 diff -urNp linux-2.6.39.3/drivers/gpu/drm/mga/mga_drv.h linux-2.6.39.3/drivers/gpu/drm/mga/mga_drv.h
29657 --- linux-2.6.39.3/drivers/gpu/drm/mga/mga_drv.h 2011-05-19 00:06:34.000000000 -0400
29658 +++ linux-2.6.39.3/drivers/gpu/drm/mga/mga_drv.h 2011-05-22 19:36:31.000000000 -0400
29659 @@ -120,9 +120,9 @@ typedef struct drm_mga_private {
29660 u32 clear_cmd;
29661 u32 maccess;
29662
29663 - atomic_t vbl_received; /**< Number of vblanks received. */
29664 + atomic_unchecked_t vbl_received; /**< Number of vblanks received. */
29665 wait_queue_head_t fence_queue;
29666 - atomic_t last_fence_retired;
29667 + atomic_unchecked_t last_fence_retired;
29668 u32 next_fence_to_post;
29669
29670 unsigned int fb_cpp;
29671 diff -urNp linux-2.6.39.3/drivers/gpu/drm/mga/mga_irq.c linux-2.6.39.3/drivers/gpu/drm/mga/mga_irq.c
29672 --- linux-2.6.39.3/drivers/gpu/drm/mga/mga_irq.c 2011-05-19 00:06:34.000000000 -0400
29673 +++ linux-2.6.39.3/drivers/gpu/drm/mga/mga_irq.c 2011-05-22 19:36:31.000000000 -0400
29674 @@ -44,7 +44,7 @@ u32 mga_get_vblank_counter(struct drm_de
29675 if (crtc != 0)
29676 return 0;
29677
29678 - return atomic_read(&dev_priv->vbl_received);
29679 + return atomic_read_unchecked(&dev_priv->vbl_received);
29680 }
29681
29682
29683 @@ -60,7 +60,7 @@ irqreturn_t mga_driver_irq_handler(DRM_I
29684 /* VBLANK interrupt */
29685 if (status & MGA_VLINEPEN) {
29686 MGA_WRITE(MGA_ICLEAR, MGA_VLINEICLR);
29687 - atomic_inc(&dev_priv->vbl_received);
29688 + atomic_inc_unchecked(&dev_priv->vbl_received);
29689 drm_handle_vblank(dev, 0);
29690 handled = 1;
29691 }
29692 @@ -79,7 +79,7 @@ irqreturn_t mga_driver_irq_handler(DRM_I
29693 if ((prim_start & ~0x03) != (prim_end & ~0x03))
29694 MGA_WRITE(MGA_PRIMEND, prim_end);
29695
29696 - atomic_inc(&dev_priv->last_fence_retired);
29697 + atomic_inc_unchecked(&dev_priv->last_fence_retired);
29698 DRM_WAKEUP(&dev_priv->fence_queue);
29699 handled = 1;
29700 }
29701 @@ -130,7 +130,7 @@ int mga_driver_fence_wait(struct drm_dev
29702 * using fences.
29703 */
29704 DRM_WAIT_ON(ret, dev_priv->fence_queue, 3 * DRM_HZ,
29705 - (((cur_fence = atomic_read(&dev_priv->last_fence_retired))
29706 + (((cur_fence = atomic_read_unchecked(&dev_priv->last_fence_retired))
29707 - *sequence) <= (1 << 23)));
29708
29709 *sequence = cur_fence;
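Review bot: The move to `atomic_read_unchecked()` in mga_driver_fence_wait is load-bearing rather than cosmetic, and the hunk does not say so. The wait condition `(cur_fence - *sequence) <= (1 << 23)` only works if `last_fence_retired` is allowed to wrap, which an overflow-checked counter would presumably treat as an error. A comment above the DRM_WAIT_ON, e.g. `/* fence counter wraps by design; must stay on the unchecked atomic API */`, would record that. The function body starts outside the hunk.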
29710 diff -urNp linux-2.6.39.3/drivers/gpu/drm/nouveau/nouveau_acpi.c linux-2.6.39.3/drivers/gpu/drm/nouveau/nouveau_acpi.c
29711 --- linux-2.6.39.3/drivers/gpu/drm/nouveau/nouveau_acpi.c 2011-05-19 00:06:34.000000000 -0400
29712 +++ linux-2.6.39.3/drivers/gpu/drm/nouveau/nouveau_acpi.c 2011-05-22 19:36:31.000000000 -0400
29713 @@ -141,7 +141,7 @@ static int nouveau_dsm_get_client_id(str
29714 return VGA_SWITCHEROO_DIS;
29715 }
29716
29717 -static struct vga_switcheroo_handler nouveau_dsm_handler = {
29718 +static const struct vga_switcheroo_handler nouveau_dsm_handler = {
29719 .switchto = nouveau_dsm_switchto,
29720 .power_state = nouveau_dsm_power_state,
29721 .init = nouveau_dsm_init,
29722 diff -urNp linux-2.6.39.3/drivers/gpu/drm/nouveau/nouveau_drv.h linux-2.6.39.3/drivers/gpu/drm/nouveau/nouveau_drv.h
29723 --- linux-2.6.39.3/drivers/gpu/drm/nouveau/nouveau_drv.h 2011-05-19 00:06:34.000000000 -0400
29724 +++ linux-2.6.39.3/drivers/gpu/drm/nouveau/nouveau_drv.h 2011-06-07 18:07:24.000000000 -0400
29725 @@ -228,7 +228,7 @@ struct nouveau_channel {
29726 struct list_head pending;
29727 uint32_t sequence;
29728 uint32_t sequence_ack;
29729 - atomic_t last_sequence_irq;
29730 + atomic_unchecked_t last_sequence_irq;
29731 } fence;
29732
29733 /* DMA push buffer */
29734 @@ -662,7 +662,7 @@ struct drm_nouveau_private {
29735 struct drm_global_reference mem_global_ref;
29736 struct ttm_bo_global_ref bo_global_ref;
29737 struct ttm_bo_device bdev;
29738 - atomic_t validate_sequence;
29739 + atomic_unchecked_t validate_sequence;
29740 } ttm;
29741
29742 struct {
29743 diff -urNp linux-2.6.39.3/drivers/gpu/drm/nouveau/nouveau_fence.c linux-2.6.39.3/drivers/gpu/drm/nouveau/nouveau_fence.c
29744 --- linux-2.6.39.3/drivers/gpu/drm/nouveau/nouveau_fence.c 2011-05-19 00:06:34.000000000 -0400
29745 +++ linux-2.6.39.3/drivers/gpu/drm/nouveau/nouveau_fence.c 2011-05-22 19:36:31.000000000 -0400
29746 @@ -85,7 +85,7 @@ nouveau_fence_update(struct nouveau_chan
29747 if (USE_REFCNT(dev))
29748 sequence = nvchan_rd32(chan, 0x48);
29749 else
29750 - sequence = atomic_read(&chan->fence.last_sequence_irq);
29751 + sequence = atomic_read_unchecked(&chan->fence.last_sequence_irq);
29752
29753 if (chan->fence.sequence_ack == sequence)
29754 goto out;
29755 @@ -553,7 +553,7 @@ nouveau_fence_channel_init(struct nouvea
29756 out_initialised:
29757 INIT_LIST_HEAD(&chan->fence.pending);
29758 spin_lock_init(&chan->fence.lock);
29759 - atomic_set(&chan->fence.last_sequence_irq, 0);
29760 + atomic_set_unchecked(&chan->fence.last_sequence_irq, 0);
29761 return 0;
29762 }
29763
29764 diff -urNp linux-2.6.39.3/drivers/gpu/drm/nouveau/nouveau_gem.c linux-2.6.39.3/drivers/gpu/drm/nouveau/nouveau_gem.c
29765 --- linux-2.6.39.3/drivers/gpu/drm/nouveau/nouveau_gem.c 2011-05-19 00:06:34.000000000 -0400
29766 +++ linux-2.6.39.3/drivers/gpu/drm/nouveau/nouveau_gem.c 2011-05-22 19:36:31.000000000 -0400
29767 @@ -249,7 +249,7 @@ validate_init(struct nouveau_channel *ch
29768 int trycnt = 0;
29769 int ret, i;
29770
29771 - sequence = atomic_add_return(1, &dev_priv->ttm.validate_sequence);
29772 + sequence = atomic_add_return_unchecked(1, &dev_priv->ttm.validate_sequence);
29773 retry:
29774 if (++trycnt > 100000) {
29775 NV_ERROR(dev, "%s failed and gave up.\n", __func__);
29776 diff -urNp linux-2.6.39.3/drivers/gpu/drm/nouveau/nouveau_state.c linux-2.6.39.3/drivers/gpu/drm/nouveau/nouveau_state.c
29777 --- linux-2.6.39.3/drivers/gpu/drm/nouveau/nouveau_state.c 2011-05-19 00:06:34.000000000 -0400
29778 +++ linux-2.6.39.3/drivers/gpu/drm/nouveau/nouveau_state.c 2011-05-22 19:36:31.000000000 -0400
29779 @@ -583,7 +583,7 @@ static bool nouveau_switcheroo_can_switc
29780 bool can_switch;
29781
29782 spin_lock(&dev->count_lock);
29783 - can_switch = (dev->open_count == 0);
29784 + can_switch = (local_read(&dev->open_count) == 0);
29785 spin_unlock(&dev->count_lock);
29786 return can_switch;
29787 }
29788 diff -urNp linux-2.6.39.3/drivers/gpu/drm/nouveau/nv04_graph.c linux-2.6.39.3/drivers/gpu/drm/nouveau/nv04_graph.c
29789 --- linux-2.6.39.3/drivers/gpu/drm/nouveau/nv04_graph.c 2011-05-19 00:06:34.000000000 -0400
29790 +++ linux-2.6.39.3/drivers/gpu/drm/nouveau/nv04_graph.c 2011-05-22 19:36:31.000000000 -0400
29791 @@ -552,7 +552,7 @@ static int
29792 nv04_graph_mthd_set_ref(struct nouveau_channel *chan,
29793 u32 class, u32 mthd, u32 data)
29794 {
29795 - atomic_set(&chan->fence.last_sequence_irq, data);
29796 + atomic_set_unchecked(&chan->fence.last_sequence_irq, data);
29797 return 0;
29798 }
29799
29800 diff -urNp linux-2.6.39.3/drivers/gpu/drm/r128/r128_cce.c linux-2.6.39.3/drivers/gpu/drm/r128/r128_cce.c
29801 --- linux-2.6.39.3/drivers/gpu/drm/r128/r128_cce.c 2011-05-19 00:06:34.000000000 -0400
29802 +++ linux-2.6.39.3/drivers/gpu/drm/r128/r128_cce.c 2011-05-22 19:36:31.000000000 -0400
29803 @@ -377,7 +377,7 @@ static int r128_do_init_cce(struct drm_d
29804
29805 /* GH: Simple idle check.
29806 */
29807 - atomic_set(&dev_priv->idle_count, 0);
29808 + atomic_set_unchecked(&dev_priv->idle_count, 0);
29809
29810 /* We don't support anything other than bus-mastering ring mode,
29811 * but the ring can be in either AGP or PCI space for the ring
29812 diff -urNp linux-2.6.39.3/drivers/gpu/drm/r128/r128_drv.h linux-2.6.39.3/drivers/gpu/drm/r128/r128_drv.h
29813 --- linux-2.6.39.3/drivers/gpu/drm/r128/r128_drv.h 2011-05-19 00:06:34.000000000 -0400
29814 +++ linux-2.6.39.3/drivers/gpu/drm/r128/r128_drv.h 2011-05-22 19:36:31.000000000 -0400
29815 @@ -90,14 +90,14 @@ typedef struct drm_r128_private {
29816 int is_pci;
29817 unsigned long cce_buffers_offset;
29818
29819 - atomic_t idle_count;
29820 + atomic_unchecked_t idle_count;
29821
29822 int page_flipping;
29823 int current_page;
29824 u32 crtc_offset;
29825 u32 crtc_offset_cntl;
29826
29827 - atomic_t vbl_received;
29828 + atomic_unchecked_t vbl_received;
29829
29830 u32 color_fmt;
29831 unsigned int front_offset;
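Review bot: `idle_count` and `vbl_received` become `atomic_unchecked_t` with nothing at the declaration saying why they are exempt from overflow checking. These look like event counters that may wrap harmlessly rather than reference counts, which is presumably why they opt out of the PaX refcount protection; a comment on each field such as `/* event counter, wrap is harmless: not a refcount, so unchecked */` would record that. The same applies to the other conversions on this page: `swi_emitted` in radeon_drv.h, `seq` in radeon.h, `irq_received` and `vbl_received` in via_drv.h, `fence_seq` in vmwgfx_drv.h, `interrupt_handled` in sht15.c, and the static `start_pool` and `id` counters. The vmwgfx_drv.h hunk shows why the distinction needs stating, since `fence_queue_waiters` a few lines below `fence_seq` stays a checked `atomic_t`. The struct definition continues outside this hunk.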
29832 diff -urNp linux-2.6.39.3/drivers/gpu/drm/r128/r128_irq.c linux-2.6.39.3/drivers/gpu/drm/r128/r128_irq.c
29833 --- linux-2.6.39.3/drivers/gpu/drm/r128/r128_irq.c 2011-05-19 00:06:34.000000000 -0400
29834 +++ linux-2.6.39.3/drivers/gpu/drm/r128/r128_irq.c 2011-05-22 19:36:31.000000000 -0400
29835 @@ -42,7 +42,7 @@ u32 r128_get_vblank_counter(struct drm_d
29836 if (crtc != 0)
29837 return 0;
29838
29839 - return atomic_read(&dev_priv->vbl_received);
29840 + return atomic_read_unchecked(&dev_priv->vbl_received);
29841 }
29842
29843 irqreturn_t r128_driver_irq_handler(DRM_IRQ_ARGS)
29844 @@ -56,7 +56,7 @@ irqreturn_t r128_driver_irq_handler(DRM_
29845 /* VBLANK interrupt */
29846 if (status & R128_CRTC_VBLANK_INT) {
29847 R128_WRITE(R128_GEN_INT_STATUS, R128_CRTC_VBLANK_INT_AK);
29848 - atomic_inc(&dev_priv->vbl_received);
29849 + atomic_inc_unchecked(&dev_priv->vbl_received);
29850 drm_handle_vblank(dev, 0);
29851 return IRQ_HANDLED;
29852 }
29853 diff -urNp linux-2.6.39.3/drivers/gpu/drm/r128/r128_state.c linux-2.6.39.3/drivers/gpu/drm/r128/r128_state.c
29854 --- linux-2.6.39.3/drivers/gpu/drm/r128/r128_state.c 2011-05-19 00:06:34.000000000 -0400
29855 +++ linux-2.6.39.3/drivers/gpu/drm/r128/r128_state.c 2011-05-22 19:36:31.000000000 -0400
29856 @@ -321,10 +321,10 @@ static void r128_clear_box(drm_r128_priv
29857
29858 static void r128_cce_performance_boxes(drm_r128_private_t *dev_priv)
29859 {
29860 - if (atomic_read(&dev_priv->idle_count) == 0)
29861 + if (atomic_read_unchecked(&dev_priv->idle_count) == 0)
29862 r128_clear_box(dev_priv, 64, 4, 8, 8, 0, 255, 0);
29863 else
29864 - atomic_set(&dev_priv->idle_count, 0);
29865 + atomic_set_unchecked(&dev_priv->idle_count, 0);
29866 }
29867
29868 #endif
29869 diff -urNp linux-2.6.39.3/drivers/gpu/drm/radeon/atom.c linux-2.6.39.3/drivers/gpu/drm/radeon/atom.c
29870 --- linux-2.6.39.3/drivers/gpu/drm/radeon/atom.c 2011-05-19 00:06:34.000000000 -0400
29871 +++ linux-2.6.39.3/drivers/gpu/drm/radeon/atom.c 2011-05-22 19:36:31.000000000 -0400
29872 @@ -1245,6 +1245,8 @@ struct atom_context *atom_parse(struct c
29873 char name[512];
29874 int i;
29875
29876 + pax_track_stack();
29877 +
29878 ctx->card = card;
29879 ctx->bios = bios;
29880
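Review bot: The added `pax_track_stack();` call has no comment, and the only visible reason for it is the `char name[512];` local a few lines above. If the call is there because the frame is large enough to matter for kernel-stack sanitising (an inference, since the helper's definition is not on this page), say so with `/* large frame (name[512]): record stack depth for stack sanitising */`. The same call is added without explanation in the radeon_atombios.c and radeon_display.c hunks, where most of the locals that would justify it are outside the hunk. atom_parse's body continues outside this hunk.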
29881 diff -urNp linux-2.6.39.3/drivers/gpu/drm/radeon/mkregtable.c linux-2.6.39.3/drivers/gpu/drm/radeon/mkregtable.c
29882 --- linux-2.6.39.3/drivers/gpu/drm/radeon/mkregtable.c 2011-05-19 00:06:34.000000000 -0400
29883 +++ linux-2.6.39.3/drivers/gpu/drm/radeon/mkregtable.c 2011-05-22 19:36:31.000000000 -0400
29884 @@ -637,14 +637,14 @@ static int parser_auth(struct table *t,
29885 regex_t mask_rex;
29886 regmatch_t match[4];
29887 char buf[1024];
29888 - size_t end;
29889 + long end;
29890 int len;
29891 int done = 0;
29892 int r;
29893 unsigned o;
29894 struct offset *offset;
29895 char last_reg_s[10];
29896 - int last_reg;
29897 + unsigned long last_reg;
29898
29899 if (regcomp
29900 (&mask_rex, "(0x[0-9a-fA-F]*) *([_a-zA-Z0-9]*)", REG_EXTENDED)) {
29901 diff -urNp linux-2.6.39.3/drivers/gpu/drm/radeon/radeon_atombios.c linux-2.6.39.3/drivers/gpu/drm/radeon/radeon_atombios.c
29902 --- linux-2.6.39.3/drivers/gpu/drm/radeon/radeon_atombios.c 2011-05-19 00:06:34.000000000 -0400
29903 +++ linux-2.6.39.3/drivers/gpu/drm/radeon/radeon_atombios.c 2011-05-22 19:36:31.000000000 -0400
29904 @@ -545,6 +545,8 @@ bool radeon_get_atom_connector_info_from
29905 struct radeon_gpio_rec gpio;
29906 struct radeon_hpd hpd;
29907
29908 + pax_track_stack();
29909 +
29910 if (!atom_parse_data_header(ctx, index, &size, &frev, &crev, &data_offset))
29911 return false;
29912
29913 diff -urNp linux-2.6.39.3/drivers/gpu/drm/radeon/radeon_atpx_handler.c linux-2.6.39.3/drivers/gpu/drm/radeon/radeon_atpx_handler.c
29914 --- linux-2.6.39.3/drivers/gpu/drm/radeon/radeon_atpx_handler.c 2011-05-19 00:06:34.000000000 -0400
29915 +++ linux-2.6.39.3/drivers/gpu/drm/radeon/radeon_atpx_handler.c 2011-05-22 19:36:31.000000000 -0400
29916 @@ -234,7 +234,7 @@ static int radeon_atpx_get_client_id(str
29917 return VGA_SWITCHEROO_DIS;
29918 }
29919
29920 -static struct vga_switcheroo_handler radeon_atpx_handler = {
29921 +static const struct vga_switcheroo_handler radeon_atpx_handler = {
29922 .switchto = radeon_atpx_switchto,
29923 .power_state = radeon_atpx_power_state,
29924 .init = radeon_atpx_init,
29925 diff -urNp linux-2.6.39.3/drivers/gpu/drm/radeon/radeon_device.c linux-2.6.39.3/drivers/gpu/drm/radeon/radeon_device.c
29926 --- linux-2.6.39.3/drivers/gpu/drm/radeon/radeon_device.c 2011-06-25 12:55:22.000000000 -0400
29927 +++ linux-2.6.39.3/drivers/gpu/drm/radeon/radeon_device.c 2011-06-25 13:00:25.000000000 -0400
29928 @@ -674,7 +674,7 @@ static bool radeon_switcheroo_can_switch
29929 bool can_switch;
29930
29931 spin_lock(&dev->count_lock);
29932 - can_switch = (dev->open_count == 0);
29933 + can_switch = (local_read(&dev->open_count) == 0);
29934 spin_unlock(&dev->count_lock);
29935 return can_switch;
29936 }
29937 diff -urNp linux-2.6.39.3/drivers/gpu/drm/radeon/radeon_display.c linux-2.6.39.3/drivers/gpu/drm/radeon/radeon_display.c
29938 --- linux-2.6.39.3/drivers/gpu/drm/radeon/radeon_display.c 2011-05-19 00:06:34.000000000 -0400
29939 +++ linux-2.6.39.3/drivers/gpu/drm/radeon/radeon_display.c 2011-05-22 19:36:31.000000000 -0400
29940 @@ -934,6 +934,8 @@ void radeon_compute_pll_legacy(struct ra
29941 uint32_t post_div;
29942 u32 pll_out_min, pll_out_max;
29943
29944 + pax_track_stack();
29945 +
29946 DRM_DEBUG_KMS("PLL freq %llu %u %u\n", freq, pll->min_ref_div, pll->max_ref_div);
29947 freq = freq * 1000;
29948
29949 diff -urNp linux-2.6.39.3/drivers/gpu/drm/radeon/radeon_drv.h linux-2.6.39.3/drivers/gpu/drm/radeon/radeon_drv.h
29950 --- linux-2.6.39.3/drivers/gpu/drm/radeon/radeon_drv.h 2011-05-19 00:06:34.000000000 -0400
29951 +++ linux-2.6.39.3/drivers/gpu/drm/radeon/radeon_drv.h 2011-05-22 19:36:31.000000000 -0400
29952 @@ -255,7 +255,7 @@ typedef struct drm_radeon_private {
29953
29954 /* SW interrupt */
29955 wait_queue_head_t swi_queue;
29956 - atomic_t swi_emitted;
29957 + atomic_unchecked_t swi_emitted;
29958 int vblank_crtc;
29959 uint32_t irq_enable_reg;
29960 uint32_t r500_disp_irq_reg;
29961 diff -urNp linux-2.6.39.3/drivers/gpu/drm/radeon/radeon_fence.c linux-2.6.39.3/drivers/gpu/drm/radeon/radeon_fence.c
29962 --- linux-2.6.39.3/drivers/gpu/drm/radeon/radeon_fence.c 2011-05-19 00:06:34.000000000 -0400
29963 +++ linux-2.6.39.3/drivers/gpu/drm/radeon/radeon_fence.c 2011-05-22 19:36:31.000000000 -0400
29964 @@ -49,7 +49,7 @@ int radeon_fence_emit(struct radeon_devi
29965 write_unlock_irqrestore(&rdev->fence_drv.lock, irq_flags);
29966 return 0;
29967 }
29968 - fence->seq = atomic_add_return(1, &rdev->fence_drv.seq);
29969 + fence->seq = atomic_add_return_unchecked(1, &rdev->fence_drv.seq);
29970 if (!rdev->cp.ready) {
29971 /* FIXME: cp is not running assume everythings is done right
29972 * away
29973 @@ -352,7 +352,7 @@ int radeon_fence_driver_init(struct rade
29974 return r;
29975 }
29976 WREG32(rdev->fence_drv.scratch_reg, 0);
29977 - atomic_set(&rdev->fence_drv.seq, 0);
29978 + atomic_set_unchecked(&rdev->fence_drv.seq, 0);
29979 INIT_LIST_HEAD(&rdev->fence_drv.created);
29980 INIT_LIST_HEAD(&rdev->fence_drv.emited);
29981 INIT_LIST_HEAD(&rdev->fence_drv.signaled);
29982 diff -urNp linux-2.6.39.3/drivers/gpu/drm/radeon/radeon.h linux-2.6.39.3/drivers/gpu/drm/radeon/radeon.h
29983 --- linux-2.6.39.3/drivers/gpu/drm/radeon/radeon.h 2011-05-19 00:06:34.000000000 -0400
29984 +++ linux-2.6.39.3/drivers/gpu/drm/radeon/radeon.h 2011-05-22 19:36:31.000000000 -0400
29985 @@ -189,7 +189,7 @@ extern int sumo_get_temp(struct radeon_d
29986 */
29987 struct radeon_fence_driver {
29988 uint32_t scratch_reg;
29989 - atomic_t seq;
29990 + atomic_unchecked_t seq;
29991 uint32_t last_seq;
29992 unsigned long last_jiffies;
29993 unsigned long last_timeout;
29994 diff -urNp linux-2.6.39.3/drivers/gpu/drm/radeon/radeon_ioc32.c linux-2.6.39.3/drivers/gpu/drm/radeon/radeon_ioc32.c
29995 --- linux-2.6.39.3/drivers/gpu/drm/radeon/radeon_ioc32.c 2011-05-19 00:06:34.000000000 -0400
29996 +++ linux-2.6.39.3/drivers/gpu/drm/radeon/radeon_ioc32.c 2011-05-22 19:36:31.000000000 -0400
29997 @@ -359,7 +359,7 @@ static int compat_radeon_cp_setparam(str
29998 request = compat_alloc_user_space(sizeof(*request));
29999 if (!access_ok(VERIFY_WRITE, request, sizeof(*request))
30000 || __put_user(req32.param, &request->param)
30001 - || __put_user((void __user *)(unsigned long)req32.value,
30002 + || __put_user((unsigned long)req32.value,
30003 &request->value))
30004 return -EFAULT;
30005
30006 diff -urNp linux-2.6.39.3/drivers/gpu/drm/radeon/radeon_irq.c linux-2.6.39.3/drivers/gpu/drm/radeon/radeon_irq.c
30007 --- linux-2.6.39.3/drivers/gpu/drm/radeon/radeon_irq.c 2011-05-19 00:06:34.000000000 -0400
30008 +++ linux-2.6.39.3/drivers/gpu/drm/radeon/radeon_irq.c 2011-05-22 19:36:31.000000000 -0400
30009 @@ -225,8 +225,8 @@ static int radeon_emit_irq(struct drm_de
30010 unsigned int ret;
30011 RING_LOCALS;
30012
30013 - atomic_inc(&dev_priv->swi_emitted);
30014 - ret = atomic_read(&dev_priv->swi_emitted);
30015 + atomic_inc_unchecked(&dev_priv->swi_emitted);
30016 + ret = atomic_read_unchecked(&dev_priv->swi_emitted);
30017
30018 BEGIN_RING(4);
30019 OUT_RING_REG(RADEON_LAST_SWI_REG, ret);
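Review bot: `atomic_inc_unchecked()` followed by a separate `atomic_read_unchecked()` is not one atomic step, so if two callers can reach radeon_emit_irq concurrently both may read the same value and write the same sequence number to `RADEON_LAST_SWI_REG`. Whether a lock held by the caller already serialises this is not visible in the hunk. If it does not, collapse the pair into `ret = atomic_inc_return_unchecked(&dev_priv->swi_emitted);`, the form this patch already uses in hid-core.c. The function body continues outside the hunk.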
30020 @@ -352,7 +352,7 @@ int radeon_driver_irq_postinstall(struct
30021 drm_radeon_private_t *dev_priv =
30022 (drm_radeon_private_t *) dev->dev_private;
30023
30024 - atomic_set(&dev_priv->swi_emitted, 0);
30025 + atomic_set_unchecked(&dev_priv->swi_emitted, 0);
30026 DRM_INIT_WAITQUEUE(&dev_priv->swi_queue);
30027
30028 dev->max_vblank_count = 0x001fffff;
30029 diff -urNp linux-2.6.39.3/drivers/gpu/drm/radeon/radeon_state.c linux-2.6.39.3/drivers/gpu/drm/radeon/radeon_state.c
30030 --- linux-2.6.39.3/drivers/gpu/drm/radeon/radeon_state.c 2011-05-19 00:06:34.000000000 -0400
30031 +++ linux-2.6.39.3/drivers/gpu/drm/radeon/radeon_state.c 2011-05-22 19:36:31.000000000 -0400
30032 @@ -2168,7 +2168,7 @@ static int radeon_cp_clear(struct drm_de
30033 if (sarea_priv->nbox > RADEON_NR_SAREA_CLIPRECTS)
30034 sarea_priv->nbox = RADEON_NR_SAREA_CLIPRECTS;
30035
30036 - if (DRM_COPY_FROM_USER(&depth_boxes, clear->depth_boxes,
30037 + if (sarea_priv->nbox > RADEON_NR_SAREA_CLIPRECTS || DRM_COPY_FROM_USER(&depth_boxes, clear->depth_boxes,
30038 sarea_priv->nbox * sizeof(depth_boxes[0])))
30039 return -EFAULT;
30040
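Review bot: The added `sarea_priv->nbox > RADEON_NR_SAREA_CLIPRECTS ||` test re-reads a field that is read once more in the size expression on the next line, so the bound that is checked is not necessarily the bound that is used. If `sarea_priv` points into memory that user space can also write, which the need for a second check straight after the clamp suggests, the value can change between the test and the multiplication and the copy into `depth_boxes` can still run past the array. Read the count once into a local and use only that: `nbox = min_t(unsigned int, ACCESS_ONCE(sarea_priv->nbox), RADEON_NR_SAREA_CLIPRECTS);` followed by `DRM_COPY_FROM_USER(&depth_boxes, clear->depth_boxes, nbox * sizeof(depth_boxes[0]))`. The declaration of `depth_boxes` and the rest of radeon_cp_clear are outside the hunk.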
30041 @@ -3031,7 +3031,7 @@ static int radeon_cp_getparam(struct drm
30042 {
30043 drm_radeon_private_t *dev_priv = dev->dev_private;
30044 drm_radeon_getparam_t *param = data;
30045 - int value;
30046 + int value = 0;
30047
30048 DRM_DEBUG("pid=%d\n", DRM_CURRENTPID);
30049
30050 diff -urNp linux-2.6.39.3/drivers/gpu/drm/radeon/radeon_ttm.c linux-2.6.39.3/drivers/gpu/drm/radeon/radeon_ttm.c
30051 --- linux-2.6.39.3/drivers/gpu/drm/radeon/radeon_ttm.c 2011-05-19 00:06:34.000000000 -0400
30052 +++ linux-2.6.39.3/drivers/gpu/drm/radeon/radeon_ttm.c 2011-05-22 19:36:31.000000000 -0400
30053 @@ -603,8 +603,9 @@ void radeon_ttm_set_active_vram_size(str
30054 man->size = size >> PAGE_SHIFT;
30055 }
30056
30057 -static struct vm_operations_struct radeon_ttm_vm_ops;
30058 -static const struct vm_operations_struct *ttm_vm_ops = NULL;
30059 +extern int ttm_bo_vm_fault(struct vm_area_struct *vma, struct vm_fault *vmf);
30060 +extern void ttm_bo_vm_open(struct vm_area_struct *vma);
30061 +extern void ttm_bo_vm_close(struct vm_area_struct *vma);
30062
30063 static int radeon_ttm_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
30064 {
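Review bot: The three `extern` prototypes for `ttm_bo_vm_fault`, `ttm_bo_vm_open` and `ttm_bo_vm_close` are declared locally in this .c file, so the compiler cannot check them against the definitions in ttm_bo_vm.c. If a signature changes on the TTM side, this file keeps compiling against the stale prototype. Declare them once in a TTM header that both files include and drop the local `extern` lines.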
30065 @@ -612,17 +613,22 @@ static int radeon_ttm_fault(struct vm_ar
30066 struct radeon_device *rdev;
30067 int r;
30068
30069 - bo = (struct ttm_buffer_object *)vma->vm_private_data;
30070 - if (bo == NULL) {
30071 + bo = (struct ttm_buffer_object *)vma->vm_private_data;
30072 + if (!bo)
30073 return VM_FAULT_NOPAGE;
30074 - }
30075 rdev = radeon_get_rdev(bo->bdev);
30076 mutex_lock(&rdev->vram_mutex);
30077 - r = ttm_vm_ops->fault(vma, vmf);
30078 + r = ttm_bo_vm_fault(vma, vmf);
30079 mutex_unlock(&rdev->vram_mutex);
30080 return r;
30081 }
30082
30083 +static const struct vm_operations_struct radeon_ttm_vm_ops = {
30084 + .fault = radeon_ttm_fault,
30085 + .open = ttm_bo_vm_open,
30086 + .close = ttm_bo_vm_close
30087 +};
30088 +
30089 int radeon_mmap(struct file *filp, struct vm_area_struct *vma)
30090 {
30091 struct drm_file *file_priv;
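Review bot: The new `radeon_ttm_vm_ops` table lists `.fault`, `.open` and `.close` by hand, where the removed code copied whatever table `ttm_bo_mmap()` had installed and overrode only `.fault`. Any member TTM later adds to its own `ttm_bo_vm_ops` will be silently missing here. The const table is the better choice for keeping function pointers out of writable memory, so keep it, but add a comment at the initializer such as `/* must mirror ttm_bo_vm_ops in ttm_bo_vm.c except for .fault */`.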
30092 @@ -635,18 +641,11 @@ int radeon_mmap(struct file *filp, struc
30093
30094 file_priv = filp->private_data;
30095 rdev = file_priv->minor->dev->dev_private;
30096 - if (rdev == NULL) {
30097 + if (!rdev)
30098 return -EINVAL;
30099 - }
30100 r = ttm_bo_mmap(filp, vma, &rdev->mman.bdev);
30101 - if (unlikely(r != 0)) {
30102 + if (r)
30103 return r;
30104 - }
30105 - if (unlikely(ttm_vm_ops == NULL)) {
30106 - ttm_vm_ops = vma->vm_ops;
30107 - radeon_ttm_vm_ops = *ttm_vm_ops;
30108 - radeon_ttm_vm_ops.fault = &radeon_ttm_fault;
30109 - }
30110 vma->vm_ops = &radeon_ttm_vm_ops;
30111 return 0;
30112 }
30113 diff -urNp linux-2.6.39.3/drivers/gpu/drm/radeon/rs690.c linux-2.6.39.3/drivers/gpu/drm/radeon/rs690.c
30114 --- linux-2.6.39.3/drivers/gpu/drm/radeon/rs690.c 2011-05-19 00:06:34.000000000 -0400
30115 +++ linux-2.6.39.3/drivers/gpu/drm/radeon/rs690.c 2011-05-22 19:36:31.000000000 -0400
30116 @@ -304,9 +304,11 @@ void rs690_crtc_bandwidth_compute(struct
30117 if (rdev->pm.max_bandwidth.full > rdev->pm.sideport_bandwidth.full &&
30118 rdev->pm.sideport_bandwidth.full)
30119 rdev->pm.max_bandwidth = rdev->pm.sideport_bandwidth;
30120 - read_delay_latency.full = dfixed_const(370 * 800 * 1000);
30121 + read_delay_latency.full = dfixed_const(800 * 1000);
30122 read_delay_latency.full = dfixed_div(read_delay_latency,
30123 rdev->pm.igp_sideport_mclk);
30124 + a.full = dfixed_const(370);
30125 + read_delay_latency.full = dfixed_mul(read_delay_latency, a);
30126 } else {
30127 if (rdev->pm.max_bandwidth.full > rdev->pm.k8_bandwidth.full &&
30128 rdev->pm.k8_bandwidth.full)
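Review bot: The reordered computation has no comment explaining why the factor 370 is now applied after the division instead of inside `dfixed_const()`. From the change it looks as if `dfixed_const(370 * 800 * 1000)` did not fit the fixed-point representation, but the definition of `dfixed_const` is not on this page, so that should be confirmed before it is written down. A comment above the first assignment such as `/* 370 * 800 * 1000 overflows dfixed_const(); divide first, then scale by 370 */` would keep a later cleanup from folding the constants back together. The declaration of `a` is outside the hunk.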
30129 diff -urNp linux-2.6.39.3/drivers/gpu/drm/ttm/ttm_bo_vm.c linux-2.6.39.3/drivers/gpu/drm/ttm/ttm_bo_vm.c
30130 --- linux-2.6.39.3/drivers/gpu/drm/ttm/ttm_bo_vm.c 2011-05-19 00:06:34.000000000 -0400
30131 +++ linux-2.6.39.3/drivers/gpu/drm/ttm/ttm_bo_vm.c 2011-05-22 19:36:31.000000000 -0400
30132 @@ -69,11 +69,11 @@ static struct ttm_buffer_object *ttm_bo_
30133 return best_bo;
30134 }
30135
30136 -static int ttm_bo_vm_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
30137 +int ttm_bo_vm_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
30138 {
30139 struct ttm_buffer_object *bo = (struct ttm_buffer_object *)
30140 vma->vm_private_data;
30141 - struct ttm_bo_device *bdev = bo->bdev;
30142 + struct ttm_bo_device *bdev;
30143 unsigned long page_offset;
30144 unsigned long page_last;
30145 unsigned long pfn;
30146 @@ -83,8 +83,12 @@ static int ttm_bo_vm_fault(struct vm_are
30147 int i;
30148 unsigned long address = (unsigned long)vmf->virtual_address;
30149 int retval = VM_FAULT_NOPAGE;
30150 - struct ttm_mem_type_manager *man =
30151 - &bdev->man[bo->mem.mem_type];
30152 + struct ttm_mem_type_manager *man;
30153 +
30154 + if (!bo)
30155 + return VM_FAULT_NOPAGE;
30156 + bdev = bo->bdev;
30157 + man = &bdev->man[bo->mem.mem_type];
30158
30159 /*
30160 * Work around locking order reversal in fault / nopfn
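Review bot: Returning `VM_FAULT_NOPAGE` for a NULL `bo` reports the fault as handled although no mapping was installed, so the faulting access will presumably be retried and land here again. `VM_FAULT_SIGBUS`, which vmw_fifo_vm_fault on this page returns, looks like the more accurate result for a vma that has no buffer object: `if (!bo) return VM_FAULT_SIGBUS;`. The only visible place that clears `vm_private_data` is ttm_bo_vm_close() in the next hunk, so a comment on when a fault can still arrive with it NULL would also help. radeon_ttm_fault() in radeon_ttm.c performs the same check with the same return value before calling in.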
30161 @@ -219,22 +223,25 @@ out_unlock:
30162 ttm_bo_unreserve(bo);
30163 return retval;
30164 }
30165 +EXPORT_SYMBOL(ttm_bo_vm_fault);
30166
30167 -static void ttm_bo_vm_open(struct vm_area_struct *vma)
30168 +void ttm_bo_vm_open(struct vm_area_struct *vma)
30169 {
30170 struct ttm_buffer_object *bo =
30171 (struct ttm_buffer_object *)vma->vm_private_data;
30172
30173 (void)ttm_bo_reference(bo);
30174 }
30175 +EXPORT_SYMBOL(ttm_bo_vm_open);
30176
30177 -static void ttm_bo_vm_close(struct vm_area_struct *vma)
30178 +void ttm_bo_vm_close(struct vm_area_struct *vma)
30179 {
30180 struct ttm_buffer_object *bo = (struct ttm_buffer_object *)vma->vm_private_data;
30181
30182 ttm_bo_unref(&bo);
30183 vma->vm_private_data = NULL;
30184 }
30185 +EXPORT_SYMBOL(ttm_bo_vm_close);
30186
30187 static const struct vm_operations_struct ttm_bo_vm_ops = {
30188 .fault = ttm_bo_vm_fault,
30189 diff -urNp linux-2.6.39.3/drivers/gpu/drm/ttm/ttm_page_alloc.c linux-2.6.39.3/drivers/gpu/drm/ttm/ttm_page_alloc.c
30190 --- linux-2.6.39.3/drivers/gpu/drm/ttm/ttm_page_alloc.c 2011-05-19 00:06:34.000000000 -0400
30191 +++ linux-2.6.39.3/drivers/gpu/drm/ttm/ttm_page_alloc.c 2011-05-22 19:36:31.000000000 -0400
30192 @@ -397,9 +397,9 @@ static int ttm_pool_get_num_unused_pages
30193 */
30194 static int ttm_pool_mm_shrink(struct shrinker *shrink, int shrink_pages, gfp_t gfp_mask)
30195 {
30196 - static atomic_t start_pool = ATOMIC_INIT(0);
30197 + static atomic_unchecked_t start_pool = ATOMIC_INIT(0);
30198 unsigned i;
30199 - unsigned pool_offset = atomic_add_return(1, &start_pool);
30200 + unsigned pool_offset = atomic_add_return_unchecked(1, &start_pool);
30201 struct ttm_page_pool *pool;
30202
30203 pool_offset = pool_offset % NUM_POOLS;
30204 diff -urNp linux-2.6.39.3/drivers/gpu/drm/via/via_drv.h linux-2.6.39.3/drivers/gpu/drm/via/via_drv.h
30205 --- linux-2.6.39.3/drivers/gpu/drm/via/via_drv.h 2011-05-19 00:06:34.000000000 -0400
30206 +++ linux-2.6.39.3/drivers/gpu/drm/via/via_drv.h 2011-05-22 19:36:31.000000000 -0400
30207 @@ -51,7 +51,7 @@ typedef struct drm_via_ring_buffer {
30208 typedef uint32_t maskarray_t[5];
30209
30210 typedef struct drm_via_irq {
30211 - atomic_t irq_received;
30212 + atomic_unchecked_t irq_received;
30213 uint32_t pending_mask;
30214 uint32_t enable_mask;
30215 wait_queue_head_t irq_queue;
30216 @@ -75,7 +75,7 @@ typedef struct drm_via_private {
30217 struct timeval last_vblank;
30218 int last_vblank_valid;
30219 unsigned usec_per_vblank;
30220 - atomic_t vbl_received;
30221 + atomic_unchecked_t vbl_received;
30222 drm_via_state_t hc_state;
30223 char pci_buf[VIA_PCI_BUF_SIZE];
30224 const uint32_t *fire_offsets[VIA_FIRE_BUF_SIZE];
30225 diff -urNp linux-2.6.39.3/drivers/gpu/drm/via/via_irq.c linux-2.6.39.3/drivers/gpu/drm/via/via_irq.c
30226 --- linux-2.6.39.3/drivers/gpu/drm/via/via_irq.c 2011-05-19 00:06:34.000000000 -0400
30227 +++ linux-2.6.39.3/drivers/gpu/drm/via/via_irq.c 2011-05-22 19:36:31.000000000 -0400
30228 @@ -102,7 +102,7 @@ u32 via_get_vblank_counter(struct drm_de
30229 if (crtc != 0)
30230 return 0;
30231
30232 - return atomic_read(&dev_priv->vbl_received);
30233 + return atomic_read_unchecked(&dev_priv->vbl_received);
30234 }
30235
30236 irqreturn_t via_driver_irq_handler(DRM_IRQ_ARGS)
30237 @@ -117,8 +117,8 @@ irqreturn_t via_driver_irq_handler(DRM_I
30238
30239 status = VIA_READ(VIA_REG_INTERRUPT);
30240 if (status & VIA_IRQ_VBLANK_PENDING) {
30241 - atomic_inc(&dev_priv->vbl_received);
30242 - if (!(atomic_read(&dev_priv->vbl_received) & 0x0F)) {
30243 + atomic_inc_unchecked(&dev_priv->vbl_received);
30244 + if (!(atomic_read_unchecked(&dev_priv->vbl_received) & 0x0F)) {
30245 do_gettimeofday(&cur_vblank);
30246 if (dev_priv->last_vblank_valid) {
30247 dev_priv->usec_per_vblank =
30248 @@ -128,7 +128,7 @@ irqreturn_t via_driver_irq_handler(DRM_I
30249 dev_priv->last_vblank = cur_vblank;
30250 dev_priv->last_vblank_valid = 1;
30251 }
30252 - if (!(atomic_read(&dev_priv->vbl_received) & 0xFF)) {
30253 + if (!(atomic_read_unchecked(&dev_priv->vbl_received) & 0xFF)) {
30254 DRM_DEBUG("US per vblank is: %u\n",
30255 dev_priv->usec_per_vblank);
30256 }
30257 @@ -138,7 +138,7 @@ irqreturn_t via_driver_irq_handler(DRM_I
30258
30259 for (i = 0; i < dev_priv->num_irqs; ++i) {
30260 if (status & cur_irq->pending_mask) {
30261 - atomic_inc(&cur_irq->irq_received);
30262 + atomic_inc_unchecked(&cur_irq->irq_received);
30263 DRM_WAKEUP(&cur_irq->irq_queue);
30264 handled = 1;
30265 if (dev_priv->irq_map[drm_via_irq_dma0_td] == i)
30266 @@ -243,11 +243,11 @@ via_driver_irq_wait(struct drm_device *d
30267 DRM_WAIT_ON(ret, cur_irq->irq_queue, 3 * DRM_HZ,
30268 ((VIA_READ(masks[irq][2]) & masks[irq][3]) ==
30269 masks[irq][4]));
30270 - cur_irq_sequence = atomic_read(&cur_irq->irq_received);
30271 + cur_irq_sequence = atomic_read_unchecked(&cur_irq->irq_received);
30272 } else {
30273 DRM_WAIT_ON(ret, cur_irq->irq_queue, 3 * DRM_HZ,
30274 (((cur_irq_sequence =
30275 - atomic_read(&cur_irq->irq_received)) -
30276 + atomic_read_unchecked(&cur_irq->irq_received)) -
30277 *sequence) <= (1 << 23)));
30278 }
30279 *sequence = cur_irq_sequence;
30280 @@ -285,7 +285,7 @@ void via_driver_irq_preinstall(struct dr
30281 }
30282
30283 for (i = 0; i < dev_priv->num_irqs; ++i) {
30284 - atomic_set(&cur_irq->irq_received, 0);
30285 + atomic_set_unchecked(&cur_irq->irq_received, 0);
30286 cur_irq->enable_mask = dev_priv->irq_masks[i][0];
30287 cur_irq->pending_mask = dev_priv->irq_masks[i][1];
30288 DRM_INIT_WAITQUEUE(&cur_irq->irq_queue);
30289 @@ -367,7 +367,7 @@ int via_wait_irq(struct drm_device *dev,
30290 switch (irqwait->request.type & ~VIA_IRQ_FLAGS_MASK) {
30291 case VIA_IRQ_RELATIVE:
30292 irqwait->request.sequence +=
30293 - atomic_read(&cur_irq->irq_received);
30294 + atomic_read_unchecked(&cur_irq->irq_received);
30295 irqwait->request.type &= ~_DRM_VBLANK_RELATIVE;
30296 case VIA_IRQ_ABSOLUTE:
30297 break;
30298 diff -urNp linux-2.6.39.3/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h linux-2.6.39.3/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h
30299 --- linux-2.6.39.3/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h 2011-05-19 00:06:34.000000000 -0400
30300 +++ linux-2.6.39.3/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h 2011-05-22 19:36:31.000000000 -0400
30301 @@ -240,7 +240,7 @@ struct vmw_private {
30302 * Fencing and IRQs.
30303 */
30304
30305 - atomic_t fence_seq;
30306 + atomic_unchecked_t fence_seq;
30307 wait_queue_head_t fence_queue;
30308 wait_queue_head_t fifo_queue;
30309 atomic_t fence_queue_waiters;
30310 diff -urNp linux-2.6.39.3/drivers/gpu/drm/vmwgfx/vmwgfx_fence.c linux-2.6.39.3/drivers/gpu/drm/vmwgfx/vmwgfx_fence.c
30311 --- linux-2.6.39.3/drivers/gpu/drm/vmwgfx/vmwgfx_fence.c 2011-05-19 00:06:34.000000000 -0400
30312 +++ linux-2.6.39.3/drivers/gpu/drm/vmwgfx/vmwgfx_fence.c 2011-05-22 19:36:31.000000000 -0400
30313 @@ -151,7 +151,7 @@ int vmw_wait_lag(struct vmw_private *dev
30314 while (!vmw_lag_lt(queue, us)) {
30315 spin_lock(&queue->lock);
30316 if (list_empty(&queue->head))
30317 - sequence = atomic_read(&dev_priv->fence_seq);
30318 + sequence = atomic_read_unchecked(&dev_priv->fence_seq);
30319 else {
30320 fence = list_first_entry(&queue->head,
30321 struct vmw_fence, head);
30322 diff -urNp linux-2.6.39.3/drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c linux-2.6.39.3/drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c
30323 --- linux-2.6.39.3/drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c 2011-05-19 00:06:34.000000000 -0400
30324 +++ linux-2.6.39.3/drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c 2011-05-22 19:36:31.000000000 -0400
30325 @@ -137,7 +137,7 @@ int vmw_fifo_init(struct vmw_private *de
30326 (unsigned int) min,
30327 (unsigned int) fifo->capabilities);
30328
30329 - atomic_set(&dev_priv->fence_seq, dev_priv->last_read_sequence);
30330 + atomic_set_unchecked(&dev_priv->fence_seq, dev_priv->last_read_sequence);
30331 iowrite32(dev_priv->last_read_sequence, fifo_mem + SVGA_FIFO_FENCE);
30332 vmw_fence_queue_init(&fifo->fence_queue);
30333 return vmw_fifo_send_fence(dev_priv, &dummy);
30334 @@ -476,7 +476,7 @@ int vmw_fifo_send_fence(struct vmw_priva
30335
30336 fm = vmw_fifo_reserve(dev_priv, bytes);
30337 if (unlikely(fm == NULL)) {
30338 - *sequence = atomic_read(&dev_priv->fence_seq);
30339 + *sequence = atomic_read_unchecked(&dev_priv->fence_seq);
30340 ret = -ENOMEM;
30341 (void)vmw_fallback_wait(dev_priv, false, true, *sequence,
30342 false, 3*HZ);
30343 @@ -484,7 +484,7 @@ int vmw_fifo_send_fence(struct vmw_priva
30344 }
30345
30346 do {
30347 - *sequence = atomic_add_return(1, &dev_priv->fence_seq);
30348 + *sequence = atomic_add_return_unchecked(1, &dev_priv->fence_seq);
30349 } while (*sequence == 0);
30350
30351 if (!(fifo_state->capabilities & SVGA_FIFO_CAP_FENCE)) {
30352 @@ -534,7 +534,7 @@ static int vmw_fifo_vm_fault(struct vm_a
30353 return VM_FAULT_SIGBUS;
30354 }
30355
30356 -static struct vm_operations_struct vmw_fifo_vm_ops = {
30357 +static const struct vm_operations_struct vmw_fifo_vm_ops = {
30358 .fault = vmw_fifo_vm_fault,
30359 .open = NULL,
30360 .close = NULL
30361 diff -urNp linux-2.6.39.3/drivers/gpu/drm/vmwgfx/vmwgfx_irq.c linux-2.6.39.3/drivers/gpu/drm/vmwgfx/vmwgfx_irq.c
30362 --- linux-2.6.39.3/drivers/gpu/drm/vmwgfx/vmwgfx_irq.c 2011-05-19 00:06:34.000000000 -0400
30363 +++ linux-2.6.39.3/drivers/gpu/drm/vmwgfx/vmwgfx_irq.c 2011-05-22 19:36:31.000000000 -0400
30364 @@ -100,7 +100,7 @@ bool vmw_fence_signaled(struct vmw_priva
30365 * emitted. Then the fence is stale and signaled.
30366 */
30367
30368 - ret = ((atomic_read(&dev_priv->fence_seq) - sequence)
30369 + ret = ((atomic_read_unchecked(&dev_priv->fence_seq) - sequence)
30370 > VMW_FENCE_WRAP);
30371
30372 return ret;
30373 @@ -131,7 +131,7 @@ int vmw_fallback_wait(struct vmw_private
30374
30375 if (fifo_idle)
30376 down_read(&fifo_state->rwsem);
30377 - signal_seq = atomic_read(&dev_priv->fence_seq);
30378 + signal_seq = atomic_read_unchecked(&dev_priv->fence_seq);
30379 ret = 0;
30380
30381 for (;;) {
30382 diff -urNp linux-2.6.39.3/drivers/gpu/vga/vga_switcheroo.c linux-2.6.39.3/drivers/gpu/vga/vga_switcheroo.c
30383 --- linux-2.6.39.3/drivers/gpu/vga/vga_switcheroo.c 2011-05-19 00:06:34.000000000 -0400
30384 +++ linux-2.6.39.3/drivers/gpu/vga/vga_switcheroo.c 2011-05-22 19:36:31.000000000 -0400
30385 @@ -53,7 +53,7 @@ struct vgasr_priv {
30386 int registered_clients;
30387 struct vga_switcheroo_client clients[VGA_SWITCHEROO_MAX_CLIENTS];
30388
30389 - struct vga_switcheroo_handler *handler;
30390 + const struct vga_switcheroo_handler *handler;
30391 };
30392
30393 static int vga_switcheroo_debugfs_init(struct vgasr_priv *priv);
30394 @@ -62,7 +62,7 @@ static void vga_switcheroo_debugfs_fini(
30395 /* only one switcheroo per system */
30396 static struct vgasr_priv vgasr_priv;
30397
30398 -int vga_switcheroo_register_handler(struct vga_switcheroo_handler *handler)
30399 +int vga_switcheroo_register_handler(const struct vga_switcheroo_handler *handler)
30400 {
30401 mutex_lock(&vgasr_mutex);
30402 if (vgasr_priv.handler) {
30403 diff -urNp linux-2.6.39.3/drivers/hid/hid-core.c linux-2.6.39.3/drivers/hid/hid-core.c
30404 --- linux-2.6.39.3/drivers/hid/hid-core.c 2011-05-19 00:06:34.000000000 -0400
30405 +++ linux-2.6.39.3/drivers/hid/hid-core.c 2011-05-22 19:36:31.000000000 -0400
30406 @@ -1888,7 +1888,7 @@ static bool hid_ignore(struct hid_device
30407
30408 int hid_add_device(struct hid_device *hdev)
30409 {
30410 - static atomic_t id = ATOMIC_INIT(0);
30411 + static atomic_unchecked_t id = ATOMIC_INIT(0);
30412 int ret;
30413
30414 if (WARN_ON(hdev->status & HID_STAT_ADDED))
30415 @@ -1903,7 +1903,7 @@ int hid_add_device(struct hid_device *hd
30416 /* XXX hack, any other cleaner solution after the driver core
30417 * is converted to allow more than 20 bytes as the device name? */
30418 dev_set_name(&hdev->dev, "%04X:%04X:%04X.%04X", hdev->bus,
30419 - hdev->vendor, hdev->product, atomic_inc_return(&id));
30420 + hdev->vendor, hdev->product, atomic_inc_return_unchecked(&id));
30421
30422 hid_debug_register(hdev, dev_name(&hdev->dev));
30423 ret = device_add(&hdev->dev);
30424 diff -urNp linux-2.6.39.3/drivers/hid/hid-picolcd.c linux-2.6.39.3/drivers/hid/hid-picolcd.c
30425 --- linux-2.6.39.3/drivers/hid/hid-picolcd.c 2011-05-19 00:06:34.000000000 -0400
30426 +++ linux-2.6.39.3/drivers/hid/hid-picolcd.c 2011-05-22 19:36:31.000000000 -0400
30427 @@ -1037,7 +1037,7 @@ static int picolcd_check_lcd_fb(struct l
30428 return fb && fb == picolcd_fbinfo((struct picolcd_data *)lcd_get_data(ldev));
30429 }
30430
30431 -static struct lcd_ops picolcd_lcdops = {
30432 +static const struct lcd_ops picolcd_lcdops = {
30433 .get_contrast = picolcd_get_contrast,
30434 .set_contrast = picolcd_set_contrast,
30435 .check_fb = picolcd_check_lcd_fb,
30436 diff -urNp linux-2.6.39.3/drivers/hid/usbhid/hiddev.c linux-2.6.39.3/drivers/hid/usbhid/hiddev.c
30437 --- linux-2.6.39.3/drivers/hid/usbhid/hiddev.c 2011-05-19 00:06:34.000000000 -0400
30438 +++ linux-2.6.39.3/drivers/hid/usbhid/hiddev.c 2011-05-22 19:36:31.000000000 -0400
30439 @@ -613,7 +613,7 @@ static long hiddev_ioctl(struct file *fi
30440 break;
30441
30442 case HIDIOCAPPLICATION:
30443 - if (arg < 0 || arg >= hid->maxapplication)
30444 + if (arg >= hid->maxapplication)
30445 break;
30446
30447 for (i = 0; i < hid->maxcollection; i++)
30448 diff -urNp linux-2.6.39.3/drivers/hwmon/ibmaem.c linux-2.6.39.3/drivers/hwmon/ibmaem.c
30449 --- linux-2.6.39.3/drivers/hwmon/ibmaem.c 2011-07-09 09:18:51.000000000 -0400
30450 +++ linux-2.6.39.3/drivers/hwmon/ibmaem.c 2011-07-09 09:19:18.000000000 -0400
30451 @@ -238,7 +238,7 @@ struct aem_read_sensor_resp {
30452 struct aem_driver_data {
30453 struct list_head aem_devices;
30454 struct ipmi_smi_watcher bmc_events;
30455 - struct ipmi_user_hndl ipmi_hndlrs;
30456 + const struct ipmi_user_hndl ipmi_hndlrs;
30457 };
30458
30459 static void aem_register_bmc(int iface, struct device *dev);
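Review bot: Marking the `ipmi_hndlrs` member `const` does not place the handler table in read-only memory, because a member lives wherever its enclosing object lives. The ibmpex.c hunk shows its enclosing instance as `static struct ibmpex_driver_data driver_data`, which is writable; the aem instance is outside this hunk. The qualifier stops direct assignment through the member, but the function pointers stay in writable data. To get the hardening effect, move the table into its own `static const struct ipmi_user_hndl` object and pass its address where the member's address is passed today; that call site is not visible here. The same applies to the ibmpex.c hunk.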
30460 diff -urNp linux-2.6.39.3/drivers/hwmon/ibmpex.c linux-2.6.39.3/drivers/hwmon/ibmpex.c
30461 --- linux-2.6.39.3/drivers/hwmon/ibmpex.c 2011-07-09 09:18:51.000000000 -0400
30462 +++ linux-2.6.39.3/drivers/hwmon/ibmpex.c 2011-07-09 09:19:18.000000000 -0400
30463 @@ -110,7 +110,7 @@ struct ibmpex_bmc_data {
30464 struct ibmpex_driver_data {
30465 struct list_head bmc_data;
30466 struct ipmi_smi_watcher bmc_events;
30467 - struct ipmi_user_hndl ipmi_hndlrs;
30468 + const struct ipmi_user_hndl ipmi_hndlrs;
30469 };
30470
30471 static struct ibmpex_driver_data driver_data = {
30472 diff -urNp linux-2.6.39.3/drivers/hwmon/sht15.c linux-2.6.39.3/drivers/hwmon/sht15.c
30473 --- linux-2.6.39.3/drivers/hwmon/sht15.c 2011-05-19 00:06:34.000000000 -0400
30474 +++ linux-2.6.39.3/drivers/hwmon/sht15.c 2011-05-22 19:36:31.000000000 -0400
30475 @@ -113,7 +113,7 @@ struct sht15_data {
30476 int supply_uV;
30477 int supply_uV_valid;
30478 struct work_struct update_supply_work;
30479 - atomic_t interrupt_handled;
30480 + atomic_unchecked_t interrupt_handled;
30481 };
30482
30483 /**
30484 @@ -246,13 +246,13 @@ static inline int sht15_update_single_va
30485 return ret;
30486
30487 gpio_direction_input(data->pdata->gpio_data);
30488 - atomic_set(&data->interrupt_handled, 0);
30489 + atomic_set_unchecked(&data->interrupt_handled, 0);
30490
30491 enable_irq(gpio_to_irq(data->pdata->gpio_data));
30492 if (gpio_get_value(data->pdata->gpio_data) == 0) {
30493 disable_irq_nosync(gpio_to_irq(data->pdata->gpio_data));
30494 /* Only relevant if the interrupt hasn't occurred. */
30495 - if (!atomic_read(&data->interrupt_handled))
30496 + if (!atomic_read_unchecked(&data->interrupt_handled))
30497 schedule_work(&data->read_work);
30498 }
30499 ret = wait_event_timeout(data->wait_queue,
30500 @@ -399,7 +399,7 @@ static irqreturn_t sht15_interrupt_fired
30501 struct sht15_data *data = d;
30502 /* First disable the interrupt */
30503 disable_irq_nosync(irq);
30504 - atomic_inc(&data->interrupt_handled);
30505 + atomic_inc_unchecked(&data->interrupt_handled);
30506 /* Then schedule a reading work struct */
30507 if (data->flag != SHT15_READING_NOTHING)
30508 schedule_work(&data->read_work);
30509 @@ -450,11 +450,11 @@ static void sht15_bh_read_data(struct wo
30510 here as could have gone low in meantime so verify
30511 it hasn't!
30512 */
30513 - atomic_set(&data->interrupt_handled, 0);
30514 + atomic_set_unchecked(&data->interrupt_handled, 0);
30515 enable_irq(gpio_to_irq(data->pdata->gpio_data));
30516 /* If still not occurred or another handler has been scheduled */
30517 if (gpio_get_value(data->pdata->gpio_data)
30518 - || atomic_read(&data->interrupt_handled))
30519 + || atomic_read_unchecked(&data->interrupt_handled))
30520 return;
30521 }
30522 /* Read the data back from the device */
30523 diff -urNp linux-2.6.39.3/drivers/hwmon/w83791d.c linux-2.6.39.3/drivers/hwmon/w83791d.c
30524 --- linux-2.6.39.3/drivers/hwmon/w83791d.c 2011-05-19 00:06:34.000000000 -0400
30525 +++ linux-2.6.39.3/drivers/hwmon/w83791d.c 2011-05-22 19:36:31.000000000 -0400
30526 @@ -329,8 +329,8 @@ static int w83791d_detect(struct i2c_cli
30527 struct i2c_board_info *info);
30528 static int w83791d_remove(struct i2c_client *client);
30529
30530 -static int w83791d_read(struct i2c_client *client, u8 register);
30531 -static int w83791d_write(struct i2c_client *client, u8 register, u8 value);
30532 +static int w83791d_read(struct i2c_client *client, u8 reg);
30533 +static int w83791d_write(struct i2c_client *client, u8 reg, u8 value);
30534 static struct w83791d_data *w83791d_update_device(struct device *dev);
30535
30536 #ifdef DEBUG
30537 diff -urNp linux-2.6.39.3/drivers/i2c/busses/i2c-at91.c linux-2.6.39.3/drivers/i2c/busses/i2c-at91.c
30538 --- linux-2.6.39.3/drivers/i2c/busses/i2c-at91.c 2011-05-19 00:06:34.000000000 -0400
30539 +++ linux-2.6.39.3/drivers/i2c/busses/i2c-at91.c 2011-05-22 19:36:31.000000000 -0400
30540 @@ -181,7 +181,7 @@ static u32 at91_func(struct i2c_adapter
30541 return I2C_FUNC_I2C | I2C_FUNC_SMBUS_EMUL;
30542 }
30543
30544 -static struct i2c_algorithm at91_algorithm = {
30545 +static const struct i2c_algorithm at91_algorithm = {
30546 .master_xfer = at91_xfer,
30547 .functionality = at91_func,
30548 };
30549 diff -urNp linux-2.6.39.3/drivers/i2c/busses/i2c-bfin-twi.c linux-2.6.39.3/drivers/i2c/busses/i2c-bfin-twi.c
30550 --- linux-2.6.39.3/drivers/i2c/busses/i2c-bfin-twi.c 2011-05-19 00:06:34.000000000 -0400
30551 +++ linux-2.6.39.3/drivers/i2c/busses/i2c-bfin-twi.c 2011-05-22 19:36:31.000000000 -0400
30552 @@ -599,7 +599,7 @@ static u32 bfin_twi_functionality(struct
30553 I2C_FUNC_I2C | I2C_FUNC_SMBUS_I2C_BLOCK;
30554 }
30555
30556 -static struct i2c_algorithm bfin_twi_algorithm = {
30557 +static const struct i2c_algorithm bfin_twi_algorithm = {
30558 .master_xfer = bfin_twi_master_xfer,
30559 .smbus_xfer = bfin_twi_smbus_xfer,
30560 .functionality = bfin_twi_functionality,
30561 diff -urNp linux-2.6.39.3/drivers/i2c/busses/i2c-davinci.c linux-2.6.39.3/drivers/i2c/busses/i2c-davinci.c
30562 --- linux-2.6.39.3/drivers/i2c/busses/i2c-davinci.c 2011-05-19 00:06:34.000000000 -0400
30563 +++ linux-2.6.39.3/drivers/i2c/busses/i2c-davinci.c 2011-05-22 19:36:31.000000000 -0400
30564 @@ -630,7 +630,7 @@ static inline void i2c_davinci_cpufreq_d
30565 }
30566 #endif
30567
30568 -static struct i2c_algorithm i2c_davinci_algo = {
30569 +static const struct i2c_algorithm i2c_davinci_algo = {
30570 .master_xfer = i2c_davinci_xfer,
30571 .functionality = i2c_davinci_func,
30572 };
30573 diff -urNp linux-2.6.39.3/drivers/i2c/busses/i2c-designware.c linux-2.6.39.3/drivers/i2c/busses/i2c-designware.c
30574 --- linux-2.6.39.3/drivers/i2c/busses/i2c-designware.c 2011-05-19 00:06:34.000000000 -0400
30575 +++ linux-2.6.39.3/drivers/i2c/busses/i2c-designware.c 2011-05-22 19:36:31.000000000 -0400
30576 @@ -689,7 +689,7 @@ tx_aborted:
30577 return IRQ_HANDLED;
30578 }
30579
30580 -static struct i2c_algorithm i2c_dw_algo = {
30581 +static const struct i2c_algorithm i2c_dw_algo = {
30582 .master_xfer = i2c_dw_xfer,
30583 .functionality = i2c_dw_func,
30584 };
30585 diff -urNp linux-2.6.39.3/drivers/i2c/busses/i2c-eg20t.c linux-2.6.39.3/drivers/i2c/busses/i2c-eg20t.c
30586 --- linux-2.6.39.3/drivers/i2c/busses/i2c-eg20t.c 2011-05-19 00:06:34.000000000 -0400
30587 +++ linux-2.6.39.3/drivers/i2c/busses/i2c-eg20t.c 2011-05-22 19:36:31.000000000 -0400
30588 @@ -708,7 +708,7 @@ static u32 pch_i2c_func(struct i2c_adapt
30589 return I2C_FUNC_I2C | I2C_FUNC_SMBUS_EMUL | I2C_FUNC_10BIT_ADDR;
30590 }
30591
30592 -static struct i2c_algorithm pch_algorithm = {
30593 +static const struct i2c_algorithm pch_algorithm = {
30594 .master_xfer = pch_i2c_xfer,
30595 .functionality = pch_i2c_func
30596 };
30597 diff -urNp linux-2.6.39.3/drivers/i2c/busses/i2c-imx.c linux-2.6.39.3/drivers/i2c/busses/i2c-imx.c
30598 --- linux-2.6.39.3/drivers/i2c/busses/i2c-imx.c 2011-05-19 00:06:34.000000000 -0400
30599 +++ linux-2.6.39.3/drivers/i2c/busses/i2c-imx.c 2011-05-22 19:36:31.000000000 -0400
30600 @@ -457,7 +457,7 @@ static u32 i2c_imx_func(struct i2c_adapt
30601 return I2C_FUNC_I2C | I2C_FUNC_SMBUS_EMUL;
30602 }
30603
30604 -static struct i2c_algorithm i2c_imx_algo = {
30605 +static const struct i2c_algorithm i2c_imx_algo = {
30606 .master_xfer = i2c_imx_xfer,
30607 .functionality = i2c_imx_func,
30608 };
30609 diff -urNp linux-2.6.39.3/drivers/i2c/busses/i2c-intel-mid.c linux-2.6.39.3/drivers/i2c/busses/i2c-intel-mid.c
30610 --- linux-2.6.39.3/drivers/i2c/busses/i2c-intel-mid.c 2011-05-19 00:06:34.000000000 -0400
30611 +++ linux-2.6.39.3/drivers/i2c/busses/i2c-intel-mid.c 2011-05-22 19:36:31.000000000 -0400
30612 @@ -917,7 +917,7 @@ err:
30613 return IRQ_HANDLED;
30614 }
30615
30616 -static struct i2c_algorithm intel_mid_i2c_algorithm = {
30617 +static const struct i2c_algorithm intel_mid_i2c_algorithm = {
30618 .master_xfer = intel_mid_i2c_xfer,
30619 .functionality = intel_mid_i2c_func,
30620 };
30621 diff -urNp linux-2.6.39.3/drivers/i2c/busses/i2c-nforce2.c linux-2.6.39.3/drivers/i2c/busses/i2c-nforce2.c
30622 --- linux-2.6.39.3/drivers/i2c/busses/i2c-nforce2.c 2011-05-19 00:06:34.000000000 -0400
30623 +++ linux-2.6.39.3/drivers/i2c/busses/i2c-nforce2.c 2011-05-22 19:36:31.000000000 -0400
30624 @@ -303,7 +303,7 @@ static u32 nforce2_func(struct i2c_adapt
30625 I2C_FUNC_SMBUS_BLOCK_DATA : 0);
30626 }
30627
30628 -static struct i2c_algorithm smbus_algorithm = {
30629 +static const struct i2c_algorithm smbus_algorithm = {
30630 .smbus_xfer = nforce2_access,
30631 .functionality = nforce2_func,
30632 };
30633 diff -urNp linux-2.6.39.3/drivers/i2c/busses/i2c-pmcmsp.c linux-2.6.39.3/drivers/i2c/busses/i2c-pmcmsp.c
30634 --- linux-2.6.39.3/drivers/i2c/busses/i2c-pmcmsp.c 2011-05-19 00:06:34.000000000 -0400
30635 +++ linux-2.6.39.3/drivers/i2c/busses/i2c-pmcmsp.c 2011-05-22 19:36:31.000000000 -0400
30636 @@ -615,7 +615,7 @@ static u32 pmcmsptwi_i2c_func(struct i2c
30637
30638 /* -- Initialization -- */
30639
30640 -static struct i2c_algorithm pmcmsptwi_algo = {
30641 +static const struct i2c_algorithm pmcmsptwi_algo = {
30642 .master_xfer = pmcmsptwi_master_xfer,
30643 .functionality = pmcmsptwi_i2c_func,
30644 };
30645 diff -urNp linux-2.6.39.3/drivers/i2c/busses/i2c-pnx.c linux-2.6.39.3/drivers/i2c/busses/i2c-pnx.c
30646 --- linux-2.6.39.3/drivers/i2c/busses/i2c-pnx.c 2011-05-19 00:06:34.000000000 -0400
30647 +++ linux-2.6.39.3/drivers/i2c/busses/i2c-pnx.c 2011-05-22 19:36:31.000000000 -0400
30648 @@ -535,7 +535,7 @@ static u32 i2c_pnx_func(struct i2c_adapt
30649 return I2C_FUNC_I2C | I2C_FUNC_SMBUS_EMUL;
30650 }
30651
30652 -static struct i2c_algorithm pnx_algorithm = {
30653 +static const struct i2c_algorithm pnx_algorithm = {
30654 .master_xfer = i2c_pnx_xfer,
30655 .functionality = i2c_pnx_func,
30656 };
30657 diff -urNp linux-2.6.39.3/drivers/i2c/busses/i2c-puv3.c linux-2.6.39.3/drivers/i2c/busses/i2c-puv3.c
30658 --- linux-2.6.39.3/drivers/i2c/busses/i2c-puv3.c 2011-05-19 00:06:34.000000000 -0400
30659 +++ linux-2.6.39.3/drivers/i2c/busses/i2c-puv3.c 2011-05-22 19:36:31.000000000 -0400
30660 @@ -176,7 +176,7 @@ static u32 puv3_i2c_func(struct i2c_adap
30661 return I2C_FUNC_I2C | I2C_FUNC_SMBUS_EMUL;
30662 }
30663
30664 -static struct i2c_algorithm puv3_i2c_algorithm = {
30665 +static const struct i2c_algorithm puv3_i2c_algorithm = {
30666 .master_xfer = puv3_i2c_xfer,
30667 .functionality = puv3_i2c_func,
30668 };
30669 diff -urNp linux-2.6.39.3/drivers/i2c/busses/i2c-s6000.c linux-2.6.39.3/drivers/i2c/busses/i2c-s6000.c
30670 --- linux-2.6.39.3/drivers/i2c/busses/i2c-s6000.c 2011-05-19 00:06:34.000000000 -0400
30671 +++ linux-2.6.39.3/drivers/i2c/busses/i2c-s6000.c 2011-05-22 19:36:31.000000000 -0400
30672 @@ -243,7 +243,7 @@ static u32 s6i2c_functionality(struct i2
30673 return I2C_FUNC_I2C | I2C_FUNC_SMBUS_EMUL;
30674 }
30675
30676 -static struct i2c_algorithm s6i2c_algorithm = {
30677 +static const struct i2c_algorithm s6i2c_algorithm = {
30678 .master_xfer = s6i2c_master_xfer,
30679 .functionality = s6i2c_functionality,
30680 };
30681 diff -urNp linux-2.6.39.3/drivers/i2c/busses/i2c-sh_mobile.c linux-2.6.39.3/drivers/i2c/busses/i2c-sh_mobile.c
30682 --- linux-2.6.39.3/drivers/i2c/busses/i2c-sh_mobile.c 2011-05-19 00:06:34.000000000 -0400
30683 +++ linux-2.6.39.3/drivers/i2c/busses/i2c-sh_mobile.c 2011-05-22 19:36:31.000000000 -0400
30684 @@ -529,7 +529,7 @@ static u32 sh_mobile_i2c_func(struct i2c
30685 return I2C_FUNC_I2C | I2C_FUNC_SMBUS_EMUL;
30686 }
30687
30688 -static struct i2c_algorithm sh_mobile_i2c_algorithm = {
30689 +static const struct i2c_algorithm sh_mobile_i2c_algorithm = {
30690 .functionality = sh_mobile_i2c_func,
30691 .master_xfer = sh_mobile_i2c_xfer,
30692 };
30693 diff -urNp linux-2.6.39.3/drivers/ide/ide-cd.c linux-2.6.39.3/drivers/ide/ide-cd.c
30694 --- linux-2.6.39.3/drivers/ide/ide-cd.c 2011-06-03 00:04:14.000000000 -0400
30695 +++ linux-2.6.39.3/drivers/ide/ide-cd.c 2011-06-03 00:32:05.000000000 -0400
30696 @@ -769,7 +769,7 @@ static void cdrom_do_block_pc(ide_drive_
30697 alignment = queue_dma_alignment(q) | q->dma_pad_mask;
30698 if ((unsigned long)buf & alignment
30699 || blk_rq_bytes(rq) & q->dma_pad_mask
30700 - || object_is_on_stack(buf))
30701 + || object_starts_on_stack(buf))
30702 drive->dma = 0;
30703 }
30704 }
30705 diff -urNp linux-2.6.39.3/drivers/ide/ide-floppy.c linux-2.6.39.3/drivers/ide/ide-floppy.c
30706 --- linux-2.6.39.3/drivers/ide/ide-floppy.c 2011-05-19 00:06:34.000000000 -0400
30707 +++ linux-2.6.39.3/drivers/ide/ide-floppy.c 2011-05-22 19:36:31.000000000 -0400
30708 @@ -379,6 +379,8 @@ static int ide_floppy_get_capacity(ide_d
30709 u8 pc_buf[256], header_len, desc_cnt;
30710 int i, rc = 1, blocks, length;
30711
30712 + pax_track_stack();
30713 +
30714 ide_debug_log(IDE_DBG_FUNC, "enter");
30715
30716 drive->bios_cyl = 0;
30717 diff -urNp linux-2.6.39.3/drivers/ide/it821x.c linux-2.6.39.3/drivers/ide/it821x.c
30718 --- linux-2.6.39.3/drivers/ide/it821x.c 2011-05-19 00:06:34.000000000 -0400
30719 +++ linux-2.6.39.3/drivers/ide/it821x.c 2011-05-22 19:36:31.000000000 -0400
30720 @@ -508,7 +508,7 @@ static void it821x_quirkproc(ide_drive_t
30721
30722 }
30723
30724 -static struct ide_dma_ops it821x_pass_through_dma_ops = {
30725 +static const struct ide_dma_ops it821x_pass_through_dma_ops = {
30726 .dma_host_set = ide_dma_host_set,
30727 .dma_setup = ide_dma_setup,
30728 .dma_start = it821x_dma_start,
30729 diff -urNp linux-2.6.39.3/drivers/ide/setup-pci.c linux-2.6.39.3/drivers/ide/setup-pci.c
30730 --- linux-2.6.39.3/drivers/ide/setup-pci.c 2011-05-19 00:06:34.000000000 -0400
30731 +++ linux-2.6.39.3/drivers/ide/setup-pci.c 2011-05-22 19:36:31.000000000 -0400
30732 @@ -542,6 +542,8 @@ int ide_pci_init_two(struct pci_dev *dev
30733 int ret, i, n_ports = dev2 ? 4 : 2;
30734 struct ide_hw hw[4], *hws[] = { NULL, NULL, NULL, NULL };
30735
30736 + pax_track_stack();
30737 +
30738 for (i = 0; i < n_ports / 2; i++) {
30739 ret = ide_setup_pci_controller(pdev[i], d, !i);
30740 if (ret < 0)
30741 diff -urNp linux-2.6.39.3/drivers/ide/trm290.c linux-2.6.39.3/drivers/ide/trm290.c
30742 --- linux-2.6.39.3/drivers/ide/trm290.c 2011-05-19 00:06:34.000000000 -0400
30743 +++ linux-2.6.39.3/drivers/ide/trm290.c 2011-05-22 19:36:31.000000000 -0400
30744 @@ -314,7 +314,7 @@ static const struct ide_tp_ops trm290_tp
30745 .output_data = ide_output_data,
30746 };
30747
30748 -static struct ide_dma_ops trm290_dma_ops = {
30749 +static const struct ide_dma_ops trm290_dma_ops = {
30750 .dma_host_set = trm290_dma_host_set,
30751 .dma_setup = trm290_dma_setup,
30752 .dma_start = trm290_dma_start,
30753 diff -urNp linux-2.6.39.3/drivers/infiniband/core/cm.c linux-2.6.39.3/drivers/infiniband/core/cm.c
30754 --- linux-2.6.39.3/drivers/infiniband/core/cm.c 2011-05-19 00:06:34.000000000 -0400
30755 +++ linux-2.6.39.3/drivers/infiniband/core/cm.c 2011-05-22 19:36:31.000000000 -0400
30756 @@ -113,7 +113,7 @@ static char const counter_group_names[CM
30757
30758 struct cm_counter_group {
30759 struct kobject obj;
30760 - atomic_long_t counter[CM_ATTR_COUNT];
30761 + atomic_long_unchecked_t counter[CM_ATTR_COUNT];
30762 };
30763
30764 struct cm_counter_attribute {
30765 @@ -1387,7 +1387,7 @@ static void cm_dup_req_handler(struct cm
30766 struct ib_mad_send_buf *msg = NULL;
30767 int ret;
30768
30769 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
30770 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
30771 counter[CM_REQ_COUNTER]);
30772
30773 /* Quick state check to discard duplicate REQs. */
30774 @@ -1765,7 +1765,7 @@ static void cm_dup_rep_handler(struct cm
30775 if (!cm_id_priv)
30776 return;
30777
30778 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
30779 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
30780 counter[CM_REP_COUNTER]);
30781 ret = cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg);
30782 if (ret)
30783 @@ -1932,7 +1932,7 @@ static int cm_rtu_handler(struct cm_work
30784 if (cm_id_priv->id.state != IB_CM_REP_SENT &&
30785 cm_id_priv->id.state != IB_CM_MRA_REP_RCVD) {
30786 spin_unlock_irq(&cm_id_priv->lock);
30787 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
30788 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
30789 counter[CM_RTU_COUNTER]);
30790 goto out;
30791 }
30792 @@ -2115,7 +2115,7 @@ static int cm_dreq_handler(struct cm_wor
30793 cm_id_priv = cm_acquire_id(dreq_msg->remote_comm_id,
30794 dreq_msg->local_comm_id);
30795 if (!cm_id_priv) {
30796 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
30797 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
30798 counter[CM_DREQ_COUNTER]);
30799 cm_issue_drep(work->port, work->mad_recv_wc);
30800 return -EINVAL;
30801 @@ -2140,7 +2140,7 @@ static int cm_dreq_handler(struct cm_wor
30802 case IB_CM_MRA_REP_RCVD:
30803 break;
30804 case IB_CM_TIMEWAIT:
30805 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
30806 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
30807 counter[CM_DREQ_COUNTER]);
30808 if (cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg))
30809 goto unlock;
30810 @@ -2154,7 +2154,7 @@ static int cm_dreq_handler(struct cm_wor
30811 cm_free_msg(msg);
30812 goto deref;
30813 case IB_CM_DREQ_RCVD:
30814 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
30815 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
30816 counter[CM_DREQ_COUNTER]);
30817 goto unlock;
30818 default:
30819 @@ -2521,7 +2521,7 @@ static int cm_mra_handler(struct cm_work
30820 ib_modify_mad(cm_id_priv->av.port->mad_agent,
30821 cm_id_priv->msg, timeout)) {
30822 if (cm_id_priv->id.lap_state == IB_CM_MRA_LAP_RCVD)
30823 - atomic_long_inc(&work->port->
30824 + atomic_long_inc_unchecked(&work->port->
30825 counter_group[CM_RECV_DUPLICATES].
30826 counter[CM_MRA_COUNTER]);
30827 goto out;
30828 @@ -2530,7 +2530,7 @@ static int cm_mra_handler(struct cm_work
30829 break;
30830 case IB_CM_MRA_REQ_RCVD:
30831 case IB_CM_MRA_REP_RCVD:
30832 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
30833 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
30834 counter[CM_MRA_COUNTER]);
30835 /* fall through */
30836 default:
30837 @@ -2692,7 +2692,7 @@ static int cm_lap_handler(struct cm_work
30838 case IB_CM_LAP_IDLE:
30839 break;
30840 case IB_CM_MRA_LAP_SENT:
30841 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
30842 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
30843 counter[CM_LAP_COUNTER]);
30844 if (cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg))
30845 goto unlock;
30846 @@ -2708,7 +2708,7 @@ static int cm_lap_handler(struct cm_work
30847 cm_free_msg(msg);
30848 goto deref;
30849 case IB_CM_LAP_RCVD:
30850 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
30851 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
30852 counter[CM_LAP_COUNTER]);
30853 goto unlock;
30854 default:
30855 @@ -2992,7 +2992,7 @@ static int cm_sidr_req_handler(struct cm
30856 cur_cm_id_priv = cm_insert_remote_sidr(cm_id_priv);
30857 if (cur_cm_id_priv) {
30858 spin_unlock_irq(&cm.lock);
30859 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
30860 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
30861 counter[CM_SIDR_REQ_COUNTER]);
30862 goto out; /* Duplicate message. */
30863 }
30864 @@ -3204,10 +3204,10 @@ static void cm_send_handler(struct ib_ma
30865 if (!msg->context[0] && (attr_index != CM_REJ_COUNTER))
30866 msg->retries = 1;
30867
30868 - atomic_long_add(1 + msg->retries,
30869 + atomic_long_add_unchecked(1 + msg->retries,
30870 &port->counter_group[CM_XMIT].counter[attr_index]);
30871 if (msg->retries)
30872 - atomic_long_add(msg->retries,
30873 + atomic_long_add_unchecked(msg->retries,
30874 &port->counter_group[CM_XMIT_RETRIES].
30875 counter[attr_index]);
30876
30877 @@ -3417,7 +3417,7 @@ static void cm_recv_handler(struct ib_ma
30878 }
30879
30880 attr_id = be16_to_cpu(mad_recv_wc->recv_buf.mad->mad_hdr.attr_id);
30881 - atomic_long_inc(&port->counter_group[CM_RECV].
30882 + atomic_long_inc_unchecked(&port->counter_group[CM_RECV].
30883 counter[attr_id - CM_ATTR_ID_OFFSET]);
30884
30885 work = kmalloc(sizeof *work + sizeof(struct ib_sa_path_rec) * paths,
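Review bot: The index `attr_id - CM_ATTR_ID_OFFSET` in the converted `atomic_long_inc_unchecked()` call is derived from the header of a received MAD, and nothing in this hunk shows it being range-checked against the `counter[CM_ATTR_COUNT]` array. cm_recv_handler starts outside the hunk, so the block closing at the `}` above presumably rejects unknown attribute ids before this point. That should be confirmed, because the `_unchecked` variant only drops overflow detection and adds no bounds protection. If the check is there, I would record the dependency next to the increment: `/* attr_id validated above; index stays below CM_ATTR_COUNT */`.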
30886 @@ -3615,7 +3615,7 @@ static ssize_t cm_show_counter(struct ko
30887 cm_attr = container_of(attr, struct cm_counter_attribute, attr);
30888
30889 return sprintf(buf, "%ld\n",
30890 - atomic_long_read(&group->counter[cm_attr->index]));
30891 + atomic_long_read_unchecked(&group->counter[cm_attr->index]));
30892 }
30893
30894 static const struct sysfs_ops cm_counter_ops = {
30895 diff -urNp linux-2.6.39.3/drivers/infiniband/core/fmr_pool.c linux-2.6.39.3/drivers/infiniband/core/fmr_pool.c
30896 --- linux-2.6.39.3/drivers/infiniband/core/fmr_pool.c 2011-05-19 00:06:34.000000000 -0400
30897 +++ linux-2.6.39.3/drivers/infiniband/core/fmr_pool.c 2011-05-22 19:36:31.000000000 -0400
30898 @@ -97,8 +97,8 @@ struct ib_fmr_pool {
30899
30900 struct task_struct *thread;
30901
30902 - atomic_t req_ser;
30903 - atomic_t flush_ser;
30904 + atomic_unchecked_t req_ser;
30905 + atomic_unchecked_t flush_ser;
30906
30907 wait_queue_head_t force_wait;
30908 };
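Review bot: `req_ser` and `flush_ser` lose overflow detection here without a comment saying why that is safe. The later hunks in this file compare them by signed difference (`atomic_read_unchecked(&pool->flush_ser) - atomic_read_unchecked(&pool->req_ser) < 0` in ib_fmr_cleanup_thread, `- serial >= 0` in ib_flush_fmr_pool), so they are wrapping serial numbers rather than reference counts. I would say so at the declaration: `/* serial numbers compared by signed difference; wraparound is intended, not a refcount */`. The struct body begins outside this hunk.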
30909 @@ -179,10 +179,10 @@ static int ib_fmr_cleanup_thread(void *p
30910 struct ib_fmr_pool *pool = pool_ptr;
30911
30912 do {
30913 - if (atomic_read(&pool->flush_ser) - atomic_read(&pool->req_ser) < 0) {
30914 + if (atomic_read_unchecked(&pool->flush_ser) - atomic_read_unchecked(&pool->req_ser) < 0) {
30915 ib_fmr_batch_release(pool);
30916
30917 - atomic_inc(&pool->flush_ser);
30918 + atomic_inc_unchecked(&pool->flush_ser);
30919 wake_up_interruptible(&pool->force_wait);
30920
30921 if (pool->flush_function)
30922 @@ -190,7 +190,7 @@ static int ib_fmr_cleanup_thread(void *p
30923 }
30924
30925 set_current_state(TASK_INTERRUPTIBLE);
30926 - if (atomic_read(&pool->flush_ser) - atomic_read(&pool->req_ser) >= 0 &&
30927 + if (atomic_read_unchecked(&pool->flush_ser) - atomic_read_unchecked(&pool->req_ser) >= 0 &&
30928 !kthread_should_stop())
30929 schedule();
30930 __set_current_state(TASK_RUNNING);
30931 @@ -282,8 +282,8 @@ struct ib_fmr_pool *ib_create_fmr_pool(s
30932 pool->dirty_watermark = params->dirty_watermark;
30933 pool->dirty_len = 0;
30934 spin_lock_init(&pool->pool_lock);
30935 - atomic_set(&pool->req_ser, 0);
30936 - atomic_set(&pool->flush_ser, 0);
30937 + atomic_set_unchecked(&pool->req_ser, 0);
30938 + atomic_set_unchecked(&pool->flush_ser, 0);
30939 init_waitqueue_head(&pool->force_wait);
30940
30941 pool->thread = kthread_run(ib_fmr_cleanup_thread,
30942 @@ -411,11 +411,11 @@ int ib_flush_fmr_pool(struct ib_fmr_pool
30943 }
30944 spin_unlock_irq(&pool->pool_lock);
30945
30946 - serial = atomic_inc_return(&pool->req_ser);
30947 + serial = atomic_inc_return_unchecked(&pool->req_ser);
30948 wake_up_process(pool->thread);
30949
30950 if (wait_event_interruptible(pool->force_wait,
30951 - atomic_read(&pool->flush_ser) - serial >= 0))
30952 + atomic_read_unchecked(&pool->flush_ser) - serial >= 0))
30953 return -EINTR;
30954
30955 return 0;
30956 @@ -525,7 +525,7 @@ int ib_fmr_pool_unmap(struct ib_pool_fmr
30957 } else {
30958 list_add_tail(&fmr->list, &pool->dirty_list);
30959 if (++pool->dirty_len >= pool->dirty_watermark) {
30960 - atomic_inc(&pool->req_ser);
30961 + atomic_inc_unchecked(&pool->req_ser);
30962 wake_up_process(pool->thread);
30963 }
30964 }
30965 diff -urNp linux-2.6.39.3/drivers/infiniband/hw/cxgb4/mem.c linux-2.6.39.3/drivers/infiniband/hw/cxgb4/mem.c
30966 --- linux-2.6.39.3/drivers/infiniband/hw/cxgb4/mem.c 2011-05-19 00:06:34.000000000 -0400
30967 +++ linux-2.6.39.3/drivers/infiniband/hw/cxgb4/mem.c 2011-05-22 19:36:31.000000000 -0400
30968 @@ -122,7 +122,7 @@ static int write_tpt_entry(struct c4iw_r
30969 int err;
30970 struct fw_ri_tpte tpt;
30971 u32 stag_idx;
30972 - static atomic_t key;
30973 + static atomic_unchecked_t key;
30974
30975 if (c4iw_fatal_error(rdev))
30976 return -EIO;
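Review bot: The function-static `key` is switched to `atomic_unchecked_t` with no comment explaining why losing overflow detection is acceptable. Its only visible use, in the next hunk, is `atomic_inc_return_unchecked(&key) & 0xff`, so only the low eight bits reach `*stag` and wraparound is harmless. A comment at the declaration such as `/* rolling 8-bit key for the stag; wraps by design */` would make that explicit. Because the byte is a plain sequence number shared by every caller, it should be read as a reuse tag rather than an unguessable value; whether any consumer relies on it being hard to predict is not visible here. write_tpt_entry starts and ends outside both hunks.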
30977 @@ -135,7 +135,7 @@ static int write_tpt_entry(struct c4iw_r
30978 &rdev->resource.tpt_fifo_lock);
30979 if (!stag_idx)
30980 return -ENOMEM;
30981 - *stag = (stag_idx << 8) | (atomic_inc_return(&key) & 0xff);
30982 + *stag = (stag_idx << 8) | (atomic_inc_return_unchecked(&key) & 0xff);
30983 }
30984 PDBG("%s stag_state 0x%0x type 0x%0x pdid 0x%0x, stag_idx 0x%x\n",
30985 __func__, stag_state, type, pdid, stag_idx);
30986 diff -urNp linux-2.6.39.3/drivers/infiniband/hw/ipath/ipath_dma.c linux-2.6.39.3/drivers/infiniband/hw/ipath/ipath_dma.c
30987 --- linux-2.6.39.3/drivers/infiniband/hw/ipath/ipath_dma.c 2011-05-19 00:06:34.000000000 -0400
30988 +++ linux-2.6.39.3/drivers/infiniband/hw/ipath/ipath_dma.c 2011-05-22 19:36:31.000000000 -0400
30989 @@ -175,7 +175,7 @@ static void ipath_dma_free_coherent(stru
30990 free_pages((unsigned long) cpu_addr, get_order(size));
30991 }
30992
30993 -struct ib_dma_mapping_ops ipath_dma_mapping_ops = {
30994 +const struct ib_dma_mapping_ops ipath_dma_mapping_ops = {
30995 ipath_mapping_error,
30996 ipath_dma_map_single,
30997 ipath_dma_unmap_single,
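Review bot: The table made `const` here is still filled positionally (`ipath_mapping_error, ipath_dma_map_single, ...`), so each function pointer is bound to its slot only by its position in `struct ib_dma_mapping_ops`. If the member order ever changes, entries with compatible signatures would land in the wrong slot without a compiler diagnostic. Designated initializers avoid that, e.g. `.mapping_error = ipath_mapping_error,` and likewise for the remaining members. The initializer continues past the end of the hunk.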
30998 diff -urNp linux-2.6.39.3/drivers/infiniband/hw/ipath/ipath_fs.c linux-2.6.39.3/drivers/infiniband/hw/ipath/ipath_fs.c
30999 --- linux-2.6.39.3/drivers/infiniband/hw/ipath/ipath_fs.c 2011-05-19 00:06:34.000000000 -0400
31000 +++ linux-2.6.39.3/drivers/infiniband/hw/ipath/ipath_fs.c 2011-05-22 19:36:31.000000000 -0400
31001 @@ -113,6 +113,8 @@ static ssize_t atomic_counters_read(stru
31002 struct infinipath_counters counters;
31003 struct ipath_devdata *dd;
31004
31005 + pax_track_stack();
31006 +
31007 dd = file->f_path.dentry->d_inode->i_private;
31008 dd->ipath_f_read_counters(dd, &counters);
31009
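Review bot: `counters` is declared without an initializer and is filled only by the `dd->ipath_f_read_counters(dd, &counters)` callback; the added `pax_track_stack()` call does not initialise it. The rest of atomic_counters_read lies outside the hunk, but if it hands the structure back to the reader, any member or padding the callback leaves unwritten would carry stale kernel stack bytes. Clearing the structure first closes that gap regardless of what the callback writes: `memset(&counters, 0, sizeof(counters));` placed before the callback.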
31010 diff -urNp linux-2.6.39.3/drivers/infiniband/hw/ipath/ipath_rc.c linux-2.6.39.3/drivers/infiniband/hw/ipath/ipath_rc.c
31011 --- linux-2.6.39.3/drivers/infiniband/hw/ipath/ipath_rc.c 2011-05-19 00:06:34.000000000 -0400
31012 +++ linux-2.6.39.3/drivers/infiniband/hw/ipath/ipath_rc.c 2011-05-22 19:36:31.000000000 -0400
31013 @@ -1868,7 +1868,7 @@ void ipath_rc_rcv(struct ipath_ibdev *de
31014 struct ib_atomic_eth *ateth;
31015 struct ipath_ack_entry *e;
31016 u64 vaddr;
31017 - atomic64_t *maddr;
31018 + atomic64_unchecked_t *maddr;
31019 u64 sdata;
31020 u32 rkey;
31021 u8 next;
31022 @@ -1903,11 +1903,11 @@ void ipath_rc_rcv(struct ipath_ibdev *de
31023 IB_ACCESS_REMOTE_ATOMIC)))
31024 goto nack_acc_unlck;
31025 /* Perform atomic OP and save result. */
31026 - maddr = (atomic64_t *) qp->r_sge.sge.vaddr;
31027 + maddr = (atomic64_unchecked_t *) qp->r_sge.sge.vaddr;
31028 sdata = be64_to_cpu(ateth->swap_data);
31029 e = &qp->s_ack_queue[qp->r_head_ack_queue];
31030 e->atomic_data = (opcode == OP(FETCH_ADD)) ?
31031 - (u64) atomic64_add_return(sdata, maddr) - sdata :
31032 + (u64) atomic64_add_return_unchecked(sdata, maddr) - sdata :
31033 (u64) cmpxchg((u64 *) qp->r_sge.sge.vaddr,
31034 be64_to_cpu(ateth->compare_data),
31035 sdata);
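Review bot: Nothing at the converted `atomic64_add_return_unchecked(sdata, maddr)` says why overflow detection is dropped for this operation. Both the operand (`ateth->swap_data`) and the target (`qp->r_sge.sge.vaddr`) come from the incoming request, and the value is application data whose wraparound is presumably the defined result of the fetch-and-add. A checked atomic could then be driven into its overflow path by a peer, so a comment would keep someone from converting it back: `/* FETCH_ADD on registered memory: wraps by definition, not a reference count */`. The same applies to the matching hunk in ipath_ruc.c. ipath_rc_rcv starts and ends outside the hunk.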
31036 diff -urNp linux-2.6.39.3/drivers/infiniband/hw/ipath/ipath_ruc.c linux-2.6.39.3/drivers/infiniband/hw/ipath/ipath_ruc.c
31037 --- linux-2.6.39.3/drivers/infiniband/hw/ipath/ipath_ruc.c 2011-05-19 00:06:34.000000000 -0400
31038 +++ linux-2.6.39.3/drivers/infiniband/hw/ipath/ipath_ruc.c 2011-05-22 19:36:31.000000000 -0400
31039 @@ -266,7 +266,7 @@ static void ipath_ruc_loopback(struct ip
31040 unsigned long flags;
31041 struct ib_wc wc;
31042 u64 sdata;
31043 - atomic64_t *maddr;
31044 + atomic64_unchecked_t *maddr;
31045 enum ib_wc_status send_status;
31046
31047 /*
31048 @@ -382,11 +382,11 @@ again:
31049 IB_ACCESS_REMOTE_ATOMIC)))
31050 goto acc_err;
31051 /* Perform atomic OP and save result. */
31052 - maddr = (atomic64_t *) qp->r_sge.sge.vaddr;
31053 + maddr = (atomic64_unchecked_t *) qp->r_sge.sge.vaddr;
31054 sdata = wqe->wr.wr.atomic.compare_add;
31055 *(u64 *) sqp->s_sge.sge.vaddr =
31056 (wqe->wr.opcode == IB_WR_ATOMIC_FETCH_AND_ADD) ?
31057 - (u64) atomic64_add_return(sdata, maddr) - sdata :
31058 + (u64) atomic64_add_return_unchecked(sdata, maddr) - sdata :
31059 (u64) cmpxchg((u64 *) qp->r_sge.sge.vaddr,
31060 sdata, wqe->wr.wr.atomic.swap);
31061 goto send_comp;
31062 diff -urNp linux-2.6.39.3/drivers/infiniband/hw/ipath/ipath_verbs.h linux-2.6.39.3/drivers/infiniband/hw/ipath/ipath_verbs.h
31063 --- linux-2.6.39.3/drivers/infiniband/hw/ipath/ipath_verbs.h 2011-05-19 00:06:34.000000000 -0400
31064 +++ linux-2.6.39.3/drivers/infiniband/hw/ipath/ipath_verbs.h 2011-05-22 19:36:31.000000000 -0400
31065 @@ -931,6 +931,6 @@ extern unsigned int ib_ipath_max_srq_wrs
31066
31067 extern const u32 ib_ipath_rnr_table[];
31068
31069 -extern struct ib_dma_mapping_ops ipath_dma_mapping_ops;
31070 +extern const struct ib_dma_mapping_ops ipath_dma_mapping_ops;
31071
31072 #endif /* IPATH_VERBS_H */
31073 diff -urNp linux-2.6.39.3/drivers/infiniband/hw/nes/nes.c linux-2.6.39.3/drivers/infiniband/hw/nes/nes.c
31074 --- linux-2.6.39.3/drivers/infiniband/hw/nes/nes.c 2011-05-19 00:06:34.000000000 -0400
31075 +++ linux-2.6.39.3/drivers/infiniband/hw/nes/nes.c 2011-05-22 19:36:31.000000000 -0400
31076 @@ -103,7 +103,7 @@ MODULE_PARM_DESC(limit_maxrdreqsz, "Limi
31077 LIST_HEAD(nes_adapter_list);
31078 static LIST_HEAD(nes_dev_list);
31079
31080 -atomic_t qps_destroyed;
31081 +atomic_unchecked_t qps_destroyed;
31082
31083 static unsigned int ee_flsh_adapter;
31084 static unsigned int sysfs_nonidx_addr;
31085 @@ -275,7 +275,7 @@ static void nes_cqp_rem_ref_callback(str
31086 struct nes_qp *nesqp = cqp_request->cqp_callback_pointer;
31087 struct nes_adapter *nesadapter = nesdev->nesadapter;
31088
31089 - atomic_inc(&qps_destroyed);
31090 + atomic_inc_unchecked(&qps_destroyed);
31091
31092 /* Free the control structures */
31093
31094 diff -urNp linux-2.6.39.3/drivers/infiniband/hw/nes/nes_cm.c linux-2.6.39.3/drivers/infiniband/hw/nes/nes_cm.c
31095 --- linux-2.6.39.3/drivers/infiniband/hw/nes/nes_cm.c 2011-05-19 00:06:34.000000000 -0400
31096 +++ linux-2.6.39.3/drivers/infiniband/hw/nes/nes_cm.c 2011-05-22 19:36:31.000000000 -0400
31097 @@ -68,14 +68,14 @@ u32 cm_packets_dropped;
31098 u32 cm_packets_retrans;
31099 u32 cm_packets_created;
31100 u32 cm_packets_received;
31101 -atomic_t cm_listens_created;
31102 -atomic_t cm_listens_destroyed;
31103 +atomic_unchecked_t cm_listens_created;
31104 +atomic_unchecked_t cm_listens_destroyed;
31105 u32 cm_backlog_drops;
31106 -atomic_t cm_loopbacks;
31107 -atomic_t cm_nodes_created;
31108 -atomic_t cm_nodes_destroyed;
31109 -atomic_t cm_accel_dropped_pkts;
31110 -atomic_t cm_resets_recvd;
31111 +atomic_unchecked_t cm_loopbacks;
31112 +atomic_unchecked_t cm_nodes_created;
31113 +atomic_unchecked_t cm_nodes_destroyed;
31114 +atomic_unchecked_t cm_accel_dropped_pkts;
31115 +atomic_unchecked_t cm_resets_recvd;
31116
31117 static inline int mini_cm_accelerated(struct nes_cm_core *,
31118 struct nes_cm_node *);
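Review bot: The globals converted in this hunk and in the next one (`cm_connects` through `cm_rejects`) get no comment marking them as statistics. In the hunks shown for this file they are only incremented at event sites, while the lifetime counters (`cm_core->node_cnt`, `cm_node->ref_count`) keep the checked `atomic_t` API, which is the right split. I would state the rule above each block so nobody later builds a lifetime decision on an unchecked counter: `/* statistics only; must never gate allocation or freeing */`. The `extern` declarations of these variables are not in view and need the same type.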
31119 @@ -151,13 +151,13 @@ static struct nes_cm_ops nes_cm_api = {
31120
31121 static struct nes_cm_core *g_cm_core;
31122
31123 -atomic_t cm_connects;
31124 -atomic_t cm_accepts;
31125 -atomic_t cm_disconnects;
31126 -atomic_t cm_closes;
31127 -atomic_t cm_connecteds;
31128 -atomic_t cm_connect_reqs;
31129 -atomic_t cm_rejects;
31130 +atomic_unchecked_t cm_connects;
31131 +atomic_unchecked_t cm_accepts;
31132 +atomic_unchecked_t cm_disconnects;
31133 +atomic_unchecked_t cm_closes;
31134 +atomic_unchecked_t cm_connecteds;
31135 +atomic_unchecked_t cm_connect_reqs;
31136 +atomic_unchecked_t cm_rejects;
31137
31138
31139 /**
31140 @@ -1045,7 +1045,7 @@ static int mini_cm_dec_refcnt_listen(str
31141 kfree(listener);
31142 listener = NULL;
31143 ret = 0;
31144 - atomic_inc(&cm_listens_destroyed);
31145 + atomic_inc_unchecked(&cm_listens_destroyed);
31146 } else {
31147 spin_unlock_irqrestore(&cm_core->listen_list_lock, flags);
31148 }
31149 @@ -1240,7 +1240,7 @@ static struct nes_cm_node *make_cm_node(
31150 cm_node->rem_mac);
31151
31152 add_hte_node(cm_core, cm_node);
31153 - atomic_inc(&cm_nodes_created);
31154 + atomic_inc_unchecked(&cm_nodes_created);
31155
31156 return cm_node;
31157 }
31158 @@ -1298,7 +1298,7 @@ static int rem_ref_cm_node(struct nes_cm
31159 }
31160
31161 atomic_dec(&cm_core->node_cnt);
31162 - atomic_inc(&cm_nodes_destroyed);
31163 + atomic_inc_unchecked(&cm_nodes_destroyed);
31164 nesqp = cm_node->nesqp;
31165 if (nesqp) {
31166 nesqp->cm_node = NULL;
31167 @@ -1365,7 +1365,7 @@ static int process_options(struct nes_cm
31168
31169 static void drop_packet(struct sk_buff *skb)
31170 {
31171 - atomic_inc(&cm_accel_dropped_pkts);
31172 + atomic_inc_unchecked(&cm_accel_dropped_pkts);
31173 dev_kfree_skb_any(skb);
31174 }
31175
31176 @@ -1428,7 +1428,7 @@ static void handle_rst_pkt(struct nes_cm
31177 {
31178
31179 int reset = 0; /* whether to send reset in case of err.. */
31180 - atomic_inc(&cm_resets_recvd);
31181 + atomic_inc_unchecked(&cm_resets_recvd);
31182 nes_debug(NES_DBG_CM, "Received Reset, cm_node = %p, state = %u."
31183 " refcnt=%d\n", cm_node, cm_node->state,
31184 atomic_read(&cm_node->ref_count));
31185 @@ -2057,7 +2057,7 @@ static struct nes_cm_node *mini_cm_conne
31186 rem_ref_cm_node(cm_node->cm_core, cm_node);
31187 return NULL;
31188 }
31189 - atomic_inc(&cm_loopbacks);
31190 + atomic_inc_unchecked(&cm_loopbacks);
31191 loopbackremotenode->loopbackpartner = cm_node;
31192 loopbackremotenode->tcp_cntxt.rcv_wscale =
31193 NES_CM_DEFAULT_RCV_WND_SCALE;
31194 @@ -2332,7 +2332,7 @@ static int mini_cm_recv_pkt(struct nes_c
31195 add_ref_cm_node(cm_node);
31196 } else if (cm_node->state == NES_CM_STATE_TSA) {
31197 rem_ref_cm_node(cm_core, cm_node);
31198 - atomic_inc(&cm_accel_dropped_pkts);
31199 + atomic_inc_unchecked(&cm_accel_dropped_pkts);
31200 dev_kfree_skb_any(skb);
31201 break;
31202 }
31203 @@ -2638,7 +2638,7 @@ static int nes_cm_disconn_true(struct ne
31204
31205 if ((cm_id) && (cm_id->event_handler)) {
31206 if (issue_disconn) {
31207 - atomic_inc(&cm_disconnects);
31208 + atomic_inc_unchecked(&cm_disconnects);
31209 cm_event.event = IW_CM_EVENT_DISCONNECT;
31210 cm_event.status = disconn_status;
31211 cm_event.local_addr = cm_id->local_addr;
31212 @@ -2660,7 +2660,7 @@ static int nes_cm_disconn_true(struct ne
31213 }
31214
31215 if (issue_close) {
31216 - atomic_inc(&cm_closes);
31217 + atomic_inc_unchecked(&cm_closes);
31218 nes_disconnect(nesqp, 1);
31219
31220 cm_id->provider_data = nesqp;
31221 @@ -2791,7 +2791,7 @@ int nes_accept(struct iw_cm_id *cm_id, s
31222
31223 nes_debug(NES_DBG_CM, "QP%u, cm_node=%p, jiffies = %lu listener = %p\n",
31224 nesqp->hwqp.qp_id, cm_node, jiffies, cm_node->listener);
31225 - atomic_inc(&cm_accepts);
31226 + atomic_inc_unchecked(&cm_accepts);
31227
31228 nes_debug(NES_DBG_CM, "netdev refcnt = %u.\n",
31229 netdev_refcnt_read(nesvnic->netdev));
31230 @@ -3001,7 +3001,7 @@ int nes_reject(struct iw_cm_id *cm_id, c
31231
31232 struct nes_cm_core *cm_core;
31233
31234 - atomic_inc(&cm_rejects);
31235 + atomic_inc_unchecked(&cm_rejects);
31236 cm_node = (struct nes_cm_node *) cm_id->provider_data;
31237 loopback = cm_node->loopbackpartner;
31238 cm_core = cm_node->cm_core;
31239 @@ -3067,7 +3067,7 @@ int nes_connect(struct iw_cm_id *cm_id,
31240 ntohl(cm_id->local_addr.sin_addr.s_addr),
31241 ntohs(cm_id->local_addr.sin_port));
31242
31243 - atomic_inc(&cm_connects);
31244 + atomic_inc_unchecked(&cm_connects);
31245 nesqp->active_conn = 1;
31246
31247 /* cache the cm_id in the qp */
31248 @@ -3173,7 +3173,7 @@ int nes_create_listen(struct iw_cm_id *c
31249 g_cm_core->api->stop_listener(g_cm_core, (void *)cm_node);
31250 return err;
31251 }
31252 - atomic_inc(&cm_listens_created);
31253 + atomic_inc_unchecked(&cm_listens_created);
31254 }
31255
31256 cm_id->add_ref(cm_id);
31257 @@ -3278,7 +3278,7 @@ static void cm_event_connected(struct ne
31258 if (nesqp->destroyed) {
31259 return;
31260 }
31261 - atomic_inc(&cm_connecteds);
31262 + atomic_inc_unchecked(&cm_connecteds);
31263 nes_debug(NES_DBG_CM, "QP%u attempting to connect to 0x%08X:0x%04X on"
31264 " local port 0x%04X. jiffies = %lu.\n",
31265 nesqp->hwqp.qp_id,
31266 @@ -3493,7 +3493,7 @@ static void cm_event_reset(struct nes_cm
31267
31268 cm_id->add_ref(cm_id);
31269 ret = cm_id->event_handler(cm_id, &cm_event);
31270 - atomic_inc(&cm_closes);
31271 + atomic_inc_unchecked(&cm_closes);
31272 cm_event.event = IW_CM_EVENT_CLOSE;
31273 cm_event.status = IW_CM_EVENT_STATUS_OK;
31274 cm_event.provider_data = cm_id->provider_data;
31275 @@ -3529,7 +3529,7 @@ static void cm_event_mpa_req(struct nes_
31276 return;
31277 cm_id = cm_node->cm_id;
31278
31279 - atomic_inc(&cm_connect_reqs);
31280 + atomic_inc_unchecked(&cm_connect_reqs);
31281 nes_debug(NES_DBG_CM, "cm_node = %p - cm_id = %p, jiffies = %lu\n",
31282 cm_node, cm_id, jiffies);
31283
31284 @@ -3567,7 +3567,7 @@ static void cm_event_mpa_reject(struct n
31285 return;
31286 cm_id = cm_node->cm_id;
31287
31288 - atomic_inc(&cm_connect_reqs);
31289 + atomic_inc_unchecked(&cm_connect_reqs);
31290 nes_debug(NES_DBG_CM, "cm_node = %p - cm_id = %p, jiffies = %lu\n",
31291 cm_node, cm_id, jiffies);
31292
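Review bot: cm_event_mpa_reject increments `cm_connect_reqs`, the same counter that cm_event_mpa_req bumps in the preceding hunk, so a received MPA reject is counted as a connect request in the values nes_netdev_get_ethtool_stats reports. The switch to `atomic_inc_unchecked` carries that over unchanged. If it is a copy-paste leftover rather than intended, the line would use a reject counter instead, for example `atomic_inc_unchecked(&cm_rejects);`. Both functions start and end outside their hunks, so the surrounding logic could not be checked.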
31293 diff -urNp linux-2.6.39.3/drivers/infiniband/hw/nes/nes.h linux-2.6.39.3/drivers/infiniband/hw/nes/nes.h
31294 --- linux-2.6.39.3/drivers/infiniband/hw/nes/nes.h 2011-05-19 00:06:34.000000000 -0400
31295 +++ linux-2.6.39.3/drivers/infiniband/hw/nes/nes.h 2011-05-22 19:36:31.000000000 -0400
31296 @@ -175,17 +175,17 @@ extern unsigned int nes_debug_level;
31297 extern unsigned int wqm_quanta;
31298 extern struct list_head nes_adapter_list;
31299
31300 -extern atomic_t cm_connects;
31301 -extern atomic_t cm_accepts;
31302 -extern atomic_t cm_disconnects;
31303 -extern atomic_t cm_closes;
31304 -extern atomic_t cm_connecteds;
31305 -extern atomic_t cm_connect_reqs;
31306 -extern atomic_t cm_rejects;
31307 -extern atomic_t mod_qp_timouts;
31308 -extern atomic_t qps_created;
31309 -extern atomic_t qps_destroyed;
31310 -extern atomic_t sw_qps_destroyed;
31311 +extern atomic_unchecked_t cm_connects;
31312 +extern atomic_unchecked_t cm_accepts;
31313 +extern atomic_unchecked_t cm_disconnects;
31314 +extern atomic_unchecked_t cm_closes;
31315 +extern atomic_unchecked_t cm_connecteds;
31316 +extern atomic_unchecked_t cm_connect_reqs;
31317 +extern atomic_unchecked_t cm_rejects;
31318 +extern atomic_unchecked_t mod_qp_timouts;
31319 +extern atomic_unchecked_t qps_created;
31320 +extern atomic_unchecked_t qps_destroyed;
31321 +extern atomic_unchecked_t sw_qps_destroyed;
31322 extern u32 mh_detected;
31323 extern u32 mh_pauses_sent;
31324 extern u32 cm_packets_sent;
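Review bot: Nothing at these declarations says why the counters become `atomic_unchecked_t`, and the same applies to the second hunk in this header. In the hunks visible here they are only incremented and then read into `target_stat_values` by nes_netdev_get_ethtool_stats, so they look like pure statistics where wraparound is harmless. A one-line comment above the group, such as `/* statistics only, never used as reference counts: wraparound is harmless */`, would let a later reader confirm that none of them guards an object lifetime. The updates of `cm_nodes_created`, `cm_listens_destroyed`, `qps_destroyed` and `mod_qp_timouts` are not in this part of the patch, so their use should be checked against the full files.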
31325 @@ -194,14 +194,14 @@ extern u32 cm_packets_created;
31326 extern u32 cm_packets_received;
31327 extern u32 cm_packets_dropped;
31328 extern u32 cm_packets_retrans;
31329 -extern atomic_t cm_listens_created;
31330 -extern atomic_t cm_listens_destroyed;
31331 +extern atomic_unchecked_t cm_listens_created;
31332 +extern atomic_unchecked_t cm_listens_destroyed;
31333 extern u32 cm_backlog_drops;
31334 -extern atomic_t cm_loopbacks;
31335 -extern atomic_t cm_nodes_created;
31336 -extern atomic_t cm_nodes_destroyed;
31337 -extern atomic_t cm_accel_dropped_pkts;
31338 -extern atomic_t cm_resets_recvd;
31339 +extern atomic_unchecked_t cm_loopbacks;
31340 +extern atomic_unchecked_t cm_nodes_created;
31341 +extern atomic_unchecked_t cm_nodes_destroyed;
31342 +extern atomic_unchecked_t cm_accel_dropped_pkts;
31343 +extern atomic_unchecked_t cm_resets_recvd;
31344
31345 extern u32 int_mod_timer_init;
31346 extern u32 int_mod_cq_depth_256;
31347 diff -urNp linux-2.6.39.3/drivers/infiniband/hw/nes/nes_nic.c linux-2.6.39.3/drivers/infiniband/hw/nes/nes_nic.c
31348 --- linux-2.6.39.3/drivers/infiniband/hw/nes/nes_nic.c 2011-05-19 00:06:34.000000000 -0400
31349 +++ linux-2.6.39.3/drivers/infiniband/hw/nes/nes_nic.c 2011-05-22 19:36:31.000000000 -0400
31350 @@ -1302,31 +1302,31 @@ static void nes_netdev_get_ethtool_stats
31351 target_stat_values[++index] = mh_detected;
31352 target_stat_values[++index] = mh_pauses_sent;
31353 target_stat_values[++index] = nesvnic->endnode_ipv4_tcp_retransmits;
31354 - target_stat_values[++index] = atomic_read(&cm_connects);
31355 - target_stat_values[++index] = atomic_read(&cm_accepts);
31356 - target_stat_values[++index] = atomic_read(&cm_disconnects);
31357 - target_stat_values[++index] = atomic_read(&cm_connecteds);
31358 - target_stat_values[++index] = atomic_read(&cm_connect_reqs);
31359 - target_stat_values[++index] = atomic_read(&cm_rejects);
31360 - target_stat_values[++index] = atomic_read(&mod_qp_timouts);
31361 - target_stat_values[++index] = atomic_read(&qps_created);
31362 - target_stat_values[++index] = atomic_read(&sw_qps_destroyed);
31363 - target_stat_values[++index] = atomic_read(&qps_destroyed);
31364 - target_stat_values[++index] = atomic_read(&cm_closes);
31365 + target_stat_values[++index] = atomic_read_unchecked(&cm_connects);
31366 + target_stat_values[++index] = atomic_read_unchecked(&cm_accepts);
31367 + target_stat_values[++index] = atomic_read_unchecked(&cm_disconnects);
31368 + target_stat_values[++index] = atomic_read_unchecked(&cm_connecteds);
31369 + target_stat_values[++index] = atomic_read_unchecked(&cm_connect_reqs);
31370 + target_stat_values[++index] = atomic_read_unchecked(&cm_rejects);
31371 + target_stat_values[++index] = atomic_read_unchecked(&mod_qp_timouts);
31372 + target_stat_values[++index] = atomic_read_unchecked(&qps_created);
31373 + target_stat_values[++index] = atomic_read_unchecked(&sw_qps_destroyed);
31374 + target_stat_values[++index] = atomic_read_unchecked(&qps_destroyed);
31375 + target_stat_values[++index] = atomic_read_unchecked(&cm_closes);
31376 target_stat_values[++index] = cm_packets_sent;
31377 target_stat_values[++index] = cm_packets_bounced;
31378 target_stat_values[++index] = cm_packets_created;
31379 target_stat_values[++index] = cm_packets_received;
31380 target_stat_values[++index] = cm_packets_dropped;
31381 target_stat_values[++index] = cm_packets_retrans;
31382 - target_stat_values[++index] = atomic_read(&cm_listens_created);
31383 - target_stat_values[++index] = atomic_read(&cm_listens_destroyed);
31384 + target_stat_values[++index] = atomic_read_unchecked(&cm_listens_created);
31385 + target_stat_values[++index] = atomic_read_unchecked(&cm_listens_destroyed);
31386 target_stat_values[++index] = cm_backlog_drops;
31387 - target_stat_values[++index] = atomic_read(&cm_loopbacks);
31388 - target_stat_values[++index] = atomic_read(&cm_nodes_created);
31389 - target_stat_values[++index] = atomic_read(&cm_nodes_destroyed);
31390 - target_stat_values[++index] = atomic_read(&cm_accel_dropped_pkts);
31391 - target_stat_values[++index] = atomic_read(&cm_resets_recvd);
31392 + target_stat_values[++index] = atomic_read_unchecked(&cm_loopbacks);
31393 + target_stat_values[++index] = atomic_read_unchecked(&cm_nodes_created);
31394 + target_stat_values[++index] = atomic_read_unchecked(&cm_nodes_destroyed);
31395 + target_stat_values[++index] = atomic_read_unchecked(&cm_accel_dropped_pkts);
31396 + target_stat_values[++index] = atomic_read_unchecked(&cm_resets_recvd);
31397 target_stat_values[++index] = nesadapter->free_4kpbl;
31398 target_stat_values[++index] = nesadapter->free_256pbl;
31399 target_stat_values[++index] = int_mod_timer_init;
31400 diff -urNp linux-2.6.39.3/drivers/infiniband/hw/nes/nes_verbs.c linux-2.6.39.3/drivers/infiniband/hw/nes/nes_verbs.c
31401 --- linux-2.6.39.3/drivers/infiniband/hw/nes/nes_verbs.c 2011-05-19 00:06:34.000000000 -0400
31402 +++ linux-2.6.39.3/drivers/infiniband/hw/nes/nes_verbs.c 2011-05-22 19:36:31.000000000 -0400
31403 @@ -46,9 +46,9 @@
31404
31405 #include <rdma/ib_umem.h>
31406
31407 -atomic_t mod_qp_timouts;
31408 -atomic_t qps_created;
31409 -atomic_t sw_qps_destroyed;
31410 +atomic_unchecked_t mod_qp_timouts;
31411 +atomic_unchecked_t qps_created;
31412 +atomic_unchecked_t sw_qps_destroyed;
31413
31414 static void nes_unregister_ofa_device(struct nes_ib_device *nesibdev);
31415
31416 @@ -1141,7 +1141,7 @@ static struct ib_qp *nes_create_qp(struc
31417 if (init_attr->create_flags)
31418 return ERR_PTR(-EINVAL);
31419
31420 - atomic_inc(&qps_created);
31421 + atomic_inc_unchecked(&qps_created);
31422 switch (init_attr->qp_type) {
31423 case IB_QPT_RC:
31424 if (nes_drv_opt & NES_DRV_OPT_NO_INLINE_DATA) {
31425 @@ -1470,7 +1470,7 @@ static int nes_destroy_qp(struct ib_qp *
31426 struct iw_cm_event cm_event;
31427 int ret;
31428
31429 - atomic_inc(&sw_qps_destroyed);
31430 + atomic_inc_unchecked(&sw_qps_destroyed);
31431 nesqp->destroyed = 1;
31432
31433 /* Blow away the connection if it exists. */
31434 diff -urNp linux-2.6.39.3/drivers/infiniband/hw/qib/qib.h linux-2.6.39.3/drivers/infiniband/hw/qib/qib.h
31435 --- linux-2.6.39.3/drivers/infiniband/hw/qib/qib.h 2011-05-19 00:06:34.000000000 -0400
31436 +++ linux-2.6.39.3/drivers/infiniband/hw/qib/qib.h 2011-05-22 19:36:31.000000000 -0400
31437 @@ -51,6 +51,7 @@
31438 #include <linux/completion.h>
31439 #include <linux/kref.h>
31440 #include <linux/sched.h>
31441 +#include <linux/slab.h>
31442
31443 #include "qib_common.h"
31444 #include "qib_verbs.h"
31445 @@ -87,7 +88,7 @@ struct qlogic_ib_stats {
31446 };
31447
31448 extern struct qlogic_ib_stats qib_stats;
31449 -extern struct pci_error_handlers qib_pci_err_handler;
31450 +extern const struct pci_error_handlers qib_pci_err_handler;
31451 extern struct pci_driver qib_driver;
31452
31453 #define QIB_CHIP_SWVERSION QIB_CHIP_VERS_MAJ
31454 diff -urNp linux-2.6.39.3/drivers/infiniband/hw/qib/qib_mmap.c linux-2.6.39.3/drivers/infiniband/hw/qib/qib_mmap.c
31455 --- linux-2.6.39.3/drivers/infiniband/hw/qib/qib_mmap.c 2011-05-19 00:06:34.000000000 -0400
31456 +++ linux-2.6.39.3/drivers/infiniband/hw/qib/qib_mmap.c 2011-05-22 19:36:31.000000000 -0400
31457 @@ -75,7 +75,7 @@ static void qib_vma_close(struct vm_area
31458 kref_put(&ip->ref, qib_release_mmap_info);
31459 }
31460
31461 -static struct vm_operations_struct qib_vm_ops = {
31462 +static const struct vm_operations_struct qib_vm_ops = {
31463 .open = qib_vma_open,
31464 .close = qib_vma_close,
31465 };
31466 diff -urNp linux-2.6.39.3/drivers/infiniband/hw/qib/qib_pcie.c linux-2.6.39.3/drivers/infiniband/hw/qib/qib_pcie.c
31467 --- linux-2.6.39.3/drivers/infiniband/hw/qib/qib_pcie.c 2011-05-19 00:06:34.000000000 -0400
31468 +++ linux-2.6.39.3/drivers/infiniband/hw/qib/qib_pcie.c 2011-05-22 19:36:31.000000000 -0400
31469 @@ -735,7 +735,7 @@ qib_pci_resume(struct pci_dev *pdev)
31470 qib_init(dd, 1); /* same as re-init after reset */
31471 }
31472
31473 -struct pci_error_handlers qib_pci_err_handler = {
31474 +const struct pci_error_handlers qib_pci_err_handler = {
31475 .error_detected = qib_pci_error_detected,
31476 .mmio_enabled = qib_pci_mmio_enabled,
31477 .link_reset = qib_pci_link_reset,
31478 diff -urNp linux-2.6.39.3/drivers/input/gameport/gameport.c linux-2.6.39.3/drivers/input/gameport/gameport.c
31479 --- linux-2.6.39.3/drivers/input/gameport/gameport.c 2011-05-19 00:06:34.000000000 -0400
31480 +++ linux-2.6.39.3/drivers/input/gameport/gameport.c 2011-05-22 19:36:31.000000000 -0400
31481 @@ -488,14 +488,14 @@ EXPORT_SYMBOL(gameport_set_phys);
31482 */
31483 static void gameport_init_port(struct gameport *gameport)
31484 {
31485 - static atomic_t gameport_no = ATOMIC_INIT(0);
31486 + static atomic_unchecked_t gameport_no = ATOMIC_INIT(0);
31487
31488 __module_get(THIS_MODULE);
31489
31490 mutex_init(&gameport->drv_mutex);
31491 device_initialize(&gameport->dev);
31492 dev_set_name(&gameport->dev, "gameport%lu",
31493 - (unsigned long)atomic_inc_return(&gameport_no) - 1);
31494 + (unsigned long)atomic_inc_return_unchecked(&gameport_no) - 1);
31495 gameport->dev.bus = &gameport_bus;
31496 gameport->dev.release = gameport_release_port;
31497 if (gameport->parent)
31498 diff -urNp linux-2.6.39.3/drivers/input/input.c linux-2.6.39.3/drivers/input/input.c
31499 --- linux-2.6.39.3/drivers/input/input.c 2011-07-09 09:18:51.000000000 -0400
31500 +++ linux-2.6.39.3/drivers/input/input.c 2011-07-09 09:19:18.000000000 -0400
31501 @@ -1815,7 +1815,7 @@ static void input_cleanse_bitmasks(struc
31502 */
31503 int input_register_device(struct input_dev *dev)
31504 {
31505 - static atomic_t input_no = ATOMIC_INIT(0);
31506 + static atomic_unchecked_t input_no = ATOMIC_INIT(0);
31507 struct input_handler *handler;
31508 const char *path;
31509 int error;
31510 @@ -1852,7 +1852,7 @@ int input_register_device(struct input_d
31511 dev->setkeycode = input_default_setkeycode;
31512
31513 dev_set_name(&dev->dev, "input%ld",
31514 - (unsigned long) atomic_inc_return(&input_no) - 1);
31515 + (unsigned long) atomic_inc_return_unchecked(&input_no) - 1);
31516
31517 error = device_add(&dev->dev);
31518 if (error)
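Review bot: The format string `"input%ld"` is signed while its argument is cast to `unsigned long`; the gameport hunk above pairs the same cast with `%lu`. Making the specifier agree with the cast, `dev_set_name(&dev->dev, "input%lu",`, removes the mismatch and prints the same name for every value below LONG_MAX. Since the counter is now explicitly allowed to wrap, it is worth being deliberate about how a wrapped value is rendered in the device name.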
31519 diff -urNp linux-2.6.39.3/drivers/input/joystick/sidewinder.c linux-2.6.39.3/drivers/input/joystick/sidewinder.c
31520 --- linux-2.6.39.3/drivers/input/joystick/sidewinder.c 2011-05-19 00:06:34.000000000 -0400
31521 +++ linux-2.6.39.3/drivers/input/joystick/sidewinder.c 2011-05-22 19:36:31.000000000 -0400
31522 @@ -30,6 +30,7 @@
31523 #include <linux/kernel.h>
31524 #include <linux/module.h>
31525 #include <linux/slab.h>
31526 +#include <linux/sched.h>
31527 #include <linux/init.h>
31528 #include <linux/input.h>
31529 #include <linux/gameport.h>
31530 @@ -428,6 +429,8 @@ static int sw_read(struct sw *sw)
31531 unsigned char buf[SW_LENGTH];
31532 int i;
31533
31534 + pax_track_stack();
31535 +
31536 i = sw_read_packet(sw->gameport, buf, sw->length, 0);
31537
31538 if (sw->type == SW_ID_3DP && sw->length == 66 && i != 66) { /* Broken packet, try to fix */
31539 diff -urNp linux-2.6.39.3/drivers/input/joystick/xpad.c linux-2.6.39.3/drivers/input/joystick/xpad.c
31540 --- linux-2.6.39.3/drivers/input/joystick/xpad.c 2011-05-19 00:06:34.000000000 -0400
31541 +++ linux-2.6.39.3/drivers/input/joystick/xpad.c 2011-05-22 19:36:31.000000000 -0400
31542 @@ -689,7 +689,7 @@ static void xpad_led_set(struct led_clas
31543
31544 static int xpad_led_probe(struct usb_xpad *xpad)
31545 {
31546 - static atomic_t led_seq = ATOMIC_INIT(0);
31547 + static atomic_unchecked_t led_seq = ATOMIC_INIT(0);
31548 long led_no;
31549 struct xpad_led *led;
31550 struct led_classdev *led_cdev;
31551 @@ -702,7 +702,7 @@ static int xpad_led_probe(struct usb_xpa
31552 if (!led)
31553 return -ENOMEM;
31554
31555 - led_no = (long)atomic_inc_return(&led_seq) - 1;
31556 + led_no = (long)atomic_inc_return_unchecked(&led_seq) - 1;
31557
31558 snprintf(led->name, sizeof(led->name), "xpad%ld", led_no);
31559 led->xpad = xpad;
31560 diff -urNp linux-2.6.39.3/drivers/input/mousedev.c linux-2.6.39.3/drivers/input/mousedev.c
31561 --- linux-2.6.39.3/drivers/input/mousedev.c 2011-07-09 09:18:51.000000000 -0400
31562 +++ linux-2.6.39.3/drivers/input/mousedev.c 2011-07-09 09:19:18.000000000 -0400
31563 @@ -764,7 +764,7 @@ static ssize_t mousedev_read(struct file
31564
31565 spin_unlock_irq(&client->packet_lock);
31566
31567 - if (copy_to_user(buffer, data, count))
31568 + if (count > sizeof(data) || copy_to_user(buffer, data, count))
31569 return -EFAULT;
31570
31571 return count;
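Review bot: The added `count > sizeof(data)` test guards only the `copy_to_user()` call, so if `data` is filled with `count` bytes earlier in mousedev_read (that part is outside the hunk), an oversized count has already overrun the stack buffer by the time this check runs. The bound belongs before the buffer is written, for example `if (count > sizeof(data)) count = sizeof(data);` ahead of the copy into `data`. Returning -EFAULT for a length problem also makes it indistinguishable from a bad user pointer.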
31572 diff -urNp linux-2.6.39.3/drivers/input/serio/serio.c linux-2.6.39.3/drivers/input/serio/serio.c
31573 --- linux-2.6.39.3/drivers/input/serio/serio.c 2011-05-19 00:06:34.000000000 -0400
31574 +++ linux-2.6.39.3/drivers/input/serio/serio.c 2011-05-22 19:36:31.000000000 -0400
31575 @@ -497,7 +497,7 @@ static void serio_release_port(struct de
31576 */
31577 static void serio_init_port(struct serio *serio)
31578 {
31579 - static atomic_t serio_no = ATOMIC_INIT(0);
31580 + static atomic_unchecked_t serio_no = ATOMIC_INIT(0);
31581
31582 __module_get(THIS_MODULE);
31583
31584 @@ -508,7 +508,7 @@ static void serio_init_port(struct serio
31585 mutex_init(&serio->drv_mutex);
31586 device_initialize(&serio->dev);
31587 dev_set_name(&serio->dev, "serio%ld",
31588 - (long)atomic_inc_return(&serio_no) - 1);
31589 + (long)atomic_inc_return_unchecked(&serio_no) - 1);
31590 serio->dev.bus = &serio_bus;
31591 serio->dev.release = serio_release_port;
31592 serio->dev.groups = serio_device_attr_groups;
31593 diff -urNp linux-2.6.39.3/drivers/isdn/capi/capi.c linux-2.6.39.3/drivers/isdn/capi/capi.c
31594 --- linux-2.6.39.3/drivers/isdn/capi/capi.c 2011-05-19 00:06:34.000000000 -0400
31595 +++ linux-2.6.39.3/drivers/isdn/capi/capi.c 2011-05-22 19:36:31.000000000 -0400
31596 @@ -89,8 +89,8 @@ struct capiminor {
31597
31598 struct capi20_appl *ap;
31599 u32 ncci;
31600 - atomic_t datahandle;
31601 - atomic_t msgid;
31602 + atomic_unchecked_t datahandle;
31603 + atomic_unchecked_t msgid;
31604
31605 struct tty_port port;
31606 int ttyinstop;
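Review bot: The two fields become `atomic_unchecked_t` without a comment saying that overflow is expected here. The later hunks write `msgid` through `capimsg_setu16()`, i.e. truncated to 16 bits, which suggests both are wrapping sequence numbers rather than reference counts. A comment above the pair, such as `/* wrapping message sequence numbers, not refcounts */`, would make that explicit. The declaration of the local `datahandle` in handle_minor_send is outside the hunk, so its width should be confirmed there.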
31607 @@ -414,7 +414,7 @@ gen_data_b3_resp_for(struct capiminor *m
31608 capimsg_setu16(s, 2, mp->ap->applid);
31609 capimsg_setu8 (s, 4, CAPI_DATA_B3);
31610 capimsg_setu8 (s, 5, CAPI_RESP);
31611 - capimsg_setu16(s, 6, atomic_inc_return(&mp->msgid));
31612 + capimsg_setu16(s, 6, atomic_inc_return_unchecked(&mp->msgid));
31613 capimsg_setu32(s, 8, mp->ncci);
31614 capimsg_setu16(s, 12, datahandle);
31615 }
31616 @@ -547,14 +547,14 @@ static void handle_minor_send(struct cap
31617 mp->outbytes -= len;
31618 spin_unlock_bh(&mp->outlock);
31619
31620 - datahandle = atomic_inc_return(&mp->datahandle);
31621 + datahandle = atomic_inc_return_unchecked(&mp->datahandle);
31622 skb_push(skb, CAPI_DATA_B3_REQ_LEN);
31623 memset(skb->data, 0, CAPI_DATA_B3_REQ_LEN);
31624 capimsg_setu16(skb->data, 0, CAPI_DATA_B3_REQ_LEN);
31625 capimsg_setu16(skb->data, 2, mp->ap->applid);
31626 capimsg_setu8 (skb->data, 4, CAPI_DATA_B3);
31627 capimsg_setu8 (skb->data, 5, CAPI_REQ);
31628 - capimsg_setu16(skb->data, 6, atomic_inc_return(&mp->msgid));
31629 + capimsg_setu16(skb->data, 6, atomic_inc_return_unchecked(&mp->msgid));
31630 capimsg_setu32(skb->data, 8, mp->ncci); /* NCCI */
31631 capimsg_setu32(skb->data, 12, (u32)(long)skb->data);/* Data32 */
31632 capimsg_setu16(skb->data, 16, len); /* Data length */
31633 diff -urNp linux-2.6.39.3/drivers/isdn/gigaset/common.c linux-2.6.39.3/drivers/isdn/gigaset/common.c
31634 --- linux-2.6.39.3/drivers/isdn/gigaset/common.c 2011-05-19 00:06:34.000000000 -0400
31635 +++ linux-2.6.39.3/drivers/isdn/gigaset/common.c 2011-05-22 19:36:31.000000000 -0400
31636 @@ -723,7 +723,7 @@ struct cardstate *gigaset_initcs(struct
31637 cs->commands_pending = 0;
31638 cs->cur_at_seq = 0;
31639 cs->gotfwver = -1;
31640 - cs->open_count = 0;
31641 + local_set(&cs->open_count, 0);
31642 cs->dev = NULL;
31643 cs->tty = NULL;
31644 cs->tty_dev = NULL;
31645 diff -urNp linux-2.6.39.3/drivers/isdn/gigaset/gigaset.h linux-2.6.39.3/drivers/isdn/gigaset/gigaset.h
31646 --- linux-2.6.39.3/drivers/isdn/gigaset/gigaset.h 2011-05-19 00:06:34.000000000 -0400
31647 +++ linux-2.6.39.3/drivers/isdn/gigaset/gigaset.h 2011-05-22 19:36:31.000000000 -0400
31648 @@ -35,6 +35,7 @@
31649 #include <linux/tty_driver.h>
31650 #include <linux/list.h>
31651 #include <asm/atomic.h>
31652 +#include <asm/local.h>
31653
31654 #define GIG_VERSION {0, 5, 0, 0}
31655 #define GIG_COMPAT {0, 4, 0, 0}
31656 @@ -433,7 +434,7 @@ struct cardstate {
31657 spinlock_t cmdlock;
31658 unsigned curlen, cmdbytes;
31659
31660 - unsigned open_count;
31661 + local_t open_count;
31662 struct tty_struct *tty;
31663 struct tasklet_struct if_wake_tasklet;
31664 unsigned control_state;
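Review bot: `local_t open_count;` has no comment explaining the type, and local_t operations are only atomic with respect to the CPU they execute on, whereas this counter lives in a per-device `struct cardstate`. The if_close hunk in interface.c still does a separate `local_read()` test followed by `local_dec_return()`, so correctness continues to depend on whatever serialization those callers hold, which is taken outside the visible hunks. A comment such as `/* open count; callers serialize access, local_t is not SMP-atomic */` would record that.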
31665 diff -urNp linux-2.6.39.3/drivers/isdn/gigaset/interface.c linux-2.6.39.3/drivers/isdn/gigaset/interface.c
31666 --- linux-2.6.39.3/drivers/isdn/gigaset/interface.c 2011-05-19 00:06:34.000000000 -0400
31667 +++ linux-2.6.39.3/drivers/isdn/gigaset/interface.c 2011-05-22 19:36:31.000000000 -0400
31668 @@ -160,9 +160,7 @@ static int if_open(struct tty_struct *tt
31669 return -ERESTARTSYS;
31670 tty->driver_data = cs;
31671
31672 - ++cs->open_count;
31673 -
31674 - if (cs->open_count == 1) {
31675 + if (local_inc_return(&cs->open_count) == 1) {
31676 spin_lock_irqsave(&cs->lock, flags);
31677 cs->tty = tty;
31678 spin_unlock_irqrestore(&cs->lock, flags);
31679 @@ -190,10 +188,10 @@ static void if_close(struct tty_struct *
31680
31681 if (!cs->connected)
31682 gig_dbg(DEBUG_IF, "not connected"); /* nothing to do */
31683 - else if (!cs->open_count)
31684 + else if (!local_read(&cs->open_count))
31685 dev_warn(cs->dev, "%s: device not opened\n", __func__);
31686 else {
31687 - if (!--cs->open_count) {
31688 + if (!local_dec_return(&cs->open_count)) {
31689 spin_lock_irqsave(&cs->lock, flags);
31690 cs->tty = NULL;
31691 spin_unlock_irqrestore(&cs->lock, flags);
31692 @@ -228,7 +226,7 @@ static int if_ioctl(struct tty_struct *t
31693 if (!cs->connected) {
31694 gig_dbg(DEBUG_IF, "not connected");
31695 retval = -ENODEV;
31696 - } else if (!cs->open_count)
31697 + } else if (!local_read(&cs->open_count))
31698 dev_warn(cs->dev, "%s: device not opened\n", __func__);
31699 else {
31700 retval = 0;
31701 @@ -358,7 +356,7 @@ static int if_write(struct tty_struct *t
31702 retval = -ENODEV;
31703 goto done;
31704 }
31705 - if (!cs->open_count) {
31706 + if (!local_read(&cs->open_count)) {
31707 dev_warn(cs->dev, "%s: device not opened\n", __func__);
31708 retval = -ENODEV;
31709 goto done;
31710 @@ -411,7 +409,7 @@ static int if_write_room(struct tty_stru
31711 if (!cs->connected) {
31712 gig_dbg(DEBUG_IF, "not connected");
31713 retval = -ENODEV;
31714 - } else if (!cs->open_count)
31715 + } else if (!local_read(&cs->open_count))
31716 dev_warn(cs->dev, "%s: device not opened\n", __func__);
31717 else if (cs->mstate != MS_LOCKED) {
31718 dev_warn(cs->dev, "can't write to unlocked device\n");
31719 @@ -441,7 +439,7 @@ static int if_chars_in_buffer(struct tty
31720
31721 if (!cs->connected)
31722 gig_dbg(DEBUG_IF, "not connected");
31723 - else if (!cs->open_count)
31724 + else if (!local_read(&cs->open_count))
31725 dev_warn(cs->dev, "%s: device not opened\n", __func__);
31726 else if (cs->mstate != MS_LOCKED)
31727 dev_warn(cs->dev, "can't write to unlocked device\n");
31728 @@ -469,7 +467,7 @@ static void if_throttle(struct tty_struc
31729
31730 if (!cs->connected)
31731 gig_dbg(DEBUG_IF, "not connected"); /* nothing to do */
31732 - else if (!cs->open_count)
31733 + else if (!local_read(&cs->open_count))
31734 dev_warn(cs->dev, "%s: device not opened\n", __func__);
31735 else
31736 gig_dbg(DEBUG_IF, "%s: not implemented\n", __func__);
31737 @@ -493,7 +491,7 @@ static void if_unthrottle(struct tty_str
31738
31739 if (!cs->connected)
31740 gig_dbg(DEBUG_IF, "not connected"); /* nothing to do */
31741 - else if (!cs->open_count)
31742 + else if (!local_read(&cs->open_count))
31743 dev_warn(cs->dev, "%s: device not opened\n", __func__);
31744 else
31745 gig_dbg(DEBUG_IF, "%s: not implemented\n", __func__);
31746 @@ -524,7 +522,7 @@ static void if_set_termios(struct tty_st
31747 goto out;
31748 }
31749
31750 - if (!cs->open_count) {
31751 + if (!local_read(&cs->open_count)) {
31752 dev_warn(cs->dev, "%s: device not opened\n", __func__);
31753 goto out;
31754 }
31755 diff -urNp linux-2.6.39.3/drivers/isdn/hardware/avm/b1.c linux-2.6.39.3/drivers/isdn/hardware/avm/b1.c
31756 --- linux-2.6.39.3/drivers/isdn/hardware/avm/b1.c 2011-05-19 00:06:34.000000000 -0400
31757 +++ linux-2.6.39.3/drivers/isdn/hardware/avm/b1.c 2011-05-22 19:36:31.000000000 -0400
31758 @@ -176,7 +176,7 @@ int b1_load_t4file(avmcard *card, capilo
31759 }
31760 if (left) {
31761 if (t4file->user) {
31762 - if (copy_from_user(buf, dp, left))
31763 + if (left > sizeof buf || copy_from_user(buf, dp, left))
31764 return -EFAULT;
31765 } else {
31766 memcpy(buf, dp, left);
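Review bot: The new `left > sizeof buf` bound is applied only on the `t4file->user` path; the `else` branch still runs `memcpy(buf, dp, left)` with the same unchecked `left`, and the b1_load_config hunk below has the same shape. Hoisting the test above the branch, `if (left > sizeof buf) return -EFAULT;` before `if (t4file->user)`, covers both sources. How `left` is derived is outside the hunk, so whether it can exceed the buffer in practice could not be confirmed here.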
31767 @@ -224,7 +224,7 @@ int b1_load_config(avmcard *card, capilo
31768 }
31769 if (left) {
31770 if (config->user) {
31771 - if (copy_from_user(buf, dp, left))
31772 + if (left > sizeof buf || copy_from_user(buf, dp, left))
31773 return -EFAULT;
31774 } else {
31775 memcpy(buf, dp, left);
31776 diff -urNp linux-2.6.39.3/drivers/isdn/hardware/eicon/capidtmf.c linux-2.6.39.3/drivers/isdn/hardware/eicon/capidtmf.c
31777 --- linux-2.6.39.3/drivers/isdn/hardware/eicon/capidtmf.c 2011-05-19 00:06:34.000000000 -0400
31778 +++ linux-2.6.39.3/drivers/isdn/hardware/eicon/capidtmf.c 2011-05-22 19:36:31.000000000 -0400
31779 @@ -498,6 +498,7 @@ void capidtmf_recv_block (t_capidtmf_sta
31780 byte goertzel_result_buffer[CAPIDTMF_RECV_TOTAL_FREQUENCY_COUNT];
31781 short windowed_sample_buffer[CAPIDTMF_RECV_WINDOWED_SAMPLES];
31782
31783 + pax_track_stack();
31784
31785 if (p_state->recv.state & CAPIDTMF_RECV_STATE_DTMF_ACTIVE)
31786 {
31787 diff -urNp linux-2.6.39.3/drivers/isdn/hardware/eicon/capifunc.c linux-2.6.39.3/drivers/isdn/hardware/eicon/capifunc.c
31788 --- linux-2.6.39.3/drivers/isdn/hardware/eicon/capifunc.c 2011-05-19 00:06:34.000000000 -0400
31789 +++ linux-2.6.39.3/drivers/isdn/hardware/eicon/capifunc.c 2011-05-22 19:36:31.000000000 -0400
31790 @@ -1055,6 +1055,8 @@ static int divacapi_connect_didd(void)
31791 IDI_SYNC_REQ req;
31792 DESCRIPTOR DIDD_Table[MAX_DESCRIPTORS];
31793
31794 + pax_track_stack();
31795 +
31796 DIVA_DIDD_Read(DIDD_Table, sizeof(DIDD_Table));
31797
31798 for (x = 0; x < MAX_DESCRIPTORS; x++) {
31799 diff -urNp linux-2.6.39.3/drivers/isdn/hardware/eicon/diddfunc.c linux-2.6.39.3/drivers/isdn/hardware/eicon/diddfunc.c
31800 --- linux-2.6.39.3/drivers/isdn/hardware/eicon/diddfunc.c 2011-05-19 00:06:34.000000000 -0400
31801 +++ linux-2.6.39.3/drivers/isdn/hardware/eicon/diddfunc.c 2011-05-22 19:36:31.000000000 -0400
31802 @@ -54,6 +54,8 @@ static int DIVA_INIT_FUNCTION connect_di
31803 IDI_SYNC_REQ req;
31804 DESCRIPTOR DIDD_Table[MAX_DESCRIPTORS];
31805
31806 + pax_track_stack();
31807 +
31808 DIVA_DIDD_Read(DIDD_Table, sizeof(DIDD_Table));
31809
31810 for (x = 0; x < MAX_DESCRIPTORS; x++) {
31811 diff -urNp linux-2.6.39.3/drivers/isdn/hardware/eicon/divasfunc.c linux-2.6.39.3/drivers/isdn/hardware/eicon/divasfunc.c
31812 --- linux-2.6.39.3/drivers/isdn/hardware/eicon/divasfunc.c 2011-05-19 00:06:34.000000000 -0400
31813 +++ linux-2.6.39.3/drivers/isdn/hardware/eicon/divasfunc.c 2011-05-22 19:36:31.000000000 -0400
31814 @@ -161,6 +161,8 @@ static int DIVA_INIT_FUNCTION connect_di
31815 IDI_SYNC_REQ req;
31816 DESCRIPTOR DIDD_Table[MAX_DESCRIPTORS];
31817
31818 + pax_track_stack();
31819 +
31820 DIVA_DIDD_Read(DIDD_Table, sizeof(DIDD_Table));
31821
31822 for (x = 0; x < MAX_DESCRIPTORS; x++) {
31823 diff -urNp linux-2.6.39.3/drivers/isdn/hardware/eicon/idifunc.c linux-2.6.39.3/drivers/isdn/hardware/eicon/idifunc.c
31824 --- linux-2.6.39.3/drivers/isdn/hardware/eicon/idifunc.c 2011-05-19 00:06:34.000000000 -0400
31825 +++ linux-2.6.39.3/drivers/isdn/hardware/eicon/idifunc.c 2011-05-22 19:36:31.000000000 -0400
31826 @@ -188,6 +188,8 @@ static int DIVA_INIT_FUNCTION connect_di
31827 IDI_SYNC_REQ req;
31828 DESCRIPTOR DIDD_Table[MAX_DESCRIPTORS];
31829
31830 + pax_track_stack();
31831 +
31832 DIVA_DIDD_Read(DIDD_Table, sizeof(DIDD_Table));
31833
31834 for (x = 0; x < MAX_DESCRIPTORS; x++) {
31835 diff -urNp linux-2.6.39.3/drivers/isdn/hardware/eicon/message.c linux-2.6.39.3/drivers/isdn/hardware/eicon/message.c
31836 --- linux-2.6.39.3/drivers/isdn/hardware/eicon/message.c 2011-05-19 00:06:34.000000000 -0400
31837 +++ linux-2.6.39.3/drivers/isdn/hardware/eicon/message.c 2011-05-22 19:36:31.000000000 -0400
31838 @@ -4889,6 +4889,8 @@ static void sig_ind(PLCI *plci)
31839 dword d;
31840 word w;
31841
31842 + pax_track_stack();
31843 +
31844 a = plci->adapter;
31845 Id = ((word)plci->Id<<8)|a->Id;
31846 PUT_WORD(&SS_Ind[4],0x0000);
31847 @@ -7484,6 +7486,8 @@ static word add_b1(PLCI *plci, API_PARSE
31848 word j, n, w;
31849 dword d;
31850
31851 + pax_track_stack();
31852 +
31853
31854 for(i=0;i<8;i++) bp_parms[i].length = 0;
31855 for(i=0;i<2;i++) global_config[i].length = 0;
31856 @@ -7958,6 +7962,8 @@ static word add_b23(PLCI *plci, API_PARS
31857 const byte llc3[] = {4,3,2,2,6,6,0};
31858 const byte header[] = {0,2,3,3,0,0,0};
31859
31860 + pax_track_stack();
31861 +
31862 for(i=0;i<8;i++) bp_parms[i].length = 0;
31863 for(i=0;i<6;i++) b2_config_parms[i].length = 0;
31864 for(i=0;i<5;i++) b3_config_parms[i].length = 0;
31865 @@ -14760,6 +14766,8 @@ static void group_optimization(DIVA_CAPI
31866 word appl_number_group_type[MAX_APPL];
31867 PLCI *auxplci;
31868
31869 + pax_track_stack();
31870 +
31871 set_group_ind_mask (plci); /* all APPLs within this inc. call are allowed to dial in */
31872
31873 if(!a->group_optimization_enabled)
31874 diff -urNp linux-2.6.39.3/drivers/isdn/hardware/eicon/mntfunc.c linux-2.6.39.3/drivers/isdn/hardware/eicon/mntfunc.c
31875 --- linux-2.6.39.3/drivers/isdn/hardware/eicon/mntfunc.c 2011-05-19 00:06:34.000000000 -0400
31876 +++ linux-2.6.39.3/drivers/isdn/hardware/eicon/mntfunc.c 2011-05-22 19:36:31.000000000 -0400
31877 @@ -79,6 +79,8 @@ static int DIVA_INIT_FUNCTION connect_di
31878 IDI_SYNC_REQ req;
31879 DESCRIPTOR DIDD_Table[MAX_DESCRIPTORS];
31880
31881 + pax_track_stack();
31882 +
31883 DIVA_DIDD_Read(DIDD_Table, sizeof(DIDD_Table));
31884
31885 for (x = 0; x < MAX_DESCRIPTORS; x++) {
31886 diff -urNp linux-2.6.39.3/drivers/isdn/i4l/isdn_common.c linux-2.6.39.3/drivers/isdn/i4l/isdn_common.c
31887 --- linux-2.6.39.3/drivers/isdn/i4l/isdn_common.c 2011-05-19 00:06:34.000000000 -0400
31888 +++ linux-2.6.39.3/drivers/isdn/i4l/isdn_common.c 2011-05-22 19:36:31.000000000 -0400
31889 @@ -1292,6 +1292,8 @@ isdn_ioctl(struct file *file, uint cmd,
31890 } iocpar;
31891 void __user *argp = (void __user *)arg;
31892
31893 + pax_track_stack();
31894 +
31895 #define name iocpar.name
31896 #define bname iocpar.bname
31897 #define iocts iocpar.iocts
31898 diff -urNp linux-2.6.39.3/drivers/isdn/i4l/isdn_net.c linux-2.6.39.3/drivers/isdn/i4l/isdn_net.c
31899 --- linux-2.6.39.3/drivers/isdn/i4l/isdn_net.c 2011-05-19 00:06:34.000000000 -0400
31900 +++ linux-2.6.39.3/drivers/isdn/i4l/isdn_net.c 2011-05-22 19:36:31.000000000 -0400
31901 @@ -400,7 +400,7 @@ isdn_net_stat_callback(int idx, isdn_ctr
31902 isdn_net_local *lp = p->local;
31903 #ifdef CONFIG_ISDN_X25
31904 struct concap_proto *cprot = lp->netdev->cprot;
31905 - struct concap_proto_ops *pops = cprot ? cprot->pops : NULL;
31906 + const struct concap_proto_ops *pops = cprot ? cprot->pops : NULL;
31907 #endif
31908 switch (cmd) {
31909 case ISDN_STAT_BSENT:
31910 @@ -831,7 +831,7 @@ isdn_net_hangup(struct net_device *d)
31911 isdn_ctrl cmd;
31912 #ifdef CONFIG_ISDN_X25
31913 struct concap_proto *cprot = lp->netdev->cprot;
31914 - struct concap_proto_ops *pops = cprot ? cprot->pops : NULL;
31915 + const struct concap_proto_ops *pops = cprot ? cprot->pops : NULL;
31916 #endif
31917
31918 if (lp->flags & ISDN_NET_CONNECTED) {
31919 diff -urNp linux-2.6.39.3/drivers/isdn/i4l/isdn_x25iface.c linux-2.6.39.3/drivers/isdn/i4l/isdn_x25iface.c
31920 --- linux-2.6.39.3/drivers/isdn/i4l/isdn_x25iface.c 2011-05-19 00:06:34.000000000 -0400
31921 +++ linux-2.6.39.3/drivers/isdn/i4l/isdn_x25iface.c 2011-05-22 19:36:31.000000000 -0400
31922 @@ -52,7 +52,7 @@ static int isdn_x25iface_connect_ind( st
31923 static int isdn_x25iface_disconn_ind( struct concap_proto * );
31924
31925
31926 -static struct concap_proto_ops ix25_pops = {
31927 +static const struct concap_proto_ops ix25_pops = {
31928 &isdn_x25iface_proto_new,
31929 &isdn_x25iface_proto_del,
31930 &isdn_x25iface_proto_restart,
31931 diff -urNp linux-2.6.39.3/drivers/isdn/i4l/isdn_x25iface.h linux-2.6.39.3/drivers/isdn/i4l/isdn_x25iface.h
31932 --- linux-2.6.39.3/drivers/isdn/i4l/isdn_x25iface.h 2011-05-19 00:06:34.000000000 -0400
31933 +++ linux-2.6.39.3/drivers/isdn/i4l/isdn_x25iface.h 2011-05-22 19:36:31.000000000 -0400
31934 @@ -23,7 +23,7 @@
31935 #include <linux/isdn.h>
31936 #include <linux/concap.h>
31937
31938 -extern struct concap_proto_ops * isdn_x25iface_concap_proto_ops_pt;
31939 +extern const struct concap_proto_ops *isdn_x25iface_concap_proto_ops_pt;
31940 extern struct concap_proto * isdn_x25iface_proto_new(void);
31941
31942
31943 diff -urNp linux-2.6.39.3/drivers/isdn/icn/icn.c linux-2.6.39.3/drivers/isdn/icn/icn.c
31944 --- linux-2.6.39.3/drivers/isdn/icn/icn.c 2011-05-19 00:06:34.000000000 -0400
31945 +++ linux-2.6.39.3/drivers/isdn/icn/icn.c 2011-05-22 19:36:31.000000000 -0400
31946 @@ -1045,7 +1045,7 @@ icn_writecmd(const u_char * buf, int len
31947 if (count > len)
31948 count = len;
31949 if (user) {
31950 - if (copy_from_user(msg, buf, count))
31951 + if (count > sizeof msg || copy_from_user(msg, buf, count))
31952 return -EFAULT;
31953 } else
31954 memcpy(msg, buf, count);
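Review bot: The new `count > sizeof msg` test guards only the `copy_from_user()` branch; the `else` branch still does `memcpy(msg, buf, count)` into the same buffer with the same unchecked `count`. Hoisting the test above `if (user)`, e.g. `if (count > sizeof msg) return -EINVAL;`, would bound both paths and report an oversized request as an invalid argument rather than as a bad address. Whether in-kernel callers can actually pass a larger `count` is not visible here, since icn_writecmd's declarations and the computation of `count` begin outside the hunk.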
31955 diff -urNp linux-2.6.39.3/drivers/lguest/core.c linux-2.6.39.3/drivers/lguest/core.c
31956 --- linux-2.6.39.3/drivers/lguest/core.c 2011-05-19 00:06:34.000000000 -0400
31957 +++ linux-2.6.39.3/drivers/lguest/core.c 2011-05-22 19:36:31.000000000 -0400
31958 @@ -92,9 +92,17 @@ static __init int map_switcher(void)
31959 * it's worked so far. The end address needs +1 because __get_vm_area
31960 * allocates an extra guard page, so we need space for that.
31961 */
31962 +
31963 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
31964 + switcher_vma = __get_vm_area(TOTAL_SWITCHER_PAGES * PAGE_SIZE,
31965 + VM_ALLOC | VM_KERNEXEC, SWITCHER_ADDR, SWITCHER_ADDR
31966 + + (TOTAL_SWITCHER_PAGES+1) * PAGE_SIZE);
31967 +#else
31968 switcher_vma = __get_vm_area(TOTAL_SWITCHER_PAGES * PAGE_SIZE,
31969 VM_ALLOC, SWITCHER_ADDR, SWITCHER_ADDR
31970 + (TOTAL_SWITCHER_PAGES+1) * PAGE_SIZE);
31971 +#endif
31972 +
31973 if (!switcher_vma) {
31974 err = -ENOMEM;
31975 printk("lguest: could not map switcher pages high\n");
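Review bot: The two `__get_vm_area()` calls in the `#if`/`#else` differ only in the flags argument, so the size and the address-range arithmetic (including the `+1` guard page the comment above describes) are now written twice and can drift apart. Keeping a single call and selecting the flags keeps that arithmetic in one place, e.g. a local `unsigned long flags = VM_ALLOC;` followed by `flags |= VM_KERNEXEC;` under the same `#if`. map_switcher's body continues outside the hunk.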
31976 @@ -119,7 +127,7 @@ static __init int map_switcher(void)
31977 * Now the Switcher is mapped at the right address, we can't fail!
31978 * Copy in the compiled-in Switcher code (from <arch>_switcher.S).
31979 */
31980 - memcpy(switcher_vma->addr, start_switcher_text,
31981 + memcpy(switcher_vma->addr, ktla_ktva(start_switcher_text),
31982 end_switcher_text - start_switcher_text);
31983
31984 printk(KERN_INFO "lguest: mapped switcher at %p\n",
31985 diff -urNp linux-2.6.39.3/drivers/lguest/lguest_device.c linux-2.6.39.3/drivers/lguest/lguest_device.c
31986 --- linux-2.6.39.3/drivers/lguest/lguest_device.c 2011-05-19 00:06:34.000000000 -0400
31987 +++ linux-2.6.39.3/drivers/lguest/lguest_device.c 2011-05-22 19:36:31.000000000 -0400
31988 @@ -374,7 +374,7 @@ error:
31989 }
31990
31991 /* The ops structure which hooks everything together. */
31992 -static struct virtio_config_ops lguest_config_ops = {
31993 +static const struct virtio_config_ops lguest_config_ops = {
31994 .get_features = lg_get_features,
31995 .finalize_features = lg_finalize_features,
31996 .get = lg_get,
31997 diff -urNp linux-2.6.39.3/drivers/lguest/x86/core.c linux-2.6.39.3/drivers/lguest/x86/core.c
31998 --- linux-2.6.39.3/drivers/lguest/x86/core.c 2011-05-19 00:06:34.000000000 -0400
31999 +++ linux-2.6.39.3/drivers/lguest/x86/core.c 2011-05-22 19:36:31.000000000 -0400
32000 @@ -59,7 +59,7 @@ static struct {
32001 /* Offset from where switcher.S was compiled to where we've copied it */
32002 static unsigned long switcher_offset(void)
32003 {
32004 - return SWITCHER_ADDR - (unsigned long)start_switcher_text;
32005 + return SWITCHER_ADDR - (unsigned long)ktla_ktva(start_switcher_text);
32006 }
32007
32008 /* This cpu's struct lguest_pages. */
32009 @@ -100,7 +100,13 @@ static void copy_in_guest_info(struct lg
32010 * These copies are pretty cheap, so we do them unconditionally: */
32011 /* Save the current Host top-level page directory.
32012 */
32013 +
32014 +#ifdef CONFIG_PAX_PER_CPU_PGD
32015 + pages->state.host_cr3 = read_cr3();
32016 +#else
32017 pages->state.host_cr3 = __pa(current->mm->pgd);
32018 +#endif
32019 +
32020 /*
32021 * Set up the Guest's page tables to see this CPU's pages (and no
32022 * other CPU's pages).
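Review bot: The `read_cr3()` branch has no comment saying why the live CR3 replaces `__pa(current->mm->pgd)`. Presumably under CONFIG_PAX_PER_CPU_PGD the CPU runs on a per-CPU page directory rather than the mm's own, so the mm's pgd would be the wrong value to restore on the way back to the Host. A one-line comment such as `/* per-CPU PGD: the loaded CR3 is not current->mm->pgd */` would make that explicit. It also relies on this code running on the CPU whose CR3 is later restored, which should be confirmed against the caller because copy_in_guest_info starts outside the hunk.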
32023 @@ -547,7 +553,7 @@ void __init lguest_arch_host_init(void)
32024 * compiled-in switcher code and the high-mapped copy we just made.
32025 */
32026 for (i = 0; i < IDT_ENTRIES; i++)
32027 - default_idt_entries[i] += switcher_offset();
32028 + default_idt_entries[i] = ktla_ktva(default_idt_entries[i]) + switcher_offset();
32029
32030 /*
32031 * Set up the Switcher's per-cpu areas.
32032 @@ -630,7 +636,7 @@ void __init lguest_arch_host_init(void)
32033 * it will be undisturbed when we switch. To change %cs and jump we
32034 * need this structure to feed to Intel's "lcall" instruction.
32035 */
32036 - lguest_entry.offset = (long)switch_to_guest + switcher_offset();
32037 + lguest_entry.offset = (long)ktla_ktva(switch_to_guest) + switcher_offset();
32038 lguest_entry.segment = LGUEST_CS;
32039
32040 /*
32041 diff -urNp linux-2.6.39.3/drivers/lguest/x86/switcher_32.S linux-2.6.39.3/drivers/lguest/x86/switcher_32.S
32042 --- linux-2.6.39.3/drivers/lguest/x86/switcher_32.S 2011-05-19 00:06:34.000000000 -0400
32043 +++ linux-2.6.39.3/drivers/lguest/x86/switcher_32.S 2011-05-22 19:36:31.000000000 -0400
32044 @@ -87,6 +87,7 @@
32045 #include <asm/page.h>
32046 #include <asm/segment.h>
32047 #include <asm/lguest.h>
32048 +#include <asm/processor-flags.h>
32049
32050 // We mark the start of the code to copy
32051 // It's placed in .text tho it's never run here
32052 @@ -149,6 +150,13 @@ ENTRY(switch_to_guest)
32053 // Changes type when we load it: damn Intel!
32054 // For after we switch over our page tables
32055 // That entry will be read-only: we'd crash.
32056 +
32057 +#ifdef CONFIG_PAX_KERNEXEC
32058 + mov %cr0, %edx
32059 + xor $X86_CR0_WP, %edx
32060 + mov %edx, %cr0
32061 +#endif
32062 +
32063 movl $(GDT_ENTRY_TSS*8), %edx
32064 ltr %dx
32065
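Review bot: `xor $X86_CR0_WP, %edx` flips CR0.WP rather than clearing it, so this block only opens the write window if WP was set on entry; reached with WP already clear it would turn write protection on just before the `ltr`. Clearing explicitly here (`andl $~X86_CR0_WP, %edx`) and setting explicitly in the matching block of the next hunk (`orl $X86_CR0_WP, %eax`) makes both ends independent of the incoming state and guarantees protection is on afterwards. Whether WP can ever be clear on entry to switch_to_guest is not visible from these hunks.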
32066 @@ -157,9 +165,15 @@ ENTRY(switch_to_guest)
32067 // Let's clear it again for our return.
32068 // The GDT descriptor of the Host
32069 // Points to the table after two "size" bytes
32070 - movl (LGUEST_PAGES_host_gdt_desc+2)(%eax), %edx
32071 + movl (LGUEST_PAGES_host_gdt_desc+2)(%eax), %eax
32072 // Clear "used" from type field (byte 5, bit 2)
32073 - andb $0xFD, (GDT_ENTRY_TSS*8 + 5)(%edx)
32074 + andb $0xFD, (GDT_ENTRY_TSS*8 + 5)(%eax)
32075 +
32076 +#ifdef CONFIG_PAX_KERNEXEC
32077 + mov %cr0, %eax
32078 + xor $X86_CR0_WP, %eax
32079 + mov %eax, %cr0
32080 +#endif
32081
32082 // Once our page table's switched, the Guest is live!
32083 // The Host fades as we run this final step.
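Review bot: The host GDT base is now loaded into `%eax`, overwriting the pointer that the same instruction's operand `(LGUEST_PAGES_host_gdt_desc+2)(%eax)` reads through, and the KERNEXEC block then reuses `%eax` as scratch. That is only safe if nothing later in switch_to_guest still needs the old `%eax` value, which cannot be checked from the hunk. A comment in the file's style, e.g. `// %eax is dead from here on: reused as scratch`, would record the assumption once it is confirmed.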
32084 @@ -295,13 +309,12 @@ deliver_to_host:
32085 // I consulted gcc, and it gave
32086 // These instructions, which I gladly credit:
32087 leal (%edx,%ebx,8), %eax
32088 - movzwl (%eax),%edx
32089 - movl 4(%eax), %eax
32090 - xorw %ax, %ax
32091 - orl %eax, %edx
32092 + movl 4(%eax), %edx
32093 + movw (%eax), %dx
32094 // Now the address of the handler's in %edx
32095 // We call it now: its "iret" drops us home.
32096 - jmp *%edx
32097 + ljmp $__KERNEL_CS, $1f
32098 +1: jmp *%edx
32099
32100 // Every interrupt can come to us here
32101 // But we must truly tell each apart.
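Review bot: The far jump `ljmp $__KERNEL_CS, $1f` in deliver_to_host is unconditional and uncommented, while the other changes to this file are wrapped in `#ifdef CONFIG_PAX_KERNEXEC`. If the reload of `%cs` is only needed for KERNEXEC it should carry the same guard, and either way a comment saying why the code segment is reloaded before `jmp *%edx` is missing. The retained lines `I consulted gcc, and it gave / These instructions, which I gladly credit` now sit above instructions the patch has replaced, so that credit is stale.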
32102 diff -urNp linux-2.6.39.3/drivers/md/dm.c linux-2.6.39.3/drivers/md/dm.c
32103 --- linux-2.6.39.3/drivers/md/dm.c 2011-05-19 00:06:34.000000000 -0400
32104 +++ linux-2.6.39.3/drivers/md/dm.c 2011-05-22 19:36:31.000000000 -0400
32105 @@ -162,9 +162,9 @@ struct mapped_device {
32106 /*
32107 * Event handling.
32108 */
32109 - atomic_t event_nr;
32110 + atomic_unchecked_t event_nr;
32111 wait_queue_head_t eventq;
32112 - atomic_t uevent_seq;
32113 + atomic_unchecked_t uevent_seq;
32114 struct list_head uevent_list;
32115 spinlock_t uevent_lock; /* Protect access to uevent_list */
32116
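Review bot: `event_nr` and `uevent_seq` are switched to `atomic_unchecked_t` with no comment on why they are exempt from overflow checking. Both look like sequence numbers whose wrap-around is harmless: the later hunks in this file only set, increment and return them, or compare `event_nr` with `!=` in dm_wait_event. A field comment such as `/* event sequence number: may wrap, not a reference count */` would record that, so a later reader can tell a deliberate exemption from a missed reference counter.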
32117 @@ -1836,8 +1836,8 @@ static struct mapped_device *alloc_dev(i
32118 rwlock_init(&md->map_lock);
32119 atomic_set(&md->holders, 1);
32120 atomic_set(&md->open_count, 0);
32121 - atomic_set(&md->event_nr, 0);
32122 - atomic_set(&md->uevent_seq, 0);
32123 + atomic_set_unchecked(&md->event_nr, 0);
32124 + atomic_set_unchecked(&md->uevent_seq, 0);
32125 INIT_LIST_HEAD(&md->uevent_list);
32126 spin_lock_init(&md->uevent_lock);
32127
32128 @@ -1971,7 +1971,7 @@ static void event_callback(void *context
32129
32130 dm_send_uevents(&uevents, &disk_to_dev(md->disk)->kobj);
32131
32132 - atomic_inc(&md->event_nr);
32133 + atomic_inc_unchecked(&md->event_nr);
32134 wake_up(&md->eventq);
32135 }
32136
32137 @@ -2547,18 +2547,18 @@ int dm_kobject_uevent(struct mapped_devi
32138
32139 uint32_t dm_next_uevent_seq(struct mapped_device *md)
32140 {
32141 - return atomic_add_return(1, &md->uevent_seq);
32142 + return atomic_add_return_unchecked(1, &md->uevent_seq);
32143 }
32144
32145 uint32_t dm_get_event_nr(struct mapped_device *md)
32146 {
32147 - return atomic_read(&md->event_nr);
32148 + return atomic_read_unchecked(&md->event_nr);
32149 }
32150
32151 int dm_wait_event(struct mapped_device *md, int event_nr)
32152 {
32153 return wait_event_interruptible(md->eventq,
32154 - (event_nr != atomic_read(&md->event_nr)));
32155 + (event_nr != atomic_read_unchecked(&md->event_nr)));
32156 }
32157
32158 void dm_uevent_add(struct mapped_device *md, struct list_head *elist)
32159 diff -urNp linux-2.6.39.3/drivers/md/dm-crypt.c linux-2.6.39.3/drivers/md/dm-crypt.c
32160 --- linux-2.6.39.3/drivers/md/dm-crypt.c 2011-05-19 00:06:34.000000000 -0400
32161 +++ linux-2.6.39.3/drivers/md/dm-crypt.c 2011-05-22 19:36:31.000000000 -0400
32162 @@ -138,7 +138,7 @@ struct crypt_config {
32163 char *cipher;
32164 char *cipher_string;
32165
32166 - struct crypt_iv_operations *iv_gen_ops;
32167 + const struct crypt_iv_operations *iv_gen_ops;
32168 union {
32169 struct iv_essiv_private essiv;
32170 struct iv_benbi_private benbi;
32171 @@ -620,15 +620,15 @@ static int crypt_iv_lmk_post(struct cryp
32172 return r;
32173 }
32174
32175 -static struct crypt_iv_operations crypt_iv_plain_ops = {
32176 +static const struct crypt_iv_operations crypt_iv_plain_ops = {
32177 .generator = crypt_iv_plain_gen
32178 };
32179
32180 -static struct crypt_iv_operations crypt_iv_plain64_ops = {
32181 +static const struct crypt_iv_operations crypt_iv_plain64_ops = {
32182 .generator = crypt_iv_plain64_gen
32183 };
32184
32185 -static struct crypt_iv_operations crypt_iv_essiv_ops = {
32186 +static const struct crypt_iv_operations crypt_iv_essiv_ops = {
32187 .ctr = crypt_iv_essiv_ctr,
32188 .dtr = crypt_iv_essiv_dtr,
32189 .init = crypt_iv_essiv_init,
32190 @@ -636,17 +636,17 @@ static struct crypt_iv_operations crypt_
32191 .generator = crypt_iv_essiv_gen
32192 };
32193
32194 -static struct crypt_iv_operations crypt_iv_benbi_ops = {
32195 +static const struct crypt_iv_operations crypt_iv_benbi_ops = {
32196 .ctr = crypt_iv_benbi_ctr,
32197 .dtr = crypt_iv_benbi_dtr,
32198 .generator = crypt_iv_benbi_gen
32199 };
32200
32201 -static struct crypt_iv_operations crypt_iv_null_ops = {
32202 +static const struct crypt_iv_operations crypt_iv_null_ops = {
32203 .generator = crypt_iv_null_gen
32204 };
32205
32206 -static struct crypt_iv_operations crypt_iv_lmk_ops = {
32207 +static const struct crypt_iv_operations crypt_iv_lmk_ops = {
32208 .ctr = crypt_iv_lmk_ctr,
32209 .dtr = crypt_iv_lmk_dtr,
32210 .init = crypt_iv_lmk_init,
32211 diff -urNp linux-2.6.39.3/drivers/md/dm-ioctl.c linux-2.6.39.3/drivers/md/dm-ioctl.c
32212 --- linux-2.6.39.3/drivers/md/dm-ioctl.c 2011-05-19 00:06:34.000000000 -0400
32213 +++ linux-2.6.39.3/drivers/md/dm-ioctl.c 2011-05-22 19:36:31.000000000 -0400
32214 @@ -1551,7 +1551,7 @@ static int validate_params(uint cmd, str
32215 cmd == DM_LIST_VERSIONS_CMD)
32216 return 0;
32217
32218 - if ((cmd == DM_DEV_CREATE_CMD)) {
32219 + if (cmd == DM_DEV_CREATE_CMD) {
32220 if (!*param->name) {
32221 DMWARN("name not supplied when creating device");
32222 return -EINVAL;
32223 diff -urNp linux-2.6.39.3/drivers/md/dm-raid1.c linux-2.6.39.3/drivers/md/dm-raid1.c
32224 --- linux-2.6.39.3/drivers/md/dm-raid1.c 2011-05-19 00:06:34.000000000 -0400
32225 +++ linux-2.6.39.3/drivers/md/dm-raid1.c 2011-05-22 19:36:31.000000000 -0400
32226 @@ -42,7 +42,7 @@ enum dm_raid1_error {
32227
32228 struct mirror {
32229 struct mirror_set *ms;
32230 - atomic_t error_count;
32231 + atomic_unchecked_t error_count;
32232 unsigned long error_type;
32233 struct dm_dev *dev;
32234 sector_t offset;
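Review bot: `error_count` is moved to `atomic_unchecked_t`, but the other hunks in this file read it only as zero versus non-zero (`get_valid_mirror`, `choose_mirror`, `default_ok`, `do_reads`, `device_status_char`), so a counter that wrapped back to 0 would make a failed mirror read as healthy. With the unchecked type that wrap is silent. If the wrap is considered unreachable in practice, the field should say so, e.g. `/* only tested against 0; wrap not expected */`.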
32235 @@ -187,7 +187,7 @@ static struct mirror *get_valid_mirror(s
32236 struct mirror *m;
32237
32238 for (m = ms->mirror; m < ms->mirror + ms->nr_mirrors; m++)
32239 - if (!atomic_read(&m->error_count))
32240 + if (!atomic_read_unchecked(&m->error_count))
32241 return m;
32242
32243 return NULL;
32244 @@ -219,7 +219,7 @@ static void fail_mirror(struct mirror *m
32245 * simple way to tell if a device has encountered
32246 * errors.
32247 */
32248 - atomic_inc(&m->error_count);
32249 + atomic_inc_unchecked(&m->error_count);
32250
32251 if (test_and_set_bit(error_type, &m->error_type))
32252 return;
32253 @@ -410,7 +410,7 @@ static struct mirror *choose_mirror(stru
32254 struct mirror *m = get_default_mirror(ms);
32255
32256 do {
32257 - if (likely(!atomic_read(&m->error_count)))
32258 + if (likely(!atomic_read_unchecked(&m->error_count)))
32259 return m;
32260
32261 if (m-- == ms->mirror)
32262 @@ -424,7 +424,7 @@ static int default_ok(struct mirror *m)
32263 {
32264 struct mirror *default_mirror = get_default_mirror(m->ms);
32265
32266 - return !atomic_read(&default_mirror->error_count);
32267 + return !atomic_read_unchecked(&default_mirror->error_count);
32268 }
32269
32270 static int mirror_available(struct mirror_set *ms, struct bio *bio)
32271 @@ -561,7 +561,7 @@ static void do_reads(struct mirror_set *
32272 */
32273 if (likely(region_in_sync(ms, region, 1)))
32274 m = choose_mirror(ms, bio->bi_sector);
32275 - else if (m && atomic_read(&m->error_count))
32276 + else if (m && atomic_read_unchecked(&m->error_count))
32277 m = NULL;
32278
32279 if (likely(m))
32280 @@ -939,7 +939,7 @@ static int get_mirror(struct mirror_set
32281 }
32282
32283 ms->mirror[mirror].ms = ms;
32284 - atomic_set(&(ms->mirror[mirror].error_count), 0);
32285 + atomic_set_unchecked(&(ms->mirror[mirror].error_count), 0);
32286 ms->mirror[mirror].error_type = 0;
32287 ms->mirror[mirror].offset = offset;
32288
32289 @@ -1347,7 +1347,7 @@ static void mirror_resume(struct dm_targ
32290 */
32291 static char device_status_char(struct mirror *m)
32292 {
32293 - if (!atomic_read(&(m->error_count)))
32294 + if (!atomic_read_unchecked(&(m->error_count)))
32295 return 'A';
32296
32297 return (test_bit(DM_RAID1_FLUSH_ERROR, &(m->error_type))) ? 'F' :
32298 diff -urNp linux-2.6.39.3/drivers/md/dm-stripe.c linux-2.6.39.3/drivers/md/dm-stripe.c
32299 --- linux-2.6.39.3/drivers/md/dm-stripe.c 2011-05-19 00:06:34.000000000 -0400
32300 +++ linux-2.6.39.3/drivers/md/dm-stripe.c 2011-05-22 19:36:31.000000000 -0400
32301 @@ -20,7 +20,7 @@ struct stripe {
32302 struct dm_dev *dev;
32303 sector_t physical_start;
32304
32305 - atomic_t error_count;
32306 + atomic_unchecked_t error_count;
32307 };
32308
32309 struct stripe_c {
32310 @@ -192,7 +192,7 @@ static int stripe_ctr(struct dm_target *
32311 kfree(sc);
32312 return r;
32313 }
32314 - atomic_set(&(sc->stripe[i].error_count), 0);
32315 + atomic_set_unchecked(&(sc->stripe[i].error_count), 0);
32316 }
32317
32318 ti->private = sc;
32319 @@ -314,7 +314,7 @@ static int stripe_status(struct dm_targe
32320 DMEMIT("%d ", sc->stripes);
32321 for (i = 0; i < sc->stripes; i++) {
32322 DMEMIT("%s ", sc->stripe[i].dev->name);
32323 - buffer[i] = atomic_read(&(sc->stripe[i].error_count)) ?
32324 + buffer[i] = atomic_read_unchecked(&(sc->stripe[i].error_count)) ?
32325 'D' : 'A';
32326 }
32327 buffer[i] = '\0';
32328 @@ -361,8 +361,8 @@ static int stripe_end_io(struct dm_targe
32329 */
32330 for (i = 0; i < sc->stripes; i++)
32331 if (!strcmp(sc->stripe[i].dev->name, major_minor)) {
32332 - atomic_inc(&(sc->stripe[i].error_count));
32333 - if (atomic_read(&(sc->stripe[i].error_count)) <
32334 + atomic_inc_unchecked(&(sc->stripe[i].error_count));
32335 + if (atomic_read_unchecked(&(sc->stripe[i].error_count)) <
32336 DM_IO_ERROR_THRESHOLD)
32337 schedule_work(&sc->trigger_event);
32338 }
32339 diff -urNp linux-2.6.39.3/drivers/md/dm-table.c linux-2.6.39.3/drivers/md/dm-table.c
32340 --- linux-2.6.39.3/drivers/md/dm-table.c 2011-06-03 00:04:14.000000000 -0400
32341 +++ linux-2.6.39.3/drivers/md/dm-table.c 2011-06-03 00:32:05.000000000 -0400
32342 @@ -390,7 +390,7 @@ static int device_area_is_invalid(struct
32343 if (!dev_size)
32344 return 0;
32345
32346 - if ((start >= dev_size) || (start + len > dev_size)) {
32347 + if ((start >= dev_size) || (len > dev_size - start)) {
32348 DMWARN("%s: %s too small for target: "
32349 "start=%llu, len=%llu, dev_size=%llu",
32350 dm_device_name(ti->table->md), bdevname(bdev, b),
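Review bot: The rewritten bound `len > dev_size - start` is only free of unsigned wrap-around because `start >= dev_size` is tested first and short-circuits; nothing on the line says so. A comment such as `/* start < dev_size here, so the subtraction cannot wrap */` would stop a later edit from reordering or splitting the two tests and reintroducing the overflow the change removes. The types of `start`, `len` and `dev_size` are declared outside the hunk, so this assumes all three are unsigned sector counts.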
32351 diff -urNp linux-2.6.39.3/drivers/md/md.c linux-2.6.39.3/drivers/md/md.c
32352 --- linux-2.6.39.3/drivers/md/md.c 2011-07-09 09:18:51.000000000 -0400
32353 +++ linux-2.6.39.3/drivers/md/md.c 2011-07-09 09:19:18.000000000 -0400
32354 @@ -226,10 +226,10 @@ EXPORT_SYMBOL_GPL(bio_clone_mddev);
32355 * start build, activate spare
32356 */
32357 static DECLARE_WAIT_QUEUE_HEAD(md_event_waiters);
32358 -static atomic_t md_event_count;
32359 +static atomic_unchecked_t md_event_count;
32360 void md_new_event(mddev_t *mddev)
32361 {
32362 - atomic_inc(&md_event_count);
32363 + atomic_inc_unchecked(&md_event_count);
32364 wake_up(&md_event_waiters);
32365 }
32366 EXPORT_SYMBOL_GPL(md_new_event);
32367 @@ -239,7 +239,7 @@ EXPORT_SYMBOL_GPL(md_new_event);
32368 */
32369 static void md_new_event_inintr(mddev_t *mddev)
32370 {
32371 - atomic_inc(&md_event_count);
32372 + atomic_inc_unchecked(&md_event_count);
32373 wake_up(&md_event_waiters);
32374 }
32375
32376 @@ -1454,7 +1454,7 @@ static int super_1_load(mdk_rdev_t *rdev
32377
32378 rdev->preferred_minor = 0xffff;
32379 rdev->data_offset = le64_to_cpu(sb->data_offset);
32380 - atomic_set(&rdev->corrected_errors, le32_to_cpu(sb->cnt_corrected_read));
32381 + atomic_set_unchecked(&rdev->corrected_errors, le32_to_cpu(sb->cnt_corrected_read));
32382
32383 rdev->sb_size = le32_to_cpu(sb->max_dev) * 2 + 256;
32384 bmask = queue_logical_block_size(rdev->bdev->bd_disk->queue)-1;
32385 @@ -1632,7 +1632,7 @@ static void super_1_sync(mddev_t *mddev,
32386 else
32387 sb->resync_offset = cpu_to_le64(0);
32388
32389 - sb->cnt_corrected_read = cpu_to_le32(atomic_read(&rdev->corrected_errors));
32390 + sb->cnt_corrected_read = cpu_to_le32(atomic_read_unchecked(&rdev->corrected_errors));
32391
32392 sb->raid_disks = cpu_to_le32(mddev->raid_disks);
32393 sb->size = cpu_to_le64(mddev->dev_sectors);
32394 @@ -2414,7 +2414,7 @@ __ATTR(state, S_IRUGO|S_IWUSR, state_sho
32395 static ssize_t
32396 errors_show(mdk_rdev_t *rdev, char *page)
32397 {
32398 - return sprintf(page, "%d\n", atomic_read(&rdev->corrected_errors));
32399 + return sprintf(page, "%d\n", atomic_read_unchecked(&rdev->corrected_errors));
32400 }
32401
32402 static ssize_t
32403 @@ -2423,7 +2423,7 @@ errors_store(mdk_rdev_t *rdev, const cha
32404 char *e;
32405 unsigned long n = simple_strtoul(buf, &e, 10);
32406 if (*buf && (*e == 0 || *e == '\n')) {
32407 - atomic_set(&rdev->corrected_errors, n);
32408 + atomic_set_unchecked(&rdev->corrected_errors, n);
32409 return len;
32410 }
32411 return -EINVAL;
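Review bot: `n` comes from `simple_strtoul()` as an `unsigned long` and is passed straight to `atomic_set_unchecked()`, so a value written to the attribute that does not fit the counter is silently truncated. errors_show in the previous hunk prints the result with `%d`, so anything above INT_MAX reads back negative. A range test before the store, e.g. `if (n > INT_MAX) return -EINVAL;`, would reject such input instead of storing a different number than was written. This assumes the counter is int-sized like `atomic_t`; its definition is outside the hunk.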
32412 @@ -2779,8 +2779,8 @@ void md_rdev_init(mdk_rdev_t *rdev)
32413 rdev->last_read_error.tv_sec = 0;
32414 rdev->last_read_error.tv_nsec = 0;
32415 atomic_set(&rdev->nr_pending, 0);
32416 - atomic_set(&rdev->read_errors, 0);
32417 - atomic_set(&rdev->corrected_errors, 0);
32418 + atomic_set_unchecked(&rdev->read_errors, 0);
32419 + atomic_set_unchecked(&rdev->corrected_errors, 0);
32420
32421 INIT_LIST_HEAD(&rdev->same_set);
32422 init_waitqueue_head(&rdev->blocked_wait);
32423 @@ -6388,7 +6388,7 @@ static int md_seq_show(struct seq_file *
32424
32425 spin_unlock(&pers_lock);
32426 seq_printf(seq, "\n");
32427 - mi->event = atomic_read(&md_event_count);
32428 + mi->event = atomic_read_unchecked(&md_event_count);
32429 return 0;
32430 }
32431 if (v == (void*)2) {
32432 @@ -6477,7 +6477,7 @@ static int md_seq_show(struct seq_file *
32433 chunk_kb ? "KB" : "B");
32434 if (bitmap->file) {
32435 seq_printf(seq, ", file: ");
32436 - seq_path(seq, &bitmap->file->f_path, " \t\n");
32437 + seq_path(seq, &bitmap->file->f_path, " \t\n\\");
32438 }
32439
32440 seq_printf(seq, "\n");
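Review bot: The escape set passed to `seq_path()` gains a backslash with no comment saying why. seq_path() writes each listed character as a backslash-octal escape, so unless the backslash itself is escaped a bitmap file name containing a literal `\012` is indistinguishable in the mdstat output from an escaped newline, and a reader that unescapes the field can be misled. A short comment above the call, e.g. `/* escape '\\' too so the octal escapes stay unambiguous */`, would keep the extra character from being dropped as noise later. md_seq_show starts and ends outside the hunk.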
32441 @@ -6511,7 +6511,7 @@ static int md_seq_open(struct inode *ino
32442 else {
32443 struct seq_file *p = file->private_data;
32444 p->private = mi;
32445 - mi->event = atomic_read(&md_event_count);
32446 + mi->event = atomic_read_unchecked(&md_event_count);
32447 }
32448 return error;
32449 }
32450 @@ -6527,7 +6527,7 @@ static unsigned int mdstat_poll(struct f
32451 /* always allow read */
32452 mask = POLLIN | POLLRDNORM;
32453
32454 - if (mi->event != atomic_read(&md_event_count))
32455 + if (mi->event != atomic_read_unchecked(&md_event_count))
32456 mask |= POLLERR | POLLPRI;
32457 return mask;
32458 }
32459 @@ -6571,7 +6571,7 @@ static int is_mddev_idle(mddev_t *mddev,
32460 struct gendisk *disk = rdev->bdev->bd_contains->bd_disk;
32461 curr_events = (int)part_stat_read(&disk->part0, sectors[0]) +
32462 (int)part_stat_read(&disk->part0, sectors[1]) -
32463 - atomic_read(&disk->sync_io);
32464 + atomic_read_unchecked(&disk->sync_io);
32465 /* sync IO will cause sync_io to increase before the disk_stats
32466 * as sync_io is counted when a request starts, and
32467 * disk_stats is counted when it completes.
32468 diff -urNp linux-2.6.39.3/drivers/md/md.h linux-2.6.39.3/drivers/md/md.h
32469 --- linux-2.6.39.3/drivers/md/md.h 2011-05-19 00:06:34.000000000 -0400
32470 +++ linux-2.6.39.3/drivers/md/md.h 2011-05-22 19:36:31.000000000 -0400
32471 @@ -97,13 +97,13 @@ struct mdk_rdev_s
32472 * only maintained for arrays that
32473 * support hot removal
32474 */
32475 - atomic_t read_errors; /* number of consecutive read errors that
32476 + atomic_unchecked_t read_errors; /* number of consecutive read errors that
32477 * we have tried to ignore.
32478 */
32479 struct timespec last_read_error; /* monotonic time since our
32480 * last read error
32481 */
32482 - atomic_t corrected_errors; /* number of corrected read errors,
32483 + atomic_unchecked_t corrected_errors; /* number of corrected read errors,
32484 * for reporting to userspace and storing
32485 * in superblock.
32486 */
32487 @@ -342,7 +342,7 @@ static inline void rdev_dec_pending(mdk_
32488
32489 static inline void md_sync_acct(struct block_device *bdev, unsigned long nr_sectors)
32490 {
32491 - atomic_add(nr_sectors, &bdev->bd_contains->bd_disk->sync_io);
32492 + atomic_add_unchecked(nr_sectors, &bdev->bd_contains->bd_disk->sync_io);
32493 }
32494
32495 struct mdk_personality
32496 diff -urNp linux-2.6.39.3/drivers/md/raid10.c linux-2.6.39.3/drivers/md/raid10.c
32497 --- linux-2.6.39.3/drivers/md/raid10.c 2011-05-19 00:06:34.000000000 -0400
32498 +++ linux-2.6.39.3/drivers/md/raid10.c 2011-05-22 19:36:31.000000000 -0400
32499 @@ -1209,7 +1209,7 @@ static void end_sync_read(struct bio *bi
32500 if (test_bit(BIO_UPTODATE, &bio->bi_flags))
32501 set_bit(R10BIO_Uptodate, &r10_bio->state);
32502 else {
32503 - atomic_add(r10_bio->sectors,
32504 + atomic_add_unchecked(r10_bio->sectors,
32505 &conf->mirrors[d].rdev->corrected_errors);
32506 if (!test_bit(MD_RECOVERY_SYNC, &conf->mddev->recovery))
32507 md_error(r10_bio->mddev,
32508 @@ -1417,7 +1417,7 @@ static void check_decay_read_errors(mdde
32509 {
32510 struct timespec cur_time_mon;
32511 unsigned long hours_since_last;
32512 - unsigned int read_errors = atomic_read(&rdev->read_errors);
32513 + unsigned int read_errors = atomic_read_unchecked(&rdev->read_errors);
32514
32515 ktime_get_ts(&cur_time_mon);
32516
32517 @@ -1439,9 +1439,9 @@ static void check_decay_read_errors(mdde
32518 * overflowing the shift of read_errors by hours_since_last.
32519 */
32520 if (hours_since_last >= 8 * sizeof(read_errors))
32521 - atomic_set(&rdev->read_errors, 0);
32522 + atomic_set_unchecked(&rdev->read_errors, 0);
32523 else
32524 - atomic_set(&rdev->read_errors, read_errors >> hours_since_last);
32525 + atomic_set_unchecked(&rdev->read_errors, read_errors >> hours_since_last);
32526 }
32527
32528 /*
32529 @@ -1476,8 +1476,8 @@ static void fix_read_error(conf_t *conf,
32530 }
32531
32532 check_decay_read_errors(mddev, rdev);
32533 - atomic_inc(&rdev->read_errors);
32534 - cur_read_error_count = atomic_read(&rdev->read_errors);
32535 + atomic_inc_unchecked(&rdev->read_errors);
32536 + cur_read_error_count = atomic_read_unchecked(&rdev->read_errors);
32537 if (cur_read_error_count > max_read_errors) {
32538 rcu_read_unlock();
32539 printk(KERN_NOTICE
32540 @@ -1550,7 +1550,7 @@ static void fix_read_error(conf_t *conf,
32541 test_bit(In_sync, &rdev->flags)) {
32542 atomic_inc(&rdev->nr_pending);
32543 rcu_read_unlock();
32544 - atomic_add(s, &rdev->corrected_errors);
32545 + atomic_add_unchecked(s, &rdev->corrected_errors);
32546 if (sync_page_io(rdev,
32547 r10_bio->devs[sl].addr +
32548 sect,
32549 diff -urNp linux-2.6.39.3/drivers/md/raid1.c linux-2.6.39.3/drivers/md/raid1.c
32550 --- linux-2.6.39.3/drivers/md/raid1.c 2011-05-19 00:06:34.000000000 -0400
32551 +++ linux-2.6.39.3/drivers/md/raid1.c 2011-05-22 19:36:31.000000000 -0400
32552 @@ -1342,7 +1342,7 @@ static void sync_request_write(mddev_t *
32553 if (r1_bio->bios[d]->bi_end_io != end_sync_read)
32554 continue;
32555 rdev = conf->mirrors[d].rdev;
32556 - atomic_add(s, &rdev->corrected_errors);
32557 + atomic_add_unchecked(s, &rdev->corrected_errors);
32558 if (sync_page_io(rdev,
32559 sect,
32560 s<<9,
32561 @@ -1488,7 +1488,7 @@ static void fix_read_error(conf_t *conf,
32562 /* Well, this device is dead */
32563 md_error(mddev, rdev);
32564 else {
32565 - atomic_add(s, &rdev->corrected_errors);
32566 + atomic_add_unchecked(s, &rdev->corrected_errors);
32567 printk(KERN_INFO
32568 "md/raid1:%s: read error corrected "
32569 "(%d sectors at %llu on %s)\n",
32570 diff -urNp linux-2.6.39.3/drivers/md/raid5.c linux-2.6.39.3/drivers/md/raid5.c
32571 --- linux-2.6.39.3/drivers/md/raid5.c 2011-06-25 12:55:22.000000000 -0400
32572 +++ linux-2.6.39.3/drivers/md/raid5.c 2011-06-25 13:01:13.000000000 -0400
32573 @@ -550,7 +550,7 @@ static void ops_run_io(struct stripe_hea
32574 bi->bi_next = NULL;
32575 if ((rw & WRITE) &&
32576 test_bit(R5_ReWrite, &sh->dev[i].flags))
32577 - atomic_add(STRIPE_SECTORS,
32578 + atomic_add_unchecked(STRIPE_SECTORS,
32579 &rdev->corrected_errors);
32580 generic_make_request(bi);
32581 } else {
32582 @@ -1596,15 +1596,15 @@ static void raid5_end_read_request(struc
32583 clear_bit(R5_ReadError, &sh->dev[i].flags);
32584 clear_bit(R5_ReWrite, &sh->dev[i].flags);
32585 }
32586 - if (atomic_read(&conf->disks[i].rdev->read_errors))
32587 - atomic_set(&conf->disks[i].rdev->read_errors, 0);
32588 + if (atomic_read_unchecked(&conf->disks[i].rdev->read_errors))
32589 + atomic_set_unchecked(&conf->disks[i].rdev->read_errors, 0);
32590 } else {
32591 const char *bdn = bdevname(conf->disks[i].rdev->bdev, b);
32592 int retry = 0;
32593 rdev = conf->disks[i].rdev;
32594
32595 clear_bit(R5_UPTODATE, &sh->dev[i].flags);
32596 - atomic_inc(&rdev->read_errors);
32597 + atomic_inc_unchecked(&rdev->read_errors);
32598 if (conf->mddev->degraded >= conf->max_degraded)
32599 printk_rl(KERN_WARNING
32600 "md/raid:%s: read error not correctable "
32601 @@ -1622,7 +1622,7 @@ static void raid5_end_read_request(struc
32602 (unsigned long long)(sh->sector
32603 + rdev->data_offset),
32604 bdn);
32605 - else if (atomic_read(&rdev->read_errors)
32606 + else if (atomic_read_unchecked(&rdev->read_errors)
32607 > conf->max_nr_stripes)
32608 printk(KERN_WARNING
32609 "md/raid:%s: Too many read errors, failing device %s.\n",
32610 @@ -1947,6 +1947,7 @@ static sector_t compute_blocknr(struct s
32611 sector_t r_sector;
32612 struct stripe_head sh2;
32613
32614 + pax_track_stack();
32615
32616 chunk_offset = sector_div(new_sector, sectors_per_chunk);
32617 stripe = new_sector;
32618 diff -urNp linux-2.6.39.3/drivers/media/common/saa7146_hlp.c linux-2.6.39.3/drivers/media/common/saa7146_hlp.c
32619 --- linux-2.6.39.3/drivers/media/common/saa7146_hlp.c 2011-05-19 00:06:34.000000000 -0400
32620 +++ linux-2.6.39.3/drivers/media/common/saa7146_hlp.c 2011-05-22 19:36:31.000000000 -0400
32621 @@ -353,6 +353,8 @@ static void calculate_clipping_registers
32622
32623 int x[32], y[32], w[32], h[32];
32624
32625 + pax_track_stack();
32626 +
32627 /* clear out memory */
32628 memset(&line_list[0], 0x00, sizeof(u32)*32);
32629 memset(&pixel_list[0], 0x00, sizeof(u32)*32);
32630 diff -urNp linux-2.6.39.3/drivers/media/common/saa7146_vbi.c linux-2.6.39.3/drivers/media/common/saa7146_vbi.c
32631 --- linux-2.6.39.3/drivers/media/common/saa7146_vbi.c 2011-05-19 00:06:34.000000000 -0400
32632 +++ linux-2.6.39.3/drivers/media/common/saa7146_vbi.c 2011-05-22 19:36:31.000000000 -0400
32633 @@ -501,7 +501,7 @@ static ssize_t vbi_read(struct file *fil
32634 return ret;
32635 }
32636
32637 -struct saa7146_use_ops saa7146_vbi_uops = {
32638 +const struct saa7146_use_ops saa7146_vbi_uops = {
32639 .init = vbi_init,
32640 .open = vbi_open,
32641 .release = vbi_close,
32642 diff -urNp linux-2.6.39.3/drivers/media/common/saa7146_video.c linux-2.6.39.3/drivers/media/common/saa7146_video.c
32643 --- linux-2.6.39.3/drivers/media/common/saa7146_video.c 2011-05-19 00:06:34.000000000 -0400
32644 +++ linux-2.6.39.3/drivers/media/common/saa7146_video.c 2011-05-22 19:36:31.000000000 -0400
32645 @@ -1420,7 +1420,7 @@ out:
32646 return ret;
32647 }
32648
32649 -struct saa7146_use_ops saa7146_video_uops = {
32650 +const struct saa7146_use_ops saa7146_video_uops = {
32651 .init = video_init,
32652 .open = video_open,
32653 .release = video_close,
32654 diff -urNp linux-2.6.39.3/drivers/media/dvb/dm1105/dm1105.c linux-2.6.39.3/drivers/media/dvb/dm1105/dm1105.c
32655 --- linux-2.6.39.3/drivers/media/dvb/dm1105/dm1105.c 2011-05-19 00:06:34.000000000 -0400
32656 +++ linux-2.6.39.3/drivers/media/dvb/dm1105/dm1105.c 2011-05-22 19:36:31.000000000 -0400
32657 @@ -418,7 +418,7 @@ static u32 functionality(struct i2c_adap
32658 return I2C_FUNC_I2C;
32659 }
32660
32661 -static struct i2c_algorithm dm1105_algo = {
32662 +static const struct i2c_algorithm dm1105_algo = {
32663 .master_xfer = dm1105_i2c_xfer,
32664 .functionality = functionality,
32665 };
32666 diff -urNp linux-2.6.39.3/drivers/media/dvb/dvb-core/dvb_ca_en50221.c linux-2.6.39.3/drivers/media/dvb/dvb-core/dvb_ca_en50221.c
32667 --- linux-2.6.39.3/drivers/media/dvb/dvb-core/dvb_ca_en50221.c 2011-05-19 00:06:34.000000000 -0400
32668 +++ linux-2.6.39.3/drivers/media/dvb/dvb-core/dvb_ca_en50221.c 2011-05-22 19:36:31.000000000 -0400
32669 @@ -590,6 +590,8 @@ static int dvb_ca_en50221_read_data(stru
32670 u8 buf[HOST_LINK_BUF_SIZE];
32671 int i;
32672
32673 + pax_track_stack();
32674 +
32675 dprintk("%s\n", __func__);
32676
32677 /* check if we have space for a link buf in the rx_buffer */
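Review bot: The added `pax_track_stack();` call has no comment tying it to the large local that motivates it, here `u8 buf[HOST_LINK_BUF_SIZE]`. The helper is defined elsewhere in this patch; in PaX it belongs to the STACKLEAK feature and records how deep the kernel stack was used, so that range can be cleared later. A one-line comment such as `/* large stack frame (buf[]): record depth for PaX STACKLEAK */` would let a maintainer judge whether the call is still needed once the buffer shrinks or moves to the heap. The same applies to the other `pax_track_stack()` hunks in this part of the patch (dvb_ca_en50221_io_write, dib0700_download_firmware, lme2510_download_firmware, lme_coldreset, mb86a16_set_fe, or51211_load_firmware, cx18_read_eeprom, cx23885_input_process_measurements, pvr2_eeprom_analyze). In some of them, for example mb86a16_set_fe, the large local is not visible in the hunk, and every one of these function bodies continues outside its hunk.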
32678 @@ -1285,6 +1287,8 @@ static ssize_t dvb_ca_en50221_io_write(s
32679 unsigned long timeout;
32680 int written;
32681
32682 + pax_track_stack();
32683 +
32684 dprintk("%s\n", __func__);
32685
32686 /* Incoming packet has a 2 byte header. hdr[0] = slot_id, hdr[1] = connection_id */
32687 diff -urNp linux-2.6.39.3/drivers/media/dvb/dvb-core/dvbdev.c linux-2.6.39.3/drivers/media/dvb/dvb-core/dvbdev.c
32688 --- linux-2.6.39.3/drivers/media/dvb/dvb-core/dvbdev.c 2011-05-19 00:06:34.000000000 -0400
32689 +++ linux-2.6.39.3/drivers/media/dvb/dvb-core/dvbdev.c 2011-05-22 19:36:31.000000000 -0400
32690 @@ -192,7 +192,7 @@ int dvb_register_device(struct dvb_adapt
32691 const struct dvb_device *template, void *priv, int type)
32692 {
32693 struct dvb_device *dvbdev;
32694 - struct file_operations *dvbdevfops;
32695 + struct file_operations *dvbdevfops; /* cannot be const, see this function */
32696 struct device *clsdev;
32697 int minor;
32698 int id;
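Review bot: The new comment `/* cannot be const, see this function */` tells the reader that the pointer stays writable but not why. If, as the comment implies, dvb_register_device writes through `dvbdevfops` further down (the body is outside the hunk), the comment should name that write, for example `/* not const: per-device copy that is filled in below */`. That also makes it clear to a later audit that this is a deliberate exception to the constification done elsewhere in the patch.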
32699 diff -urNp linux-2.6.39.3/drivers/media/dvb/dvb-usb/dib0700_core.c linux-2.6.39.3/drivers/media/dvb/dvb-usb/dib0700_core.c
32700 --- linux-2.6.39.3/drivers/media/dvb/dvb-usb/dib0700_core.c 2011-05-19 00:06:34.000000000 -0400
32701 +++ linux-2.6.39.3/drivers/media/dvb/dvb-usb/dib0700_core.c 2011-05-22 19:36:31.000000000 -0400
32702 @@ -391,6 +391,8 @@ int dib0700_download_firmware(struct usb
32703
32704 u8 buf[260];
32705
32706 + pax_track_stack();
32707 +
32708 while ((ret = dvb_usb_get_hexline(fw, &hx, &pos)) > 0) {
32709 deb_fwdata("writing to address 0x%08x (buffer: 0x%02x %02x)\n",
32710 hx.addr, hx.len, hx.chk);
32711 diff -urNp linux-2.6.39.3/drivers/media/dvb/dvb-usb/lmedm04.c linux-2.6.39.3/drivers/media/dvb/dvb-usb/lmedm04.c
32712 --- linux-2.6.39.3/drivers/media/dvb/dvb-usb/lmedm04.c 2011-05-19 00:06:34.000000000 -0400
32713 +++ linux-2.6.39.3/drivers/media/dvb/dvb-usb/lmedm04.c 2011-05-22 19:36:31.000000000 -0400
32714 @@ -663,6 +663,7 @@ static int lme2510_download_firmware(str
32715 packet_size = 0x31;
32716 len_in = 1;
32717
32718 + pax_track_stack();
32719
32720 info("FRM Starting Firmware Download");
32721
32722 @@ -715,6 +716,8 @@ static void lme_coldreset(struct usb_dev
32723 int ret = 0, len_in;
32724 u8 data[512] = {0};
32725
32726 + pax_track_stack();
32727 +
32728 data[0] = 0x0a;
32729 len_in = 1;
32730 info("FRM Firmware Cold Reset");
32731 diff -urNp linux-2.6.39.3/drivers/media/dvb/frontends/dib7000p.c linux-2.6.39.3/drivers/media/dvb/frontends/dib7000p.c
32732 --- linux-2.6.39.3/drivers/media/dvb/frontends/dib7000p.c 2011-06-03 00:04:14.000000000 -0400
32733 +++ linux-2.6.39.3/drivers/media/dvb/frontends/dib7000p.c 2011-06-03 00:32:05.000000000 -0400
32734 @@ -1945,7 +1945,7 @@ static u32 dib7000p_i2c_func(struct i2c_
32735 return I2C_FUNC_I2C;
32736 }
32737
32738 -static struct i2c_algorithm dib7090_tuner_xfer_algo = {
32739 +static const struct i2c_algorithm dib7090_tuner_xfer_algo = {
32740 .master_xfer = dib7090_tuner_xfer,
32741 .functionality = dib7000p_i2c_func,
32742 };
32743 diff -urNp linux-2.6.39.3/drivers/media/dvb/frontends/dib9000.c linux-2.6.39.3/drivers/media/dvb/frontends/dib9000.c
32744 --- linux-2.6.39.3/drivers/media/dvb/frontends/dib9000.c 2011-06-03 00:04:14.000000000 -0400
32745 +++ linux-2.6.39.3/drivers/media/dvb/frontends/dib9000.c 2011-06-03 00:32:05.000000000 -0400
32746 @@ -1676,12 +1676,12 @@ static u32 dib9000_i2c_func(struct i2c_a
32747 return I2C_FUNC_I2C;
32748 }
32749
32750 -static struct i2c_algorithm dib9000_tuner_algo = {
32751 +static const struct i2c_algorithm dib9000_tuner_algo = {
32752 .master_xfer = dib9000_tuner_xfer,
32753 .functionality = dib9000_i2c_func,
32754 };
32755
32756 -static struct i2c_algorithm dib9000_component_bus_algo = {
32757 +static const struct i2c_algorithm dib9000_component_bus_algo = {
32758 .master_xfer = dib9000_fw_component_bus_xfer,
32759 .functionality = dib9000_i2c_func,
32760 };
32761 diff -urNp linux-2.6.39.3/drivers/media/dvb/frontends/dibx000_common.c linux-2.6.39.3/drivers/media/dvb/frontends/dibx000_common.c
32762 --- linux-2.6.39.3/drivers/media/dvb/frontends/dibx000_common.c 2011-06-03 00:04:14.000000000 -0400
32763 +++ linux-2.6.39.3/drivers/media/dvb/frontends/dibx000_common.c 2011-06-03 00:37:36.000000000 -0400
32764 @@ -221,12 +221,12 @@ static int dibx000_i2c_master_xfer_gpio3
32765 return num;
32766 }
32767
32768 -static struct i2c_algorithm dibx000_i2c_master_gpio12_xfer_algo = {
32769 +static const struct i2c_algorithm dibx000_i2c_master_gpio12_xfer_algo = {
32770 .master_xfer = dibx000_i2c_master_xfer_gpio12,
32771 .functionality = dibx000_i2c_func,
32772 };
32773
32774 -static struct i2c_algorithm dibx000_i2c_master_gpio34_xfer_algo = {
32775 +static const struct i2c_algorithm dibx000_i2c_master_gpio34_xfer_algo = {
32776 .master_xfer = dibx000_i2c_master_xfer_gpio34,
32777 .functionality = dibx000_i2c_func,
32778 };
32779 @@ -285,7 +285,7 @@ static int dibx000_i2c_gated_gpio67_xfer
32780 return i2c_transfer(mst->i2c_adap, mst->msg, 2 + num) == 2 + num ? num : -EIO;
32781 }
32782
32783 -static struct i2c_algorithm dibx000_i2c_gated_gpio67_algo = {
32784 +static const struct i2c_algorithm dibx000_i2c_gated_gpio67_algo = {
32785 .master_xfer = dibx000_i2c_gated_gpio67_xfer,
32786 .functionality = dibx000_i2c_func,
32787 };
32788 @@ -322,7 +322,7 @@ static int dibx000_i2c_gated_tuner_xfer(
32789 return i2c_transfer(mst->i2c_adap, mst->msg, 2 + num) == 2 + num ? num : -EIO;
32790 }
32791
32792 -static struct i2c_algorithm dibx000_i2c_gated_tuner_algo = {
32793 +static const struct i2c_algorithm dibx000_i2c_gated_tuner_algo = {
32794 .master_xfer = dibx000_i2c_gated_tuner_xfer,
32795 .functionality = dibx000_i2c_func,
32796 };
32797 @@ -375,7 +375,7 @@ void dibx000_reset_i2c_master(struct dib
32798 EXPORT_SYMBOL(dibx000_reset_i2c_master);
32799
32800 static int i2c_adapter_init(struct i2c_adapter *i2c_adap,
32801 - struct i2c_algorithm *algo, const char *name,
32802 + const struct i2c_algorithm *algo, const char *name,
32803 struct dibx000_i2c_master *mst)
32804 {
32805 strncpy(i2c_adap->name, name, sizeof(i2c_adap->name));
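Review bot: The context line `strncpy(i2c_adap->name, name, sizeof(i2c_adap->name));` leaves `name` unterminated whenever the source string is at least as long as the destination, and the hunk that touches this function does not address it. Unless the rest of i2c_adapter_init, which is outside the hunk, terminates the buffer, `strlcpy(i2c_adap->name, name, sizeof(i2c_adap->name));` is the bounded form the kernel already uses elsewhere in this patch (cx18_read_eeprom). The callers probably pass short literals, so this is hardening rather than a demonstrated overflow.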
32806 diff -urNp linux-2.6.39.3/drivers/media/dvb/frontends/mb86a16.c linux-2.6.39.3/drivers/media/dvb/frontends/mb86a16.c
32807 --- linux-2.6.39.3/drivers/media/dvb/frontends/mb86a16.c 2011-05-19 00:06:34.000000000 -0400
32808 +++ linux-2.6.39.3/drivers/media/dvb/frontends/mb86a16.c 2011-05-22 19:36:31.000000000 -0400
32809 @@ -1060,6 +1060,8 @@ static int mb86a16_set_fe(struct mb86a16
32810 int ret = -1;
32811 int sync;
32812
32813 + pax_track_stack();
32814 +
32815 dprintk(verbose, MB86A16_INFO, 1, "freq=%d Mhz, symbrt=%d Ksps", state->frequency, state->srate);
32816
32817 fcp = 3000;
32818 diff -urNp linux-2.6.39.3/drivers/media/dvb/frontends/or51211.c linux-2.6.39.3/drivers/media/dvb/frontends/or51211.c
32819 --- linux-2.6.39.3/drivers/media/dvb/frontends/or51211.c 2011-05-19 00:06:34.000000000 -0400
32820 +++ linux-2.6.39.3/drivers/media/dvb/frontends/or51211.c 2011-05-22 19:36:31.000000000 -0400
32821 @@ -113,6 +113,8 @@ static int or51211_load_firmware (struct
32822 u8 tudata[585];
32823 int i;
32824
32825 + pax_track_stack();
32826 +
32827 dprintk("Firmware is %zd bytes\n",fw->size);
32828
32829 /* Get eprom data */
32830 diff -urNp linux-2.6.39.3/drivers/media/dvb/frontends/s5h1420.c linux-2.6.39.3/drivers/media/dvb/frontends/s5h1420.c
32831 --- linux-2.6.39.3/drivers/media/dvb/frontends/s5h1420.c 2011-05-19 00:06:34.000000000 -0400
32832 +++ linux-2.6.39.3/drivers/media/dvb/frontends/s5h1420.c 2011-05-22 19:36:31.000000000 -0400
32833 @@ -870,7 +870,7 @@ static int s5h1420_tuner_i2c_tuner_xfer(
32834 return i2c_transfer(state->i2c, m, 1+num) == 1 + num ? num : -EIO;
32835 }
32836
32837 -static struct i2c_algorithm s5h1420_tuner_i2c_algo = {
32838 +static const struct i2c_algorithm s5h1420_tuner_i2c_algo = {
32839 .master_xfer = s5h1420_tuner_i2c_tuner_xfer,
32840 .functionality = s5h1420_tuner_i2c_func,
32841 };
32842 diff -urNp linux-2.6.39.3/drivers/media/dvb/mantis/mantis_i2c.c linux-2.6.39.3/drivers/media/dvb/mantis/mantis_i2c.c
32843 --- linux-2.6.39.3/drivers/media/dvb/mantis/mantis_i2c.c 2011-05-19 00:06:34.000000000 -0400
32844 +++ linux-2.6.39.3/drivers/media/dvb/mantis/mantis_i2c.c 2011-05-22 19:36:31.000000000 -0400
32845 @@ -212,7 +212,7 @@ static u32 mantis_i2c_func(struct i2c_ad
32846 return I2C_FUNC_SMBUS_EMUL;
32847 }
32848
32849 -static struct i2c_algorithm mantis_algo = {
32850 +static const struct i2c_algorithm mantis_algo = {
32851 .master_xfer = mantis_i2c_xfer,
32852 .functionality = mantis_i2c_func,
32853 };
32854 diff -urNp linux-2.6.39.3/drivers/media/dvb/ttusb-dec/ttusb_dec.c linux-2.6.39.3/drivers/media/dvb/ttusb-dec/ttusb_dec.c
32855 --- linux-2.6.39.3/drivers/media/dvb/ttusb-dec/ttusb_dec.c 2011-05-19 00:06:34.000000000 -0400
32856 +++ linux-2.6.39.3/drivers/media/dvb/ttusb-dec/ttusb_dec.c 2011-05-22 19:36:31.000000000 -0400
32857 @@ -1614,7 +1614,7 @@ static int fe_send_command(struct dvb_fr
32858 return ttusb_dec_send_command(dec, command, param_length, params, result_length, cmd_result);
32859 }
32860
32861 -static struct ttusbdecfe_config fe_config = {
32862 +static const struct ttusbdecfe_config fe_config = {
32863 .send_command = fe_send_command
32864 };
32865
32866 diff -urNp linux-2.6.39.3/drivers/media/radio/radio-cadet.c linux-2.6.39.3/drivers/media/radio/radio-cadet.c
32867 --- linux-2.6.39.3/drivers/media/radio/radio-cadet.c 2011-05-19 00:06:34.000000000 -0400
32868 +++ linux-2.6.39.3/drivers/media/radio/radio-cadet.c 2011-05-22 19:36:31.000000000 -0400
32869 @@ -349,7 +349,7 @@ static ssize_t cadet_read(struct file *f
32870 readbuf[i++] = dev->rdsbuf[dev->rdsout++];
32871 mutex_unlock(&dev->lock);
32872
32873 - if (copy_to_user(data, readbuf, i))
32874 + if (i > sizeof readbuf || copy_to_user(data, readbuf, i))
32875 return -EFAULT;
32876 return i;
32877 }
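Review bot: The added `i > sizeof readbuf` test runs after the context line `readbuf[i++] = dev->rdsbuf[dev->rdsout++];`, so it limits only what `copy_to_user` reads and cannot undo a write past the end of `readbuf`. If the loop condition, which is outside the hunk, lets `i` follow the caller's requested length, the bound belongs before the loop, e.g. `if (count > sizeof(readbuf)) count = sizeof(readbuf);` (assuming the length parameter is named `count`). An out-of-range `i` is also reported as `-EFAULT`, which tells the caller its pointer was bad rather than that the driver hit an internal limit.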
32878 diff -urNp linux-2.6.39.3/drivers/media/radio/radio-si4713.c linux-2.6.39.3/drivers/media/radio/radio-si4713.c
32879 --- linux-2.6.39.3/drivers/media/radio/radio-si4713.c 2011-05-19 00:06:34.000000000 -0400
32880 +++ linux-2.6.39.3/drivers/media/radio/radio-si4713.c 2011-05-22 19:36:31.000000000 -0400
32881 @@ -231,7 +231,7 @@ static long radio_si4713_default(struct
32882 ioctl, cmd, arg);
32883 }
32884
32885 -static struct v4l2_ioctl_ops radio_si4713_ioctl_ops = {
32886 +static const struct v4l2_ioctl_ops radio_si4713_ioctl_ops = {
32887 .vidioc_enumaudout = radio_si4713_enumaudout,
32888 .vidioc_g_audout = radio_si4713_g_audout,
32889 .vidioc_s_audout = radio_si4713_s_audout,
32890 diff -urNp linux-2.6.39.3/drivers/media/rc/ir-lirc-codec.c linux-2.6.39.3/drivers/media/rc/ir-lirc-codec.c
32891 --- linux-2.6.39.3/drivers/media/rc/ir-lirc-codec.c 2011-05-19 00:06:34.000000000 -0400
32892 +++ linux-2.6.39.3/drivers/media/rc/ir-lirc-codec.c 2011-05-22 19:36:31.000000000 -0400
32893 @@ -277,7 +277,7 @@ static void ir_lirc_close(void *data)
32894 return;
32895 }
32896
32897 -static struct file_operations lirc_fops = {
32898 +static const struct file_operations lirc_fops = {
32899 .owner = THIS_MODULE,
32900 .write = ir_lirc_transmit_ir,
32901 .unlocked_ioctl = ir_lirc_ioctl,
32902 diff -urNp linux-2.6.39.3/drivers/media/rc/lirc_dev.c linux-2.6.39.3/drivers/media/rc/lirc_dev.c
32903 --- linux-2.6.39.3/drivers/media/rc/lirc_dev.c 2011-05-19 00:06:34.000000000 -0400
32904 +++ linux-2.6.39.3/drivers/media/rc/lirc_dev.c 2011-05-22 19:36:31.000000000 -0400
32905 @@ -151,7 +151,7 @@ static int lirc_thread(void *irctl)
32906 }
32907
32908
32909 -static struct file_operations lirc_dev_fops = {
32910 +static const struct file_operations lirc_dev_fops = {
32911 .owner = THIS_MODULE,
32912 .read = lirc_dev_fop_read,
32913 .write = lirc_dev_fop_write,
32914 diff -urNp linux-2.6.39.3/drivers/media/rc/rc-main.c linux-2.6.39.3/drivers/media/rc/rc-main.c
32915 --- linux-2.6.39.3/drivers/media/rc/rc-main.c 2011-05-19 00:06:34.000000000 -0400
32916 +++ linux-2.6.39.3/drivers/media/rc/rc-main.c 2011-05-22 19:36:31.000000000 -0400
32917 @@ -996,7 +996,7 @@ EXPORT_SYMBOL_GPL(rc_free_device);
32918
32919 int rc_register_device(struct rc_dev *dev)
32920 {
32921 - static atomic_t devno = ATOMIC_INIT(0);
32922 + static atomic_unchecked_t devno = ATOMIC_INIT(0);
32923 struct rc_map *rc_map;
32924 const char *path;
32925 int rc;
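Review bot: The switch of `devno` to `atomic_unchecked_t` carries no comment saying why this counter is exempt from the overflow detection that PaX applies to `atomic_t`. A short note at the declaration, such as `/* device index, not a reference count: no object lifetime depends on it, so it is exempt from REFCOUNT overflow checks */`, would record the reasoning and help a later reviewer tell deliberate exemptions from mistakes. The same comment is missing on `cx18_instance`, `ivtv_instance` and `field_count` in the cx18, ivtv and omap24xxcam hunks. rc_register_device continues outside the hunk.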
32926 @@ -1019,7 +1019,7 @@ int rc_register_device(struct rc_dev *de
32927 if (dev->close)
32928 dev->input_dev->close = ir_close;
32929
32930 - dev->devno = (unsigned long)(atomic_inc_return(&devno) - 1);
32931 + dev->devno = (unsigned long)(atomic_inc_return_unchecked(&devno) - 1);
32932 dev_set_name(&dev->dev, "rc%ld", dev->devno);
32933 dev_set_drvdata(&dev->dev, dev);
32934 rc = device_add(&dev->dev);
32935 diff -urNp linux-2.6.39.3/drivers/media/video/cafe_ccic.c linux-2.6.39.3/drivers/media/video/cafe_ccic.c
32936 --- linux-2.6.39.3/drivers/media/video/cafe_ccic.c 2011-05-19 00:06:34.000000000 -0400
32937 +++ linux-2.6.39.3/drivers/media/video/cafe_ccic.c 2011-05-22 19:36:31.000000000 -0400
32938 @@ -520,7 +520,7 @@ static u32 cafe_smbus_func(struct i2c_ad
32939 I2C_FUNC_SMBUS_WRITE_BYTE_DATA;
32940 }
32941
32942 -static struct i2c_algorithm cafe_smbus_algo = {
32943 +static const struct i2c_algorithm cafe_smbus_algo = {
32944 .smbus_xfer = cafe_smbus_xfer,
32945 .functionality = cafe_smbus_func
32946 };
32947 diff -urNp linux-2.6.39.3/drivers/media/video/cx18/cx18-alsa-pcm.c linux-2.6.39.3/drivers/media/video/cx18/cx18-alsa-pcm.c
32948 --- linux-2.6.39.3/drivers/media/video/cx18/cx18-alsa-pcm.c 2011-05-19 00:06:34.000000000 -0400
32949 +++ linux-2.6.39.3/drivers/media/video/cx18/cx18-alsa-pcm.c 2011-05-22 19:36:31.000000000 -0400
32950 @@ -314,7 +314,7 @@ static struct page *snd_pcm_get_vmalloc_
32951 return vmalloc_to_page(pageptr);
32952 }
32953
32954 -static struct snd_pcm_ops snd_cx18_pcm_capture_ops = {
32955 +static const struct snd_pcm_ops snd_cx18_pcm_capture_ops = {
32956 .open = snd_cx18_pcm_capture_open,
32957 .close = snd_cx18_pcm_capture_close,
32958 .ioctl = snd_cx18_pcm_ioctl,
32959 diff -urNp linux-2.6.39.3/drivers/media/video/cx18/cx18-driver.c linux-2.6.39.3/drivers/media/video/cx18/cx18-driver.c
32960 --- linux-2.6.39.3/drivers/media/video/cx18/cx18-driver.c 2011-05-19 00:06:34.000000000 -0400
32961 +++ linux-2.6.39.3/drivers/media/video/cx18/cx18-driver.c 2011-05-22 19:36:31.000000000 -0400
32962 @@ -61,7 +61,7 @@ static struct pci_device_id cx18_pci_tbl
32963
32964 MODULE_DEVICE_TABLE(pci, cx18_pci_tbl);
32965
32966 -static atomic_t cx18_instance = ATOMIC_INIT(0);
32967 +static atomic_unchecked_t cx18_instance = ATOMIC_INIT(0);
32968
32969 /* Parameter declarations */
32970 static int cardtype[CX18_MAX_CARDS];
32971 @@ -327,6 +327,8 @@ void cx18_read_eeprom(struct cx18 *cx, s
32972 struct i2c_client c;
32973 u8 eedata[256];
32974
32975 + pax_track_stack();
32976 +
32977 memset(&c, 0, sizeof(c));
32978 strlcpy(c.name, "cx18 tveeprom tmp", sizeof(c.name));
32979 c.adapter = &cx->i2c_adap[0];
32980 @@ -892,7 +894,7 @@ static int __devinit cx18_probe(struct p
32981 struct cx18 *cx;
32982
32983 /* FIXME - module parameter arrays constrain max instances */
32984 - i = atomic_inc_return(&cx18_instance) - 1;
32985 + i = atomic_inc_return_unchecked(&cx18_instance) - 1;
32986 if (i >= CX18_MAX_CARDS) {
32987 printk(KERN_ERR "cx18: cannot manage card %d, driver has a "
32988 "limit of 0 - %d\n", i, CX18_MAX_CARDS - 1);
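Review bot: Only the upper bound of `i` is checked after `atomic_inc_return_unchecked(&cx18_instance) - 1`, and the unchecked variant opts this counter out of the overflow detection PaX applies to `atomic_t`. Nothing in the visible lines decrements the counter, so if it ever wrapped, a negative `i` would pass `i >= CX18_MAX_CARDS`. Assuming `i` is a signed int, as the `%d` in the printk suggests, `if (i < 0 || i >= CX18_MAX_CARDS) {` closes that gap at no cost. cx18_probe continues outside the hunk.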
32989 diff -urNp linux-2.6.39.3/drivers/media/video/cx231xx/cx231xx-audio.c linux-2.6.39.3/drivers/media/video/cx231xx/cx231xx-audio.c
32990 --- linux-2.6.39.3/drivers/media/video/cx231xx/cx231xx-audio.c 2011-05-19 00:06:34.000000000 -0400
32991 +++ linux-2.6.39.3/drivers/media/video/cx231xx/cx231xx-audio.c 2011-05-22 19:36:31.000000000 -0400
32992 @@ -613,7 +613,7 @@ static struct page *snd_pcm_get_vmalloc_
32993 return vmalloc_to_page(pageptr);
32994 }
32995
32996 -static struct snd_pcm_ops snd_cx231xx_pcm_capture = {
32997 +static const struct snd_pcm_ops snd_cx231xx_pcm_capture = {
32998 .open = snd_cx231xx_capture_open,
32999 .close = snd_cx231xx_pcm_close,
33000 .ioctl = snd_pcm_lib_ioctl,
33001 diff -urNp linux-2.6.39.3/drivers/media/video/cx231xx/cx231xx-i2c.c linux-2.6.39.3/drivers/media/video/cx231xx/cx231xx-i2c.c
33002 --- linux-2.6.39.3/drivers/media/video/cx231xx/cx231xx-i2c.c 2011-05-19 00:06:34.000000000 -0400
33003 +++ linux-2.6.39.3/drivers/media/video/cx231xx/cx231xx-i2c.c 2011-05-22 19:36:31.000000000 -0400
33004 @@ -435,7 +435,7 @@ static u32 functionality(struct i2c_adap
33005 return I2C_FUNC_SMBUS_EMUL | I2C_FUNC_I2C;
33006 }
33007
33008 -static struct i2c_algorithm cx231xx_algo = {
33009 +static const struct i2c_algorithm cx231xx_algo = {
33010 .master_xfer = cx231xx_i2c_xfer,
33011 .functionality = functionality,
33012 };
33013 diff -urNp linux-2.6.39.3/drivers/media/video/cx23885/cx23885-input.c linux-2.6.39.3/drivers/media/video/cx23885/cx23885-input.c
33014 --- linux-2.6.39.3/drivers/media/video/cx23885/cx23885-input.c 2011-05-19 00:06:34.000000000 -0400
33015 +++ linux-2.6.39.3/drivers/media/video/cx23885/cx23885-input.c 2011-05-22 19:36:31.000000000 -0400
33016 @@ -53,6 +53,8 @@ static void cx23885_input_process_measur
33017 bool handle = false;
33018 struct ir_raw_event ir_core_event[64];
33019
33020 + pax_track_stack();
33021 +
33022 do {
33023 num = 0;
33024 v4l2_subdev_call(dev->sd_ir, ir, rx_read, (u8 *) ir_core_event,
33025 diff -urNp linux-2.6.39.3/drivers/media/video/cx88/cx88-alsa.c linux-2.6.39.3/drivers/media/video/cx88/cx88-alsa.c
33026 --- linux-2.6.39.3/drivers/media/video/cx88/cx88-alsa.c 2011-05-19 00:06:34.000000000 -0400
33027 +++ linux-2.6.39.3/drivers/media/video/cx88/cx88-alsa.c 2011-05-22 19:36:31.000000000 -0400
33028 @@ -519,7 +519,7 @@ static struct page *snd_cx88_page(struct
33029 /*
33030 * operators
33031 */
33032 -static struct snd_pcm_ops snd_cx88_pcm_ops = {
33033 +static const struct snd_pcm_ops snd_cx88_pcm_ops = {
33034 .open = snd_cx88_pcm_open,
33035 .close = snd_cx88_close,
33036 .ioctl = snd_pcm_lib_ioctl,
33037 diff -urNp linux-2.6.39.3/drivers/media/video/davinci/ccdc_hw_device.h linux-2.6.39.3/drivers/media/video/davinci/ccdc_hw_device.h
33038 --- linux-2.6.39.3/drivers/media/video/davinci/ccdc_hw_device.h 2011-05-19 00:06:34.000000000 -0400
33039 +++ linux-2.6.39.3/drivers/media/video/davinci/ccdc_hw_device.h 2011-05-22 19:36:31.000000000 -0400
33040 @@ -99,7 +99,7 @@ struct ccdc_hw_device {
33041 /* module owner */
33042 struct module *owner;
33043 /* hw ops */
33044 - struct ccdc_hw_ops hw_ops;
33045 + const struct ccdc_hw_ops hw_ops;
33046 };
33047
33048 /* Used by CCDC module to register & unregister with vpfe capture driver */
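Review bot: Marking the embedded member `const struct ccdc_hw_ops hw_ops;` does not put the function pointers in read-only memory, because they still live inside whatever writable object contains the struct. It also makes the containing struct non-assignable, so any code that fills `hw_ops` at run time (outside these hunks) would no longer compile. The vpss.c hunk shows the problem directly: `static struct vpss_oper_config oper_cfg;` is defined without an initializer, so its now-const `hw_ops` can only stay zeroed. The same pattern appears for `platform_cb` in struct isp_device. If write protection of the ops table is the goal, a pointer to a separately defined `static const` table, `const struct ccdc_hw_ops *hw_ops;`, gives it, at the cost of touching the users of the field.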
33049 diff -urNp linux-2.6.39.3/drivers/media/video/davinci/vpss.c linux-2.6.39.3/drivers/media/video/davinci/vpss.c
33050 --- linux-2.6.39.3/drivers/media/video/davinci/vpss.c 2011-05-19 00:06:34.000000000 -0400
33051 +++ linux-2.6.39.3/drivers/media/video/davinci/vpss.c 2011-05-22 19:36:31.000000000 -0400
33052 @@ -103,7 +103,7 @@ struct vpss_oper_config {
33053 __iomem void *vpss_regs_base1;
33054 enum vpss_platform_type platform;
33055 spinlock_t vpss_lock;
33056 - struct vpss_hw_ops hw_ops;
33057 + const struct vpss_hw_ops hw_ops;
33058 };
33059
33060 static struct vpss_oper_config oper_cfg;
33061 diff -urNp linux-2.6.39.3/drivers/media/video/em28xx/em28xx-audio.c linux-2.6.39.3/drivers/media/video/em28xx/em28xx-audio.c
33062 --- linux-2.6.39.3/drivers/media/video/em28xx/em28xx-audio.c 2011-05-19 00:06:34.000000000 -0400
33063 +++ linux-2.6.39.3/drivers/media/video/em28xx/em28xx-audio.c 2011-05-22 19:36:31.000000000 -0400
33064 @@ -432,7 +432,7 @@ static struct page *snd_pcm_get_vmalloc_
33065 return vmalloc_to_page(pageptr);
33066 }
33067
33068 -static struct snd_pcm_ops snd_em28xx_pcm_capture = {
33069 +static const struct snd_pcm_ops snd_em28xx_pcm_capture = {
33070 .open = snd_em28xx_capture_open,
33071 .close = snd_em28xx_pcm_close,
33072 .ioctl = snd_pcm_lib_ioctl,
33073 diff -urNp linux-2.6.39.3/drivers/media/video/em28xx/em28xx-i2c.c linux-2.6.39.3/drivers/media/video/em28xx/em28xx-i2c.c
33074 --- linux-2.6.39.3/drivers/media/video/em28xx/em28xx-i2c.c 2011-05-19 00:06:34.000000000 -0400
33075 +++ linux-2.6.39.3/drivers/media/video/em28xx/em28xx-i2c.c 2011-05-22 19:36:31.000000000 -0400
33076 @@ -451,7 +451,7 @@ static u32 functionality(struct i2c_adap
33077 return I2C_FUNC_SMBUS_EMUL;
33078 }
33079
33080 -static struct i2c_algorithm em28xx_algo = {
33081 +static const struct i2c_algorithm em28xx_algo = {
33082 .master_xfer = em28xx_i2c_xfer,
33083 .functionality = functionality,
33084 };
33085 diff -urNp linux-2.6.39.3/drivers/media/video/hdpvr/hdpvr-i2c.c linux-2.6.39.3/drivers/media/video/hdpvr/hdpvr-i2c.c
33086 --- linux-2.6.39.3/drivers/media/video/hdpvr/hdpvr-i2c.c 2011-05-19 00:06:34.000000000 -0400
33087 +++ linux-2.6.39.3/drivers/media/video/hdpvr/hdpvr-i2c.c 2011-05-22 19:36:31.000000000 -0400
33088 @@ -179,7 +179,7 @@ static u32 hdpvr_functionality(struct i2
33089 return I2C_FUNC_I2C | I2C_FUNC_SMBUS_EMUL;
33090 }
33091
33092 -static struct i2c_algorithm hdpvr_algo = {
33093 +static const struct i2c_algorithm hdpvr_algo = {
33094 .master_xfer = hdpvr_transfer,
33095 .functionality = hdpvr_functionality,
33096 };
33097 diff -urNp linux-2.6.39.3/drivers/media/video/imx074.c linux-2.6.39.3/drivers/media/video/imx074.c
33098 --- linux-2.6.39.3/drivers/media/video/imx074.c 2011-05-19 00:06:34.000000000 -0400
33099 +++ linux-2.6.39.3/drivers/media/video/imx074.c 2011-05-22 19:36:31.000000000 -0400
33100 @@ -267,7 +267,7 @@ static int imx074_g_chip_ident(struct v4
33101 return 0;
33102 }
33103
33104 -static struct v4l2_subdev_video_ops imx074_subdev_video_ops = {
33105 +static const struct v4l2_subdev_video_ops imx074_subdev_video_ops = {
33106 .s_stream = imx074_s_stream,
33107 .s_mbus_fmt = imx074_s_fmt,
33108 .g_mbus_fmt = imx074_g_fmt,
33109 @@ -277,7 +277,7 @@ static struct v4l2_subdev_video_ops imx0
33110 .cropcap = imx074_cropcap,
33111 };
33112
33113 -static struct v4l2_subdev_core_ops imx074_subdev_core_ops = {
33114 +static const struct v4l2_subdev_core_ops imx074_subdev_core_ops = {
33115 .g_chip_ident = imx074_g_chip_ident,
33116 };
33117
33118 diff -urNp linux-2.6.39.3/drivers/media/video/ivtv/ivtv-driver.c linux-2.6.39.3/drivers/media/video/ivtv/ivtv-driver.c
33119 --- linux-2.6.39.3/drivers/media/video/ivtv/ivtv-driver.c 2011-05-19 00:06:34.000000000 -0400
33120 +++ linux-2.6.39.3/drivers/media/video/ivtv/ivtv-driver.c 2011-05-22 19:36:31.000000000 -0400
33121 @@ -80,7 +80,7 @@ static struct pci_device_id ivtv_pci_tbl
33122 MODULE_DEVICE_TABLE(pci,ivtv_pci_tbl);
33123
33124 /* ivtv instance counter */
33125 -static atomic_t ivtv_instance = ATOMIC_INIT(0);
33126 +static atomic_unchecked_t ivtv_instance = ATOMIC_INIT(0);
33127
33128 /* Parameter declarations */
33129 static int cardtype[IVTV_MAX_CARDS];
33130 diff -urNp linux-2.6.39.3/drivers/media/video/mt9m001.c linux-2.6.39.3/drivers/media/video/mt9m001.c
33131 --- linux-2.6.39.3/drivers/media/video/mt9m001.c 2011-05-19 00:06:34.000000000 -0400
33132 +++ linux-2.6.39.3/drivers/media/video/mt9m001.c 2011-05-22 19:36:31.000000000 -0400
33133 @@ -691,7 +691,7 @@ static int mt9m001_g_skip_top_lines(stru
33134 return 0;
33135 }
33136
33137 -static struct v4l2_subdev_core_ops mt9m001_subdev_core_ops = {
33138 +static const struct v4l2_subdev_core_ops mt9m001_subdev_core_ops = {
33139 .g_ctrl = mt9m001_g_ctrl,
33140 .s_ctrl = mt9m001_s_ctrl,
33141 .g_chip_ident = mt9m001_g_chip_ident,
33142 @@ -714,7 +714,7 @@ static int mt9m001_enum_fmt(struct v4l2_
33143 return 0;
33144 }
33145
33146 -static struct v4l2_subdev_video_ops mt9m001_subdev_video_ops = {
33147 +static const struct v4l2_subdev_video_ops mt9m001_subdev_video_ops = {
33148 .s_stream = mt9m001_s_stream,
33149 .s_mbus_fmt = mt9m001_s_fmt,
33150 .g_mbus_fmt = mt9m001_g_fmt,
33151 @@ -725,7 +725,7 @@ static struct v4l2_subdev_video_ops mt9m
33152 .enum_mbus_fmt = mt9m001_enum_fmt,
33153 };
33154
33155 -static struct v4l2_subdev_sensor_ops mt9m001_subdev_sensor_ops = {
33156 +static const struct v4l2_subdev_sensor_ops mt9m001_subdev_sensor_ops = {
33157 .g_skip_top_lines = mt9m001_g_skip_top_lines,
33158 };
33159
33160 diff -urNp linux-2.6.39.3/drivers/media/video/mt9t031.c linux-2.6.39.3/drivers/media/video/mt9t031.c
33161 --- linux-2.6.39.3/drivers/media/video/mt9t031.c 2011-05-19 00:06:34.000000000 -0400
33162 +++ linux-2.6.39.3/drivers/media/video/mt9t031.c 2011-05-22 19:36:31.000000000 -0400
33163 @@ -725,7 +725,7 @@ static int mt9t031_runtime_resume(struct
33164 return 0;
33165 }
33166
33167 -static struct dev_pm_ops mt9t031_dev_pm_ops = {
33168 +static const struct dev_pm_ops mt9t031_dev_pm_ops = {
33169 .runtime_suspend = mt9t031_runtime_suspend,
33170 .runtime_resume = mt9t031_runtime_resume,
33171 };
33172 @@ -788,7 +788,7 @@ static int mt9t031_g_skip_top_lines(stru
33173 return 0;
33174 }
33175
33176 -static struct v4l2_subdev_core_ops mt9t031_subdev_core_ops = {
33177 +static const struct v4l2_subdev_core_ops mt9t031_subdev_core_ops = {
33178 .g_ctrl = mt9t031_g_ctrl,
33179 .s_ctrl = mt9t031_s_ctrl,
33180 .g_chip_ident = mt9t031_g_chip_ident,
33181 @@ -808,7 +808,7 @@ static int mt9t031_enum_fmt(struct v4l2_
33182 return 0;
33183 }
33184
33185 -static struct v4l2_subdev_video_ops mt9t031_subdev_video_ops = {
33186 +static const struct v4l2_subdev_video_ops mt9t031_subdev_video_ops = {
33187 .s_stream = mt9t031_s_stream,
33188 .s_mbus_fmt = mt9t031_s_fmt,
33189 .g_mbus_fmt = mt9t031_g_fmt,
33190 @@ -819,7 +819,7 @@ static struct v4l2_subdev_video_ops mt9t
33191 .enum_mbus_fmt = mt9t031_enum_fmt,
33192 };
33193
33194 -static struct v4l2_subdev_sensor_ops mt9t031_subdev_sensor_ops = {
33195 +static const struct v4l2_subdev_sensor_ops mt9t031_subdev_sensor_ops = {
33196 .g_skip_top_lines = mt9t031_g_skip_top_lines,
33197 };
33198
33199 diff -urNp linux-2.6.39.3/drivers/media/video/mt9v022.c linux-2.6.39.3/drivers/media/video/mt9v022.c
33200 --- linux-2.6.39.3/drivers/media/video/mt9v022.c 2011-05-19 00:06:34.000000000 -0400
33201 +++ linux-2.6.39.3/drivers/media/video/mt9v022.c 2011-05-22 19:36:31.000000000 -0400
33202 @@ -825,7 +825,7 @@ static int mt9v022_g_skip_top_lines(stru
33203 return 0;
33204 }
33205
33206 -static struct v4l2_subdev_core_ops mt9v022_subdev_core_ops = {
33207 +static const struct v4l2_subdev_core_ops mt9v022_subdev_core_ops = {
33208 .g_ctrl = mt9v022_g_ctrl,
33209 .s_ctrl = mt9v022_s_ctrl,
33210 .g_chip_ident = mt9v022_g_chip_ident,
33211 @@ -848,7 +848,7 @@ static int mt9v022_enum_fmt(struct v4l2_
33212 return 0;
33213 }
33214
33215 -static struct v4l2_subdev_video_ops mt9v022_subdev_video_ops = {
33216 +static const struct v4l2_subdev_video_ops mt9v022_subdev_video_ops = {
33217 .s_stream = mt9v022_s_stream,
33218 .s_mbus_fmt = mt9v022_s_fmt,
33219 .g_mbus_fmt = mt9v022_g_fmt,
33220 @@ -859,7 +859,7 @@ static struct v4l2_subdev_video_ops mt9v
33221 .enum_mbus_fmt = mt9v022_enum_fmt,
33222 };
33223
33224 -static struct v4l2_subdev_sensor_ops mt9v022_subdev_sensor_ops = {
33225 +static const struct v4l2_subdev_sensor_ops mt9v022_subdev_sensor_ops = {
33226 .g_skip_top_lines = mt9v022_g_skip_top_lines,
33227 };
33228
33229 diff -urNp linux-2.6.39.3/drivers/media/video/mx2_camera.c linux-2.6.39.3/drivers/media/video/mx2_camera.c
33230 --- linux-2.6.39.3/drivers/media/video/mx2_camera.c 2011-05-19 00:06:34.000000000 -0400
33231 +++ linux-2.6.39.3/drivers/media/video/mx2_camera.c 2011-05-22 19:36:31.000000000 -0400
33232 @@ -668,7 +668,7 @@ static void mx2_videobuf_release(struct
33233 free_buffer(vq, buf);
33234 }
33235
33236 -static struct videobuf_queue_ops mx2_videobuf_ops = {
33237 +static const struct videobuf_queue_ops mx2_videobuf_ops = {
33238 .buf_setup = mx2_videobuf_setup,
33239 .buf_prepare = mx2_videobuf_prepare,
33240 .buf_queue = mx2_videobuf_queue,
33241 diff -urNp linux-2.6.39.3/drivers/media/video/omap24xxcam.c linux-2.6.39.3/drivers/media/video/omap24xxcam.c
33242 --- linux-2.6.39.3/drivers/media/video/omap24xxcam.c 2011-05-19 00:06:34.000000000 -0400
33243 +++ linux-2.6.39.3/drivers/media/video/omap24xxcam.c 2011-05-22 19:36:31.000000000 -0400
33244 @@ -403,7 +403,7 @@ static void omap24xxcam_vbq_complete(str
33245 spin_unlock_irqrestore(&cam->core_enable_disable_lock, flags);
33246
33247 do_gettimeofday(&vb->ts);
33248 - vb->field_count = atomic_add_return(2, &fh->field_count);
33249 + vb->field_count = atomic_add_return_unchecked(2, &fh->field_count);
33250 if (csr & csr_error) {
33251 vb->state = VIDEOBUF_ERROR;
33252 if (!atomic_read(&fh->cam->in_reset)) {
33253 diff -urNp linux-2.6.39.3/drivers/media/video/omap24xxcam.h linux-2.6.39.3/drivers/media/video/omap24xxcam.h
33254 --- linux-2.6.39.3/drivers/media/video/omap24xxcam.h 2011-05-19 00:06:34.000000000 -0400
33255 +++ linux-2.6.39.3/drivers/media/video/omap24xxcam.h 2011-05-22 19:36:31.000000000 -0400
33256 @@ -533,7 +533,7 @@ struct omap24xxcam_fh {
33257 spinlock_t vbq_lock; /* spinlock for the videobuf queue */
33258 struct videobuf_queue vbq;
33259 struct v4l2_pix_format pix; /* serialise pix by vbq->lock */
33260 - atomic_t field_count; /* field counter for videobuf_buffer */
33261 + atomic_unchecked_t field_count; /* field counter for videobuf_buffer */
33262 /* accessing cam here doesn't need serialisation: it's constant */
33263 struct omap24xxcam_device *cam;
33264 };
33265 diff -urNp linux-2.6.39.3/drivers/media/video/omap3isp/isp.h linux-2.6.39.3/drivers/media/video/omap3isp/isp.h
33266 --- linux-2.6.39.3/drivers/media/video/omap3isp/isp.h 2011-05-19 00:06:34.000000000 -0400
33267 +++ linux-2.6.39.3/drivers/media/video/omap3isp/isp.h 2011-05-22 19:36:31.000000000 -0400
33268 @@ -290,7 +290,7 @@ struct isp_device {
33269
33270 struct iommu *iommu;
33271
33272 - struct isp_platform_callback platform_cb;
33273 + const struct isp_platform_callback platform_cb;
33274 };
33275
33276 #define v4l2_dev_to_isp_device(dev) \
33277 diff -urNp linux-2.6.39.3/drivers/media/video/ov2640.c linux-2.6.39.3/drivers/media/video/ov2640.c
33278 --- linux-2.6.39.3/drivers/media/video/ov2640.c 2011-05-19 00:06:34.000000000 -0400
33279 +++ linux-2.6.39.3/drivers/media/video/ov2640.c 2011-05-22 19:36:31.000000000 -0400
33280 @@ -1080,7 +1080,7 @@ static struct soc_camera_ops ov2640_ops
33281 .num_controls = ARRAY_SIZE(ov2640_controls),
33282 };
33283
33284 -static struct v4l2_subdev_core_ops ov2640_subdev_core_ops = {
33285 +static const struct v4l2_subdev_core_ops ov2640_subdev_core_ops = {
33286 .g_ctrl = ov2640_g_ctrl,
33287 .s_ctrl = ov2640_s_ctrl,
33288 .g_chip_ident = ov2640_g_chip_ident,
33289 @@ -1090,7 +1090,7 @@ static struct v4l2_subdev_core_ops ov264
33290 #endif
33291 };
33292
33293 -static struct v4l2_subdev_video_ops ov2640_subdev_video_ops = {
33294 +static const struct v4l2_subdev_video_ops ov2640_subdev_video_ops = {
33295 .s_stream = ov2640_s_stream,
33296 .g_mbus_fmt = ov2640_g_fmt,
33297 .s_mbus_fmt = ov2640_s_fmt,
33298 diff -urNp linux-2.6.39.3/drivers/media/video/ov772x.c linux-2.6.39.3/drivers/media/video/ov772x.c
33299 --- linux-2.6.39.3/drivers/media/video/ov772x.c 2011-05-19 00:06:34.000000000 -0400
33300 +++ linux-2.6.39.3/drivers/media/video/ov772x.c 2011-05-22 19:36:31.000000000 -0400
33301 @@ -1079,7 +1079,7 @@ static struct soc_camera_ops ov772x_ops
33302 .num_controls = ARRAY_SIZE(ov772x_controls),
33303 };
33304
33305 -static struct v4l2_subdev_core_ops ov772x_subdev_core_ops = {
33306 +static const struct v4l2_subdev_core_ops ov772x_subdev_core_ops = {
33307 .g_ctrl = ov772x_g_ctrl,
33308 .s_ctrl = ov772x_s_ctrl,
33309 .g_chip_ident = ov772x_g_chip_ident,
33310 @@ -1099,7 +1099,7 @@ static int ov772x_enum_fmt(struct v4l2_s
33311 return 0;
33312 }
33313
33314 -static struct v4l2_subdev_video_ops ov772x_subdev_video_ops = {
33315 +static const struct v4l2_subdev_video_ops ov772x_subdev_video_ops = {
33316 .s_stream = ov772x_s_stream,
33317 .g_mbus_fmt = ov772x_g_fmt,
33318 .s_mbus_fmt = ov772x_s_fmt,
33319 diff -urNp linux-2.6.39.3/drivers/media/video/pvrusb2/pvrusb2-eeprom.c linux-2.6.39.3/drivers/media/video/pvrusb2/pvrusb2-eeprom.c
33320 --- linux-2.6.39.3/drivers/media/video/pvrusb2/pvrusb2-eeprom.c 2011-05-19 00:06:34.000000000 -0400
33321 +++ linux-2.6.39.3/drivers/media/video/pvrusb2/pvrusb2-eeprom.c 2011-05-22 19:36:31.000000000 -0400
33322 @@ -120,6 +120,8 @@ int pvr2_eeprom_analyze(struct pvr2_hdw
33323 u8 *eeprom;
33324 struct tveeprom tvdata;
33325
33326 + pax_track_stack();
33327 +
33328 memset(&tvdata,0,sizeof(tvdata));
33329
33330 eeprom = pvr2_eeprom_fetch(hdw);
33331 diff -urNp linux-2.6.39.3/drivers/media/video/pvrusb2/pvrusb2-i2c-core.c linux-2.6.39.3/drivers/media/video/pvrusb2/pvrusb2-i2c-core.c
33332 --- linux-2.6.39.3/drivers/media/video/pvrusb2/pvrusb2-i2c-core.c 2011-05-19 00:06:34.000000000 -0400
33333 +++ linux-2.6.39.3/drivers/media/video/pvrusb2/pvrusb2-i2c-core.c 2011-05-22 19:36:31.000000000 -0400
33334 @@ -527,7 +527,7 @@ static u32 pvr2_i2c_functionality(struct
33335 return I2C_FUNC_SMBUS_EMUL | I2C_FUNC_I2C;
33336 }
33337
33338 -static struct i2c_algorithm pvr2_i2c_algo_template = {
33339 +static const struct i2c_algorithm pvr2_i2c_algo_template = {
33340 .master_xfer = pvr2_i2c_xfer,
33341 .functionality = pvr2_i2c_functionality,
33342 };
33343 diff -urNp linux-2.6.39.3/drivers/media/video/rj54n1cb0c.c linux-2.6.39.3/drivers/media/video/rj54n1cb0c.c
33344 --- linux-2.6.39.3/drivers/media/video/rj54n1cb0c.c 2011-05-19 00:06:34.000000000 -0400
33345 +++ linux-2.6.39.3/drivers/media/video/rj54n1cb0c.c 2011-05-22 19:36:31.000000000 -0400
33346 @@ -1327,7 +1327,7 @@ static int rj54n1_s_ctrl(struct v4l2_sub
33347 return 0;
33348 }
33349
33350 -static struct v4l2_subdev_core_ops rj54n1_subdev_core_ops = {
33351 +static const struct v4l2_subdev_core_ops rj54n1_subdev_core_ops = {
33352 .g_ctrl = rj54n1_g_ctrl,
33353 .s_ctrl = rj54n1_s_ctrl,
33354 .g_chip_ident = rj54n1_g_chip_ident,
33355 @@ -1337,7 +1337,7 @@ static struct v4l2_subdev_core_ops rj54n
33356 #endif
33357 };
33358
33359 -static struct v4l2_subdev_video_ops rj54n1_subdev_video_ops = {
33360 +static const struct v4l2_subdev_video_ops rj54n1_subdev_video_ops = {
33361 .s_stream = rj54n1_s_stream,
33362 .s_mbus_fmt = rj54n1_s_fmt,
33363 .g_mbus_fmt = rj54n1_g_fmt,
33364 diff -urNp linux-2.6.39.3/drivers/media/video/s5p-fimc/fimc-capture.c linux-2.6.39.3/drivers/media/video/s5p-fimc/fimc-capture.c
33365 --- linux-2.6.39.3/drivers/media/video/s5p-fimc/fimc-capture.c 2011-05-19 00:06:34.000000000 -0400
33366 +++ linux-2.6.39.3/drivers/media/video/s5p-fimc/fimc-capture.c 2011-05-22 19:36:31.000000000 -0400
33367 @@ -376,7 +376,7 @@ static void fimc_unlock(struct vb2_queue
33368 mutex_unlock(&ctx->fimc_dev->lock);
33369 }
33370
33371 -static struct vb2_ops fimc_capture_qops = {
33372 +static const struct vb2_ops fimc_capture_qops = {
33373 .queue_setup = queue_setup,
33374 .buf_prepare = buffer_prepare,
33375 .buf_queue = buffer_queue,
33376 diff -urNp linux-2.6.39.3/drivers/media/video/s5p-fimc/fimc-core.c linux-2.6.39.3/drivers/media/video/s5p-fimc/fimc-core.c
33377 --- linux-2.6.39.3/drivers/media/video/s5p-fimc/fimc-core.c 2011-05-19 00:06:34.000000000 -0400
33378 +++ linux-2.6.39.3/drivers/media/video/s5p-fimc/fimc-core.c 2011-05-22 19:36:31.000000000 -0400
33379 @@ -768,7 +768,7 @@ static void fimc_unlock(struct vb2_queue
33380 mutex_unlock(&ctx->fimc_dev->lock);
33381 }
33382
33383 -static struct vb2_ops fimc_qops = {
33384 +static const struct vb2_ops fimc_qops = {
33385 .queue_setup = fimc_queue_setup,
33386 .buf_prepare = fimc_buf_prepare,
33387 .buf_queue = fimc_buf_queue,
33388 diff -urNp linux-2.6.39.3/drivers/media/video/saa7134/saa6752hs.c linux-2.6.39.3/drivers/media/video/saa7134/saa6752hs.c
33389 --- linux-2.6.39.3/drivers/media/video/saa7134/saa6752hs.c 2011-05-19 00:06:34.000000000 -0400
33390 +++ linux-2.6.39.3/drivers/media/video/saa7134/saa6752hs.c 2011-05-22 19:36:31.000000000 -0400
33391 @@ -682,6 +682,8 @@ static int saa6752hs_init(struct v4l2_su
33392 unsigned char localPAT[256];
33393 unsigned char localPMT[256];
33394
33395 + pax_track_stack();
33396 +
33397 /* Set video format - must be done first as it resets other settings */
33398 set_reg8(client, 0x41, h->video_format);
33399
33400 diff -urNp linux-2.6.39.3/drivers/media/video/saa7134/saa7134-alsa.c linux-2.6.39.3/drivers/media/video/saa7134/saa7134-alsa.c
33401 --- linux-2.6.39.3/drivers/media/video/saa7134/saa7134-alsa.c 2011-05-19 00:06:34.000000000 -0400
33402 +++ linux-2.6.39.3/drivers/media/video/saa7134/saa7134-alsa.c 2011-05-22 19:36:31.000000000 -0400
33403 @@ -808,7 +808,7 @@ static struct page *snd_card_saa7134_pag
33404 * ALSA capture callbacks definition
33405 */
33406
33407 -static struct snd_pcm_ops snd_card_saa7134_capture_ops = {
33408 +static const struct snd_pcm_ops snd_card_saa7134_capture_ops = {
33409 .open = snd_card_saa7134_capture_open,
33410 .close = snd_card_saa7134_capture_close,
33411 .ioctl = snd_pcm_lib_ioctl,
33412 diff -urNp linux-2.6.39.3/drivers/media/video/saa7164/saa7164-cmd.c linux-2.6.39.3/drivers/media/video/saa7164/saa7164-cmd.c
33413 --- linux-2.6.39.3/drivers/media/video/saa7164/saa7164-cmd.c 2011-05-19 00:06:34.000000000 -0400
33414 +++ linux-2.6.39.3/drivers/media/video/saa7164/saa7164-cmd.c 2011-05-22 19:36:31.000000000 -0400
33415 @@ -88,6 +88,8 @@ int saa7164_irq_dequeue(struct saa7164_d
33416 u8 tmp[512];
33417 dprintk(DBGLVL_CMD, "%s()\n", __func__);
33418
33419 + pax_track_stack();
33420 +
33421 /* While any outstand message on the bus exists... */
33422 do {
33423
33424 @@ -141,6 +143,8 @@ int saa7164_cmd_dequeue(struct saa7164_d
33425 u8 tmp[512];
33426 dprintk(DBGLVL_CMD, "%s()\n", __func__);
33427
33428 + pax_track_stack();
33429 +
33430 while (loop) {
33431
33432 struct tmComResInfo tRsp = { 0, 0, 0, 0, 0, 0 };
33433 diff -urNp linux-2.6.39.3/drivers/media/video/sh_mobile_csi2.c linux-2.6.39.3/drivers/media/video/sh_mobile_csi2.c
33434 --- linux-2.6.39.3/drivers/media/video/sh_mobile_csi2.c 2011-05-19 00:06:34.000000000 -0400
33435 +++ linux-2.6.39.3/drivers/media/video/sh_mobile_csi2.c 2011-05-22 19:36:31.000000000 -0400
33436 @@ -127,12 +127,12 @@ static int sh_csi2_s_fmt(struct v4l2_sub
33437 return 0;
33438 }
33439
33440 -static struct v4l2_subdev_video_ops sh_csi2_subdev_video_ops = {
33441 +static const struct v4l2_subdev_video_ops sh_csi2_subdev_video_ops = {
33442 .s_mbus_fmt = sh_csi2_s_fmt,
33443 .try_mbus_fmt = sh_csi2_try_fmt,
33444 };
33445
33446 -static struct v4l2_subdev_core_ops sh_csi2_subdev_core_ops;
33447 +static const struct v4l2_subdev_core_ops sh_csi2_subdev_core_ops;
33448
33449 static struct v4l2_subdev_ops sh_csi2_subdev_ops = {
33450 .core = &sh_csi2_subdev_core_ops,
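Review bot: The enclosing `sh_csi2_subdev_ops` table, visible as context at the end of the hunk, is left non-const, so the `.core` pointer that selects the table made const here still sits in writable data. If the consumer of that table accepts a pointer to const, which this hunk does not show, the declaration could become `static const struct v4l2_subdev_ops sh_csi2_subdev_ops = {` so that the whole chain is read-only. The initialiser continues past the end of the hunk.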
33451 diff -urNp linux-2.6.39.3/drivers/media/video/soc_camera_platform.c linux-2.6.39.3/drivers/media/video/soc_camera_platform.c
33452 --- linux-2.6.39.3/drivers/media/video/soc_camera_platform.c 2011-05-19 00:06:34.000000000 -0400
33453 +++ linux-2.6.39.3/drivers/media/video/soc_camera_platform.c 2011-05-22 19:36:31.000000000 -0400
33454 @@ -70,7 +70,7 @@ static int soc_camera_platform_fill_fmt(
33455 return 0;
33456 }
33457
33458 -static struct v4l2_subdev_core_ops platform_subdev_core_ops;
33459 +static const struct v4l2_subdev_core_ops platform_subdev_core_ops;
33460
33461 static int soc_camera_platform_enum_fmt(struct v4l2_subdev *sd, unsigned int index,
33462 enum v4l2_mbus_pixelcode *code)
33463 @@ -115,7 +115,7 @@ static int soc_camera_platform_cropcap(s
33464 return 0;
33465 }
33466
33467 -static struct v4l2_subdev_video_ops platform_subdev_video_ops = {
33468 +static const struct v4l2_subdev_video_ops platform_subdev_video_ops = {
33469 .s_stream = soc_camera_platform_s_stream,
33470 .enum_mbus_fmt = soc_camera_platform_enum_fmt,
33471 .cropcap = soc_camera_platform_cropcap,
33472 diff -urNp linux-2.6.39.3/drivers/media/video/tlg2300/pd-alsa.c linux-2.6.39.3/drivers/media/video/tlg2300/pd-alsa.c
33473 --- linux-2.6.39.3/drivers/media/video/tlg2300/pd-alsa.c 2011-05-19 00:06:34.000000000 -0400
33474 +++ linux-2.6.39.3/drivers/media/video/tlg2300/pd-alsa.c 2011-05-22 19:36:31.000000000 -0400
33475 @@ -265,7 +265,7 @@ static struct page *snd_pcm_pd_get_page(
33476 return vmalloc_to_page(pageptr);
33477 }
33478
33479 -static struct snd_pcm_ops pcm_capture_ops = {
33480 +static const struct snd_pcm_ops pcm_capture_ops = {
33481 .open = snd_pd_capture_open,
33482 .close = snd_pd_pcm_close,
33483 .ioctl = snd_pcm_lib_ioctl,
33484 diff -urNp linux-2.6.39.3/drivers/media/video/tw9910.c linux-2.6.39.3/drivers/media/video/tw9910.c
33485 --- linux-2.6.39.3/drivers/media/video/tw9910.c 2011-05-19 00:06:34.000000000 -0400
33486 +++ linux-2.6.39.3/drivers/media/video/tw9910.c 2011-05-22 19:36:31.000000000 -0400
33487 @@ -894,7 +894,7 @@ static struct soc_camera_ops tw9910_ops
33488 .enum_input = tw9910_enum_input,
33489 };
33490
33491 -static struct v4l2_subdev_core_ops tw9910_subdev_core_ops = {
33492 +static const struct v4l2_subdev_core_ops tw9910_subdev_core_ops = {
33493 .g_chip_ident = tw9910_g_chip_ident,
33494 .s_std = tw9910_s_std,
33495 #ifdef CONFIG_VIDEO_ADV_DEBUG
33496 @@ -913,7 +913,7 @@ static int tw9910_enum_fmt(struct v4l2_s
33497 return 0;
33498 }
33499
33500 -static struct v4l2_subdev_video_ops tw9910_subdev_video_ops = {
33501 +static const struct v4l2_subdev_video_ops tw9910_subdev_video_ops = {
33502 .s_stream = tw9910_s_stream,
33503 .g_mbus_fmt = tw9910_g_fmt,
33504 .s_mbus_fmt = tw9910_s_fmt,
33505 diff -urNp linux-2.6.39.3/drivers/media/video/usbvision/usbvision-core.c linux-2.6.39.3/drivers/media/video/usbvision/usbvision-core.c
33506 --- linux-2.6.39.3/drivers/media/video/usbvision/usbvision-core.c 2011-05-19 00:06:34.000000000 -0400
33507 +++ linux-2.6.39.3/drivers/media/video/usbvision/usbvision-core.c 2011-05-22 19:36:31.000000000 -0400
33508 @@ -799,6 +799,8 @@ static enum parse_state usbvision_parse_
33509 unsigned char rv, gv, bv;
33510 static unsigned char *Y, *U, *V;
33511
33512 + pax_track_stack();
33513 +
33514 frame = usbvision->cur_frame;
33515 image_size = frame->frmwidth * frame->frmheight;
33516 if ((frame->v4l2_format.format == V4L2_PIX_FMT_YUV422P) ||
33517 diff -urNp linux-2.6.39.3/drivers/media/video/usbvision/usbvision-i2c.c linux-2.6.39.3/drivers/media/video/usbvision/usbvision-i2c.c
33518 --- linux-2.6.39.3/drivers/media/video/usbvision/usbvision-i2c.c 2011-05-19 00:06:34.000000000 -0400
33519 +++ linux-2.6.39.3/drivers/media/video/usbvision/usbvision-i2c.c 2011-05-22 19:36:31.000000000 -0400
33520 @@ -189,7 +189,7 @@ static u32 functionality(struct i2c_adap
33521
33522 /* -----exported algorithm data: ------------------------------------- */
33523
33524 -static struct i2c_algorithm usbvision_algo = {
33525 +static const struct i2c_algorithm usbvision_algo = {
33526 .master_xfer = usbvision_i2c_xfer,
33527 .smbus_xfer = NULL,
33528 .functionality = functionality,
33529 diff -urNp linux-2.6.39.3/drivers/media/video/v4l2-device.c linux-2.6.39.3/drivers/media/video/v4l2-device.c
33530 --- linux-2.6.39.3/drivers/media/video/v4l2-device.c 2011-05-19 00:06:34.000000000 -0400
33531 +++ linux-2.6.39.3/drivers/media/video/v4l2-device.c 2011-05-22 19:36:31.000000000 -0400
33532 @@ -71,9 +71,9 @@ int v4l2_device_put(struct v4l2_device *
33533 EXPORT_SYMBOL_GPL(v4l2_device_put);
33534
33535 int v4l2_device_set_name(struct v4l2_device *v4l2_dev, const char *basename,
33536 - atomic_t *instance)
33537 + atomic_unchecked_t *instance)
33538 {
33539 - int num = atomic_inc_return(instance) - 1;
33540 + int num = atomic_inc_return_unchecked(instance) - 1;
33541 int len = strlen(basename);
33542
33543 if (basename[len - 1] >= '0' && basename[len - 1] <= '9')
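Review bot: An empty `basename` makes `len` zero, and the test on the last line of the hunk then reads `basename[len - 1]`, one byte before the start of the string. Callers probably pass a fixed driver name, but nothing in the visible lines enforces that, and the guard is cheap: `if (len && basename[len - 1] >= '0' && basename[len - 1] <= '9')`. The body of v4l2_device_set_name continues outside the hunk.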
33544 diff -urNp linux-2.6.39.3/drivers/media/video/videobuf-dma-sg.c linux-2.6.39.3/drivers/media/video/videobuf-dma-sg.c
33545 --- linux-2.6.39.3/drivers/media/video/videobuf-dma-sg.c 2011-05-19 00:06:34.000000000 -0400
33546 +++ linux-2.6.39.3/drivers/media/video/videobuf-dma-sg.c 2011-05-22 19:36:31.000000000 -0400
33547 @@ -606,6 +606,8 @@ void *videobuf_sg_alloc(size_t size)
33548 {
33549 struct videobuf_queue q;
33550
33551 + pax_track_stack();
33552 +
33553 /* Required to make generic handler to call __videobuf_alloc */
33554 q.int_ops = &sg_ops;
33555
33556 diff -urNp linux-2.6.39.3/drivers/message/fusion/mptbase.c linux-2.6.39.3/drivers/message/fusion/mptbase.c
33557 --- linux-2.6.39.3/drivers/message/fusion/mptbase.c 2011-05-19 00:06:34.000000000 -0400
33558 +++ linux-2.6.39.3/drivers/message/fusion/mptbase.c 2011-05-22 19:41:37.000000000 -0400
33559 @@ -143,7 +143,7 @@ static int MptDriverClass[MPT_MAX_PRO
33560 static MPT_EVHANDLER MptEvHandlers[MPT_MAX_PROTOCOL_DRIVERS];
33561 /* Reset handler lookup table */
33562 static MPT_RESETHANDLER MptResetHandlers[MPT_MAX_PROTOCOL_DRIVERS];
33563 -static struct mpt_pci_driver *MptDeviceDriverHandlers[MPT_MAX_PROTOCOL_DRIVERS];
33564 +static const struct mpt_pci_driver *MptDeviceDriverHandlers[MPT_MAX_PROTOCOL_DRIVERS];
33565
33566 #ifdef CONFIG_PROC_FS
33567 static struct proc_dir_entry *mpt_proc_root_dir;
33568 @@ -772,7 +772,7 @@ mpt_reset_deregister(u8 cb_idx)
33569 * @cb_idx: MPT protocol driver index
33570 */
33571 int
33572 -mpt_device_driver_register(struct mpt_pci_driver * dd_cbfunc, u8 cb_idx)
33573 +mpt_device_driver_register(const struct mpt_pci_driver * dd_cbfunc, u8 cb_idx)
33574 {
33575 MPT_ADAPTER *ioc;
33576 const struct pci_device_id *id;
33577 @@ -801,7 +801,7 @@ mpt_device_driver_register(struct mpt_pc
33578 void
33579 mpt_device_driver_deregister(u8 cb_idx)
33580 {
33581 - struct mpt_pci_driver *dd_cbfunc;
33582 + const struct mpt_pci_driver *dd_cbfunc;
33583 MPT_ADAPTER *ioc;
33584
33585 if (!cb_idx || cb_idx >= MPT_MAX_PROTOCOL_DRIVERS)
33586 @@ -6683,8 +6683,13 @@ static int mpt_iocinfo_proc_show(struct
33587 seq_printf(m, " MaxChainDepth = 0x%02x frames\n", ioc->facts.MaxChainDepth);
33588 seq_printf(m, " MinBlockSize = 0x%02x bytes\n", 4*ioc->facts.BlockSize);
33589
33590 +#ifdef CONFIG_GRKERNSEC_HIDESYM
33591 + seq_printf(m, " RequestFrames @ 0x%p (Dma @ 0x%p)\n", NULL, NULL);
33592 +#else
33593 seq_printf(m, " RequestFrames @ 0x%p (Dma @ 0x%p)\n",
33594 (void *)ioc->req_frames, (void *)(ulong)ioc->req_frames_dma);
33595 +#endif
33596 +
33597 /*
33598 * Rounding UP to nearest 4-kB boundary here...
33599 */
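Review bot: The `CONFIG_GRKERNSEC_HIDESYM` branch repeats the whole format string and passes `NULL` to both `%p` conversions, so the two copies can drift apart. Depending on how this tree's `vsprintf` renders a null pointer, the line may also come out as `0x(null)` rather than a zero address. If consumers of this /proc file tolerate it, a fixed placeholder printed with `seq_puts()` (for instance `<hidden>` in place of each address) would keep the output stable. A one-line comment above the `#ifdef`, such as `/* kernel and DMA addresses are not exposed through /proc when HIDESYM is set */`, would explain the split. mpt_iocinfo_proc_show continues outside the hunk.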
33600 diff -urNp linux-2.6.39.3/drivers/message/fusion/mptbase.h linux-2.6.39.3/drivers/message/fusion/mptbase.h
33601 --- linux-2.6.39.3/drivers/message/fusion/mptbase.h 2011-05-19 00:06:34.000000000 -0400
33602 +++ linux-2.6.39.3/drivers/message/fusion/mptbase.h 2011-05-22 19:36:31.000000000 -0400
33603 @@ -908,7 +908,7 @@ extern int mpt_event_register(u8 cb_idx
33604 extern void mpt_event_deregister(u8 cb_idx);
33605 extern int mpt_reset_register(u8 cb_idx, MPT_RESETHANDLER reset_func);
33606 extern void mpt_reset_deregister(u8 cb_idx);
33607 -extern int mpt_device_driver_register(struct mpt_pci_driver * dd_cbfunc, u8 cb_idx);
33608 +extern int mpt_device_driver_register(const struct mpt_pci_driver * dd_cbfunc, u8 cb_idx);
33609 extern void mpt_device_driver_deregister(u8 cb_idx);
33610 extern MPT_FRAME_HDR *mpt_get_msg_frame(u8 cb_idx, MPT_ADAPTER *ioc);
33611 extern void mpt_free_msg_frame(MPT_ADAPTER *ioc, MPT_FRAME_HDR *mf);
33612 diff -urNp linux-2.6.39.3/drivers/message/fusion/mptctl.c linux-2.6.39.3/drivers/message/fusion/mptctl.c
33613 --- linux-2.6.39.3/drivers/message/fusion/mptctl.c 2011-05-19 00:06:34.000000000 -0400
33614 +++ linux-2.6.39.3/drivers/message/fusion/mptctl.c 2011-05-22 19:36:31.000000000 -0400
33615 @@ -3000,7 +3000,7 @@ mptctl_remove(struct pci_dev *pdev)
33616 {
33617 }
33618
33619 -static struct mpt_pci_driver mptctl_driver = {
33620 +static const struct mpt_pci_driver mptctl_driver = {
33621 .probe = mptctl_probe,
33622 .remove = mptctl_remove,
33623 };
33624 diff -urNp linux-2.6.39.3/drivers/message/fusion/mptsas.c linux-2.6.39.3/drivers/message/fusion/mptsas.c
33625 --- linux-2.6.39.3/drivers/message/fusion/mptsas.c 2011-05-19 00:06:34.000000000 -0400
33626 +++ linux-2.6.39.3/drivers/message/fusion/mptsas.c 2011-05-22 19:36:31.000000000 -0400
33627 @@ -439,6 +439,23 @@ mptsas_is_end_device(struct mptsas_devin
33628 return 0;
33629 }
33630
33631 +static inline void
33632 +mptsas_set_rphy(MPT_ADAPTER *ioc, struct mptsas_phyinfo *phy_info, struct sas_rphy *rphy)
33633 +{
33634 + if (phy_info->port_details) {
33635 + phy_info->port_details->rphy = rphy;
33636 + dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "sas_rphy_add: rphy=%p\n",
33637 + ioc->name, rphy));
33638 + }
33639 +
33640 + if (rphy) {
33641 + dsaswideprintk(ioc, dev_printk(KERN_DEBUG,
33642 + &rphy->dev, MYIOC_s_FMT "add:", ioc->name));
33643 + dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "rphy=%p release=%p\n",
33644 + ioc->name, rphy, rphy->dev.release));
33645 + }
33646 +}
33647 +
33648 /* no mutex */
33649 static void
33650 mptsas_port_delete(MPT_ADAPTER *ioc, struct mptsas_portinfo_details * port_details)
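Review bot: The relocated `mptsas_set_rphy()` prints `rphy` and the function pointer `rphy->dev.release` with `%p` through `dsaswideprintk`, so a heap address and a kernel text address reach the log, presumably only when that debug level is enabled. That is inconsistent with the HIDESYM handling this patch adds to mptbase.c. Dropping the `release=%p` argument is the lower-risk option; failing that, a comment such as `/* debug only: prints raw kernel pointers */` above the two `printk` calls would flag it for whoever enables the debug output.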
33651 @@ -477,23 +494,6 @@ mptsas_get_rphy(struct mptsas_phyinfo *p
33652 return NULL;
33653 }
33654
33655 -static inline void
33656 -mptsas_set_rphy(MPT_ADAPTER *ioc, struct mptsas_phyinfo *phy_info, struct sas_rphy *rphy)
33657 -{
33658 - if (phy_info->port_details) {
33659 - phy_info->port_details->rphy = rphy;
33660 - dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "sas_rphy_add: rphy=%p\n",
33661 - ioc->name, rphy));
33662 - }
33663 -
33664 - if (rphy) {
33665 - dsaswideprintk(ioc, dev_printk(KERN_DEBUG,
33666 - &rphy->dev, MYIOC_s_FMT "add:", ioc->name));
33667 - dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "rphy=%p release=%p\n",
33668 - ioc->name, rphy, rphy->dev.release));
33669 - }
33670 -}
33671 -
33672 static inline struct sas_port *
33673 mptsas_get_port(struct mptsas_phyinfo *phy_info)
33674 {
33675 diff -urNp linux-2.6.39.3/drivers/message/fusion/mptscsih.c linux-2.6.39.3/drivers/message/fusion/mptscsih.c
33676 --- linux-2.6.39.3/drivers/message/fusion/mptscsih.c 2011-05-19 00:06:34.000000000 -0400
33677 +++ linux-2.6.39.3/drivers/message/fusion/mptscsih.c 2011-05-22 19:36:31.000000000 -0400
33678 @@ -1268,15 +1268,16 @@ mptscsih_info(struct Scsi_Host *SChost)
33679
33680 h = shost_priv(SChost);
33681
33682 - if (h) {
33683 - if (h->info_kbuf == NULL)
33684 - if ((h->info_kbuf = kmalloc(0x1000 /* 4Kb */, GFP_KERNEL)) == NULL)
33685 - return h->info_kbuf;
33686 - h->info_kbuf[0] = '\0';
33687 + if (!h)
33688 + return NULL;
33689
33690 - mpt_print_ioc_summary(h->ioc, h->info_kbuf, &size, 0, 0);
33691 - h->info_kbuf[size-1] = '\0';
33692 - }
33693 + if (h->info_kbuf == NULL)
33694 + if ((h->info_kbuf = kmalloc(0x1000 /* 4Kb */, GFP_KERNEL)) == NULL)
33695 + return h->info_kbuf;
33696 + h->info_kbuf[0] = '\0';
33697 +
33698 + mpt_print_ioc_summary(h->ioc, h->info_kbuf, &size, 0, 0);
33699 + h->info_kbuf[size-1] = '\0';
33700
33701 return h->info_kbuf;
33702 }
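Review bot: The final store `h->info_kbuf[size-1] = '\0';` trusts whatever `mpt_print_ioc_summary()` left in `size`. Nothing visible here checks that it is at least 1 and no larger than the 0x1000 bytes allocated above, so a zero or oversized value would write outside the buffer. `size` is declared outside the hunk, so its type and initial value need confirming, but a guard such as `if (size < 1 || size > 0x1000) size = 1;` before the store would bound it. Separately, the nested unbraced `if` with the assignment inside its condition returns `h->info_kbuf` where it means `NULL`; `return NULL;` says so directly.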
33703 diff -urNp linux-2.6.39.3/drivers/message/i2o/i2o_config.c linux-2.6.39.3/drivers/message/i2o/i2o_config.c
33704 --- linux-2.6.39.3/drivers/message/i2o/i2o_config.c 2011-05-19 00:06:34.000000000 -0400
33705 +++ linux-2.6.39.3/drivers/message/i2o/i2o_config.c 2011-05-22 19:36:31.000000000 -0400
33706 @@ -781,6 +781,8 @@ static int i2o_cfg_passthru(unsigned lon
33707 struct i2o_message *msg;
33708 unsigned int iop;
33709
33710 + pax_track_stack();
33711 +
33712 if (get_user(iop, &cmd->iop) || get_user(user_msg, &cmd->msg))
33713 return -EFAULT;
33714
33715 diff -urNp linux-2.6.39.3/drivers/message/i2o/i2o_proc.c linux-2.6.39.3/drivers/message/i2o/i2o_proc.c
33716 --- linux-2.6.39.3/drivers/message/i2o/i2o_proc.c 2011-05-19 00:06:34.000000000 -0400
33717 +++ linux-2.6.39.3/drivers/message/i2o/i2o_proc.c 2011-05-22 19:36:31.000000000 -0400
33718 @@ -255,13 +255,6 @@ static char *scsi_devices[] = {
33719 "Array Controller Device"
33720 };
33721
33722 -static char *chtostr(u8 * chars, int n)
33723 -{
33724 - char tmp[256];
33725 - tmp[0] = 0;
33726 - return strncat(tmp, (char *)chars, n);
33727 -}
33728 -
33729 static int i2o_report_query_status(struct seq_file *seq, int block_status,
33730 char *group)
33731 {
33732 @@ -838,8 +831,7 @@ static int i2o_seq_show_ddm_table(struct
33733
33734 seq_printf(seq, "%-#7x", ddm_table.i2o_vendor_id);
33735 seq_printf(seq, "%-#8x", ddm_table.module_id);
33736 - seq_printf(seq, "%-29s",
33737 - chtostr(ddm_table.module_name_version, 28));
33738 + seq_printf(seq, "%-.28s", ddm_table.module_name_version);
33739 seq_printf(seq, "%9d ", ddm_table.data_size);
33740 seq_printf(seq, "%8d", ddm_table.code_size);
33741
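Review bot: Replacing `%-29s` with `%-.28s` keeps the 28-character cap but drops the field width, so the module name is no longer padded to 29 columns and the numeric fields printed after it will shift, presumably against a fixed-width table header. Giving both width and precision restores the layout: `seq_printf(seq, "%-29.28s", ddm_table.module_name_version);`. The same applies to the i2o_seq_show_drivers_stored hunk that follows, where `%-.28s` and `%-.8s` replace `%-29s` and `%-9s`; `%-29.28s` and `%-9.8s` would match the old columns.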
33742 @@ -940,8 +932,8 @@ static int i2o_seq_show_drivers_stored(s
33743
33744 seq_printf(seq, "%-#7x", dst->i2o_vendor_id);
33745 seq_printf(seq, "%-#8x", dst->module_id);
33746 - seq_printf(seq, "%-29s", chtostr(dst->module_name_version, 28));
33747 - seq_printf(seq, "%-9s", chtostr(dst->date, 8));
33748 + seq_printf(seq, "%-.28s", dst->module_name_version);
33749 + seq_printf(seq, "%-.8s", dst->date);
33750 seq_printf(seq, "%8d ", dst->module_size);
33751 seq_printf(seq, "%8d ", dst->mpb_size);
33752 seq_printf(seq, "0x%04x", dst->module_flags);
33753 @@ -1272,14 +1264,10 @@ static int i2o_seq_show_dev_identity(str
33754 seq_printf(seq, "Device Class : %s\n", i2o_get_class_name(work16[0]));
33755 seq_printf(seq, "Owner TID : %0#5x\n", work16[2]);
33756 seq_printf(seq, "Parent TID : %0#5x\n", work16[3]);
33757 - seq_printf(seq, "Vendor info : %s\n",
33758 - chtostr((u8 *) (work32 + 2), 16));
33759 - seq_printf(seq, "Product info : %s\n",
33760 - chtostr((u8 *) (work32 + 6), 16));
33761 - seq_printf(seq, "Description : %s\n",
33762 - chtostr((u8 *) (work32 + 10), 16));
33763 - seq_printf(seq, "Product rev. : %s\n",
33764 - chtostr((u8 *) (work32 + 14), 8));
33765 + seq_printf(seq, "Vendor info : %.16s\n", (u8 *) (work32 + 2));
33766 + seq_printf(seq, "Product info : %.16s\n", (u8 *) (work32 + 6));
33767 + seq_printf(seq, "Description : %.16s\n", (u8 *) (work32 + 10));
33768 + seq_printf(seq, "Product rev. : %.8s\n", (u8 *) (work32 + 14));
33769
33770 seq_printf(seq, "Serial number : ");
33771 print_serial_number(seq, (u8 *) (work32 + 16),
33772 @@ -1324,10 +1312,8 @@ static int i2o_seq_show_ddm_identity(str
33773 }
33774
33775 seq_printf(seq, "Registering DDM TID : 0x%03x\n", result.ddm_tid);
33776 - seq_printf(seq, "Module name : %s\n",
33777 - chtostr(result.module_name, 24));
33778 - seq_printf(seq, "Module revision : %s\n",
33779 - chtostr(result.module_rev, 8));
33780 + seq_printf(seq, "Module name : %.24s\n", result.module_name);
33781 + seq_printf(seq, "Module revision : %.8s\n", result.module_rev);
33782
33783 seq_printf(seq, "Serial number : ");
33784 print_serial_number(seq, result.serial_number, sizeof(result) - 36);
33785 @@ -1358,14 +1344,10 @@ static int i2o_seq_show_uinfo(struct seq
33786 return 0;
33787 }
33788
33789 - seq_printf(seq, "Device name : %s\n",
33790 - chtostr(result.device_name, 64));
33791 - seq_printf(seq, "Service name : %s\n",
33792 - chtostr(result.service_name, 64));
33793 - seq_printf(seq, "Physical name : %s\n",
33794 - chtostr(result.physical_location, 64));
33795 - seq_printf(seq, "Instance number : %s\n",
33796 - chtostr(result.instance_number, 4));
33797 + seq_printf(seq, "Device name : %.64s\n", result.device_name);
33798 + seq_printf(seq, "Service name : %.64s\n", result.service_name);
33799 + seq_printf(seq, "Physical name : %.64s\n", result.physical_location);
33800 + seq_printf(seq, "Instance number : %.4s\n", result.instance_number);
33801
33802 return 0;
33803 }
33804 diff -urNp linux-2.6.39.3/drivers/message/i2o/iop.c linux-2.6.39.3/drivers/message/i2o/iop.c
33805 --- linux-2.6.39.3/drivers/message/i2o/iop.c 2011-05-19 00:06:34.000000000 -0400
33806 +++ linux-2.6.39.3/drivers/message/i2o/iop.c 2011-05-22 19:36:31.000000000 -0400
33807 @@ -111,10 +111,10 @@ u32 i2o_cntxt_list_add(struct i2o_contro
33808
33809 spin_lock_irqsave(&c->context_list_lock, flags);
33810
33811 - if (unlikely(atomic_inc_and_test(&c->context_list_counter)))
33812 - atomic_inc(&c->context_list_counter);
33813 + if (unlikely(atomic_inc_and_test_unchecked(&c->context_list_counter)))
33814 + atomic_inc_unchecked(&c->context_list_counter);
33815
33816 - entry->context = atomic_read(&c->context_list_counter);
33817 + entry->context = atomic_read_unchecked(&c->context_list_counter);
33818
33819 list_add(&entry->list, &c->context_list);
33820
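Review bot: With the `_unchecked` accessors `context_list_counter` is allowed to wrap silently, and the visible lines hand the new value straight to `entry->context` and `list_add()` without checking whether an entry with that context is still on the list. Zero is skipped by the `atomic_inc_and_test_unchecked()` branch, but after a full wrap a live context value could be issued twice unless a uniqueness check exists outside the hunk. A comment at the increment would document the intent, for example `/* ID generator, not a refcount: wraps by design, 0 is reserved */`. The same reasoning is worth recording at the `atomic_set_unchecked()` in i2o_iop_alloc and at `atomic_inc_unchecked(&lis3_dev.count)` in lis3lv02d.c.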
33821 @@ -1077,7 +1077,7 @@ struct i2o_controller *i2o_iop_alloc(voi
33822
33823 #if BITS_PER_LONG == 64
33824 spin_lock_init(&c->context_list_lock);
33825 - atomic_set(&c->context_list_counter, 0);
33826 + atomic_set_unchecked(&c->context_list_counter, 0);
33827 INIT_LIST_HEAD(&c->context_list);
33828 #endif
33829
33830 diff -urNp linux-2.6.39.3/drivers/mfd/ab3100-core.c linux-2.6.39.3/drivers/mfd/ab3100-core.c
33831 --- linux-2.6.39.3/drivers/mfd/ab3100-core.c 2011-05-19 00:06:34.000000000 -0400
33832 +++ linux-2.6.39.3/drivers/mfd/ab3100-core.c 2011-05-22 19:36:31.000000000 -0400
33833 @@ -385,7 +385,7 @@ static int ab3100_event_registers_startu
33834 return 0;
33835 }
33836
33837 -static struct abx500_ops ab3100_ops = {
33838 +static const struct abx500_ops ab3100_ops = {
33839 .get_chip_id = ab3100_get_chip_id,
33840 .set_register = set_register_interruptible,
33841 .get_register = get_register_interruptible,
33842 diff -urNp linux-2.6.39.3/drivers/mfd/ab3550-core.c linux-2.6.39.3/drivers/mfd/ab3550-core.c
33843 --- linux-2.6.39.3/drivers/mfd/ab3550-core.c 2011-05-19 00:06:34.000000000 -0400
33844 +++ linux-2.6.39.3/drivers/mfd/ab3550-core.c 2011-05-22 19:36:31.000000000 -0400
33845 @@ -676,7 +676,7 @@ static int ab3550_startup_irq_enabled(st
33846 return val;
33847 }
33848
33849 -static struct abx500_ops ab3550_ops = {
33850 +static const struct abx500_ops ab3550_ops = {
33851 .get_chip_id = ab3550_get_chip_id,
33852 .get_register = ab3550_get_register_interruptible,
33853 .set_register = ab3550_set_register_interruptible,
33854 diff -urNp linux-2.6.39.3/drivers/mfd/ab8500-core.c linux-2.6.39.3/drivers/mfd/ab8500-core.c
33855 --- linux-2.6.39.3/drivers/mfd/ab8500-core.c 2011-05-19 00:06:34.000000000 -0400
33856 +++ linux-2.6.39.3/drivers/mfd/ab8500-core.c 2011-05-22 19:36:31.000000000 -0400
33857 @@ -223,7 +223,7 @@ static int ab8500_mask_and_set_register(
33858
33859 }
33860
33861 -static struct abx500_ops ab8500_ops = {
33862 +static const struct abx500_ops ab8500_ops = {
33863 .get_chip_id = ab8500_get_chip_id,
33864 .get_register = ab8500_get_register,
33865 .set_register = ab8500_set_register,
33866 diff -urNp linux-2.6.39.3/drivers/mfd/abx500-core.c linux-2.6.39.3/drivers/mfd/abx500-core.c
33867 --- linux-2.6.39.3/drivers/mfd/abx500-core.c 2011-05-19 00:06:34.000000000 -0400
33868 +++ linux-2.6.39.3/drivers/mfd/abx500-core.c 2011-05-22 19:36:31.000000000 -0400
33869 @@ -18,7 +18,7 @@ struct abx500_device_entry {
33870 struct device *dev;
33871 };
33872
33873 -static void lookup_ops(struct device *dev, struct abx500_ops **ops)
33874 +static void lookup_ops(struct device *dev, const struct abx500_ops **ops)
33875 {
33876 struct abx500_device_entry *dev_entry;
33877
33878 @@ -31,7 +31,7 @@ static void lookup_ops(struct device *de
33879 }
33880 }
33881
33882 -int abx500_register_ops(struct device *dev, struct abx500_ops *ops)
33883 +int abx500_register_ops(struct device *dev, const struct abx500_ops *ops)
33884 {
33885 struct abx500_device_entry *dev_entry;
33886
33887 @@ -65,7 +65,7 @@ EXPORT_SYMBOL(abx500_remove_ops);
33888 int abx500_set_register_interruptible(struct device *dev, u8 bank, u8 reg,
33889 u8 value)
33890 {
33891 - struct abx500_ops *ops;
33892 + const struct abx500_ops *ops;
33893
33894 lookup_ops(dev->parent, &ops);
33895 if ((ops != NULL) && (ops->set_register != NULL))
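Review bot: `ops` is declared without an initialiser and compared with `NULL` immediately after `lookup_ops()`. That is only sound if `lookup_ops()` stores `NULL` through the pointer on the no-match path, and that part of its body is not in the visible hunks. Initialising at the declaration removes the dependency: `const struct abx500_ops *ops = NULL;`. The same declaration appears in the six following hunks of this file (get_register, get_register_page, mask_and_set_register, get_chip_id, event_registers_startup_state_get, startup_irq_enabled).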
33896 @@ -78,7 +78,7 @@ EXPORT_SYMBOL(abx500_set_register_interr
33897 int abx500_get_register_interruptible(struct device *dev, u8 bank, u8 reg,
33898 u8 *value)
33899 {
33900 - struct abx500_ops *ops;
33901 + const struct abx500_ops *ops;
33902
33903 lookup_ops(dev->parent, &ops);
33904 if ((ops != NULL) && (ops->get_register != NULL))
33905 @@ -91,7 +91,7 @@ EXPORT_SYMBOL(abx500_get_register_interr
33906 int abx500_get_register_page_interruptible(struct device *dev, u8 bank,
33907 u8 first_reg, u8 *regvals, u8 numregs)
33908 {
33909 - struct abx500_ops *ops;
33910 + const struct abx500_ops *ops;
33911
33912 lookup_ops(dev->parent, &ops);
33913 if ((ops != NULL) && (ops->get_register_page != NULL))
33914 @@ -105,7 +105,7 @@ EXPORT_SYMBOL(abx500_get_register_page_i
33915 int abx500_mask_and_set_register_interruptible(struct device *dev, u8 bank,
33916 u8 reg, u8 bitmask, u8 bitvalues)
33917 {
33918 - struct abx500_ops *ops;
33919 + const struct abx500_ops *ops;
33920
33921 lookup_ops(dev->parent, &ops);
33922 if ((ops != NULL) && (ops->mask_and_set_register != NULL))
33923 @@ -118,7 +118,7 @@ EXPORT_SYMBOL(abx500_mask_and_set_regist
33924
33925 int abx500_get_chip_id(struct device *dev)
33926 {
33927 - struct abx500_ops *ops;
33928 + const struct abx500_ops *ops;
33929
33930 lookup_ops(dev->parent, &ops);
33931 if ((ops != NULL) && (ops->get_chip_id != NULL))
33932 @@ -130,7 +130,7 @@ EXPORT_SYMBOL(abx500_get_chip_id);
33933
33934 int abx500_event_registers_startup_state_get(struct device *dev, u8 *event)
33935 {
33936 - struct abx500_ops *ops;
33937 + const struct abx500_ops *ops;
33938
33939 lookup_ops(dev->parent, &ops);
33940 if ((ops != NULL) && (ops->event_registers_startup_state_get != NULL))
33941 @@ -142,7 +142,7 @@ EXPORT_SYMBOL(abx500_event_registers_sta
33942
33943 int abx500_startup_irq_enabled(struct device *dev, unsigned int irq)
33944 {
33945 - struct abx500_ops *ops;
33946 + const struct abx500_ops *ops;
33947
33948 lookup_ops(dev->parent, &ops);
33949 if ((ops != NULL) && (ops->startup_irq_enabled != NULL))
33950 diff -urNp linux-2.6.39.3/drivers/mfd/janz-cmodio.c linux-2.6.39.3/drivers/mfd/janz-cmodio.c
33951 --- linux-2.6.39.3/drivers/mfd/janz-cmodio.c 2011-05-19 00:06:34.000000000 -0400
33952 +++ linux-2.6.39.3/drivers/mfd/janz-cmodio.c 2011-05-22 19:36:31.000000000 -0400
33953 @@ -13,6 +13,7 @@
33954
33955 #include <linux/kernel.h>
33956 #include <linux/module.h>
33957 +#include <linux/slab.h>
33958 #include <linux/init.h>
33959 #include <linux/pci.h>
33960 #include <linux/interrupt.h>
33961 diff -urNp linux-2.6.39.3/drivers/mfd/mcp-sa11x0.c linux-2.6.39.3/drivers/mfd/mcp-sa11x0.c
33962 --- linux-2.6.39.3/drivers/mfd/mcp-sa11x0.c 2011-05-19 00:06:34.000000000 -0400
33963 +++ linux-2.6.39.3/drivers/mfd/mcp-sa11x0.c 2011-05-22 19:36:31.000000000 -0400
33964 @@ -128,7 +128,7 @@ static void mcp_sa11x0_disable(struct mc
33965 /*
33966 * Our methods.
33967 */
33968 -static struct mcp_ops mcp_sa11x0 = {
33969 +static const struct mcp_ops mcp_sa11x0 = {
33970 .set_telecom_divisor = mcp_sa11x0_set_telecom_divisor,
33971 .set_audio_divisor = mcp_sa11x0_set_audio_divisor,
33972 .reg_write = mcp_sa11x0_write,
33973 diff -urNp linux-2.6.39.3/drivers/mfd/wm8350-i2c.c linux-2.6.39.3/drivers/mfd/wm8350-i2c.c
33974 --- linux-2.6.39.3/drivers/mfd/wm8350-i2c.c 2011-05-19 00:06:34.000000000 -0400
33975 +++ linux-2.6.39.3/drivers/mfd/wm8350-i2c.c 2011-05-22 19:36:31.000000000 -0400
33976 @@ -44,6 +44,8 @@ static int wm8350_i2c_write_device(struc
33977 u8 msg[(WM8350_MAX_REGISTER << 1) + 1];
33978 int ret;
33979
33980 + pax_track_stack();
33981 +
33982 if (bytes > ((WM8350_MAX_REGISTER << 1) + 1))
33983 return -EINVAL;
33984
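Review bot: The length check accepts `bytes` equal to the full size of `msg`, `(WM8350_MAX_REGISTER << 1) + 1`. If the remainder of the function, which is outside this hunk, places a register byte in `msg[0]` and copies the payload after it, the largest accepted length would overrun the array by one byte. In that case the bound should leave room for the prefix: `if (bytes > (WM8350_MAX_REGISTER << 1))`. The type of `bytes` is not visible here either; a signed type would also need a `bytes < 0` test.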
33985 diff -urNp linux-2.6.39.3/drivers/misc/enclosure.c linux-2.6.39.3/drivers/misc/enclosure.c
33986 --- linux-2.6.39.3/drivers/misc/enclosure.c 2011-05-19 00:06:34.000000000 -0400
33987 +++ linux-2.6.39.3/drivers/misc/enclosure.c 2011-05-22 19:36:31.000000000 -0400
33988 @@ -161,7 +161,7 @@ enclosure_register(struct device *dev, c
33989 }
33990 EXPORT_SYMBOL_GPL(enclosure_register);
33991
33992 -static struct enclosure_component_callbacks enclosure_null_callbacks;
33993 +static const struct enclosure_component_callbacks enclosure_null_callbacks;
33994
33995 /**
33996 * enclosure_unregister - remove an enclosure
33997 diff -urNp linux-2.6.39.3/drivers/misc/kgdbts.c linux-2.6.39.3/drivers/misc/kgdbts.c
33998 --- linux-2.6.39.3/drivers/misc/kgdbts.c 2011-05-19 00:06:34.000000000 -0400
33999 +++ linux-2.6.39.3/drivers/misc/kgdbts.c 2011-05-22 19:36:31.000000000 -0400
34000 @@ -118,7 +118,7 @@
34001 } while (0)
34002 #define MAX_CONFIG_LEN 40
34003
34004 -static struct kgdb_io kgdbts_io_ops;
34005 +static const struct kgdb_io kgdbts_io_ops;
34006 static char get_buf[BUFMAX];
34007 static int get_buf_cnt;
34008 static char put_buf[BUFMAX];
34009 @@ -1103,7 +1103,7 @@ static void kgdbts_post_exp_handler(void
34010 module_put(THIS_MODULE);
34011 }
34012
34013 -static struct kgdb_io kgdbts_io_ops = {
34014 +static const struct kgdb_io kgdbts_io_ops = {
34015 .name = "kgdbts",
34016 .read_char = kgdbts_get_char,
34017 .write_char = kgdbts_put_char,
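--- a/drivers/misc/lis3lv02d/lis3lv02d.c
+++ b/drivers/misc/lis3lv02d/lis3lv02d.c
@@ -435,7 +435,7 @@ static irqreturn_t lis302dl_interrupt(in
 * the lid is closed. This leads to interrupts as soon as a little move
 * is done.
 */
- atomic_inc(&lis3_dev.count);
+ atomic_inc_unchecked(&lis3_dev.count);
 
 wake_up_interruptible(&lis3_dev.misc_wait);
 kill_fasync(&lis3_dev.async_queue, SIGIO, POLL_IN);
@@ -518,7 +518,7 @@ static int lis3lv02d_misc_open(struct in
 if (lis3_dev.pm_dev)
 pm_runtime_get_sync(lis3_dev.pm_dev);
 
- atomic_set(&lis3_dev.count, 0);
+ atomic_set_unchecked(&lis3_dev.count, 0);
 return 0;
 }
 
@@ -545,7 +545,7 @@ static ssize_t lis3lv02d_misc_read(struc
 add_wait_queue(&lis3_dev.misc_wait, &wait);
 while (true) {
 set_current_state(TASK_INTERRUPTIBLE);
- data = atomic_xchg(&lis3_dev.count, 0);
+ data = atomic_xchg_unchecked(&lis3_dev.count, 0);
 if (data)
 break;
 
@@ -583,7 +583,7 @@ out:
 static unsigned int lis3lv02d_misc_poll(struct file *file, poll_table *wait)
 {
 poll_wait(file, &lis3_dev.misc_wait, wait);
- if (atomic_read(&lis3_dev.count))
+ if (atomic_read_unchecked(&lis3_dev.count))
 return POLLIN | POLLRDNORM;
 return 0;
 }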
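Review bot: None of the four converted call sites says why `lis3_dev.count` is exempt from overflow checking. The open and read paths here reset it to 0, and the field comment in lis3lv02d.h calls it the interrupt count after the last read, which suggests it is an event counter rather than a reference count, so a wrap would not release any object. A one-line comment at the `atomic_inc_unchecked()` in `lis302dl_interrupt`, for example `/* event counter, not a refcount: wrap-around is harmless */`, would keep a later reader from copying the `_unchecked` form onto a real refcount. The same applies to the statistics counters converted in drivers/misc/sgi-gru (gruhandles.c, gruprocfs.c, grutables.h).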
34057 diff -urNp linux-2.6.39.3/drivers/misc/lis3lv02d/lis3lv02d.h linux-2.6.39.3/drivers/misc/lis3lv02d/lis3lv02d.h
34058 --- linux-2.6.39.3/drivers/misc/lis3lv02d/lis3lv02d.h 2011-05-19 00:06:34.000000000 -0400
34059 +++ linux-2.6.39.3/drivers/misc/lis3lv02d/lis3lv02d.h 2011-05-22 19:36:31.000000000 -0400
34060 @@ -265,7 +265,7 @@ struct lis3lv02d {
34061 struct input_polled_dev *idev; /* input device */
34062 struct platform_device *pdev; /* platform device */
34063 struct regulator_bulk_data regulators[2];
34064 - atomic_t count; /* interrupt count after last read */
34065 + atomic_unchecked_t count; /* interrupt count after last read */
34066 union axis_conversion ac; /* hw -> logical axis */
34067 int mapped_btns[3];
34068
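--- a/drivers/misc/sgi-gru/gruhandles.c
+++ b/drivers/misc/sgi-gru/gruhandles.c
@@ -44,8 +44,8 @@ static void update_mcs_stats(enum mcs_op
 unsigned long nsec;
 
 nsec = CLKS2NSEC(clks);
- atomic_long_inc(&mcs_op_statistics[op].count);
- atomic_long_add(nsec, &mcs_op_statistics[op].total);
+ atomic_long_inc_unchecked(&mcs_op_statistics[op].count);
+ atomic_long_add_unchecked(nsec, &mcs_op_statistics[op].total);
 if (mcs_op_statistics[op].max < nsec)
 mcs_op_statistics[op].max = nsec;
 }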
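Review bot: The `max` update at the end of `update_mcs_stats`, `if (mcs_op_statistics[op].max < nsec) mcs_op_statistics[op].max = nsec;`, is a plain compare-and-store next to two atomic counters. If the function can run concurrently for the same `op` (no lock is visible in the hunk), a larger maximum can be overwritten by a smaller one. The impact is limited to a wrong statistic, but the intent should be explicit: either a comment such as `/* max is best-effort; a racy update is tolerated for stats */` or a compare-and-exchange loop. The start of the function is outside the hunk.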
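--- a/drivers/misc/sgi-gru/gruprocfs.c
+++ b/drivers/misc/sgi-gru/gruprocfs.c
@@ -32,9 +32,9 @@
 
 #define printstat(s, f) printstat_val(s, &gru_stats.f, #f)
 
-static void printstat_val(struct seq_file *s, atomic_long_t *v, char *id)
+static void printstat_val(struct seq_file *s, atomic_long_unchecked_t *v, char *id)
 {
- unsigned long val = atomic_long_read(v);
+ unsigned long val = atomic_long_read_unchecked(v);
 
 seq_printf(s, "%16lu %s\n", val, id);
 }
@@ -134,8 +134,8 @@ static int mcs_statistics_show(struct se
 
 seq_printf(s, "%-20s%12s%12s%12s\n", "#id", "count", "aver-clks", "max-clks");
 for (op = 0; op < mcsop_last; op++) {
- count = atomic_long_read(&mcs_op_statistics[op].count);
- total = atomic_long_read(&mcs_op_statistics[op].total);
+ count = atomic_long_read_unchecked(&mcs_op_statistics[op].count);
+ total = atomic_long_read_unchecked(&mcs_op_statistics[op].total);
 max = mcs_op_statistics[op].max;
 seq_printf(s, "%-20s%12ld%12ld%12ld\n", id[op], count,
 count ? total / count : 0, max);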
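Review bot: `printstat_val()` takes `char *id`, but the only visible caller, the `printstat` macro, passes the string literal `#f`. Since the signature line is being changed anyway, `const char *id` would state that the name is never written: `static void printstat_val(struct seq_file *s, atomic_long_unchecked_t *v, const char *id)`. In the second hunk `count` and `total` come from two separate `atomic_long_read_unchecked()` calls, so the printed average can mix values from different moments. That is presumably acceptable for a procfs statistic, but it deserves a short comment. `mcs_statistics_show` continues outside the hunk.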
34109 diff -urNp linux-2.6.39.3/drivers/misc/sgi-gru/grutables.h linux-2.6.39.3/drivers/misc/sgi-gru/grutables.h
34110 --- linux-2.6.39.3/drivers/misc/sgi-gru/grutables.h 2011-05-19 00:06:34.000000000 -0400
34111 +++ linux-2.6.39.3/drivers/misc/sgi-gru/grutables.h 2011-05-22 19:36:31.000000000 -0400
34112 @@ -167,82 +167,82 @@ extern unsigned int gru_max_gids;
34113 * GRU statistics.
34114 */
34115 struct gru_stats_s {
34116 - atomic_long_t vdata_alloc;
34117 - atomic_long_t vdata_free;
34118 - atomic_long_t gts_alloc;
34119 - atomic_long_t gts_free;
34120 - atomic_long_t gms_alloc;
34121 - atomic_long_t gms_free;
34122 - atomic_long_t gts_double_allocate;
34123 - atomic_long_t assign_context;
34124 - atomic_long_t assign_context_failed;
34125 - atomic_long_t free_context;
34126 - atomic_long_t load_user_context;
34127 - atomic_long_t load_kernel_context;
34128 - atomic_long_t lock_kernel_context;
34129 - atomic_long_t unlock_kernel_context;
34130 - atomic_long_t steal_user_context;
34131 - atomic_long_t steal_kernel_context;
34132 - atomic_long_t steal_context_failed;
34133 - atomic_long_t nopfn;
34134 - atomic_long_t asid_new;
34135 - atomic_long_t asid_next;
34136 - atomic_long_t asid_wrap;
34137 - atomic_long_t asid_reuse;
34138 - atomic_long_t intr;
34139 - atomic_long_t intr_cbr;
34140 - atomic_long_t intr_tfh;
34141 - atomic_long_t intr_spurious;
34142 - atomic_long_t intr_mm_lock_failed;
34143 - atomic_long_t call_os;
34144 - atomic_long_t call_os_wait_queue;
34145 - atomic_long_t user_flush_tlb;
34146 - atomic_long_t user_unload_context;
34147 - atomic_long_t user_exception;
34148 - atomic_long_t set_context_option;
34149 - atomic_long_t check_context_retarget_intr;
34150 - atomic_long_t check_context_unload;
34151 - atomic_long_t tlb_dropin;
34152 - atomic_long_t tlb_preload_page;
34153 - atomic_long_t tlb_dropin_fail_no_asid;
34154 - atomic_long_t tlb_dropin_fail_upm;
34155 - atomic_long_t tlb_dropin_fail_invalid;
34156 - atomic_long_t tlb_dropin_fail_range_active;
34157 - atomic_long_t tlb_dropin_fail_idle;
34158 - atomic_long_t tlb_dropin_fail_fmm;
34159 - atomic_long_t tlb_dropin_fail_no_exception;
34160 - atomic_long_t tfh_stale_on_fault;
34161 - atomic_long_t mmu_invalidate_range;
34162 - atomic_long_t mmu_invalidate_page;
34163 - atomic_long_t flush_tlb;
34164 - atomic_long_t flush_tlb_gru;
34165 - atomic_long_t flush_tlb_gru_tgh;
34166 - atomic_long_t flush_tlb_gru_zero_asid;
34167 -
34168 - atomic_long_t copy_gpa;
34169 - atomic_long_t read_gpa;
34170 -
34171 - atomic_long_t mesq_receive;
34172 - atomic_long_t mesq_receive_none;
34173 - atomic_long_t mesq_send;
34174 - atomic_long_t mesq_send_failed;
34175 - atomic_long_t mesq_noop;
34176 - atomic_long_t mesq_send_unexpected_error;
34177 - atomic_long_t mesq_send_lb_overflow;
34178 - atomic_long_t mesq_send_qlimit_reached;
34179 - atomic_long_t mesq_send_amo_nacked;
34180 - atomic_long_t mesq_send_put_nacked;
34181 - atomic_long_t mesq_page_overflow;
34182 - atomic_long_t mesq_qf_locked;
34183 - atomic_long_t mesq_qf_noop_not_full;
34184 - atomic_long_t mesq_qf_switch_head_failed;
34185 - atomic_long_t mesq_qf_unexpected_error;
34186 - atomic_long_t mesq_noop_unexpected_error;
34187 - atomic_long_t mesq_noop_lb_overflow;
34188 - atomic_long_t mesq_noop_qlimit_reached;
34189 - atomic_long_t mesq_noop_amo_nacked;
34190 - atomic_long_t mesq_noop_put_nacked;
34191 - atomic_long_t mesq_noop_page_overflow;
34192 + atomic_long_unchecked_t vdata_alloc;
34193 + atomic_long_unchecked_t vdata_free;
34194 + atomic_long_unchecked_t gts_alloc;
34195 + atomic_long_unchecked_t gts_free;
34196 + atomic_long_unchecked_t gms_alloc;
34197 + atomic_long_unchecked_t gms_free;
34198 + atomic_long_unchecked_t gts_double_allocate;
34199 + atomic_long_unchecked_t assign_context;
34200 + atomic_long_unchecked_t assign_context_failed;
34201 + atomic_long_unchecked_t free_context;
34202 + atomic_long_unchecked_t load_user_context;
34203 + atomic_long_unchecked_t load_kernel_context;
34204 + atomic_long_unchecked_t lock_kernel_context;
34205 + atomic_long_unchecked_t unlock_kernel_context;
34206 + atomic_long_unchecked_t steal_user_context;
34207 + atomic_long_unchecked_t steal_kernel_context;
34208 + atomic_long_unchecked_t steal_context_failed;
34209 + atomic_long_unchecked_t nopfn;
34210 + atomic_long_unchecked_t asid_new;
34211 + atomic_long_unchecked_t asid_next;
34212 + atomic_long_unchecked_t asid_wrap;
34213 + atomic_long_unchecked_t asid_reuse;
34214 + atomic_long_unchecked_t intr;
34215 + atomic_long_unchecked_t intr_cbr;
34216 + atomic_long_unchecked_t intr_tfh;
34217 + atomic_long_unchecked_t intr_spurious;
34218 + atomic_long_unchecked_t intr_mm_lock_failed;
34219 + atomic_long_unchecked_t call_os;
34220 + atomic_long_unchecked_t call_os_wait_queue;
34221 + atomic_long_unchecked_t user_flush_tlb;
34222 + atomic_long_unchecked_t user_unload_context;
34223 + atomic_long_unchecked_t user_exception;
34224 + atomic_long_unchecked_t set_context_option;
34225 + atomic_long_unchecked_t check_context_retarget_intr;
34226 + atomic_long_unchecked_t check_context_unload;
34227 + atomic_long_unchecked_t tlb_dropin;
34228 + atomic_long_unchecked_t tlb_preload_page;
34229 + atomic_long_unchecked_t tlb_dropin_fail_no_asid;
34230 + atomic_long_unchecked_t tlb_dropin_fail_upm;
34231 + atomic_long_unchecked_t tlb_dropin_fail_invalid;
34232 + atomic_long_unchecked_t tlb_dropin_fail_range_active;
34233 + atomic_long_unchecked_t tlb_dropin_fail_idle;
34234 + atomic_long_unchecked_t tlb_dropin_fail_fmm;
34235 + atomic_long_unchecked_t tlb_dropin_fail_no_exception;
34236 + atomic_long_unchecked_t tfh_stale_on_fault;
34237 + atomic_long_unchecked_t mmu_invalidate_range;
34238 + atomic_long_unchecked_t mmu_invalidate_page;
34239 + atomic_long_unchecked_t flush_tlb;
34240 + atomic_long_unchecked_t flush_tlb_gru;
34241 + atomic_long_unchecked_t flush_tlb_gru_tgh;
34242 + atomic_long_unchecked_t flush_tlb_gru_zero_asid;
34243 +
34244 + atomic_long_unchecked_t copy_gpa;
34245 + atomic_long_unchecked_t read_gpa;
34246 +
34247 + atomic_long_unchecked_t mesq_receive;
34248 + atomic_long_unchecked_t mesq_receive_none;
34249 + atomic_long_unchecked_t mesq_send;
34250 + atomic_long_unchecked_t mesq_send_failed;
34251 + atomic_long_unchecked_t mesq_noop;
34252 + atomic_long_unchecked_t mesq_send_unexpected_error;
34253 + atomic_long_unchecked_t mesq_send_lb_overflow;
34254 + atomic_long_unchecked_t mesq_send_qlimit_reached;
34255 + atomic_long_unchecked_t mesq_send_amo_nacked;
34256 + atomic_long_unchecked_t mesq_send_put_nacked;
34257 + atomic_long_unchecked_t mesq_page_overflow;
34258 + atomic_long_unchecked_t mesq_qf_locked;
34259 + atomic_long_unchecked_t mesq_qf_noop_not_full;
34260 + atomic_long_unchecked_t mesq_qf_switch_head_failed;
34261 + atomic_long_unchecked_t mesq_qf_unexpected_error;
34262 + atomic_long_unchecked_t mesq_noop_unexpected_error;
34263 + atomic_long_unchecked_t mesq_noop_lb_overflow;
34264 + atomic_long_unchecked_t mesq_noop_qlimit_reached;
34265 + atomic_long_unchecked_t mesq_noop_amo_nacked;
34266 + atomic_long_unchecked_t mesq_noop_put_nacked;
34267 + atomic_long_unchecked_t mesq_noop_page_overflow;
34268
34269 };
34270
34271 @@ -251,8 +251,8 @@ enum mcs_op {cchop_allocate, cchop_start
34272 tghop_invalidate, mcsop_last};
34273
34274 struct mcs_op_statistic {
34275 - atomic_long_t count;
34276 - atomic_long_t total;
34277 + atomic_long_unchecked_t count;
34278 + atomic_long_unchecked_t total;
34279 unsigned long max;
34280 };
34281
34282 @@ -275,7 +275,7 @@ extern struct mcs_op_statistic mcs_op_st
34283
34284 #define STAT(id) do { \
34285 if (gru_options & OPT_STATS) \
34286 - atomic_long_inc(&gru_stats.id); \
34287 + atomic_long_inc_unchecked(&gru_stats.id); \
34288 } while (0)
34289
34290 #ifdef CONFIG_SGI_GRU_DEBUG
34291 diff -urNp linux-2.6.39.3/drivers/misc/sgi-xp/xpc_sn2.c linux-2.6.39.3/drivers/misc/sgi-xp/xpc_sn2.c
34292 --- linux-2.6.39.3/drivers/misc/sgi-xp/xpc_sn2.c 2011-05-19 00:06:34.000000000 -0400
34293 +++ linux-2.6.39.3/drivers/misc/sgi-xp/xpc_sn2.c 2011-05-22 19:36:31.000000000 -0400
34294 @@ -2351,7 +2351,7 @@ xpc_received_payload_sn2(struct xpc_chan
34295 xpc_acknowledge_msgs_sn2(ch, get, msg->flags);
34296 }
34297
34298 -static struct xpc_arch_operations xpc_arch_ops_sn2 = {
34299 +static const struct xpc_arch_operations xpc_arch_ops_sn2 = {
34300 .setup_partitions = xpc_setup_partitions_sn2,
34301 .teardown_partitions = xpc_teardown_partitions_sn2,
34302 .process_activate_IRQ_rcvd = xpc_process_activate_IRQ_rcvd_sn2,
34303 diff -urNp linux-2.6.39.3/drivers/misc/sgi-xp/xpc_uv.c linux-2.6.39.3/drivers/misc/sgi-xp/xpc_uv.c
34304 --- linux-2.6.39.3/drivers/misc/sgi-xp/xpc_uv.c 2011-05-19 00:06:34.000000000 -0400
34305 +++ linux-2.6.39.3/drivers/misc/sgi-xp/xpc_uv.c 2011-05-22 19:36:31.000000000 -0400
34306 @@ -1674,7 +1674,7 @@ xpc_received_payload_uv(struct xpc_chann
34307 XPC_DEACTIVATE_PARTITION(&xpc_partitions[ch->partid], ret);
34308 }
34309
34310 -static struct xpc_arch_operations xpc_arch_ops_uv = {
34311 +static const struct xpc_arch_operations xpc_arch_ops_uv = {
34312 .setup_partitions = xpc_setup_partitions_uv,
34313 .teardown_partitions = xpc_teardown_partitions_uv,
34314 .process_activate_IRQ_rcvd = xpc_process_activate_IRQ_rcvd_uv,
34315 diff -urNp linux-2.6.39.3/drivers/misc/spear13xx_pcie_gadget.c linux-2.6.39.3/drivers/misc/spear13xx_pcie_gadget.c
34316 --- linux-2.6.39.3/drivers/misc/spear13xx_pcie_gadget.c 2011-05-19 00:06:34.000000000 -0400
34317 +++ linux-2.6.39.3/drivers/misc/spear13xx_pcie_gadget.c 2011-05-22 19:36:31.000000000 -0400
34318 @@ -644,7 +644,7 @@ static ssize_t pcie_gadget_target_attr_s
34319 return ret;
34320 }
34321
34322 -static struct configfs_item_operations pcie_gadget_target_item_ops = {
34323 +static const struct configfs_item_operations pcie_gadget_target_item_ops = {
34324 .show_attribute = pcie_gadget_target_attr_show,
34325 .store_attribute = pcie_gadget_target_attr_store,
34326 };
34327 diff -urNp linux-2.6.39.3/drivers/mmc/host/davinci_mmc.c linux-2.6.39.3/drivers/mmc/host/davinci_mmc.c
34328 --- linux-2.6.39.3/drivers/mmc/host/davinci_mmc.c 2011-05-19 00:06:34.000000000 -0400
34329 +++ linux-2.6.39.3/drivers/mmc/host/davinci_mmc.c 2011-05-22 19:36:31.000000000 -0400
34330 @@ -1133,7 +1133,7 @@ static void mmc_davinci_enable_sdio_irq(
34331 }
34332 }
34333
34334 -static struct mmc_host_ops mmc_davinci_ops = {
34335 +static const struct mmc_host_ops mmc_davinci_ops = {
34336 .request = mmc_davinci_request,
34337 .set_ios = mmc_davinci_set_ios,
34338 .get_cd = mmc_davinci_get_cd,
34339 diff -urNp linux-2.6.39.3/drivers/mmc/host/dw_mmc.c linux-2.6.39.3/drivers/mmc/host/dw_mmc.c
34340 --- linux-2.6.39.3/drivers/mmc/host/dw_mmc.c 2011-05-19 00:06:34.000000000 -0400
34341 +++ linux-2.6.39.3/drivers/mmc/host/dw_mmc.c 2011-05-22 19:36:31.000000000 -0400
34342 @@ -417,7 +417,7 @@ static int dw_mci_idmac_init(struct dw_m
34343 return 0;
34344 }
34345
34346 -static struct dw_mci_dma_ops dw_mci_idmac_ops = {
34347 +static const struct dw_mci_dma_ops dw_mci_idmac_ops = {
34348 .init = dw_mci_idmac_init,
34349 .start = dw_mci_idmac_start_dma,
34350 .stop = dw_mci_idmac_stop_dma,
34351 diff -urNp linux-2.6.39.3/drivers/mmc/host/s3cmci.c linux-2.6.39.3/drivers/mmc/host/s3cmci.c
34352 --- linux-2.6.39.3/drivers/mmc/host/s3cmci.c 2011-05-19 00:06:34.000000000 -0400
34353 +++ linux-2.6.39.3/drivers/mmc/host/s3cmci.c 2011-05-22 19:36:31.000000000 -0400
34354 @@ -1349,7 +1349,7 @@ static void s3cmci_enable_sdio_irq(struc
34355 s3cmci_check_sdio_irq(host);
34356 }
34357
34358 -static struct mmc_host_ops s3cmci_ops = {
34359 +static const struct mmc_host_ops s3cmci_ops = {
34360 .request = s3cmci_request,
34361 .set_ios = s3cmci_set_ios,
34362 .get_ro = s3cmci_get_ro,
34363 diff -urNp linux-2.6.39.3/drivers/mmc/host/sdhci-cns3xxx.c linux-2.6.39.3/drivers/mmc/host/sdhci-cns3xxx.c
34364 --- linux-2.6.39.3/drivers/mmc/host/sdhci-cns3xxx.c 2011-05-19 00:06:34.000000000 -0400
34365 +++ linux-2.6.39.3/drivers/mmc/host/sdhci-cns3xxx.c 2011-05-22 19:36:31.000000000 -0400
34366 @@ -81,7 +81,7 @@ out:
34367 host->clock = clock;
34368 }
34369
34370 -static struct sdhci_ops sdhci_cns3xxx_ops = {
34371 +static const struct sdhci_ops sdhci_cns3xxx_ops = {
34372 .get_max_clock = sdhci_cns3xxx_get_max_clk,
34373 .set_clock = sdhci_cns3xxx_set_clock,
34374 };
34375 diff -urNp linux-2.6.39.3/drivers/mmc/host/sdhci-dove.c linux-2.6.39.3/drivers/mmc/host/sdhci-dove.c
34376 --- linux-2.6.39.3/drivers/mmc/host/sdhci-dove.c 2011-05-19 00:06:34.000000000 -0400
34377 +++ linux-2.6.39.3/drivers/mmc/host/sdhci-dove.c 2011-05-22 19:36:31.000000000 -0400
34378 @@ -56,7 +56,7 @@ static u32 sdhci_dove_readl(struct sdhci
34379 return ret;
34380 }
34381
34382 -static struct sdhci_ops sdhci_dove_ops = {
34383 +static const struct sdhci_ops sdhci_dove_ops = {
34384 .read_w = sdhci_dove_readw,
34385 .read_l = sdhci_dove_readl,
34386 };
34387 diff -urNp linux-2.6.39.3/drivers/mmc/host/sdhci-esdhc-imx.c linux-2.6.39.3/drivers/mmc/host/sdhci-esdhc-imx.c
34388 --- linux-2.6.39.3/drivers/mmc/host/sdhci-esdhc-imx.c 2011-05-19 00:06:34.000000000 -0400
34389 +++ linux-2.6.39.3/drivers/mmc/host/sdhci-esdhc-imx.c 2011-05-22 19:36:31.000000000 -0400
34390 @@ -201,7 +201,7 @@ static unsigned int esdhc_pltfm_get_ro(s
34391 return -ENOSYS;
34392 }
34393
34394 -static struct sdhci_ops sdhci_esdhc_ops = {
34395 +static const struct sdhci_ops sdhci_esdhc_ops = {
34396 .read_l = esdhc_readl_le,
34397 .read_w = esdhc_readw_le,
34398 .write_l = esdhc_writel_le,
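--- a/drivers/mmc/host/sdhci-of.h
+++ b/drivers/mmc/host/sdhci-of.h
@@ -21,7 +21,7 @@
 
 struct sdhci_of_data {
 unsigned int quirks;
- struct sdhci_ops ops;
+ const struct sdhci_ops ops;
 };
 
 struct sdhci_of_host {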
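Review bot: Marking the embedded member `const struct sdhci_ops ops;` const does not by itself put the function pointers in read-only memory. Placement is decided by the whole `struct sdhci_of_data` object, and `quirks` beside it stays writable. If the aim matches the `static const struct sdhci_ops` changes elsewhere in this patch, the instances of `struct sdhci_of_data` (defined outside this hunk) would need to be declared `const` as well. The const member also forbids whole-struct assignment, so any code that copies or fills a `sdhci_of_data` at run time needs checking.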
34411 diff -urNp linux-2.6.39.3/drivers/mmc/host/sdhci-pci.c linux-2.6.39.3/drivers/mmc/host/sdhci-pci.c
34412 --- linux-2.6.39.3/drivers/mmc/host/sdhci-pci.c 2011-05-19 00:06:34.000000000 -0400
34413 +++ linux-2.6.39.3/drivers/mmc/host/sdhci-pci.c 2011-05-22 19:36:31.000000000 -0400
34414 @@ -786,7 +786,7 @@ static int sdhci_pci_enable_dma(struct s
34415 return 0;
34416 }
34417
34418 -static struct sdhci_ops sdhci_pci_ops = {
34419 +static const struct sdhci_ops sdhci_pci_ops = {
34420 .enable_dma = sdhci_pci_enable_dma,
34421 };
34422
34423 diff -urNp linux-2.6.39.3/drivers/mmc/host/sdhci-pltfm.c linux-2.6.39.3/drivers/mmc/host/sdhci-pltfm.c
34424 --- linux-2.6.39.3/drivers/mmc/host/sdhci-pltfm.c 2011-05-19 00:06:34.000000000 -0400
34425 +++ linux-2.6.39.3/drivers/mmc/host/sdhci-pltfm.c 2011-05-22 19:36:31.000000000 -0400
34426 @@ -41,7 +41,7 @@
34427 * *
34428 \*****************************************************************************/
34429
34430 -static struct sdhci_ops sdhci_pltfm_ops = {
34431 +static const struct sdhci_ops sdhci_pltfm_ops = {
34432 };
34433
34434 /*****************************************************************************\
34435 diff -urNp linux-2.6.39.3/drivers/mmc/host/sdhci-pxa.c linux-2.6.39.3/drivers/mmc/host/sdhci-pxa.c
34436 --- linux-2.6.39.3/drivers/mmc/host/sdhci-pxa.c 2011-05-19 00:06:34.000000000 -0400
34437 +++ linux-2.6.39.3/drivers/mmc/host/sdhci-pxa.c 2011-05-22 19:36:31.000000000 -0400
34438 @@ -69,7 +69,7 @@ static void set_clock(struct sdhci_host
34439 }
34440 }
34441
34442 -static struct sdhci_ops sdhci_pxa_ops = {
34443 +static const struct sdhci_ops sdhci_pxa_ops = {
34444 .set_clock = set_clock,
34445 };
34446
34447 diff -urNp linux-2.6.39.3/drivers/mmc/host/sdhci-s3c.c linux-2.6.39.3/drivers/mmc/host/sdhci-s3c.c
34448 --- linux-2.6.39.3/drivers/mmc/host/sdhci-s3c.c 2011-05-19 00:06:34.000000000 -0400
34449 +++ linux-2.6.39.3/drivers/mmc/host/sdhci-s3c.c 2011-05-22 19:36:31.000000000 -0400
34450 @@ -309,7 +309,7 @@ static int sdhci_s3c_platform_8bit_width
34451 return 0;
34452 }
34453
34454 -static struct sdhci_ops sdhci_s3c_ops = {
34455 +static const struct sdhci_ops sdhci_s3c_ops = {
34456 .get_max_clock = sdhci_s3c_get_max_clk,
34457 .set_clock = sdhci_s3c_set_clock,
34458 .get_min_clock = sdhci_s3c_get_min_clock,
34459 diff -urNp linux-2.6.39.3/drivers/mmc/host/sdhci-spear.c linux-2.6.39.3/drivers/mmc/host/sdhci-spear.c
34460 --- linux-2.6.39.3/drivers/mmc/host/sdhci-spear.c 2011-05-19 00:06:34.000000000 -0400
34461 +++ linux-2.6.39.3/drivers/mmc/host/sdhci-spear.c 2011-05-22 19:36:31.000000000 -0400
34462 @@ -32,7 +32,7 @@ struct spear_sdhci {
34463 };
34464
34465 /* sdhci ops */
34466 -static struct sdhci_ops sdhci_pltfm_ops = {
34467 +static const struct sdhci_ops sdhci_pltfm_ops = {
34468 /* Nothing to do for now. */
34469 };
34470
34471 diff -urNp linux-2.6.39.3/drivers/mmc/host/sdhci-tegra.c linux-2.6.39.3/drivers/mmc/host/sdhci-tegra.c
34472 --- linux-2.6.39.3/drivers/mmc/host/sdhci-tegra.c 2011-05-19 00:06:34.000000000 -0400
34473 +++ linux-2.6.39.3/drivers/mmc/host/sdhci-tegra.c 2011-05-22 19:36:31.000000000 -0400
34474 @@ -242,7 +242,7 @@ static void tegra_sdhci_pltfm_exit(struc
34475 clk_put(pltfm_host->clk);
34476 }
34477
34478 -static struct sdhci_ops tegra_sdhci_ops = {
34479 +static const struct sdhci_ops tegra_sdhci_ops = {
34480 .get_ro = tegra_sdhci_get_ro,
34481 .read_l = tegra_sdhci_readl,
34482 .read_w = tegra_sdhci_readw,
34483 diff -urNp linux-2.6.39.3/drivers/mmc/host/sdricoh_cs.c linux-2.6.39.3/drivers/mmc/host/sdricoh_cs.c
34484 --- linux-2.6.39.3/drivers/mmc/host/sdricoh_cs.c 2011-05-19 00:06:34.000000000 -0400
34485 +++ linux-2.6.39.3/drivers/mmc/host/sdricoh_cs.c 2011-05-22 19:36:31.000000000 -0400
34486 @@ -387,7 +387,7 @@ static int sdricoh_get_ro(struct mmc_hos
34487 return (status & STATUS_CARD_LOCKED);
34488 }
34489
34490 -static struct mmc_host_ops sdricoh_ops = {
34491 +static const struct mmc_host_ops sdricoh_ops = {
34492 .request = sdricoh_request,
34493 .set_ios = sdricoh_set_ios,
34494 .get_ro = sdricoh_get_ro,
34495 diff -urNp linux-2.6.39.3/drivers/mmc/host/sh_mmcif.c linux-2.6.39.3/drivers/mmc/host/sh_mmcif.c
34496 --- linux-2.6.39.3/drivers/mmc/host/sh_mmcif.c 2011-05-19 00:06:34.000000000 -0400
34497 +++ linux-2.6.39.3/drivers/mmc/host/sh_mmcif.c 2011-05-22 19:36:31.000000000 -0400
34498 @@ -872,7 +872,7 @@ static int sh_mmcif_get_cd(struct mmc_ho
34499 return p->get_cd(host->pd);
34500 }
34501
34502 -static struct mmc_host_ops sh_mmcif_ops = {
34503 +static const struct mmc_host_ops sh_mmcif_ops = {
34504 .request = sh_mmcif_request,
34505 .set_ios = sh_mmcif_set_ios,
34506 .get_cd = sh_mmcif_get_cd,
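--- a/drivers/mtd/chips/cfi_cmdset_0001.c
+++ b/drivers/mtd/chips/cfi_cmdset_0001.c
@@ -757,6 +757,8 @@ static int chip_ready (struct map_info *
 struct cfi_pri_intelext *cfip = cfi->cmdset_priv;
 unsigned long timeo = jiffies + HZ;
 
+ pax_track_stack();
+
 /* Prevent setting state FL_SYNCING for chip in suspended state. */
 if (mode == FL_SYNCING && chip->oldstate != FL_READY)
 goto sleep;
@@ -1657,6 +1659,8 @@ static int __xipram do_write_buffer(stru
 unsigned long initial_adr;
 int initial_len = len;
 
+ pax_track_stack();
+
 wbufsize = cfi_interleave(cfi) << cfi->cfiq->MaxBufWriteSize;
 adr += chip->start;
 initial_adr = adr;
@@ -1875,6 +1879,8 @@ static int __xipram do_erase_oneblock(st
 int retries = 3;
 int ret;
 
+ pax_track_stack();
+
 adr += chip->start;
 
 retry: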
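Review bot: The three `pax_track_stack();` calls added in `chip_ready`, `do_write_buffer` and `do_erase_oneblock` carry no comment saying what qualifies a function for the call. From the hunks alone a reader cannot tell whether it is tied to a large stack frame or to something else, and so cannot tell when a new function needs it or when a refactor may drop it. A short comment at the first call, such as `/* large stack frame: record stack depth for PaX */` (wording to be confirmed against the definition of `pax_track_stack`), would help. The same applies to the calls added in wm8350-i2c.c, cfi_cmdset_0020.c, ftl.c, inftlcore.c, inftlmount.c, lpddr/qinfo_probe.c, mtdchar.c, nftlcore.c and nftlmount.c. All three function bodies here extend beyond their hunks.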
34537 diff -urNp linux-2.6.39.3/drivers/mtd/chips/cfi_cmdset_0020.c linux-2.6.39.3/drivers/mtd/chips/cfi_cmdset_0020.c
34538 --- linux-2.6.39.3/drivers/mtd/chips/cfi_cmdset_0020.c 2011-05-19 00:06:34.000000000 -0400
34539 +++ linux-2.6.39.3/drivers/mtd/chips/cfi_cmdset_0020.c 2011-05-22 19:36:31.000000000 -0400
34540 @@ -255,6 +255,8 @@ static inline int do_read_onechip(struct
34541 unsigned long cmd_addr;
34542 struct cfi_private *cfi = map->fldrv_priv;
34543
34544 + pax_track_stack();
34545 +
34546 adr += chip->start;
34547
34548 /* Ensure cmd read/writes are aligned. */
34549 @@ -428,6 +430,8 @@ static inline int do_write_buffer(struct
34550 DECLARE_WAITQUEUE(wait, current);
34551 int wbufsize, z;
34552
34553 + pax_track_stack();
34554 +
34555 /* M58LW064A requires bus alignment for buffer wriets -- saw */
34556 if (adr & (map_bankwidth(map)-1))
34557 return -EINVAL;
34558 @@ -742,6 +746,8 @@ static inline int do_erase_oneblock(stru
34559 DECLARE_WAITQUEUE(wait, current);
34560 int ret = 0;
34561
34562 + pax_track_stack();
34563 +
34564 adr += chip->start;
34565
34566 /* Let's determine this according to the interleave only once */
34567 @@ -1047,6 +1053,8 @@ static inline int do_lock_oneblock(struc
34568 unsigned long timeo = jiffies + HZ;
34569 DECLARE_WAITQUEUE(wait, current);
34570
34571 + pax_track_stack();
34572 +
34573 adr += chip->start;
34574
34575 /* Let's determine this according to the interleave only once */
34576 @@ -1196,6 +1204,8 @@ static inline int do_unlock_oneblock(str
34577 unsigned long timeo = jiffies + HZ;
34578 DECLARE_WAITQUEUE(wait, current);
34579
34580 + pax_track_stack();
34581 +
34582 adr += chip->start;
34583
34584 /* Let's determine this according to the interleave only once */
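--- a/drivers/mtd/devices/doc2000.c
+++ b/drivers/mtd/devices/doc2000.c
@@ -776,7 +776,7 @@ static int doc_write(struct mtd_info *mt
 
 /* The ECC will not be calculated correctly if less than 512 is written */
 /* DBB-
- if (len != 0x200 && eccbuf)
+ if (len != 0x200)
 printk(KERN_WARNING
 "ECC needs a full sector write (adr: %lx size %lx)\n",
 (long) to, (long) len);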
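Review bot: The changed condition `if (len != 0x200)` follows a `/* DBB-` line that opens a comment, and no closing `*/` appears before it in the hunk, so the edited `if` and its `printk` look like commented-out code. If so, the change has no effect at run time and the warning about partial-sector ECC writes is never printed. Either delete the dead block or re-enable it deliberately. The end of the comment is outside the hunk, so confirm this against the full file.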
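--- a/drivers/mtd/devices/doc2001.c
+++ b/drivers/mtd/devices/doc2001.c
@@ -393,7 +393,7 @@ static int doc_read (struct mtd_info *mt
 struct Nand *mychip = &this->chips[from >> (this->chipshift)];
 
 /* Don't allow read past end of device */
- if (from >= this->totlen)
+ if (from >= this->totlen || !len)
 return -EINVAL;
 
 /* Don't allow a single read to cross a 512-byte block boundary */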
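Review bot: `mychip` is initialised from `&this->chips[from >> (this->chipshift)]` in the declaration above the range check, so an out-of-range `from` is used to index `this->chips` before `if (from >= this->totlen || !len)` rejects it. Only the address is computed in the visible lines, but moving the assignment below the check removes the out-of-bounds pointer and keeps a later edit from dereferencing it early: declare `struct Nand *mychip;` and set `mychip = &this->chips[from >> this->chipshift];` after the `return -EINVAL;`. The new `!len` test also turns a zero-length read into `-EINVAL`; if callers expect success with nothing read, that is a behaviour change worth a comment. `doc_read` starts and ends outside the hunk.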
34609 diff -urNp linux-2.6.39.3/drivers/mtd/ftl.c linux-2.6.39.3/drivers/mtd/ftl.c
34610 --- linux-2.6.39.3/drivers/mtd/ftl.c 2011-05-19 00:06:34.000000000 -0400
34611 +++ linux-2.6.39.3/drivers/mtd/ftl.c 2011-05-22 19:36:31.000000000 -0400
34612 @@ -474,6 +474,8 @@ static int copy_erase_unit(partition_t *
34613 loff_t offset;
34614 uint16_t srcunitswap = cpu_to_le16(srcunit);
34615
34616 + pax_track_stack();
34617 +
34618 eun = &part->EUNInfo[srcunit];
34619 xfer = &part->XferInfo[xferunit];
34620 DEBUG(2, "ftl_cs: copying block 0x%x to 0x%x\n",
34621 diff -urNp linux-2.6.39.3/drivers/mtd/inftlcore.c linux-2.6.39.3/drivers/mtd/inftlcore.c
34622 --- linux-2.6.39.3/drivers/mtd/inftlcore.c 2011-05-19 00:06:34.000000000 -0400
34623 +++ linux-2.6.39.3/drivers/mtd/inftlcore.c 2011-05-22 19:36:31.000000000 -0400
34624 @@ -259,6 +259,8 @@ static u16 INFTL_foldchain(struct INFTLr
34625 struct inftl_oob oob;
34626 size_t retlen;
34627
34628 + pax_track_stack();
34629 +
34630 DEBUG(MTD_DEBUG_LEVEL3, "INFTL: INFTL_foldchain(inftl=%p,thisVUC=%d,"
34631 "pending=%d)\n", inftl, thisVUC, pendingblock);
34632
34633 diff -urNp linux-2.6.39.3/drivers/mtd/inftlmount.c linux-2.6.39.3/drivers/mtd/inftlmount.c
34634 --- linux-2.6.39.3/drivers/mtd/inftlmount.c 2011-05-19 00:06:34.000000000 -0400
34635 +++ linux-2.6.39.3/drivers/mtd/inftlmount.c 2011-05-22 19:36:31.000000000 -0400
34636 @@ -53,6 +53,8 @@ static int find_boot_record(struct INFTL
34637 struct INFTLPartition *ip;
34638 size_t retlen;
34639
34640 + pax_track_stack();
34641 +
34642 DEBUG(MTD_DEBUG_LEVEL3, "INFTL: find_boot_record(inftl=%p)\n", inftl);
34643
34644 /*
34645 diff -urNp linux-2.6.39.3/drivers/mtd/lpddr/qinfo_probe.c linux-2.6.39.3/drivers/mtd/lpddr/qinfo_probe.c
34646 --- linux-2.6.39.3/drivers/mtd/lpddr/qinfo_probe.c 2011-05-19 00:06:34.000000000 -0400
34647 +++ linux-2.6.39.3/drivers/mtd/lpddr/qinfo_probe.c 2011-05-22 19:36:31.000000000 -0400
34648 @@ -106,6 +106,8 @@ static int lpddr_pfow_present(struct map
34649 {
34650 map_word pfow_val[4];
34651
34652 + pax_track_stack();
34653 +
34654 /* Check identification string */
34655 pfow_val[0] = map_read(map, map->pfow_base + PFOW_QUERY_STRING_P);
34656 pfow_val[1] = map_read(map, map->pfow_base + PFOW_QUERY_STRING_F);
34657 diff -urNp linux-2.6.39.3/drivers/mtd/mtdchar.c linux-2.6.39.3/drivers/mtd/mtdchar.c
34658 --- linux-2.6.39.3/drivers/mtd/mtdchar.c 2011-05-19 00:06:34.000000000 -0400
34659 +++ linux-2.6.39.3/drivers/mtd/mtdchar.c 2011-05-22 19:36:31.000000000 -0400
34660 @@ -560,6 +560,8 @@ static int mtd_ioctl(struct file *file,
34661 u_long size;
34662 struct mtd_info_user info;
34663
34664 + pax_track_stack();
34665 +
34666 DEBUG(MTD_DEBUG_LEVEL0, "MTD_ioctl\n");
34667
34668 size = (cmd & IOCSIZE_MASK) >> IOCSIZE_SHIFT;
34669 diff -urNp linux-2.6.39.3/drivers/mtd/nand/denali.c linux-2.6.39.3/drivers/mtd/nand/denali.c
34670 --- linux-2.6.39.3/drivers/mtd/nand/denali.c 2011-05-19 00:06:34.000000000 -0400
34671 +++ linux-2.6.39.3/drivers/mtd/nand/denali.c 2011-05-22 19:36:31.000000000 -0400
34672 @@ -25,6 +25,7 @@
34673 #include <linux/pci.h>
34674 #include <linux/mtd/mtd.h>
34675 #include <linux/module.h>
34676 +#include <linux/slab.h>
34677
34678 #include "denali.h"
34679
34680 diff -urNp linux-2.6.39.3/drivers/mtd/nftlcore.c linux-2.6.39.3/drivers/mtd/nftlcore.c
34681 --- linux-2.6.39.3/drivers/mtd/nftlcore.c 2011-05-19 00:06:34.000000000 -0400
34682 +++ linux-2.6.39.3/drivers/mtd/nftlcore.c 2011-05-22 19:36:31.000000000 -0400
34683 @@ -264,6 +264,8 @@ static u16 NFTL_foldchain (struct NFTLre
34684 int inplace = 1;
34685 size_t retlen;
34686
34687 + pax_track_stack();
34688 +
34689 memset(BlockMap, 0xff, sizeof(BlockMap));
34690 memset(BlockFreeFound, 0, sizeof(BlockFreeFound));
34691
34692 diff -urNp linux-2.6.39.3/drivers/mtd/nftlmount.c linux-2.6.39.3/drivers/mtd/nftlmount.c
34693 --- linux-2.6.39.3/drivers/mtd/nftlmount.c 2011-05-19 00:06:34.000000000 -0400
34694 +++ linux-2.6.39.3/drivers/mtd/nftlmount.c 2011-05-22 19:36:31.000000000 -0400
34695 @@ -24,6 +24,7 @@
34696 #include <asm/errno.h>
34697 #include <linux/delay.h>
34698 #include <linux/slab.h>
34699 +#include <linux/sched.h>
34700 #include <linux/mtd/mtd.h>
34701 #include <linux/mtd/nand.h>
34702 #include <linux/mtd/nftl.h>
34703 @@ -45,6 +46,8 @@ static int find_boot_record(struct NFTLr
34704 struct mtd_info *mtd = nftl->mbd.mtd;
34705 unsigned int i;
34706
34707 + pax_track_stack();
34708 +
34709 /* Assume logical EraseSize == physical erasesize for starting the scan.
34710 We'll sort it out later if we find a MediaHeader which says otherwise */
34711 /* Actually, we won't. The new DiskOnChip driver has already scanned
34712 diff -urNp linux-2.6.39.3/drivers/mtd/ubi/build.c linux-2.6.39.3/drivers/mtd/ubi/build.c
34713 --- linux-2.6.39.3/drivers/mtd/ubi/build.c 2011-05-19 00:06:34.000000000 -0400
34714 +++ linux-2.6.39.3/drivers/mtd/ubi/build.c 2011-05-22 19:36:31.000000000 -0400
34715 @@ -1287,7 +1287,7 @@ module_exit(ubi_exit);
34716 static int __init bytes_str_to_int(const char *str)
34717 {
34718 char *endp;
34719 - unsigned long result;
34720 + unsigned long result, scale = 1;
34721
34722 result = simple_strtoul(str, &endp, 0);
34723 if (str == endp || result >= INT_MAX) {
34724 @@ -1298,11 +1298,11 @@ static int __init bytes_str_to_int(const
34725
34726 switch (*endp) {
34727 case 'G':
34728 - result *= 1024;
34729 + scale *= 1024;
34730 case 'M':
34731 - result *= 1024;
34732 + scale *= 1024;
34733 case 'K':
34734 - result *= 1024;
34735 + scale *= 1024;
34736 if (endp[1] == 'i' && endp[2] == 'B')
34737 endp += 2;
34738 case '\0':
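Review bot: The new `scale *= 1024;` lines under `case 'G':` and `case 'M':` depend on falling through to the next label, and nothing in the switch marks that as deliberate. A `/* fall through */` comment after each of them, and after the `endp += 2;` line that runs into `case '\0':`, would keep a later edit from adding a `break` and silently changing the multiplier. The switch continues past the end of this hunk.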
34739 @@ -1313,7 +1313,13 @@ static int __init bytes_str_to_int(const
34740 return -EINVAL;
34741 }
34742
34743 - return result;
34744 + if ((intoverflow_t)result*scale >= INT_MAX) {
34745 + printk(KERN_ERR "UBI error: incorrect bytes count: \"%s\"\n",
34746 + str);
34747 + return -EINVAL;
34748 + }
34749 +
34750 + return result*scale;
34751 }
34752
34753 /**
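Review bot: The bound check `(intoverflow_t)result*scale >= INT_MAX` is sound on a 32-bit build only if `intoverflow_t` is wider than `unsigned long`, and the `return result*scale;` below repeats the multiplication in plain `unsigned long`; the type's definition is not in this hunk. Computing the product once makes the dependency explicit: `intoverflow_t bytes = (intoverflow_t)result * scale;`, then `if (bytes >= INT_MAX) {` and `return (int)bytes;`. A comment such as `/* widen before multiplying so a wrapped product cannot pass the INT_MAX check */` would record why `scale` is accumulated separately from `result`. The printk text duplicates the message of the earlier range check in this function, so the two failures cannot be told apart in the log.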
34754 diff -urNp linux-2.6.39.3/drivers/net/bcm63xx_enet.c linux-2.6.39.3/drivers/net/bcm63xx_enet.c
34755 --- linux-2.6.39.3/drivers/net/bcm63xx_enet.c 2011-05-19 00:06:34.000000000 -0400
34756 +++ linux-2.6.39.3/drivers/net/bcm63xx_enet.c 2011-05-22 19:36:31.000000000 -0400
34757 @@ -1469,7 +1469,7 @@ static int bcm_enet_set_pauseparam(struc
34758 return 0;
34759 }
34760
34761 -static struct ethtool_ops bcm_enet_ethtool_ops = {
34762 +static const struct ethtool_ops bcm_enet_ethtool_ops = {
34763 .get_strings = bcm_enet_get_strings,
34764 .get_sset_count = bcm_enet_get_sset_count,
34765 .get_ethtool_stats = bcm_enet_get_ethtool_stats,
34766 diff -urNp linux-2.6.39.3/drivers/net/bna/bnad_ethtool.c linux-2.6.39.3/drivers/net/bna/bnad_ethtool.c
34767 --- linux-2.6.39.3/drivers/net/bna/bnad_ethtool.c 2011-05-19 00:06:34.000000000 -0400
34768 +++ linux-2.6.39.3/drivers/net/bna/bnad_ethtool.c 2011-05-22 19:36:31.000000000 -0400
34769 @@ -1242,7 +1242,7 @@ bnad_get_sset_count(struct net_device *n
34770 }
34771 }
34772
34773 -static struct ethtool_ops bnad_ethtool_ops = {
34774 +static const struct ethtool_ops bnad_ethtool_ops = {
34775 .get_settings = bnad_get_settings,
34776 .set_settings = bnad_set_settings,
34777 .get_drvinfo = bnad_get_drvinfo,
34778 diff -urNp linux-2.6.39.3/drivers/net/bnx2.c linux-2.6.39.3/drivers/net/bnx2.c
34779 --- linux-2.6.39.3/drivers/net/bnx2.c 2011-05-19 00:06:34.000000000 -0400
34780 +++ linux-2.6.39.3/drivers/net/bnx2.c 2011-05-22 19:36:31.000000000 -0400
34781 @@ -5828,6 +5828,8 @@ bnx2_test_nvram(struct bnx2 *bp)
34782 int rc = 0;
34783 u32 magic, csum;
34784
34785 + pax_track_stack();
34786 +
34787 if ((rc = bnx2_nvram_read(bp, 0, data, 4)) != 0)
34788 goto test_nvram_done;
34789
34790 diff -urNp linux-2.6.39.3/drivers/net/bnx2x/bnx2x_ethtool.c linux-2.6.39.3/drivers/net/bnx2x/bnx2x_ethtool.c
34791 --- linux-2.6.39.3/drivers/net/bnx2x/bnx2x_ethtool.c 2011-05-19 00:06:34.000000000 -0400
34792 +++ linux-2.6.39.3/drivers/net/bnx2x/bnx2x_ethtool.c 2011-05-22 19:36:31.000000000 -0400
34793 @@ -1788,6 +1788,8 @@ static int bnx2x_test_nvram(struct bnx2x
34794 int i, rc;
34795 u32 magic, crc;
34796
34797 + pax_track_stack();
34798 +
34799 if (BP_NOMCP(bp))
34800 return 0;
34801
34802 diff -urNp linux-2.6.39.3/drivers/net/chelsio/pm3393.c linux-2.6.39.3/drivers/net/chelsio/pm3393.c
34803 --- linux-2.6.39.3/drivers/net/chelsio/pm3393.c 2011-05-19 00:06:34.000000000 -0400
34804 +++ linux-2.6.39.3/drivers/net/chelsio/pm3393.c 2011-05-22 19:36:31.000000000 -0400
34805 @@ -571,7 +571,7 @@ static void pm3393_destroy(struct cmac *
34806 kfree(cmac);
34807 }
34808
34809 -static struct cmac_ops pm3393_ops = {
34810 +static const struct cmac_ops pm3393_ops = {
34811 .destroy = pm3393_destroy,
34812 .reset = pm3393_reset,
34813 .interrupt_enable = pm3393_interrupt_enable,
34814 diff -urNp linux-2.6.39.3/drivers/net/chelsio/vsc7326.c linux-2.6.39.3/drivers/net/chelsio/vsc7326.c
34815 --- linux-2.6.39.3/drivers/net/chelsio/vsc7326.c 2011-05-19 00:06:34.000000000 -0400
34816 +++ linux-2.6.39.3/drivers/net/chelsio/vsc7326.c 2011-05-22 19:36:31.000000000 -0400
34817 @@ -666,7 +666,7 @@ static void mac_destroy(struct cmac *mac
34818 kfree(mac);
34819 }
34820
34821 -static struct cmac_ops vsc7326_ops = {
34822 +static const struct cmac_ops vsc7326_ops = {
34823 .destroy = mac_destroy,
34824 .reset = mac_reset,
34825 .interrupt_handler = mac_intr_handler,
34826 diff -urNp linux-2.6.39.3/drivers/net/cxgb4/cxgb4_main.c linux-2.6.39.3/drivers/net/cxgb4/cxgb4_main.c
34827 --- linux-2.6.39.3/drivers/net/cxgb4/cxgb4_main.c 2011-05-19 00:06:34.000000000 -0400
34828 +++ linux-2.6.39.3/drivers/net/cxgb4/cxgb4_main.c 2011-05-22 19:36:31.000000000 -0400
34829 @@ -3428,6 +3428,8 @@ static int __devinit enable_msix(struct
34830 unsigned int nchan = adap->params.nports;
34831 struct msix_entry entries[MAX_INGQ + 1];
34832
34833 + pax_track_stack();
34834 +
34835 for (i = 0; i < ARRAY_SIZE(entries); ++i)
34836 entries[i].entry = i;
34837
34838 diff -urNp linux-2.6.39.3/drivers/net/cxgb4/t4_hw.c linux-2.6.39.3/drivers/net/cxgb4/t4_hw.c
34839 --- linux-2.6.39.3/drivers/net/cxgb4/t4_hw.c 2011-05-19 00:06:34.000000000 -0400
34840 +++ linux-2.6.39.3/drivers/net/cxgb4/t4_hw.c 2011-05-22 19:36:31.000000000 -0400
34841 @@ -362,6 +362,8 @@ static int get_vpd_params(struct adapter
34842 u8 vpd[VPD_LEN], csum;
34843 unsigned int vpdr_len, kw_offset, id_len;
34844
34845 + pax_track_stack();
34846 +
34847 ret = pci_read_vpd(adapter->pdev, VPD_BASE, sizeof(vpd), vpd);
34848 if (ret < 0)
34849 return ret;
34850 diff -urNp linux-2.6.39.3/drivers/net/cxgb4vf/cxgb4vf_main.c linux-2.6.39.3/drivers/net/cxgb4vf/cxgb4vf_main.c
34851 --- linux-2.6.39.3/drivers/net/cxgb4vf/cxgb4vf_main.c 2011-05-19 00:06:34.000000000 -0400
34852 +++ linux-2.6.39.3/drivers/net/cxgb4vf/cxgb4vf_main.c 2011-05-22 19:36:31.000000000 -0400
34853 @@ -1572,7 +1572,7 @@ static int cxgb4vf_set_tso(struct net_de
34854 return 0;
34855 }
34856
34857 -static struct ethtool_ops cxgb4vf_ethtool_ops = {
34858 +static const struct ethtool_ops cxgb4vf_ethtool_ops = {
34859 .get_settings = cxgb4vf_get_settings,
34860 .get_drvinfo = cxgb4vf_get_drvinfo,
34861 .get_msglevel = cxgb4vf_get_msglevel,
34862 diff -urNp linux-2.6.39.3/drivers/net/e1000e/82571.c linux-2.6.39.3/drivers/net/e1000e/82571.c
34863 --- linux-2.6.39.3/drivers/net/e1000e/82571.c 2011-05-19 00:06:34.000000000 -0400
34864 +++ linux-2.6.39.3/drivers/net/e1000e/82571.c 2011-05-22 19:36:31.000000000 -0400
34865 @@ -239,7 +239,7 @@ static s32 e1000_init_mac_params_82571(s
34866 {
34867 struct e1000_hw *hw = &adapter->hw;
34868 struct e1000_mac_info *mac = &hw->mac;
34869 - struct e1000_mac_operations *func = &mac->ops;
34870 + struct e1000_mac_operations *func = &mac->ops; /* cannot be const */
34871 u32 swsm = 0;
34872 u32 swsm2 = 0;
34873 bool force_clear_smbi = false;
34874 @@ -1930,7 +1930,7 @@ static void e1000_clear_hw_cntrs_82571(s
34875 er32(ICRXDMTC);
34876 }
34877
34878 -static struct e1000_mac_operations e82571_mac_ops = {
34879 +static const struct e1000_mac_operations e82571_mac_ops = {
34880 /* .check_mng_mode: mac type dependent */
34881 /* .check_for_link: media type dependent */
34882 .id_led_init = e1000e_id_led_init,
34883 @@ -1952,7 +1952,7 @@ static struct e1000_mac_operations e8257
34884 .read_mac_addr = e1000_read_mac_addr_82571,
34885 };
34886
34887 -static struct e1000_phy_operations e82_phy_ops_igp = {
34888 +static const struct e1000_phy_operations e82_phy_ops_igp = {
34889 .acquire = e1000_get_hw_semaphore_82571,
34890 .check_polarity = e1000_check_polarity_igp,
34891 .check_reset_block = e1000e_check_reset_block_generic,
34892 @@ -1970,7 +1970,7 @@ static struct e1000_phy_operations e82_p
34893 .cfg_on_link_up = NULL,
34894 };
34895
34896 -static struct e1000_phy_operations e82_phy_ops_m88 = {
34897 +static const struct e1000_phy_operations e82_phy_ops_m88 = {
34898 .acquire = e1000_get_hw_semaphore_82571,
34899 .check_polarity = e1000_check_polarity_m88,
34900 .check_reset_block = e1000e_check_reset_block_generic,
34901 @@ -1988,7 +1988,7 @@ static struct e1000_phy_operations e82_p
34902 .cfg_on_link_up = NULL,
34903 };
34904
34905 -static struct e1000_phy_operations e82_phy_ops_bm = {
34906 +static const struct e1000_phy_operations e82_phy_ops_bm = {
34907 .acquire = e1000_get_hw_semaphore_82571,
34908 .check_polarity = e1000_check_polarity_m88,
34909 .check_reset_block = e1000e_check_reset_block_generic,
34910 @@ -2006,7 +2006,7 @@ static struct e1000_phy_operations e82_p
34911 .cfg_on_link_up = NULL,
34912 };
34913
34914 -static struct e1000_nvm_operations e82571_nvm_ops = {
34915 +static const struct e1000_nvm_operations e82571_nvm_ops = {
34916 .acquire = e1000_acquire_nvm_82571,
34917 .read = e1000e_read_nvm_eerd,
34918 .release = e1000_release_nvm_82571,
34919 diff -urNp linux-2.6.39.3/drivers/net/e1000e/e1000.h linux-2.6.39.3/drivers/net/e1000e/e1000.h
34920 --- linux-2.6.39.3/drivers/net/e1000e/e1000.h 2011-05-19 00:06:34.000000000 -0400
34921 +++ linux-2.6.39.3/drivers/net/e1000e/e1000.h 2011-05-22 19:36:31.000000000 -0400
34922 @@ -409,9 +409,9 @@ struct e1000_info {
34923 u32 pba;
34924 u32 max_hw_frame_size;
34925 s32 (*get_variants)(struct e1000_adapter *);
34926 - struct e1000_mac_operations *mac_ops;
34927 - struct e1000_phy_operations *phy_ops;
34928 - struct e1000_nvm_operations *nvm_ops;
34929 + const struct e1000_mac_operations *mac_ops;
34930 + const struct e1000_phy_operations *phy_ops;
34931 + const struct e1000_nvm_operations *nvm_ops;
34932 };
34933
34934 /* hardware capability, feature, and workaround flags */
34935 diff -urNp linux-2.6.39.3/drivers/net/e1000e/es2lan.c linux-2.6.39.3/drivers/net/e1000e/es2lan.c
34936 --- linux-2.6.39.3/drivers/net/e1000e/es2lan.c 2011-05-19 00:06:34.000000000 -0400
34937 +++ linux-2.6.39.3/drivers/net/e1000e/es2lan.c 2011-05-22 19:36:31.000000000 -0400
34938 @@ -205,7 +205,7 @@ static s32 e1000_init_mac_params_80003es
34939 {
34940 struct e1000_hw *hw = &adapter->hw;
34941 struct e1000_mac_info *mac = &hw->mac;
34942 - struct e1000_mac_operations *func = &mac->ops;
34943 + struct e1000_mac_operations *func = &mac->ops; /* cannot be const */
34944
34945 /* Set media type */
34946 switch (adapter->pdev->device) {
34947 @@ -1431,7 +1431,7 @@ static void e1000_clear_hw_cntrs_80003es
34948 er32(ICRXDMTC);
34949 }
34950
34951 -static struct e1000_mac_operations es2_mac_ops = {
34952 +static const struct e1000_mac_operations es2_mac_ops = {
34953 .read_mac_addr = e1000_read_mac_addr_80003es2lan,
34954 .id_led_init = e1000e_id_led_init,
34955 .check_mng_mode = e1000e_check_mng_mode_generic,
34956 @@ -1453,7 +1453,7 @@ static struct e1000_mac_operations es2_m
34957 .setup_led = e1000e_setup_led_generic,
34958 };
34959
34960 -static struct e1000_phy_operations es2_phy_ops = {
34961 +static const struct e1000_phy_operations es2_phy_ops = {
34962 .acquire = e1000_acquire_phy_80003es2lan,
34963 .check_polarity = e1000_check_polarity_m88,
34964 .check_reset_block = e1000e_check_reset_block_generic,
34965 @@ -1471,7 +1471,7 @@ static struct e1000_phy_operations es2_p
34966 .cfg_on_link_up = e1000_cfg_on_link_up_80003es2lan,
34967 };
34968
34969 -static struct e1000_nvm_operations es2_nvm_ops = {
34970 +static const struct e1000_nvm_operations es2_nvm_ops = {
34971 .acquire = e1000_acquire_nvm_80003es2lan,
34972 .read = e1000e_read_nvm_eerd,
34973 .release = e1000_release_nvm_80003es2lan,
34974 diff -urNp linux-2.6.39.3/drivers/net/e1000e/hw.h linux-2.6.39.3/drivers/net/e1000e/hw.h
34975 --- linux-2.6.39.3/drivers/net/e1000e/hw.h 2011-05-19 00:06:34.000000000 -0400
34976 +++ linux-2.6.39.3/drivers/net/e1000e/hw.h 2011-05-22 19:36:31.000000000 -0400
34977 @@ -811,6 +811,7 @@ struct e1000_nvm_operations {
34978 };
34979
34980 struct e1000_mac_info {
34981 + /* cannot be const see e1000_init_mac_params_ich8lan */
34982 struct e1000_mac_operations ops;
34983 u8 addr[ETH_ALEN];
34984 u8 perm_addr[ETH_ALEN];
34985 @@ -852,6 +853,7 @@ struct e1000_mac_info {
34986 };
34987
34988 struct e1000_phy_info {
34989 + /* Cannot be const see e1000_init_phy_params_82571() */
34990 struct e1000_phy_operations ops;
34991
34992 enum e1000_phy_type type;
34993 @@ -886,6 +888,7 @@ struct e1000_phy_info {
34994 };
34995
34996 struct e1000_nvm_info {
34997 + /* cannot be const */
34998 struct e1000_nvm_operations ops;
34999
35000 enum e1000_nvm_type type;
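Review bot: The comment added to `struct e1000_nvm_info`, `/* cannot be const */`, gives no reason, unlike the two added earlier in this file, which name the function that writes the embedded ops. Naming the writer here as well, e.g. `/* cannot be const, see <function that assigns nvm->ops> */`, lets a later reader check whether the exception still holds. The same bare comment is added to `struct e1000_nvm_info` in drivers/net/igb/e1000_hw.h. The struct body continues outside the hunk.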
35001 diff -urNp linux-2.6.39.3/drivers/net/e1000e/ich8lan.c linux-2.6.39.3/drivers/net/e1000e/ich8lan.c
35002 --- linux-2.6.39.3/drivers/net/e1000e/ich8lan.c 2011-05-19 00:06:34.000000000 -0400
35003 +++ linux-2.6.39.3/drivers/net/e1000e/ich8lan.c 2011-05-22 19:36:31.000000000 -0400
35004 @@ -3866,7 +3866,7 @@ static void e1000_clear_hw_cntrs_ich8lan
35005 }
35006 }
35007
35008 -static struct e1000_mac_operations ich8_mac_ops = {
35009 +static const struct e1000_mac_operations ich8_mac_ops = {
35010 .id_led_init = e1000e_id_led_init,
35011 /* check_mng_mode dependent on mac type */
35012 .check_for_link = e1000_check_for_copper_link_ich8lan,
35013 @@ -3885,7 +3885,7 @@ static struct e1000_mac_operations ich8_
35014 /* id_led_init dependent on mac type */
35015 };
35016
35017 -static struct e1000_phy_operations ich8_phy_ops = {
35018 +static const struct e1000_phy_operations ich8_phy_ops = {
35019 .acquire = e1000_acquire_swflag_ich8lan,
35020 .check_reset_block = e1000_check_reset_block_ich8lan,
35021 .commit = NULL,
35022 @@ -3899,7 +3899,7 @@ static struct e1000_phy_operations ich8_
35023 .write_reg = e1000e_write_phy_reg_igp,
35024 };
35025
35026 -static struct e1000_nvm_operations ich8_nvm_ops = {
35027 +static const struct e1000_nvm_operations ich8_nvm_ops = {
35028 .acquire = e1000_acquire_nvm_ich8lan,
35029 .read = e1000_read_nvm_ich8lan,
35030 .release = e1000_release_nvm_ich8lan,
35031 diff -urNp linux-2.6.39.3/drivers/net/greth.c linux-2.6.39.3/drivers/net/greth.c
35032 --- linux-2.6.39.3/drivers/net/greth.c 2011-05-19 00:06:34.000000000 -0400
35033 +++ linux-2.6.39.3/drivers/net/greth.c 2011-05-22 19:36:31.000000000 -0400
35034 @@ -1192,7 +1192,7 @@ static const struct ethtool_ops greth_et
35035 .get_link = ethtool_op_get_link,
35036 };
35037
35038 -static struct net_device_ops greth_netdev_ops = {
35039 +static const struct net_device_ops greth_netdev_ops = {
35040 .ndo_open = greth_open,
35041 .ndo_stop = greth_close,
35042 .ndo_start_xmit = greth_start_xmit,
35043 diff -urNp linux-2.6.39.3/drivers/net/hamradio/6pack.c linux-2.6.39.3/drivers/net/hamradio/6pack.c
35044 --- linux-2.6.39.3/drivers/net/hamradio/6pack.c 2011-07-09 09:18:51.000000000 -0400
35045 +++ linux-2.6.39.3/drivers/net/hamradio/6pack.c 2011-07-09 09:19:18.000000000 -0400
35046 @@ -463,6 +463,8 @@ static void sixpack_receive_buf(struct t
35047 unsigned char buf[512];
35048 int count1;
35049
35050 + pax_track_stack();
35051 +
35052 if (!count)
35053 return;
35054
35055 diff -urNp linux-2.6.39.3/drivers/net/ibm_newemac/phy.c linux-2.6.39.3/drivers/net/ibm_newemac/phy.c
35056 --- linux-2.6.39.3/drivers/net/ibm_newemac/phy.c 2011-05-19 00:06:34.000000000 -0400
35057 +++ linux-2.6.39.3/drivers/net/ibm_newemac/phy.c 2011-05-22 19:36:31.000000000 -0400
35058 @@ -273,7 +273,7 @@ static int genmii_read_link(struct mii_p
35059 }
35060
35061 /* Generic implementation for most 10/100/1000 PHYs */
35062 -static struct mii_phy_ops generic_phy_ops = {
35063 +static const struct mii_phy_ops generic_phy_ops = {
35064 .setup_aneg = genmii_setup_aneg,
35065 .setup_forced = genmii_setup_forced,
35066 .poll_link = genmii_poll_link,
35067 @@ -337,7 +337,7 @@ static int cis8201_init(struct mii_phy *
35068 return 0;
35069 }
35070
35071 -static struct mii_phy_ops cis8201_phy_ops = {
35072 +static const struct mii_phy_ops cis8201_phy_ops = {
35073 .init = cis8201_init,
35074 .setup_aneg = genmii_setup_aneg,
35075 .setup_forced = genmii_setup_forced,
35076 @@ -417,7 +417,7 @@ static int et1011c_init(struct mii_phy *
35077 return 0;
35078 }
35079
35080 -static struct mii_phy_ops et1011c_phy_ops = {
35081 +static const struct mii_phy_ops et1011c_phy_ops = {
35082 .init = et1011c_init,
35083 .setup_aneg = genmii_setup_aneg,
35084 .setup_forced = genmii_setup_forced,
35085 @@ -436,7 +436,7 @@ static struct mii_phy_def et1011c_phy_de
35086
35087
35088
35089 -static struct mii_phy_ops m88e1111_phy_ops = {
35090 +static const struct mii_phy_ops m88e1111_phy_ops = {
35091 .init = m88e1111_init,
35092 .setup_aneg = genmii_setup_aneg,
35093 .setup_forced = genmii_setup_forced,
35094 @@ -452,7 +452,7 @@ static struct mii_phy_def m88e1111_phy_d
35095 .ops = &m88e1111_phy_ops,
35096 };
35097
35098 -static struct mii_phy_ops m88e1112_phy_ops = {
35099 +static const struct mii_phy_ops m88e1112_phy_ops = {
35100 .init = m88e1112_init,
35101 .setup_aneg = genmii_setup_aneg,
35102 .setup_forced = genmii_setup_forced,
35103 diff -urNp linux-2.6.39.3/drivers/net/ibmveth.c linux-2.6.39.3/drivers/net/ibmveth.c
35104 --- linux-2.6.39.3/drivers/net/ibmveth.c 2011-05-19 00:06:34.000000000 -0400
35105 +++ linux-2.6.39.3/drivers/net/ibmveth.c 2011-05-22 19:36:31.000000000 -0400
35106 @@ -1625,7 +1625,7 @@ static struct vio_device_id ibmveth_devi
35107 };
35108 MODULE_DEVICE_TABLE(vio, ibmveth_device_table);
35109
35110 -static struct dev_pm_ops ibmveth_pm_ops = {
35111 +static const struct dev_pm_ops ibmveth_pm_ops = {
35112 .resume = ibmveth_resume
35113 };
35114
35115 diff -urNp linux-2.6.39.3/drivers/net/igb/e1000_82575.c linux-2.6.39.3/drivers/net/igb/e1000_82575.c
35116 --- linux-2.6.39.3/drivers/net/igb/e1000_82575.c 2011-05-19 00:06:34.000000000 -0400
35117 +++ linux-2.6.39.3/drivers/net/igb/e1000_82575.c 2011-05-22 19:36:31.000000000 -0400
35118 @@ -2029,7 +2029,7 @@ out:
35119 return ret_val;
35120 }
35121
35122 -static struct e1000_mac_operations e1000_mac_ops_82575 = {
35123 +static const struct e1000_mac_operations e1000_mac_ops_82575 = {
35124 .init_hw = igb_init_hw_82575,
35125 .check_for_link = igb_check_for_link_82575,
35126 .rar_set = igb_rar_set,
35127 @@ -2037,13 +2037,13 @@ static struct e1000_mac_operations e1000
35128 .get_speed_and_duplex = igb_get_speed_and_duplex_copper,
35129 };
35130
35131 -static struct e1000_phy_operations e1000_phy_ops_82575 = {
35132 +static const struct e1000_phy_operations e1000_phy_ops_82575 = {
35133 .acquire = igb_acquire_phy_82575,
35134 .get_cfg_done = igb_get_cfg_done_82575,
35135 .release = igb_release_phy_82575,
35136 };
35137
35138 -static struct e1000_nvm_operations e1000_nvm_ops_82575 = {
35139 +static const struct e1000_nvm_operations e1000_nvm_ops_82575 = {
35140 .acquire = igb_acquire_nvm_82575,
35141 .read = igb_read_nvm_eerd,
35142 .release = igb_release_nvm_82575,
35143 diff -urNp linux-2.6.39.3/drivers/net/igb/e1000_hw.h linux-2.6.39.3/drivers/net/igb/e1000_hw.h
35144 --- linux-2.6.39.3/drivers/net/igb/e1000_hw.h 2011-05-19 00:06:34.000000000 -0400
35145 +++ linux-2.6.39.3/drivers/net/igb/e1000_hw.h 2011-05-22 19:36:31.000000000 -0400
35146 @@ -342,14 +342,15 @@ struct e1000_nvm_operations {
35147
35148 struct e1000_info {
35149 s32 (*get_invariants)(struct e1000_hw *);
35150 - struct e1000_mac_operations *mac_ops;
35151 - struct e1000_phy_operations *phy_ops;
35152 - struct e1000_nvm_operations *nvm_ops;
35153 + const struct e1000_mac_operations *mac_ops;
35154 + const struct e1000_phy_operations *phy_ops;
35155 + const struct e1000_nvm_operations *nvm_ops;
35156 };
35157
35158 extern const struct e1000_info e1000_82575_info;
35159
35160 struct e1000_mac_info {
35161 + /* cannot be const see igb_get_invariants_82575() */
35162 struct e1000_mac_operations ops;
35163
35164 u8 addr[6];
35165 @@ -388,6 +389,7 @@ struct e1000_mac_info {
35166 };
35167
35168 struct e1000_phy_info {
35169 + /* cannot be const see igb_get_invariants_82575() */
35170 struct e1000_phy_operations ops;
35171
35172 enum e1000_phy_type type;
35173 @@ -423,6 +425,7 @@ struct e1000_phy_info {
35174 };
35175
35176 struct e1000_nvm_info {
35177 + /* cannot be const */
35178 struct e1000_nvm_operations ops;
35179 enum e1000_nvm_type type;
35180 enum e1000_nvm_override override;
35181 diff -urNp linux-2.6.39.3/drivers/net/igbvf/vf.h linux-2.6.39.3/drivers/net/igbvf/vf.h
35182 --- linux-2.6.39.3/drivers/net/igbvf/vf.h 2011-05-19 00:06:34.000000000 -0400
35183 +++ linux-2.6.39.3/drivers/net/igbvf/vf.h 2011-05-22 19:36:31.000000000 -0400
35184 @@ -191,6 +191,7 @@ struct e1000_mac_operations {
35185 };
35186
35187 struct e1000_mac_info {
35188 + /* cannot be const see e1000_init_mac_params_vf() */
35189 struct e1000_mac_operations ops;
35190 u8 addr[6];
35191 u8 perm_addr[6];
35192 diff -urNp linux-2.6.39.3/drivers/net/irda/sh_irda.c linux-2.6.39.3/drivers/net/irda/sh_irda.c
35193 --- linux-2.6.39.3/drivers/net/irda/sh_irda.c 2011-05-19 00:06:34.000000000 -0400
35194 +++ linux-2.6.39.3/drivers/net/irda/sh_irda.c 2011-05-22 19:36:31.000000000 -0400
35195 @@ -307,7 +307,7 @@ static int xir_fte(struct sh_irda_self *
35196 return 0;
35197 }
35198
35199 -static struct sh_irda_xir_func xir_func = {
35200 +static const struct sh_irda_xir_func xir_func = {
35201 .xir_fre = xir_fre,
35202 .xir_trov = xir_trov,
35203 .xir_9 = xir_9,
35204 @@ -321,7 +321,7 @@ static struct sh_irda_xir_func xir_func
35205 *
35206 * MIR/FIR are not supported now
35207 *=====================================*/
35208 -static struct sh_irda_xir_func mfir_func = {
35209 +static const struct sh_irda_xir_func mfir_func = {
35210 .xir_fre = xir_fre,
35211 .xir_trov = xir_trov,
35212 .xir_9 = xir_9,
35213 @@ -400,7 +400,7 @@ static int sir_fte(struct sh_irda_self *
35214 return 0;
35215 }
35216
35217 -static struct sh_irda_xir_func sir_func = {
35218 +static const struct sh_irda_xir_func sir_func = {
35219 .xir_fre = sir_fre,
35220 .xir_trov = sir_trov,
35221 .xir_9 = sir_tot,
35222 @@ -411,7 +411,7 @@ static struct sh_irda_xir_func sir_func
35223 static void sh_irda_set_mode(struct sh_irda_self *self, enum sh_irda_mode mode)
35224 {
35225 struct device *dev = &self->ndev->dev;
35226 - struct sh_irda_xir_func *func;
35227 + const struct sh_irda_xir_func *func;
35228 const char *name;
35229 u16 data;
35230
35231 diff -urNp linux-2.6.39.3/drivers/net/ixgb/ixgb_main.c linux-2.6.39.3/drivers/net/ixgb/ixgb_main.c
35232 --- linux-2.6.39.3/drivers/net/ixgb/ixgb_main.c 2011-05-19 00:06:34.000000000 -0400
35233 +++ linux-2.6.39.3/drivers/net/ixgb/ixgb_main.c 2011-05-22 19:36:31.000000000 -0400
35234 @@ -1069,6 +1069,8 @@ ixgb_set_multi(struct net_device *netdev
35235 u32 rctl;
35236 int i;
35237
35238 + pax_track_stack();
35239 +
35240 /* Check for Promiscuous and All Multicast modes */
35241
35242 rctl = IXGB_READ_REG(hw, RCTL);
35243 diff -urNp linux-2.6.39.3/drivers/net/ixgb/ixgb_param.c linux-2.6.39.3/drivers/net/ixgb/ixgb_param.c
35244 --- linux-2.6.39.3/drivers/net/ixgb/ixgb_param.c 2011-05-19 00:06:34.000000000 -0400
35245 +++ linux-2.6.39.3/drivers/net/ixgb/ixgb_param.c 2011-05-22 19:36:31.000000000 -0400
35246 @@ -261,6 +261,9 @@ void __devinit
35247 ixgb_check_options(struct ixgb_adapter *adapter)
35248 {
35249 int bd = adapter->bd_number;
35250 +
35251 + pax_track_stack();
35252 +
35253 if (bd >= IXGB_MAX_NIC) {
35254 pr_notice("Warning: no configuration for board #%i\n", bd);
35255 pr_notice("Using defaults for all values\n");
35256 diff -urNp linux-2.6.39.3/drivers/net/ixgbe/ixgbe_82599.c linux-2.6.39.3/drivers/net/ixgbe/ixgbe_82599.c
35257 --- linux-2.6.39.3/drivers/net/ixgbe/ixgbe_82599.c 2011-05-19 00:06:34.000000000 -0400
35258 +++ linux-2.6.39.3/drivers/net/ixgbe/ixgbe_82599.c 2011-05-22 19:36:31.000000000 -0400
35259 @@ -2099,7 +2099,7 @@ static struct ixgbe_phy_operations phy_o
35260 .check_overtemp = &ixgbe_tn_check_overtemp,
35261 };
35262
35263 -struct ixgbe_info ixgbe_82599_info = {
35264 +const struct ixgbe_info ixgbe_82599_info = {
35265 .mac = ixgbe_mac_82599EB,
35266 .get_invariants = &ixgbe_get_invariants_82599,
35267 .mac_ops = &mac_ops_82599,
35268 diff -urNp linux-2.6.39.3/drivers/net/ixgbe/ixgbe.h linux-2.6.39.3/drivers/net/ixgbe/ixgbe.h
35269 --- linux-2.6.39.3/drivers/net/ixgbe/ixgbe.h 2011-05-19 00:06:34.000000000 -0400
35270 +++ linux-2.6.39.3/drivers/net/ixgbe/ixgbe.h 2011-05-22 19:36:31.000000000 -0400
35271 @@ -493,8 +493,8 @@ enum ixgbe_boards {
35272 };
35273
35274 extern struct ixgbe_info ixgbe_82598_info;
35275 -extern struct ixgbe_info ixgbe_82599_info;
35276 -extern struct ixgbe_info ixgbe_X540_info;
35277 +extern const struct ixgbe_info ixgbe_82599_info;
35278 +extern const struct ixgbe_info ixgbe_X540_info;
35279 #ifdef CONFIG_IXGBE_DCB
35280 extern const struct dcbnl_rtnl_ops dcbnl_ops;
35281 extern int ixgbe_copy_dcb_cfg(struct ixgbe_dcb_config *src_dcb_cfg,
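Review bot: `extern struct ixgbe_info ixgbe_82598_info;` stays non-const in this hunk while the 82599 and X540 declarations next to it become const, and no section touching the 82598 definition is visible in this part of the patch. If that table is written after initialisation, a comment in the style used for e1000e (`/* cannot be const, see <writer> */`) should say so. If it is not, it should be qualified like its neighbours, `extern const struct ixgbe_info ixgbe_82598_info;`, together with its definition, so all three tables end up in read-only data.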
35282 diff -urNp linux-2.6.39.3/drivers/net/ixgbe/ixgbe_x540.c linux-2.6.39.3/drivers/net/ixgbe/ixgbe_x540.c
35283 --- linux-2.6.39.3/drivers/net/ixgbe/ixgbe_x540.c 2011-05-19 00:06:34.000000000 -0400
35284 +++ linux-2.6.39.3/drivers/net/ixgbe/ixgbe_x540.c 2011-05-22 19:36:31.000000000 -0400
35285 @@ -727,7 +727,7 @@ static struct ixgbe_phy_operations phy_o
35286 .check_overtemp = &ixgbe_tn_check_overtemp,
35287 };
35288
35289 -struct ixgbe_info ixgbe_X540_info = {
35290 +const struct ixgbe_info ixgbe_X540_info = {
35291 .mac = ixgbe_mac_X540,
35292 .get_invariants = &ixgbe_get_invariants_X540,
35293 .mac_ops = &mac_ops_X540,
35294 diff -urNp linux-2.6.39.3/drivers/net/ixgbevf/ethtool.c linux-2.6.39.3/drivers/net/ixgbevf/ethtool.c
35295 --- linux-2.6.39.3/drivers/net/ixgbevf/ethtool.c 2011-05-19 00:06:34.000000000 -0400
35296 +++ linux-2.6.39.3/drivers/net/ixgbevf/ethtool.c 2011-05-22 19:36:31.000000000 -0400
35297 @@ -709,7 +709,7 @@ static int ixgbevf_nway_reset(struct net
35298 return 0;
35299 }
35300
35301 -static struct ethtool_ops ixgbevf_ethtool_ops = {
35302 +static const struct ethtool_ops ixgbevf_ethtool_ops = {
35303 .get_settings = ixgbevf_get_settings,
35304 .get_drvinfo = ixgbevf_get_drvinfo,
35305 .get_regs_len = ixgbevf_get_regs_len,
35306 diff -urNp linux-2.6.39.3/drivers/net/ixgbevf/ixgbevf.h linux-2.6.39.3/drivers/net/ixgbevf/ixgbevf.h
35307 --- linux-2.6.39.3/drivers/net/ixgbevf/ixgbevf.h 2011-05-19 00:06:34.000000000 -0400
35308 +++ linux-2.6.39.3/drivers/net/ixgbevf/ixgbevf.h 2011-05-22 19:36:31.000000000 -0400
35309 @@ -279,7 +279,7 @@ enum ixgbevf_boards {
35310
35311 extern struct ixgbevf_info ixgbevf_82599_vf_info;
35312 extern struct ixgbevf_info ixgbevf_X540_vf_info;
35313 -extern struct ixgbe_mac_operations ixgbevf_mbx_ops;
35314 +extern const struct ixgbe_mac_operations ixgbevf_mbx_ops;
35315
35316 /* needed by ethtool.c */
35317 extern char ixgbevf_driver_name[];
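Review bot: The context lines `extern struct ixgbevf_info ixgbevf_82599_vf_info;` and `extern struct ixgbevf_info ixgbevf_X540_vf_info;` are left unqualified here, while the vf.c section of this patch changes both definitions to `const struct ixgbevf_info`. A declaration and a definition that disagree on `const` are incompatible, and code that writes through the non-const declaration would compile and then likely fault on read-only data. Both lines should become `extern const struct ixgbevf_info ixgbevf_82599_vf_info;` and `extern const struct ixgbevf_info ixgbevf_X540_vf_info;`. The definition of `ixgbevf_mbx_ops`, whose extern this hunk does qualify, is not in the visible sections, so it is worth checking that it was made const as well.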
35318 diff -urNp linux-2.6.39.3/drivers/net/ixgbevf/vf.c linux-2.6.39.3/drivers/net/ixgbevf/vf.c
35319 --- linux-2.6.39.3/drivers/net/ixgbevf/vf.c 2011-05-19 00:06:34.000000000 -0400
35320 +++ linux-2.6.39.3/drivers/net/ixgbevf/vf.c 2011-05-22 19:36:31.000000000 -0400
35321 @@ -368,7 +368,7 @@ static s32 ixgbevf_check_mac_link_vf(str
35322 return 0;
35323 }
35324
35325 -static struct ixgbe_mac_operations ixgbevf_mac_ops = {
35326 +static const struct ixgbe_mac_operations ixgbevf_mac_ops = {
35327 .init_hw = ixgbevf_init_hw_vf,
35328 .reset_hw = ixgbevf_reset_hw_vf,
35329 .start_hw = ixgbevf_start_hw_vf,
35330 @@ -381,12 +381,12 @@ static struct ixgbe_mac_operations ixgbe
35331 .set_vfta = ixgbevf_set_vfta_vf,
35332 };
35333
35334 -struct ixgbevf_info ixgbevf_82599_vf_info = {
35335 +const struct ixgbevf_info ixgbevf_82599_vf_info = {
35336 .mac = ixgbe_mac_82599_vf,
35337 .mac_ops = &ixgbevf_mac_ops,
35338 };
35339
35340 -struct ixgbevf_info ixgbevf_X540_vf_info = {
35341 +const struct ixgbevf_info ixgbevf_X540_vf_info = {
35342 .mac = ixgbe_mac_X540_vf,
35343 .mac_ops = &ixgbevf_mac_ops,
35344 };
35345 diff -urNp linux-2.6.39.3/drivers/net/ixgbevf/vf.h linux-2.6.39.3/drivers/net/ixgbevf/vf.h
35346 --- linux-2.6.39.3/drivers/net/ixgbevf/vf.h 2011-05-19 00:06:34.000000000 -0400
35347 +++ linux-2.6.39.3/drivers/net/ixgbevf/vf.h 2011-05-22 19:36:31.000000000 -0400
35348 @@ -166,7 +166,7 @@ struct ixgbevf_hw_stats {
35349
35350 struct ixgbevf_info {
35351 enum ixgbe_mac_type mac;
35352 - struct ixgbe_mac_operations *mac_ops;
35353 + const struct ixgbe_mac_operations *mac_ops;
35354 };
35355
35356 #endif /* __IXGBE_VF_H__ */
35357 diff -urNp linux-2.6.39.3/drivers/net/ksz884x.c linux-2.6.39.3/drivers/net/ksz884x.c
35358 --- linux-2.6.39.3/drivers/net/ksz884x.c 2011-05-19 00:06:34.000000000 -0400
35359 +++ linux-2.6.39.3/drivers/net/ksz884x.c 2011-05-22 19:36:31.000000000 -0400
35360 @@ -6536,6 +6536,8 @@ static void netdev_get_ethtool_stats(str
35361 int rc;
35362 u64 counter[TOTAL_PORT_COUNTER_NUM];
35363
35364 + pax_track_stack();
35365 +
35366 mutex_lock(&hw_priv->lock);
35367 n = SWITCH_PORT_NUM;
35368 for (i = 0, p = port->first_port; i < port->mib_port_cnt; i++, p++) {
35369 @@ -6637,7 +6639,7 @@ static int netdev_set_rx_csum(struct net
35370 return 0;
35371 }
35372
35373 -static struct ethtool_ops netdev_ethtool_ops = {
35374 +static const struct ethtool_ops netdev_ethtool_ops = {
35375 .get_settings = netdev_get_settings,
35376 .set_settings = netdev_set_settings,
35377 .nway_reset = netdev_nway_reset,
35378 diff -urNp linux-2.6.39.3/drivers/net/mlx4/main.c linux-2.6.39.3/drivers/net/mlx4/main.c
35379 --- linux-2.6.39.3/drivers/net/mlx4/main.c 2011-05-19 00:06:34.000000000 -0400
35380 +++ linux-2.6.39.3/drivers/net/mlx4/main.c 2011-05-22 19:36:31.000000000 -0400
35381 @@ -40,6 +40,7 @@
35382 #include <linux/dma-mapping.h>
35383 #include <linux/slab.h>
35384 #include <linux/io-mapping.h>
35385 +#include <linux/sched.h>
35386
35387 #include <linux/mlx4/device.h>
35388 #include <linux/mlx4/doorbell.h>
35389 @@ -764,6 +765,8 @@ static int mlx4_init_hca(struct mlx4_dev
35390 u64 icm_size;
35391 int err;
35392
35393 + pax_track_stack();
35394 +
35395 err = mlx4_QUERY_FW(dev);
35396 if (err) {
35397 if (err == -EACCES)
35398 diff -urNp linux-2.6.39.3/drivers/net/netconsole.c linux-2.6.39.3/drivers/net/netconsole.c
35399 --- linux-2.6.39.3/drivers/net/netconsole.c 2011-05-19 00:06:34.000000000 -0400
35400 +++ linux-2.6.39.3/drivers/net/netconsole.c 2011-05-22 19:36:31.000000000 -0400
35401 @@ -634,7 +634,7 @@ static void drop_netconsole_target(struc
35402 config_item_put(&nt->item);
35403 }
35404
35405 -static struct configfs_group_operations netconsole_subsys_group_ops = {
35406 +static const struct configfs_group_operations netconsole_subsys_group_ops = {
35407 .make_item = make_netconsole_target,
35408 .drop_item = drop_netconsole_target,
35409 };
35410 diff -urNp linux-2.6.39.3/drivers/net/niu.c linux-2.6.39.3/drivers/net/niu.c
35411 --- linux-2.6.39.3/drivers/net/niu.c 2011-05-19 00:06:34.000000000 -0400
35412 +++ linux-2.6.39.3/drivers/net/niu.c 2011-05-22 19:36:31.000000000 -0400
35413 @@ -9067,6 +9067,8 @@ static void __devinit niu_try_msix(struc
35414 int i, num_irqs, err;
35415 u8 first_ldg;
35416
35417 + pax_track_stack();
35418 +
35419 first_ldg = (NIU_NUM_LDG / parent->num_ports) * np->port;
35420 for (i = 0; i < (NIU_NUM_LDG / parent->num_ports); i++)
35421 ldg_num_map[i] = first_ldg + i;
35422 diff -urNp linux-2.6.39.3/drivers/net/pcnet32.c linux-2.6.39.3/drivers/net/pcnet32.c
35423 --- linux-2.6.39.3/drivers/net/pcnet32.c 2011-05-19 00:06:34.000000000 -0400
35424 +++ linux-2.6.39.3/drivers/net/pcnet32.c 2011-05-22 19:36:31.000000000 -0400
35425 @@ -82,7 +82,7 @@ static int cards_found;
35426 /*
35427 * VLB I/O addresses
35428 */
35429 -static unsigned int pcnet32_portlist[] __initdata =
35430 +static unsigned int pcnet32_portlist[] __devinitdata =
35431 { 0x300, 0x320, 0x340, 0x360, 0 };
35432
35433 static int pcnet32_debug;
35434 @@ -379,7 +379,7 @@ static int pcnet32_wio_check(unsigned lo
35435 return inw(addr + PCNET32_WIO_RAP) == 88;
35436 }
35437
35438 -static struct pcnet32_access pcnet32_wio = {
35439 +static const struct pcnet32_access pcnet32_wio = {
35440 .read_csr = pcnet32_wio_read_csr,
35441 .write_csr = pcnet32_wio_write_csr,
35442 .read_bcr = pcnet32_wio_read_bcr,
35443 @@ -434,7 +434,7 @@ static int pcnet32_dwio_check(unsigned l
35444 return (inl(addr + PCNET32_DWIO_RAP) & 0xffff) == 88;
35445 }
35446
35447 -static struct pcnet32_access pcnet32_dwio = {
35448 +static const struct pcnet32_access pcnet32_dwio = {
35449 .read_csr = pcnet32_dwio_read_csr,
35450 .write_csr = pcnet32_dwio_write_csr,
35451 .read_bcr = pcnet32_dwio_read_bcr,
35452 @@ -1546,7 +1546,7 @@ pcnet32_probe1(unsigned long ioaddr, int
35453 int chip_version;
35454 char *chipname;
35455 struct net_device *dev;
35456 - struct pcnet32_access *a = NULL;
35457 + const struct pcnet32_access *a = NULL;
35458 u8 promaddr[6];
35459 int ret = -ENODEV;
35460
35461 diff -urNp linux-2.6.39.3/drivers/net/ppp_generic.c linux-2.6.39.3/drivers/net/ppp_generic.c
35462 --- linux-2.6.39.3/drivers/net/ppp_generic.c 2011-05-19 00:06:34.000000000 -0400
35463 +++ linux-2.6.39.3/drivers/net/ppp_generic.c 2011-05-22 19:36:31.000000000 -0400
35464 @@ -987,7 +987,6 @@ ppp_net_ioctl(struct net_device *dev, st
35465 void __user *addr = (void __user *) ifr->ifr_ifru.ifru_data;
35466 struct ppp_stats stats;
35467 struct ppp_comp_stats cstats;
35468 - char *vers;
35469
35470 switch (cmd) {
35471 case SIOCGPPPSTATS:
35472 @@ -1009,8 +1008,7 @@ ppp_net_ioctl(struct net_device *dev, st
35473 break;
35474
35475 case SIOCGPPPVER:
35476 - vers = PPP_VERSION;
35477 - if (copy_to_user(addr, vers, strlen(vers) + 1))
35478 + if (copy_to_user(addr, PPP_VERSION, sizeof(PPP_VERSION)))
35479 break;
35480 err = 0;
35481 break;
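Review bot: `sizeof(PPP_VERSION)` equals the string length plus the terminator only while PPP_VERSION expands to a string literal, and the macro's definition is not visible in this hunk. If it were ever turned into a `const char *`, the copy would silently shrink to the size of a pointer and the user buffer would receive a truncated, possibly unterminated version string. A comment on the new line, `/* PPP_VERSION must stay a string literal: sizeof counts the NUL */`, would record that dependency. ppp_net_ioctl starts and ends outside the hunk.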
35482 diff -urNp linux-2.6.39.3/drivers/net/qlcnic/qlcnic.h linux-2.6.39.3/drivers/net/qlcnic/qlcnic.h
35483 --- linux-2.6.39.3/drivers/net/qlcnic/qlcnic.h 2011-05-19 00:06:34.000000000 -0400
35484 +++ linux-2.6.39.3/drivers/net/qlcnic/qlcnic.h 2011-05-22 19:36:31.000000000 -0400
35485 @@ -1037,7 +1037,7 @@ struct qlcnic_adapter {
35486 struct vlan_group *vlgrp;
35487 struct qlcnic_npar_info *npars;
35488 struct qlcnic_eswitch *eswitch;
35489 - struct qlcnic_nic_template *nic_ops;
35490 + const struct qlcnic_nic_template *nic_ops;
35491
35492 struct qlcnic_adapter_stats stats;
35493
35494 diff -urNp linux-2.6.39.3/drivers/net/qlcnic/qlcnic_main.c linux-2.6.39.3/drivers/net/qlcnic/qlcnic_main.c
35495 --- linux-2.6.39.3/drivers/net/qlcnic/qlcnic_main.c 2011-05-19 00:06:34.000000000 -0400
35496 +++ linux-2.6.39.3/drivers/net/qlcnic/qlcnic_main.c 2011-05-22 19:36:31.000000000 -0400
35497 @@ -340,13 +340,13 @@ static const struct net_device_ops qlcni
35498 #endif
35499 };
35500
35501 -static struct qlcnic_nic_template qlcnic_ops = {
35502 +static const struct qlcnic_nic_template qlcnic_ops = {
35503 .config_bridged_mode = qlcnic_config_bridged_mode,
35504 .config_led = qlcnic_config_led,
35505 .start_firmware = qlcnic_start_firmware
35506 };
35507
35508 -static struct qlcnic_nic_template qlcnic_vf_ops = {
35509 +static const struct qlcnic_nic_template qlcnic_vf_ops = {
35510 .config_bridged_mode = qlcnicvf_config_bridged_mode,
35511 .config_led = qlcnicvf_config_led,
35512 .start_firmware = qlcnicvf_start_firmware
35513 diff -urNp linux-2.6.39.3/drivers/net/qlge/qlge.h linux-2.6.39.3/drivers/net/qlge/qlge.h
35514 --- linux-2.6.39.3/drivers/net/qlge/qlge.h 2011-05-19 00:06:34.000000000 -0400
35515 +++ linux-2.6.39.3/drivers/net/qlge/qlge.h 2011-05-22 19:36:31.000000000 -0400
35516 @@ -2134,7 +2134,7 @@ struct ql_adapter {
35517 struct delayed_work mpi_idc_work;
35518 struct delayed_work mpi_core_to_log;
35519 struct completion ide_completion;
35520 - struct nic_operations *nic_ops;
35521 + const struct nic_operations *nic_ops;
35522 u16 device_id;
35523 struct timer_list timer;
35524 atomic_t lb_count;
35525 diff -urNp linux-2.6.39.3/drivers/net/qlge/qlge_main.c linux-2.6.39.3/drivers/net/qlge/qlge_main.c
35526 --- linux-2.6.39.3/drivers/net/qlge/qlge_main.c 2011-05-19 00:06:34.000000000 -0400
35527 +++ linux-2.6.39.3/drivers/net/qlge/qlge_main.c 2011-05-22 19:36:31.000000000 -0400
35528 @@ -4412,12 +4412,12 @@ error:
35529 rtnl_unlock();
35530 }
35531
35532 -static struct nic_operations qla8012_nic_ops = {
35533 +static const struct nic_operations qla8012_nic_ops = {
35534 .get_flash = ql_get_8012_flash_params,
35535 .port_initialize = ql_8012_port_initialize,
35536 };
35537
35538 -static struct nic_operations qla8000_nic_ops = {
35539 +static const struct nic_operations qla8000_nic_ops = {
35540 .get_flash = ql_get_8000_flash_params,
35541 .port_initialize = ql_8000_port_initialize,
35542 };
35543 diff -urNp linux-2.6.39.3/drivers/net/sfc/falcon.c linux-2.6.39.3/drivers/net/sfc/falcon.c
35544 --- linux-2.6.39.3/drivers/net/sfc/falcon.c 2011-05-19 00:06:34.000000000 -0400
35545 +++ linux-2.6.39.3/drivers/net/sfc/falcon.c 2011-05-22 19:36:31.000000000 -0400
35546 @@ -1703,7 +1703,7 @@ static int falcon_set_wol(struct efx_nic
35547 **************************************************************************
35548 */
35549
35550 -struct efx_nic_type falcon_a1_nic_type = {
35551 +const struct efx_nic_type falcon_a1_nic_type = {
35552 .probe = falcon_probe_nic,
35553 .remove = falcon_remove_nic,
35554 .init = falcon_init_nic,
35555 @@ -1744,7 +1744,7 @@ struct efx_nic_type falcon_a1_nic_type =
35556 .reset_world_flags = ETH_RESET_IRQ,
35557 };
35558
35559 -struct efx_nic_type falcon_b0_nic_type = {
35560 +const struct efx_nic_type falcon_b0_nic_type = {
35561 .probe = falcon_probe_nic,
35562 .remove = falcon_remove_nic,
35563 .init = falcon_init_nic,
35564 diff -urNp linux-2.6.39.3/drivers/net/sfc/mtd.c linux-2.6.39.3/drivers/net/sfc/mtd.c
35565 --- linux-2.6.39.3/drivers/net/sfc/mtd.c 2011-05-19 00:06:34.000000000 -0400
35566 +++ linux-2.6.39.3/drivers/net/sfc/mtd.c 2011-05-22 19:36:31.000000000 -0400
35567 @@ -382,7 +382,7 @@ static int falcon_mtd_sync(struct mtd_in
35568 return rc;
35569 }
35570
35571 -static struct efx_mtd_ops falcon_mtd_ops = {
35572 +static const struct efx_mtd_ops falcon_mtd_ops = {
35573 .read = falcon_mtd_read,
35574 .erase = falcon_mtd_erase,
35575 .write = falcon_mtd_write,
35576 @@ -560,7 +560,7 @@ static int siena_mtd_sync(struct mtd_inf
35577 return rc;
35578 }
35579
35580 -static struct efx_mtd_ops siena_mtd_ops = {
35581 +static const struct efx_mtd_ops siena_mtd_ops = {
35582 .read = siena_mtd_read,
35583 .erase = siena_mtd_erase,
35584 .write = siena_mtd_write,
35585 diff -urNp linux-2.6.39.3/drivers/net/sfc/nic.h linux-2.6.39.3/drivers/net/sfc/nic.h
35586 --- linux-2.6.39.3/drivers/net/sfc/nic.h 2011-05-19 00:06:34.000000000 -0400
35587 +++ linux-2.6.39.3/drivers/net/sfc/nic.h 2011-05-22 19:36:31.000000000 -0400
35588 @@ -152,9 +152,9 @@ struct siena_nic_data {
35589 int wol_filter_id;
35590 };
35591
35592 -extern struct efx_nic_type falcon_a1_nic_type;
35593 -extern struct efx_nic_type falcon_b0_nic_type;
35594 -extern struct efx_nic_type siena_a0_nic_type;
35595 +extern const struct efx_nic_type falcon_a1_nic_type;
35596 +extern const struct efx_nic_type falcon_b0_nic_type;
35597 +extern const struct efx_nic_type siena_a0_nic_type;
35598
35599 /**************************************************************************
35600 *
35601 diff -urNp linux-2.6.39.3/drivers/net/sfc/siena.c linux-2.6.39.3/drivers/net/sfc/siena.c
35602 --- linux-2.6.39.3/drivers/net/sfc/siena.c 2011-05-19 00:06:34.000000000 -0400
35603 +++ linux-2.6.39.3/drivers/net/sfc/siena.c 2011-05-22 19:36:31.000000000 -0400
35604 @@ -599,7 +599,7 @@ static void siena_init_wol(struct efx_ni
35605 **************************************************************************
35606 */
35607
35608 -struct efx_nic_type siena_a0_nic_type = {
35609 +const struct efx_nic_type siena_a0_nic_type = {
35610 .probe = siena_probe_nic,
35611 .remove = siena_remove_nic,
35612 .init = siena_init_nic,
35613 diff -urNp linux-2.6.39.3/drivers/net/sh_eth.c linux-2.6.39.3/drivers/net/sh_eth.c
35614 --- linux-2.6.39.3/drivers/net/sh_eth.c 2011-05-19 00:06:34.000000000 -0400
35615 +++ linux-2.6.39.3/drivers/net/sh_eth.c 2011-05-22 19:36:31.000000000 -0400
35616 @@ -1360,7 +1360,7 @@ static void sh_eth_get_strings(struct ne
35617 }
35618 }
35619
35620 -static struct ethtool_ops sh_eth_ethtool_ops = {
35621 +static const struct ethtool_ops sh_eth_ethtool_ops = {
35622 .get_settings = sh_eth_get_settings,
35623 .set_settings = sh_eth_set_settings,
35624 .nway_reset = sh_eth_nway_reset,
35625 diff -urNp linux-2.6.39.3/drivers/net/stmmac/stmmac_ethtool.c linux-2.6.39.3/drivers/net/stmmac/stmmac_ethtool.c
35626 --- linux-2.6.39.3/drivers/net/stmmac/stmmac_ethtool.c 2011-05-19 00:06:34.000000000 -0400
35627 +++ linux-2.6.39.3/drivers/net/stmmac/stmmac_ethtool.c 2011-05-22 19:36:31.000000000 -0400
35628 @@ -348,7 +348,7 @@ static int stmmac_set_wol(struct net_dev
35629 return 0;
35630 }
35631
35632 -static struct ethtool_ops stmmac_ethtool_ops = {
35633 +static const struct ethtool_ops stmmac_ethtool_ops = {
35634 .begin = stmmac_check_if_running,
35635 .get_drvinfo = stmmac_ethtool_getdrvinfo,
35636 .get_settings = stmmac_ethtool_getsettings,
35637 diff -urNp linux-2.6.39.3/drivers/net/sungem_phy.c linux-2.6.39.3/drivers/net/sungem_phy.c
35638 --- linux-2.6.39.3/drivers/net/sungem_phy.c 2011-05-19 00:06:34.000000000 -0400
35639 +++ linux-2.6.39.3/drivers/net/sungem_phy.c 2011-05-22 19:36:31.000000000 -0400
35640 @@ -886,7 +886,7 @@ static int marvell_read_link(struct mii_
35641 SUPPORTED_1000baseT_Half | SUPPORTED_1000baseT_Full)
35642
35643 /* Broadcom BCM 5201 */
35644 -static struct mii_phy_ops bcm5201_phy_ops = {
35645 +static const struct mii_phy_ops bcm5201_phy_ops = {
35646 .init = bcm5201_init,
35647 .suspend = bcm5201_suspend,
35648 .setup_aneg = genmii_setup_aneg,
35649 @@ -905,7 +905,7 @@ static struct mii_phy_def bcm5201_phy_de
35650 };
35651
35652 /* Broadcom BCM 5221 */
35653 -static struct mii_phy_ops bcm5221_phy_ops = {
35654 +static const struct mii_phy_ops bcm5221_phy_ops = {
35655 .suspend = bcm5221_suspend,
35656 .init = bcm5221_init,
35657 .setup_aneg = genmii_setup_aneg,
35658 @@ -924,7 +924,7 @@ static struct mii_phy_def bcm5221_phy_de
35659 };
35660
35661 /* Broadcom BCM 5241 */
35662 -static struct mii_phy_ops bcm5241_phy_ops = {
35663 +static const struct mii_phy_ops bcm5241_phy_ops = {
35664 .suspend = bcm5241_suspend,
35665 .init = bcm5241_init,
35666 .setup_aneg = genmii_setup_aneg,
35667 @@ -942,7 +942,7 @@ static struct mii_phy_def bcm5241_phy_de
35668 };
35669
35670 /* Broadcom BCM 5400 */
35671 -static struct mii_phy_ops bcm5400_phy_ops = {
35672 +static const struct mii_phy_ops bcm5400_phy_ops = {
35673 .init = bcm5400_init,
35674 .suspend = bcm5400_suspend,
35675 .setup_aneg = bcm54xx_setup_aneg,
35676 @@ -961,7 +961,7 @@ static struct mii_phy_def bcm5400_phy_de
35677 };
35678
35679 /* Broadcom BCM 5401 */
35680 -static struct mii_phy_ops bcm5401_phy_ops = {
35681 +static const struct mii_phy_ops bcm5401_phy_ops = {
35682 .init = bcm5401_init,
35683 .suspend = bcm5401_suspend,
35684 .setup_aneg = bcm54xx_setup_aneg,
35685 @@ -980,7 +980,7 @@ static struct mii_phy_def bcm5401_phy_de
35686 };
35687
35688 /* Broadcom BCM 5411 */
35689 -static struct mii_phy_ops bcm5411_phy_ops = {
35690 +static const struct mii_phy_ops bcm5411_phy_ops = {
35691 .init = bcm5411_init,
35692 .suspend = generic_suspend,
35693 .setup_aneg = bcm54xx_setup_aneg,
35694 @@ -999,7 +999,7 @@ static struct mii_phy_def bcm5411_phy_de
35695 };
35696
35697 /* Broadcom BCM 5421 */
35698 -static struct mii_phy_ops bcm5421_phy_ops = {
35699 +static const struct mii_phy_ops bcm5421_phy_ops = {
35700 .init = bcm5421_init,
35701 .suspend = generic_suspend,
35702 .setup_aneg = bcm54xx_setup_aneg,
35703 @@ -1019,7 +1019,7 @@ static struct mii_phy_def bcm5421_phy_de
35704 };
35705
35706 /* Broadcom BCM 5421 built-in K2 */
35707 -static struct mii_phy_ops bcm5421k2_phy_ops = {
35708 +static const struct mii_phy_ops bcm5421k2_phy_ops = {
35709 .init = bcm5421_init,
35710 .suspend = generic_suspend,
35711 .setup_aneg = bcm54xx_setup_aneg,
35712 @@ -1037,7 +1037,7 @@ static struct mii_phy_def bcm5421k2_phy_
35713 .ops = &bcm5421k2_phy_ops
35714 };
35715
35716 -static struct mii_phy_ops bcm5461_phy_ops = {
35717 +static const struct mii_phy_ops bcm5461_phy_ops = {
35718 .init = bcm5421_init,
35719 .suspend = generic_suspend,
35720 .setup_aneg = bcm54xx_setup_aneg,
35721 @@ -1057,7 +1057,7 @@ static struct mii_phy_def bcm5461_phy_de
35722 };
35723
35724 /* Broadcom BCM 5462 built-in Vesta */
35725 -static struct mii_phy_ops bcm5462V_phy_ops = {
35726 +static const struct mii_phy_ops bcm5462V_phy_ops = {
35727 .init = bcm5421_init,
35728 .suspend = generic_suspend,
35729 .setup_aneg = bcm54xx_setup_aneg,
35730 @@ -1076,7 +1076,7 @@ static struct mii_phy_def bcm5462V_phy_d
35731 };
35732
35733 /* Marvell 88E1101 amd 88E1111 */
35734 -static struct mii_phy_ops marvell88e1101_phy_ops = {
35735 +static const struct mii_phy_ops marvell88e1101_phy_ops = {
35736 .suspend = generic_suspend,
35737 .setup_aneg = marvell_setup_aneg,
35738 .setup_forced = marvell_setup_forced,
35739 @@ -1084,7 +1084,7 @@ static struct mii_phy_ops marvell88e1101
35740 .read_link = marvell_read_link
35741 };
35742
35743 -static struct mii_phy_ops marvell88e1111_phy_ops = {
35744 +static const struct mii_phy_ops marvell88e1111_phy_ops = {
35745 .init = marvell88e1111_init,
35746 .suspend = generic_suspend,
35747 .setup_aneg = marvell_setup_aneg,
35748 @@ -1122,7 +1122,7 @@ static struct mii_phy_def marvell88e1111
35749 };
35750
35751 /* Generic implementation for most 10/100 PHYs */
35752 -static struct mii_phy_ops generic_phy_ops = {
35753 +static const struct mii_phy_ops generic_phy_ops = {
35754 .setup_aneg = genmii_setup_aneg,
35755 .setup_forced = genmii_setup_forced,
35756 .poll_link = genmii_poll_link,
35757 diff -urNp linux-2.6.39.3/drivers/net/tg3.h linux-2.6.39.3/drivers/net/tg3.h
35758 --- linux-2.6.39.3/drivers/net/tg3.h 2011-05-19 00:06:34.000000000 -0400
35759 +++ linux-2.6.39.3/drivers/net/tg3.h 2011-05-22 19:36:31.000000000 -0400
35760 @@ -131,6 +131,7 @@
35761 #define CHIPREV_ID_5750_A0 0x4000
35762 #define CHIPREV_ID_5750_A1 0x4001
35763 #define CHIPREV_ID_5750_A3 0x4003
35764 +#define CHIPREV_ID_5750_C1 0x4201
35765 #define CHIPREV_ID_5750_C2 0x4202
35766 #define CHIPREV_ID_5752_A0_HW 0x5000
35767 #define CHIPREV_ID_5752_A0 0x6000
35768 diff -urNp linux-2.6.39.3/drivers/net/tile/tilepro.c linux-2.6.39.3/drivers/net/tile/tilepro.c
35769 --- linux-2.6.39.3/drivers/net/tile/tilepro.c 2011-05-19 00:06:34.000000000 -0400
35770 +++ linux-2.6.39.3/drivers/net/tile/tilepro.c 2011-05-22 19:36:31.000000000 -0400
35771 @@ -2263,7 +2263,7 @@ static int tile_net_get_mac(struct net_d
35772 }
35773
35774
35775 -static struct net_device_ops tile_net_ops = {
35776 +static const struct net_device_ops tile_net_ops = {
35777 .ndo_open = tile_net_open,
35778 .ndo_stop = tile_net_stop,
35779 .ndo_start_xmit = tile_net_tx,
35780 diff -urNp linux-2.6.39.3/drivers/net/tulip/de2104x.c linux-2.6.39.3/drivers/net/tulip/de2104x.c
35781 --- linux-2.6.39.3/drivers/net/tulip/de2104x.c 2011-05-19 00:06:34.000000000 -0400
35782 +++ linux-2.6.39.3/drivers/net/tulip/de2104x.c 2011-05-22 19:36:31.000000000 -0400
35783 @@ -1817,6 +1817,8 @@ static void __devinit de21041_get_srom_i
35784 struct de_srom_info_leaf *il;
35785 void *bufp;
35786
35787 + pax_track_stack();
35788 +
35789 /* download entire eeprom */
35790 for (i = 0; i < DE_EEPROM_WORDS; i++)
35791 ((__le16 *)ee_data)[i] =
35792 diff -urNp linux-2.6.39.3/drivers/net/tulip/de4x5.c linux-2.6.39.3/drivers/net/tulip/de4x5.c
35793 --- linux-2.6.39.3/drivers/net/tulip/de4x5.c 2011-05-19 00:06:34.000000000 -0400
35794 +++ linux-2.6.39.3/drivers/net/tulip/de4x5.c 2011-05-22 19:36:31.000000000 -0400
35795 @@ -5401,7 +5401,7 @@ de4x5_ioctl(struct net_device *dev, stru
35796 for (i=0; i<ETH_ALEN; i++) {
35797 tmp.addr[i] = dev->dev_addr[i];
35798 }
35799 - if (copy_to_user(ioc->data, tmp.addr, ioc->len)) return -EFAULT;
35800 + if (ioc->len > sizeof tmp.addr || copy_to_user(ioc->data, tmp.addr, ioc->len)) return -EFAULT;
35801 break;
35802
35803 case DE4X5_SET_HWADDR: /* Set the hardware address */
35804 @@ -5441,7 +5441,7 @@ de4x5_ioctl(struct net_device *dev, stru
35805 spin_lock_irqsave(&lp->lock, flags);
35806 memcpy(&statbuf, &lp->pktStats, ioc->len);
35807 spin_unlock_irqrestore(&lp->lock, flags);
35808 - if (copy_to_user(ioc->data, &statbuf, ioc->len))
35809 + if (ioc->len > sizeof statbuf || copy_to_user(ioc->data, &statbuf, ioc->len))
35810 return -EFAULT;
35811 break;
35812 }
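Review bot: The new `ioc->len > sizeof statbuf` test runs after `memcpy(&statbuf, &lp->pktStats, ioc->len)` two lines above it, so an oversized length would already have been written past the on-stack `statbuf` before the check rejects the request. Unless `ioc->len` is clamped above the hunk's first context line (not visible here), the test belongs ahead of the `spin_lock_irqsave()` call: `if (ioc->len > sizeof statbuf) return -EFAULT;`. The copy_to_user() guard in the earlier DE4X5_GET_HWADDR hunk does not have this ordering problem, because nothing there is copied with `ioc->len` before the check. The enclosing case block starts outside the hunk.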
35813 diff -urNp linux-2.6.39.3/drivers/net/usb/asix.c linux-2.6.39.3/drivers/net/usb/asix.c
35814 --- linux-2.6.39.3/drivers/net/usb/asix.c 2011-05-19 00:06:34.000000000 -0400
35815 +++ linux-2.6.39.3/drivers/net/usb/asix.c 2011-05-22 19:36:31.000000000 -0400
35816 @@ -1098,7 +1098,7 @@ out:
35817 return ret;
35818 }
35819
35820 -static struct ethtool_ops ax88178_ethtool_ops = {
35821 +static const struct ethtool_ops ax88178_ethtool_ops = {
35822 .get_drvinfo = asix_get_drvinfo,
35823 .get_link = asix_get_link,
35824 .get_msglevel = usbnet_get_msglevel,
35825 diff -urNp linux-2.6.39.3/drivers/net/usb/cdc_ncm.c linux-2.6.39.3/drivers/net/usb/cdc_ncm.c
35826 --- linux-2.6.39.3/drivers/net/usb/cdc_ncm.c 2011-06-25 12:55:22.000000000 -0400
35827 +++ linux-2.6.39.3/drivers/net/usb/cdc_ncm.c 2011-06-25 13:00:26.000000000 -0400
35828 @@ -141,7 +141,7 @@ struct cdc_ncm_ctx {
35829 static void cdc_ncm_tx_timeout(unsigned long arg);
35830 static const struct driver_info cdc_ncm_info;
35831 static struct usb_driver cdc_ncm_driver;
35832 -static struct ethtool_ops cdc_ncm_ethtool_ops;
35833 +static const struct ethtool_ops cdc_ncm_ethtool_ops;
35834
35835 static const struct usb_device_id cdc_devs[] = {
35836 { USB_INTERFACE_INFO(USB_CLASS_COMM,
35837 @@ -1258,7 +1258,7 @@ static struct usb_driver cdc_ncm_driver
35838 .supports_autosuspend = 1,
35839 };
35840
35841 -static struct ethtool_ops cdc_ncm_ethtool_ops = {
35842 +static const struct ethtool_ops cdc_ncm_ethtool_ops = {
35843 .get_drvinfo = cdc_ncm_get_drvinfo,
35844 .get_link = usbnet_get_link,
35845 .get_msglevel = usbnet_get_msglevel,
35846 diff -urNp linux-2.6.39.3/drivers/net/usb/hso.c linux-2.6.39.3/drivers/net/usb/hso.c
35847 --- linux-2.6.39.3/drivers/net/usb/hso.c 2011-05-19 00:06:34.000000000 -0400
35848 +++ linux-2.6.39.3/drivers/net/usb/hso.c 2011-05-22 19:36:31.000000000 -0400
35849 @@ -71,7 +71,7 @@
35850 #include <asm/byteorder.h>
35851 #include <linux/serial_core.h>
35852 #include <linux/serial.h>
35853 -
35854 +#include <asm/local.h>
35855
35856 #define MOD_AUTHOR "Option Wireless"
35857 #define MOD_DESCRIPTION "USB High Speed Option driver"
35858 @@ -257,7 +257,7 @@ struct hso_serial {
35859
35860 /* from usb_serial_port */
35861 struct tty_struct *tty;
35862 - int open_count;
35863 + local_t open_count;
35864 spinlock_t serial_lock;
35865
35866 int (*write_data) (struct hso_serial *serial);
35867 @@ -1190,7 +1190,7 @@ static void put_rxbuf_data_and_resubmit_
35868 struct urb *urb;
35869
35870 urb = serial->rx_urb[0];
35871 - if (serial->open_count > 0) {
35872 + if (local_read(&serial->open_count) > 0) {
35873 count = put_rxbuf_data(urb, serial);
35874 if (count == -1)
35875 return;
35876 @@ -1226,7 +1226,7 @@ static void hso_std_serial_read_bulk_cal
35877 DUMP1(urb->transfer_buffer, urb->actual_length);
35878
35879 /* Anyone listening? */
35880 - if (serial->open_count == 0)
35881 + if (local_read(&serial->open_count) == 0)
35882 return;
35883
35884 if (status == 0) {
35885 @@ -1311,8 +1311,7 @@ static int hso_serial_open(struct tty_st
35886 spin_unlock_irq(&serial->serial_lock);
35887
35888 /* check for port already opened, if not set the termios */
35889 - serial->open_count++;
35890 - if (serial->open_count == 1) {
35891 + if (local_inc_return(&serial->open_count) == 1) {
35892 serial->rx_state = RX_IDLE;
35893 /* Force default termio settings */
35894 _hso_serial_set_termios(tty, NULL);
35895 @@ -1324,7 +1323,7 @@ static int hso_serial_open(struct tty_st
35896 result = hso_start_serial_device(serial->parent, GFP_KERNEL);
35897 if (result) {
35898 hso_stop_serial_device(serial->parent);
35899 - serial->open_count--;
35900 + local_dec(&serial->open_count);
35901 kref_put(&serial->parent->ref, hso_serial_ref_free);
35902 }
35903 } else {
35904 @@ -1361,10 +1360,10 @@ static void hso_serial_close(struct tty_
35905
35906 /* reset the rts and dtr */
35907 /* do the actual close */
35908 - serial->open_count--;
35909 + local_dec(&serial->open_count);
35910
35911 - if (serial->open_count <= 0) {
35912 - serial->open_count = 0;
35913 + if (local_read(&serial->open_count) <= 0) {
35914 + local_set(&serial->open_count, 0);
35915 spin_lock_irq(&serial->serial_lock);
35916 if (serial->tty == tty) {
35917 serial->tty->driver_data = NULL;
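Review bot: The close path decrements with `local_dec()` and then tests the result with a separate `local_read()`, while the open hunk above uses the single-step `local_inc_return()`. As far as the hunk shows, both run before `spin_lock_irq(&serial->serial_lock)` is taken. Writing `if (local_dec_return(&serial->open_count) <= 0) {` would keep decrement and test as one operation and mirror the open path. local_t operations are atomic only with respect to the current CPU, so whatever serialises open and close (not visible here) still has to cover these accesses. hso_serial_close continues outside the hunk.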
35918 @@ -1446,7 +1445,7 @@ static void hso_serial_set_termios(struc
35919
35920 /* the actual setup */
35921 spin_lock_irqsave(&serial->serial_lock, flags);
35922 - if (serial->open_count)
35923 + if (local_read(&serial->open_count))
35924 _hso_serial_set_termios(tty, old);
35925 else
35926 tty->termios = old;
35927 @@ -1905,7 +1904,7 @@ static void intr_callback(struct urb *ur
35928 D1("Pending read interrupt on port %d\n", i);
35929 spin_lock(&serial->serial_lock);
35930 if (serial->rx_state == RX_IDLE &&
35931 - serial->open_count > 0) {
35932 + local_read(&serial->open_count) > 0) {
35933 /* Setup and send a ctrl req read on
35934 * port i */
35935 if (!serial->rx_urb_filled[0]) {
35936 @@ -3097,7 +3096,7 @@ static int hso_resume(struct usb_interfa
35937 /* Start all serial ports */
35938 for (i = 0; i < HSO_SERIAL_TTY_MINORS; i++) {
35939 if (serial_table[i] && (serial_table[i]->interface == iface)) {
35940 - if (dev2ser(serial_table[i])->open_count) {
35941 + if (local_read(&dev2ser(serial_table[i])->open_count)) {
35942 result =
35943 hso_start_serial_device(serial_table[i], GFP_NOIO);
35944 hso_kick_transmit(dev2ser(serial_table[i]));
35945 diff -urNp linux-2.6.39.3/drivers/net/usb/ipheth.c linux-2.6.39.3/drivers/net/usb/ipheth.c
35946 --- linux-2.6.39.3/drivers/net/usb/ipheth.c 2011-05-19 00:06:34.000000000 -0400
35947 +++ linux-2.6.39.3/drivers/net/usb/ipheth.c 2011-05-22 19:36:31.000000000 -0400
35948 @@ -421,7 +421,7 @@ static u32 ipheth_ethtool_op_get_link(st
35949 return netif_carrier_ok(dev->net);
35950 }
35951
35952 -static struct ethtool_ops ops = {
35953 +static const struct ethtool_ops ops = {
35954 .get_link = ipheth_ethtool_op_get_link
35955 };
35956
35957 diff -urNp linux-2.6.39.3/drivers/net/usb/sierra_net.c linux-2.6.39.3/drivers/net/usb/sierra_net.c
35958 --- linux-2.6.39.3/drivers/net/usb/sierra_net.c 2011-05-19 00:06:34.000000000 -0400
35959 +++ linux-2.6.39.3/drivers/net/usb/sierra_net.c 2011-05-22 19:36:31.000000000 -0400
35960 @@ -618,7 +618,7 @@ static u32 sierra_net_get_link(struct ne
35961 return sierra_net_get_private(dev)->link_up && netif_running(net);
35962 }
35963
35964 -static struct ethtool_ops sierra_net_ethtool_ops = {
35965 +static const struct ethtool_ops sierra_net_ethtool_ops = {
35966 .get_drvinfo = sierra_net_get_drvinfo,
35967 .get_link = sierra_net_get_link,
35968 .get_msglevel = usbnet_get_msglevel,
35969 diff -urNp linux-2.6.39.3/drivers/net/vmxnet3/vmxnet3_ethtool.c linux-2.6.39.3/drivers/net/vmxnet3/vmxnet3_ethtool.c
35970 --- linux-2.6.39.3/drivers/net/vmxnet3/vmxnet3_ethtool.c 2011-05-19 00:06:34.000000000 -0400
35971 +++ linux-2.6.39.3/drivers/net/vmxnet3/vmxnet3_ethtool.c 2011-05-22 19:36:31.000000000 -0400
35972 @@ -631,8 +631,7 @@ vmxnet3_set_rss_indir(struct net_device
35973 * Return with error code if any of the queue indices
35974 * is out of range
35975 */
35976 - if (p->ring_index[i] < 0 ||
35977 - p->ring_index[i] >= adapter->num_rx_queues)
35978 + if (p->ring_index[i] >= adapter->num_rx_queues)
35979 return -EINVAL;
35980 }
35981
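Review bot: Dropping the `< 0` test is only safe if `p->ring_index[]` has an unsigned element type, which this hunk does not show; with a signed type a negative index would now pass the remaining `>= adapter->num_rx_queues` check. The existing block comment should say so, for example by adding `ring_index[] is unsigned, so only the upper bound needs checking`. If `num_rx_queues` is a signed int the comparison is carried out in unsigned arithmetic, which is what the check wants as long as that field is never negative. The loop and the function start outside the hunk.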
35982 diff -urNp linux-2.6.39.3/drivers/net/vxge/vxge-main.c linux-2.6.39.3/drivers/net/vxge/vxge-main.c
35983 --- linux-2.6.39.3/drivers/net/vxge/vxge-main.c 2011-05-19 00:06:34.000000000 -0400
35984 +++ linux-2.6.39.3/drivers/net/vxge/vxge-main.c 2011-05-22 19:36:31.000000000 -0400
35985 @@ -97,6 +97,8 @@ static inline void VXGE_COMPLETE_VPATH_T
35986 struct sk_buff *completed[NR_SKB_COMPLETED];
35987 int more;
35988
35989 + pax_track_stack();
35990 +
35991 do {
35992 more = 0;
35993 skb_ptr = completed;
35994 @@ -1927,6 +1929,8 @@ static enum vxge_hw_status vxge_rth_conf
35995 u8 mtable[256] = {0}; /* CPU to vpath mapping */
35996 int index;
35997
35998 + pax_track_stack();
35999 +
36000 /*
36001 * Filling
36002 * - itable with bucket numbers
36003 diff -urNp linux-2.6.39.3/drivers/net/wan/cycx_x25.c linux-2.6.39.3/drivers/net/wan/cycx_x25.c
36004 --- linux-2.6.39.3/drivers/net/wan/cycx_x25.c 2011-05-19 00:06:34.000000000 -0400
36005 +++ linux-2.6.39.3/drivers/net/wan/cycx_x25.c 2011-05-22 19:36:31.000000000 -0400
36006 @@ -1018,6 +1018,8 @@ static void hex_dump(char *msg, unsigned
36007 unsigned char hex[1024],
36008 * phex = hex;
36009
36010 + pax_track_stack();
36011 +
36012 if (len >= (sizeof(hex) / 2))
36013 len = (sizeof(hex) / 2) - 1;
36014
36015 diff -urNp linux-2.6.39.3/drivers/net/wan/lapbether.c linux-2.6.39.3/drivers/net/wan/lapbether.c
36016 --- linux-2.6.39.3/drivers/net/wan/lapbether.c 2011-05-19 00:06:34.000000000 -0400
36017 +++ linux-2.6.39.3/drivers/net/wan/lapbether.c 2011-05-22 19:36:31.000000000 -0400
36018 @@ -259,7 +259,7 @@ static int lapbeth_set_mac_address(struc
36019 }
36020
36021
36022 -static struct lapb_register_struct lapbeth_callbacks = {
36023 +static const struct lapb_register_struct lapbeth_callbacks = {
36024 .connect_confirmation = lapbeth_connected,
36025 .connect_indication = lapbeth_connected,
36026 .disconnect_confirmation = lapbeth_disconnected,
36027 diff -urNp linux-2.6.39.3/drivers/net/wan/x25_asy.c linux-2.6.39.3/drivers/net/wan/x25_asy.c
36028 --- linux-2.6.39.3/drivers/net/wan/x25_asy.c 2011-05-19 00:06:34.000000000 -0400
36029 +++ linux-2.6.39.3/drivers/net/wan/x25_asy.c 2011-05-22 19:36:31.000000000 -0400
36030 @@ -434,7 +434,7 @@ static void x25_asy_disconnected(struct
36031 netif_rx(skb);
36032 }
36033
36034 -static struct lapb_register_struct x25_asy_callbacks = {
36035 +static const struct lapb_register_struct x25_asy_callbacks = {
36036 .connect_confirmation = x25_asy_connected,
36037 .connect_indication = x25_asy_connected,
36038 .disconnect_confirmation = x25_asy_disconnected,
36039 diff -urNp linux-2.6.39.3/drivers/net/wimax/i2400m/usb-fw.c linux-2.6.39.3/drivers/net/wimax/i2400m/usb-fw.c
36040 --- linux-2.6.39.3/drivers/net/wimax/i2400m/usb-fw.c 2011-05-19 00:06:34.000000000 -0400
36041 +++ linux-2.6.39.3/drivers/net/wimax/i2400m/usb-fw.c 2011-05-22 19:36:31.000000000 -0400
36042 @@ -287,6 +287,8 @@ ssize_t i2400mu_bus_bm_wait_for_ack(stru
36043 int do_autopm = 1;
36044 DECLARE_COMPLETION_ONSTACK(notif_completion);
36045
36046 + pax_track_stack();
36047 +
36048 d_fnstart(8, dev, "(i2400m %p ack %p size %zu)\n",
36049 i2400m, ack, ack_size);
36050 BUG_ON(_ack == i2400m->bm_ack_buf);
36051 diff -urNp linux-2.6.39.3/drivers/net/wireless/airo.c linux-2.6.39.3/drivers/net/wireless/airo.c
36052 --- linux-2.6.39.3/drivers/net/wireless/airo.c 2011-05-19 00:06:34.000000000 -0400
36053 +++ linux-2.6.39.3/drivers/net/wireless/airo.c 2011-05-22 19:36:31.000000000 -0400
36054 @@ -3001,6 +3001,8 @@ static void airo_process_scan_results (s
36055 BSSListElement * loop_net;
36056 BSSListElement * tmp_net;
36057
36058 + pax_track_stack();
36059 +
36060 /* Blow away current list of scan results */
36061 list_for_each_entry_safe (loop_net, tmp_net, &ai->network_list, list) {
36062 list_move_tail (&loop_net->list, &ai->network_free_list);
36063 @@ -3792,6 +3794,8 @@ static u16 setup_card(struct airo_info *
36064 WepKeyRid wkr;
36065 int rc;
36066
36067 + pax_track_stack();
36068 +
36069 memset( &mySsid, 0, sizeof( mySsid ) );
36070 kfree (ai->flash);
36071 ai->flash = NULL;
36072 @@ -4760,6 +4764,8 @@ static int proc_stats_rid_open( struct i
36073 __le32 *vals = stats.vals;
36074 int len;
36075
36076 + pax_track_stack();
36077 +
36078 if ((file->private_data = kzalloc(sizeof(struct proc_data ), GFP_KERNEL)) == NULL)
36079 return -ENOMEM;
36080 data = file->private_data;
36081 @@ -5483,6 +5489,8 @@ static int proc_BSSList_open( struct ino
36082 /* If doLoseSync is not 1, we won't do a Lose Sync */
36083 int doLoseSync = -1;
36084
36085 + pax_track_stack();
36086 +
36087 if ((file->private_data = kzalloc(sizeof(struct proc_data ), GFP_KERNEL)) == NULL)
36088 return -ENOMEM;
36089 data = file->private_data;
36090 @@ -7190,6 +7198,8 @@ static int airo_get_aplist(struct net_de
36091 int i;
36092 int loseSync = capable(CAP_NET_ADMIN) ? 1: -1;
36093
36094 + pax_track_stack();
36095 +
36096 qual = kmalloc(IW_MAX_AP * sizeof(*qual), GFP_KERNEL);
36097 if (!qual)
36098 return -ENOMEM;
36099 @@ -7750,6 +7760,8 @@ static void airo_read_wireless_stats(str
36100 CapabilityRid cap_rid;
36101 __le32 *vals = stats_rid.vals;
36102
36103 + pax_track_stack();
36104 +
36105 /* Get stats out of the card */
36106 clear_bit(JOB_WSTATS, &local->jobs);
36107 if (local->power.event) {
36108 diff -urNp linux-2.6.39.3/drivers/net/wireless/ath/ath5k/debug.c linux-2.6.39.3/drivers/net/wireless/ath/ath5k/debug.c
36109 --- linux-2.6.39.3/drivers/net/wireless/ath/ath5k/debug.c 2011-05-19 00:06:34.000000000 -0400
36110 +++ linux-2.6.39.3/drivers/net/wireless/ath/ath5k/debug.c 2011-05-22 19:36:31.000000000 -0400
36111 @@ -204,6 +204,8 @@ static ssize_t read_file_beacon(struct f
36112 unsigned int v;
36113 u64 tsf;
36114
36115 + pax_track_stack();
36116 +
36117 v = ath5k_hw_reg_read(sc->ah, AR5K_BEACON);
36118 len += snprintf(buf+len, sizeof(buf)-len,
36119 "%-24s0x%08x\tintval: %d\tTIM: 0x%x\n",
36120 @@ -323,6 +325,8 @@ static ssize_t read_file_debug(struct fi
36121 unsigned int len = 0;
36122 unsigned int i;
36123
36124 + pax_track_stack();
36125 +
36126 len += snprintf(buf+len, sizeof(buf)-len,
36127 "DEBUG LEVEL: 0x%08x\n\n", sc->debug.level);
36128
36129 @@ -384,6 +388,8 @@ static ssize_t read_file_antenna(struct
36130 unsigned int i;
36131 unsigned int v;
36132
36133 + pax_track_stack();
36134 +
36135 len += snprintf(buf+len, sizeof(buf)-len, "antenna mode\t%d\n",
36136 sc->ah->ah_ant_mode);
36137 len += snprintf(buf+len, sizeof(buf)-len, "default antenna\t%d\n",
36138 @@ -494,6 +500,8 @@ static ssize_t read_file_misc(struct fil
36139 unsigned int len = 0;
36140 u32 filt = ath5k_hw_get_rx_filter(sc->ah);
36141
36142 + pax_track_stack();
36143 +
36144 len += snprintf(buf+len, sizeof(buf)-len, "bssid-mask: %pM\n",
36145 sc->bssidmask);
36146 len += snprintf(buf+len, sizeof(buf)-len, "filter-flags: 0x%x ",
36147 @@ -550,6 +558,8 @@ static ssize_t read_file_frameerrors(str
36148 unsigned int len = 0;
36149 int i;
36150
36151 + pax_track_stack();
36152 +
36153 len += snprintf(buf+len, sizeof(buf)-len,
36154 "RX\n---------------------\n");
36155 len += snprintf(buf+len, sizeof(buf)-len, "CRC\t%u\t(%u%%)\n",
36156 @@ -667,6 +677,8 @@ static ssize_t read_file_ani(struct file
36157 char buf[700];
36158 unsigned int len = 0;
36159
36160 + pax_track_stack();
36161 +
36162 len += snprintf(buf+len, sizeof(buf)-len,
36163 "HW has PHY error counters:\t%s\n",
36164 sc->ah->ah_capabilities.cap_has_phyerr_counters ?
36165 @@ -827,6 +839,8 @@ static ssize_t read_file_queue(struct fi
36166 struct ath5k_buf *bf, *bf0;
36167 int i, n;
36168
36169 + pax_track_stack();
36170 +
36171 len += snprintf(buf+len, sizeof(buf)-len,
36172 "available txbuffers: %d\n", sc->txbuf_len);
36173
36174 diff -urNp linux-2.6.39.3/drivers/net/wireless/ath/ath9k/ar9003_calib.c linux-2.6.39.3/drivers/net/wireless/ath/ath9k/ar9003_calib.c
36175 --- linux-2.6.39.3/drivers/net/wireless/ath/ath9k/ar9003_calib.c 2011-05-19 00:06:34.000000000 -0400
36176 +++ linux-2.6.39.3/drivers/net/wireless/ath/ath9k/ar9003_calib.c 2011-05-22 19:36:31.000000000 -0400
36177 @@ -734,6 +734,8 @@ static void ar9003_hw_tx_iq_cal(struct a
36178 s32 i, j, ip, im, nmeasurement;
36179 u8 nchains = get_streams(common->tx_chainmask);
36180
36181 + pax_track_stack();
36182 +
36183 for (ip = 0; ip < MPASS; ip++) {
36184 REG_RMW_FIELD(ah, AR_PHY_TX_IQCAL_CONTROL_1,
36185 AR_PHY_TX_IQCAQL_CONTROL_1_IQCORR_I_Q_COFF_DELPT,
36186 @@ -856,6 +858,8 @@ static void ar9003_hw_tx_iq_cal_post_pro
36187 int i, ip, im, j;
36188 int nmeasurement;
36189
36190 + pax_track_stack();
36191 +
36192 for (i = 0; i < AR9300_MAX_CHAINS; i++) {
36193 if (ah->txchainmask & (1 << i))
36194 num_chains++;
36195 diff -urNp linux-2.6.39.3/drivers/net/wireless/ath/ath9k/ar9003_paprd.c linux-2.6.39.3/drivers/net/wireless/ath/ath9k/ar9003_paprd.c
36196 --- linux-2.6.39.3/drivers/net/wireless/ath/ath9k/ar9003_paprd.c 2011-05-19 00:06:34.000000000 -0400
36197 +++ linux-2.6.39.3/drivers/net/wireless/ath/ath9k/ar9003_paprd.c 2011-05-22 19:36:31.000000000 -0400
36198 @@ -356,6 +356,8 @@ static bool create_pa_curve(u32 *data_L,
36199 int theta_low_bin = 0;
36200 int i;
36201
36202 + pax_track_stack();
36203 +
36204 /* disregard any bin that contains <= 16 samples */
36205 thresh_accum_cnt = 16;
36206 scale_factor = 5;
36207 diff -urNp linux-2.6.39.3/drivers/net/wireless/ath/ath9k/debug.c linux-2.6.39.3/drivers/net/wireless/ath/ath9k/debug.c
36208 --- linux-2.6.39.3/drivers/net/wireless/ath/ath9k/debug.c 2011-05-19 00:06:34.000000000 -0400
36209 +++ linux-2.6.39.3/drivers/net/wireless/ath/ath9k/debug.c 2011-05-22 19:36:31.000000000 -0400
36210 @@ -335,6 +335,8 @@ static ssize_t read_file_interrupt(struc
36211 char buf[512];
36212 unsigned int len = 0;
36213
36214 + pax_track_stack();
36215 +
36216 if (sc->sc_ah->caps.hw_caps & ATH9K_HW_CAP_EDMA) {
36217 len += snprintf(buf + len, sizeof(buf) - len,
36218 "%8s: %10u\n", "RXLP", sc->debug.stats.istats.rxlp);
36219 @@ -422,6 +424,8 @@ static ssize_t read_file_wiphy(struct fi
36220 u8 addr[ETH_ALEN];
36221 u32 tmp;
36222
36223 + pax_track_stack();
36224 +
36225 len += snprintf(buf + len, sizeof(buf) - len,
36226 "%s (chan=%d center-freq: %d MHz channel-type: %d (%s))\n",
36227 wiphy_name(sc->hw->wiphy),
36228 diff -urNp linux-2.6.39.3/drivers/net/wireless/ath/ath9k/htc_drv_main.c linux-2.6.39.3/drivers/net/wireless/ath/ath9k/htc_drv_main.c
36229 --- linux-2.6.39.3/drivers/net/wireless/ath/ath9k/htc_drv_main.c 2011-05-19 00:06:34.000000000 -0400
36230 +++ linux-2.6.39.3/drivers/net/wireless/ath/ath9k/htc_drv_main.c 2011-05-22 19:36:31.000000000 -0400
36231 @@ -737,6 +737,8 @@ static ssize_t read_file_tgt_stats(struc
36232 unsigned int len = 0;
36233 int ret = 0;
36234
36235 + pax_track_stack();
36236 +
36237 memset(&cmd_rsp, 0, sizeof(cmd_rsp));
36238
36239 WMI_CMD(WMI_TGT_STATS_CMDID);
36240 @@ -782,6 +784,8 @@ static ssize_t read_file_xmit(struct fil
36241 char buf[512];
36242 unsigned int len = 0;
36243
36244 + pax_track_stack();
36245 +
36246 len += snprintf(buf + len, sizeof(buf) - len,
36247 "%20s : %10u\n", "Buffers queued",
36248 priv->debug.tx_stats.buf_queued);
36249 @@ -831,6 +835,8 @@ static ssize_t read_file_recv(struct fil
36250 char buf[512];
36251 unsigned int len = 0;
36252
36253 + pax_track_stack();
36254 +
36255 len += snprintf(buf + len, sizeof(buf) - len,
36256 "%20s : %10u\n", "SKBs allocated",
36257 priv->debug.rx_stats.skb_allocated);
36258 @@ -1816,7 +1822,7 @@ static void ath9k_htc_set_coverage_class
36259 mutex_unlock(&priv->mutex);
36260 }
36261
36262 -struct ieee80211_ops ath9k_htc_ops = {
36263 +const struct ieee80211_ops ath9k_htc_ops = {
36264 .tx = ath9k_htc_tx,
36265 .start = ath9k_htc_start,
36266 .stop = ath9k_htc_stop,
36267 diff -urNp linux-2.6.39.3/drivers/net/wireless/ath/ath9k/htc.h linux-2.6.39.3/drivers/net/wireless/ath/ath9k/htc.h
36268 --- linux-2.6.39.3/drivers/net/wireless/ath/ath9k/htc.h 2011-05-19 00:06:34.000000000 -0400
36269 +++ linux-2.6.39.3/drivers/net/wireless/ath/ath9k/htc.h 2011-05-22 19:36:31.000000000 -0400
36270 @@ -42,7 +42,7 @@
36271 #define TSF_TO_TU(_h, _l) \
36272 ((((u32)(_h)) << 22) | (((u32)(_l)) >> 10))
36273
36274 -extern struct ieee80211_ops ath9k_htc_ops;
36275 +extern const struct ieee80211_ops ath9k_htc_ops;
36276 extern int htc_modparam_nohwcrypt;
36277
36278 enum htc_phymode {
36279 diff -urNp linux-2.6.39.3/drivers/net/wireless/b43/debugfs.c linux-2.6.39.3/drivers/net/wireless/b43/debugfs.c
36280 --- linux-2.6.39.3/drivers/net/wireless/b43/debugfs.c 2011-05-19 00:06:34.000000000 -0400
36281 +++ linux-2.6.39.3/drivers/net/wireless/b43/debugfs.c 2011-05-22 19:36:31.000000000 -0400
36282 @@ -43,7 +43,7 @@ static struct dentry *rootdir;
36283 struct b43_debugfs_fops {
36284 ssize_t (*read)(struct b43_wldev *dev, char *buf, size_t bufsize);
36285 int (*write)(struct b43_wldev *dev, const char *buf, size_t count);
36286 - struct file_operations fops;
36287 + const struct file_operations fops;
36288 /* Offset of struct b43_dfs_file in struct b43_dfsentry */
36289 size_t file_struct_offset;
36290 };
36291 diff -urNp linux-2.6.39.3/drivers/net/wireless/b43legacy/debugfs.c linux-2.6.39.3/drivers/net/wireless/b43legacy/debugfs.c
36292 --- linux-2.6.39.3/drivers/net/wireless/b43legacy/debugfs.c 2011-05-19 00:06:34.000000000 -0400
36293 +++ linux-2.6.39.3/drivers/net/wireless/b43legacy/debugfs.c 2011-05-22 19:36:31.000000000 -0400
36294 @@ -44,7 +44,7 @@ static struct dentry *rootdir;
36295 struct b43legacy_debugfs_fops {
36296 ssize_t (*read)(struct b43legacy_wldev *dev, char *buf, size_t bufsize);
36297 int (*write)(struct b43legacy_wldev *dev, const char *buf, size_t count);
36298 - struct file_operations fops;
36299 + const struct file_operations fops;
36300 /* Offset of struct b43legacy_dfs_file in struct b43legacy_dfsentry */
36301 size_t file_struct_offset;
36302 /* Take wl->irq_lock before calling read/write? */
36303 diff -urNp linux-2.6.39.3/drivers/net/wireless/ipw2x00/ipw2100.c linux-2.6.39.3/drivers/net/wireless/ipw2x00/ipw2100.c
36304 --- linux-2.6.39.3/drivers/net/wireless/ipw2x00/ipw2100.c 2011-05-19 00:06:34.000000000 -0400
36305 +++ linux-2.6.39.3/drivers/net/wireless/ipw2x00/ipw2100.c 2011-05-22 19:36:31.000000000 -0400
36306 @@ -2100,6 +2100,8 @@ static int ipw2100_set_essid(struct ipw2
36307 int err;
36308 DECLARE_SSID_BUF(ssid);
36309
36310 + pax_track_stack();
36311 +
36312 IPW_DEBUG_HC("SSID: '%s'\n", print_ssid(ssid, essid, ssid_len));
36313
36314 if (ssid_len)
36315 @@ -5449,6 +5451,8 @@ static int ipw2100_set_key(struct ipw210
36316 struct ipw2100_wep_key *wep_key = (void *)cmd.host_command_parameters;
36317 int err;
36318
36319 + pax_track_stack();
36320 +
36321 IPW_DEBUG_HC("WEP_KEY_INFO: index = %d, len = %d/%d\n",
36322 idx, keylen, len);
36323
36324 diff -urNp linux-2.6.39.3/drivers/net/wireless/ipw2x00/libipw_rx.c linux-2.6.39.3/drivers/net/wireless/ipw2x00/libipw_rx.c
36325 --- linux-2.6.39.3/drivers/net/wireless/ipw2x00/libipw_rx.c 2011-05-19 00:06:34.000000000 -0400
36326 +++ linux-2.6.39.3/drivers/net/wireless/ipw2x00/libipw_rx.c 2011-05-22 19:36:31.000000000 -0400
36327 @@ -1565,6 +1565,8 @@ static void libipw_process_probe_respons
36328 unsigned long flags;
36329 DECLARE_SSID_BUF(ssid);
36330
36331 + pax_track_stack();
36332 +
36333 LIBIPW_DEBUG_SCAN("'%s' (%pM"
36334 "): %c%c%c%c %c%c%c%c-%c%c%c%c %c%c%c%c\n",
36335 print_ssid(ssid, info_element->data, info_element->len),
36336 diff -urNp linux-2.6.39.3/drivers/net/wireless/iwlegacy/iwl-3945.c linux-2.6.39.3/drivers/net/wireless/iwlegacy/iwl-3945.c
36337 --- linux-2.6.39.3/drivers/net/wireless/iwlegacy/iwl-3945.c 2011-05-19 00:06:34.000000000 -0400
36338 +++ linux-2.6.39.3/drivers/net/wireless/iwlegacy/iwl-3945.c 2011-05-22 19:36:31.000000000 -0400
36339 @@ -2630,7 +2630,7 @@ static int iwl3945_load_bsm(struct iwl_p
36340 return 0;
36341 }
36342
36343 -static struct iwl_hcmd_ops iwl3945_hcmd = {
36344 +static const struct iwl_hcmd_ops iwl3945_hcmd = {
36345 .rxon_assoc = iwl3945_send_rxon_assoc,
36346 .commit_rxon = iwl3945_commit_rxon,
36347 };
36348 @@ -2675,7 +2675,7 @@ static const struct iwl_legacy_ops iwl39
36349 .manage_ibss_station = iwl3945_manage_ibss_station,
36350 };
36351
36352 -static struct iwl_hcmd_utils_ops iwl3945_hcmd_utils = {
36353 +static const struct iwl_hcmd_utils_ops iwl3945_hcmd_utils = {
36354 .get_hcmd_size = iwl3945_get_hcmd_size,
36355 .build_addsta_hcmd = iwl3945_build_addsta_hcmd,
36356 .request_scan = iwl3945_request_scan,
36357 diff -urNp linux-2.6.39.3/drivers/net/wireless/iwlegacy/iwl-4965.c linux-2.6.39.3/drivers/net/wireless/iwlegacy/iwl-4965.c
36358 --- linux-2.6.39.3/drivers/net/wireless/iwlegacy/iwl-4965.c 2011-06-25 12:55:22.000000000 -0400
36359 +++ linux-2.6.39.3/drivers/net/wireless/iwlegacy/iwl-4965.c 2011-06-25 13:00:26.000000000 -0400
36360 @@ -1902,7 +1902,7 @@ static void iwl4965_rx_handler_setup(str
36361 priv->rx_handlers[BEACON_NOTIFICATION] = iwl4965_rx_beacon_notif;
36362 }
36363
36364 -static struct iwl_hcmd_ops iwl4965_hcmd = {
36365 +static const struct iwl_hcmd_ops iwl4965_hcmd = {
36366 .rxon_assoc = iwl4965_send_rxon_assoc,
36367 .commit_rxon = iwl4965_commit_rxon,
36368 .set_rxon_chain = iwl4965_set_rxon_chain,
36369 @@ -2054,7 +2054,7 @@ static void iwl4965_config_ap(struct iwl
36370 iwl4965_send_beacon_cmd(priv);
36371 }
36372
36373 -static struct iwl_hcmd_utils_ops iwl4965_hcmd_utils = {
36374 +static const struct iwl_hcmd_utils_ops iwl4965_hcmd_utils = {
36375 .get_hcmd_size = iwl4965_get_hcmd_size,
36376 .build_addsta_hcmd = iwl4965_build_addsta_hcmd,
36377 .request_scan = iwl4965_request_scan,
36378 @@ -2112,7 +2112,7 @@ static const struct iwl_legacy_ops iwl49
36379 .update_bcast_stations = iwl4965_update_bcast_stations,
36380 };
36381
36382 -struct ieee80211_ops iwl4965_hw_ops = {
36383 +const struct ieee80211_ops iwl4965_hw_ops = {
36384 .tx = iwl4965_mac_tx,
36385 .start = iwl4965_mac_start,
36386 .stop = iwl4965_mac_stop,
36387 diff -urNp linux-2.6.39.3/drivers/net/wireless/iwlegacy/iwl-4965.h linux-2.6.39.3/drivers/net/wireless/iwlegacy/iwl-4965.h
36388 --- linux-2.6.39.3/drivers/net/wireless/iwlegacy/iwl-4965.h 2011-05-19 00:06:34.000000000 -0400
36389 +++ linux-2.6.39.3/drivers/net/wireless/iwlegacy/iwl-4965.h 2011-05-22 19:36:32.000000000 -0400
36390 @@ -70,7 +70,7 @@ extern struct iwl_cfg iwl4965_cfg;
36391
36392 extern struct iwl_mod_params iwl4965_mod_params;
36393
36394 -extern struct ieee80211_ops iwl4965_hw_ops;
36395 +extern const struct ieee80211_ops iwl4965_hw_ops;
36396
36397 /* tx queue */
36398 void iwl4965_free_tfds_in_queue(struct iwl_priv *priv,
36399 diff -urNp linux-2.6.39.3/drivers/net/wireless/iwlegacy/iwl-core.h linux-2.6.39.3/drivers/net/wireless/iwlegacy/iwl-core.h
36400 --- linux-2.6.39.3/drivers/net/wireless/iwlegacy/iwl-core.h 2011-06-25 12:55:22.000000000 -0400
36401 +++ linux-2.6.39.3/drivers/net/wireless/iwlegacy/iwl-core.h 2011-06-25 13:00:26.000000000 -0400
36402 @@ -150,7 +150,7 @@ struct iwl_lib_ops {
36403 int (*set_channel_switch)(struct iwl_priv *priv,
36404 struct ieee80211_channel_switch *ch_switch);
36405 /* power management */
36406 - struct iwl_apm_ops apm_ops;
36407 + const struct iwl_apm_ops apm_ops;
36408
36409 /* power */
36410 int (*send_tx_power) (struct iwl_priv *priv);
36411 @@ -160,12 +160,12 @@ struct iwl_lib_ops {
36412 struct iwl_eeprom_ops eeprom_ops;
36413
36414 /* temperature */
36415 - struct iwl_temp_ops temp_ops;
36416 + const struct iwl_temp_ops temp_ops;
36417 /* check for plcp health */
36418 bool (*check_plcp_health)(struct iwl_priv *priv,
36419 struct iwl_rx_packet *pkt);
36420
36421 - struct iwl_debugfs_ops debugfs_ops;
36422 + const struct iwl_debugfs_ops debugfs_ops;
36423
36424 };
36425
36426 diff -urNp linux-2.6.39.3/drivers/net/wireless/iwlwifi/iwl-6000.c linux-2.6.39.3/drivers/net/wireless/iwlwifi/iwl-6000.c
36427 --- linux-2.6.39.3/drivers/net/wireless/iwlwifi/iwl-6000.c 2011-06-25 12:55:22.000000000 -0400
36428 +++ linux-2.6.39.3/drivers/net/wireless/iwlwifi/iwl-6000.c 2011-06-25 13:00:26.000000000 -0400
36429 @@ -420,11 +420,11 @@ static struct iwl_lib_ops iwl6030_lib =
36430 }
36431 };
36432
36433 -static struct iwl_nic_ops iwl6050_nic_ops = {
36434 +static const struct iwl_nic_ops iwl6050_nic_ops = {
36435 .additional_nic_config = &iwl6050_additional_nic_config,
36436 };
36437
36438 -static struct iwl_nic_ops iwl6150_nic_ops = {
36439 +static const struct iwl_nic_ops iwl6150_nic_ops = {
36440 .additional_nic_config = &iwl6150_additional_nic_config,
36441 };
36442
36443 diff -urNp linux-2.6.39.3/drivers/net/wireless/iwlwifi/iwl-agn.h linux-2.6.39.3/drivers/net/wireless/iwlwifi/iwl-agn.h
36444 --- linux-2.6.39.3/drivers/net/wireless/iwlwifi/iwl-agn.h 2011-05-19 00:06:34.000000000 -0400
36445 +++ linux-2.6.39.3/drivers/net/wireless/iwlwifi/iwl-agn.h 2011-05-22 19:36:32.000000000 -0400
36446 @@ -109,9 +109,9 @@ extern struct iwl_cfg iwl230_bg_cfg;
36447 extern struct iwl_cfg iwl230_bgn_cfg;
36448
36449 extern struct iwl_mod_params iwlagn_mod_params;
36450 -extern struct iwl_hcmd_ops iwlagn_hcmd;
36451 -extern struct iwl_hcmd_ops iwlagn_bt_hcmd;
36452 -extern struct iwl_hcmd_utils_ops iwlagn_hcmd_utils;
36453 +extern const struct iwl_hcmd_ops iwlagn_hcmd;
36454 +extern const struct iwl_hcmd_ops iwlagn_bt_hcmd;
36455 +extern const struct iwl_hcmd_utils_ops iwlagn_hcmd_utils;
36456
36457 extern struct ieee80211_ops iwlagn_hw_ops;
36458 extern struct ieee80211_ops iwl4965_hw_ops;
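Review bot: The context line `extern struct ieee80211_ops iwl4965_hw_ops;` still declares the object non-const, while this patch changes the iwlegacy definition and its iwl-4965.h declaration to `const struct ieee80211_ops`. If any translation unit sees this header together with that definition the declarations conflict, which is not visible from this hunk. If the declaration here is stale it could be dropped, otherwise it should read `extern const struct ieee80211_ops iwl4965_hw_ops;`. `iwlagn_hw_ops` on the line above is likewise left writable, unlike the hcmd tables constified in the same hunk.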
36459 diff -urNp linux-2.6.39.3/drivers/net/wireless/iwlwifi/iwl-agn-hcmd.c linux-2.6.39.3/drivers/net/wireless/iwlwifi/iwl-agn-hcmd.c
36460 --- linux-2.6.39.3/drivers/net/wireless/iwlwifi/iwl-agn-hcmd.c 2011-06-25 12:55:22.000000000 -0400
36461 +++ linux-2.6.39.3/drivers/net/wireless/iwlwifi/iwl-agn-hcmd.c 2011-06-25 13:00:26.000000000 -0400
36462 @@ -355,7 +355,7 @@ static int iwlagn_set_pan_params(struct
36463 return ret;
36464 }
36465
36466 -struct iwl_hcmd_ops iwlagn_hcmd = {
36467 +const struct iwl_hcmd_ops iwlagn_hcmd = {
36468 .rxon_assoc = iwlagn_send_rxon_assoc,
36469 .commit_rxon = iwlagn_commit_rxon,
36470 .set_rxon_chain = iwlagn_set_rxon_chain,
36471 @@ -364,7 +364,7 @@ struct iwl_hcmd_ops iwlagn_hcmd = {
36472 .set_pan_params = iwlagn_set_pan_params,
36473 };
36474
36475 -struct iwl_hcmd_ops iwlagn_bt_hcmd = {
36476 +const struct iwl_hcmd_ops iwlagn_bt_hcmd = {
36477 .rxon_assoc = iwlagn_send_rxon_assoc,
36478 .commit_rxon = iwlagn_commit_rxon,
36479 .set_rxon_chain = iwlagn_set_rxon_chain,
36480 @@ -373,7 +373,7 @@ struct iwl_hcmd_ops iwlagn_bt_hcmd = {
36481 .set_pan_params = iwlagn_set_pan_params,
36482 };
36483
36484 -struct iwl_hcmd_utils_ops iwlagn_hcmd_utils = {
36485 +const struct iwl_hcmd_utils_ops iwlagn_hcmd_utils = {
36486 .get_hcmd_size = iwlagn_get_hcmd_size,
36487 .build_addsta_hcmd = iwlagn_build_addsta_hcmd,
36488 .gain_computation = iwlagn_gain_computation,
36489 diff -urNp linux-2.6.39.3/drivers/net/wireless/iwlwifi/iwl-agn-rs.c linux-2.6.39.3/drivers/net/wireless/iwlwifi/iwl-agn-rs.c
36490 --- linux-2.6.39.3/drivers/net/wireless/iwlwifi/iwl-agn-rs.c 2011-05-19 00:06:34.000000000 -0400
36491 +++ linux-2.6.39.3/drivers/net/wireless/iwlwifi/iwl-agn-rs.c 2011-05-22 19:36:32.000000000 -0400
36492 @@ -883,6 +883,8 @@ static void rs_tx_status(void *priv_r, s
36493 struct iwl_station_priv *sta_priv = (void *)sta->drv_priv;
36494 struct iwl_rxon_context *ctx = sta_priv->common.ctx;
36495
36496 + pax_track_stack();
36497 +
36498 IWL_DEBUG_RATE_LIMIT(priv, "get frame ack response, update rate scale window\n");
36499
36500 /* Treat uninitialized rate scaling data same as non-existing. */
36501 @@ -2894,6 +2896,8 @@ static void rs_fill_link_cmd(struct iwl_
36502 container_of(lq_sta, struct iwl_station_priv, lq_sta);
36503 struct iwl_link_quality_cmd *lq_cmd = &lq_sta->lq;
36504
36505 + pax_track_stack();
36506 +
36507 /* Override starting rate (index 0) if needed for debug purposes */
36508 rs_dbgfs_set_mcs(lq_sta, &new_rate, index);
36509
36510 diff -urNp linux-2.6.39.3/drivers/net/wireless/iwlwifi/iwl-core.h linux-2.6.39.3/drivers/net/wireless/iwlwifi/iwl-core.h
36511 --- linux-2.6.39.3/drivers/net/wireless/iwlwifi/iwl-core.h 2011-06-25 12:55:22.000000000 -0400
36512 +++ linux-2.6.39.3/drivers/net/wireless/iwlwifi/iwl-core.h 2011-06-25 13:00:26.000000000 -0400
36513 @@ -198,28 +198,25 @@ struct iwl_lib_ops {
36514 int (*set_channel_switch)(struct iwl_priv *priv,
36515 struct ieee80211_channel_switch *ch_switch);
36516 /* power management */
36517 - struct iwl_apm_ops apm_ops;
36518 + const struct iwl_apm_ops apm_ops;
36519
36520 /* power */
36521 int (*send_tx_power) (struct iwl_priv *priv);
36522 void (*update_chain_flags)(struct iwl_priv *priv);
36523
36524 /* isr */
36525 - struct iwl_isr_ops isr_ops;
36526 + const struct iwl_isr_ops isr_ops;
36527
36528 /* eeprom operations (as defined in iwl-eeprom.h) */
36529 struct iwl_eeprom_ops eeprom_ops;
36530
36531 /* temperature */
36532 - struct iwl_temp_ops temp_ops;
36533 + const struct iwl_temp_ops temp_ops;
36534
36535 int (*txfifo_flush)(struct iwl_priv *priv, u16 flush_control);
36536 void (*dev_txfifo_flush)(struct iwl_priv *priv, u16 flush_control);
36537
36538 - struct iwl_debugfs_ops debugfs_ops;
36539 -
36540 - /* thermal throttling */
36541 - struct iwl_tt_ops tt_ops;
36542 + const struct iwl_debugfs_ops debugfs_ops;const struct iwl_tt_ops tt_ops;
36543 };
36544
36545 struct iwl_led_ops {
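Review bot: The last added line puts two members on one line, `const struct iwl_debugfs_ops debugfs_ops;const struct iwl_tt_ops tt_ops;`, and removes the `/* thermal throttling */` comment that labelled `tt_ops`. Keeping them as separate lines, `const struct iwl_debugfs_ops debugfs_ops;` followed by the restored comment and `const struct iwl_tt_ops tt_ops;`, keeps the struct readable and each member easy to find. `struct iwl_eeprom_ops eeprom_ops;` stays non-const in the same struct, and also in the iwlegacy iwl-core.h hunk, so that table of function pointers remains writable. If that is deliberate, a short comment saying why would help.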
36546 diff -urNp linux-2.6.39.3/drivers/net/wireless/iwlwifi/iwl-debugfs.c linux-2.6.39.3/drivers/net/wireless/iwlwifi/iwl-debugfs.c
36547 --- linux-2.6.39.3/drivers/net/wireless/iwlwifi/iwl-debugfs.c 2011-05-19 00:06:34.000000000 -0400
36548 +++ linux-2.6.39.3/drivers/net/wireless/iwlwifi/iwl-debugfs.c 2011-05-22 19:36:32.000000000 -0400
36549 @@ -549,6 +549,8 @@ static ssize_t iwl_dbgfs_status_read(str
36550 int pos = 0;
36551 const size_t bufsz = sizeof(buf);
36552
36553 + pax_track_stack();
36554 +
36555 pos += scnprintf(buf + pos, bufsz - pos, "STATUS_HCMD_ACTIVE:\t %d\n",
36556 test_bit(STATUS_HCMD_ACTIVE, &priv->status));
36557 pos += scnprintf(buf + pos, bufsz - pos, "STATUS_INT_ENABLED:\t %d\n",
36558 @@ -681,6 +683,8 @@ static ssize_t iwl_dbgfs_qos_read(struct
36559 char buf[256 * NUM_IWL_RXON_CTX];
36560 const size_t bufsz = sizeof(buf);
36561
36562 + pax_track_stack();
36563 +
36564 for_each_context(priv, ctx) {
36565 pos += scnprintf(buf + pos, bufsz - pos, "context %d:\n",
36566 ctx->ctxid);
36567 diff -urNp linux-2.6.39.3/drivers/net/wireless/iwlwifi/iwl-debug.h linux-2.6.39.3/drivers/net/wireless/iwlwifi/iwl-debug.h
36568 --- linux-2.6.39.3/drivers/net/wireless/iwlwifi/iwl-debug.h 2011-05-19 00:06:34.000000000 -0400
36569 +++ linux-2.6.39.3/drivers/net/wireless/iwlwifi/iwl-debug.h 2011-05-22 19:36:32.000000000 -0400
36570 @@ -68,8 +68,8 @@ do {
36571 } while (0)
36572
36573 #else
36574 -#define IWL_DEBUG(__priv, level, fmt, args...)
36575 -#define IWL_DEBUG_LIMIT(__priv, level, fmt, args...)
36576 +#define IWL_DEBUG(__priv, level, fmt, args...) do {} while (0)
36577 +#define IWL_DEBUG_LIMIT(__priv, level, fmt, args...) do {} while (0)
36578 static inline void iwl_print_hex_dump(struct iwl_priv *priv, int level,
36579 const void *p, u32 len)
36580 {}
36581 diff -urNp linux-2.6.39.3/drivers/net/wireless/iwmc3200wifi/cfg80211.c linux-2.6.39.3/drivers/net/wireless/iwmc3200wifi/cfg80211.c
36582 --- linux-2.6.39.3/drivers/net/wireless/iwmc3200wifi/cfg80211.c 2011-05-19 00:06:34.000000000 -0400
36583 +++ linux-2.6.39.3/drivers/net/wireless/iwmc3200wifi/cfg80211.c 2011-05-22 19:36:32.000000000 -0400
36584 @@ -763,7 +763,7 @@ static int iwm_cfg80211_flush_pmksa(stru
36585 }
36586
36587
36588 -static struct cfg80211_ops iwm_cfg80211_ops = {
36589 +static const struct cfg80211_ops iwm_cfg80211_ops = {
36590 .change_virtual_intf = iwm_cfg80211_change_iface,
36591 .add_key = iwm_cfg80211_add_key,
36592 .get_key = iwm_cfg80211_get_key,
36593 diff -urNp linux-2.6.39.3/drivers/net/wireless/iwmc3200wifi/debugfs.c linux-2.6.39.3/drivers/net/wireless/iwmc3200wifi/debugfs.c
36594 --- linux-2.6.39.3/drivers/net/wireless/iwmc3200wifi/debugfs.c 2011-05-19 00:06:34.000000000 -0400
36595 +++ linux-2.6.39.3/drivers/net/wireless/iwmc3200wifi/debugfs.c 2011-05-22 19:36:32.000000000 -0400
36596 @@ -327,6 +327,8 @@ static ssize_t iwm_debugfs_fw_err_read(s
36597 int buf_len = 512;
36598 size_t len = 0;
36599
36600 + pax_track_stack();
36601 +
36602 if (*ppos != 0)
36603 return 0;
36604 if (count < sizeof(buf))
36605 diff -urNp linux-2.6.39.3/drivers/net/wireless/libertas/cfg.c linux-2.6.39.3/drivers/net/wireless/libertas/cfg.c
36606 --- linux-2.6.39.3/drivers/net/wireless/libertas/cfg.c 2011-05-19 00:06:34.000000000 -0400
36607 +++ linux-2.6.39.3/drivers/net/wireless/libertas/cfg.c 2011-05-22 19:36:32.000000000 -0400
36608 @@ -2003,7 +2003,7 @@ static int lbs_leave_ibss(struct wiphy *
36609 * Initialization
36610 */
36611
36612 -static struct cfg80211_ops lbs_cfg80211_ops = {
36613 +static const struct cfg80211_ops lbs_cfg80211_ops = {
36614 .set_channel = lbs_cfg_set_channel,
36615 .scan = lbs_cfg_scan,
36616 .connect = lbs_cfg_connect,
36617 diff -urNp linux-2.6.39.3/drivers/net/wireless/libertas/debugfs.c linux-2.6.39.3/drivers/net/wireless/libertas/debugfs.c
36618 --- linux-2.6.39.3/drivers/net/wireless/libertas/debugfs.c 2011-05-19 00:06:34.000000000 -0400
36619 +++ linux-2.6.39.3/drivers/net/wireless/libertas/debugfs.c 2011-05-22 19:36:32.000000000 -0400
36620 @@ -702,7 +702,7 @@ out_unlock:
36621 struct lbs_debugfs_files {
36622 const char *name;
36623 int perm;
36624 - struct file_operations fops;
36625 + const struct file_operations fops;
36626 };
36627
36628 static const struct lbs_debugfs_files debugfs_files[] = {
36629 diff -urNp linux-2.6.39.3/drivers/net/wireless/rndis_wlan.c linux-2.6.39.3/drivers/net/wireless/rndis_wlan.c
36630 --- linux-2.6.39.3/drivers/net/wireless/rndis_wlan.c 2011-05-19 00:06:34.000000000 -0400
36631 +++ linux-2.6.39.3/drivers/net/wireless/rndis_wlan.c 2011-05-22 19:36:32.000000000 -0400
36632 @@ -1277,7 +1277,7 @@ static int set_rts_threshold(struct usbn
36633
36634 netdev_dbg(usbdev->net, "%s(): %i\n", __func__, rts_threshold);
36635
36636 - if (rts_threshold < 0 || rts_threshold > 2347)
36637 + if (rts_threshold > 2347)
36638 rts_threshold = 2347;
36639
36640 tmp = cpu_to_le32(rts_threshold);
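Review bot: Dropping `rts_threshold < 0` preserves behaviour only if `rts_threshold` is an unsigned type, and its declaration is in the function signature, which the hunk header truncates. If it is unsigned, the `%i` in the `netdev_dbg` line above prints it as signed and should be `%u`. If it is signed, negative values would now reach `cpu_to_le32()` unclamped. A comment such as `/* rts_threshold is unsigned, only the upper bound needs clamping */` would record why the lower bound went away.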
36641 diff -urNp linux-2.6.39.3/drivers/net/wireless/rtlwifi/pci.c linux-2.6.39.3/drivers/net/wireless/rtlwifi/pci.c
36642 --- linux-2.6.39.3/drivers/net/wireless/rtlwifi/pci.c 2011-05-19 00:06:34.000000000 -0400
36643 +++ linux-2.6.39.3/drivers/net/wireless/rtlwifi/pci.c 2011-05-22 19:36:32.000000000 -0400
36644 @@ -1869,7 +1869,7 @@ int rtl_pci_resume(struct pci_dev *pdev)
36645 }
36646 EXPORT_SYMBOL(rtl_pci_resume);
36647
36648 -struct rtl_intf_ops rtl_pci_ops = {
36649 +const struct rtl_intf_ops rtl_pci_ops = {
36650 .adapter_start = rtl_pci_start,
36651 .adapter_stop = rtl_pci_stop,
36652 .adapter_tx = rtl_pci_tx,
36653 diff -urNp linux-2.6.39.3/drivers/net/wireless/rtlwifi/pci.h linux-2.6.39.3/drivers/net/wireless/rtlwifi/pci.h
36654 --- linux-2.6.39.3/drivers/net/wireless/rtlwifi/pci.h 2011-05-19 00:06:34.000000000 -0400
36655 +++ linux-2.6.39.3/drivers/net/wireless/rtlwifi/pci.h 2011-05-22 19:36:32.000000000 -0400
36656 @@ -234,7 +234,7 @@ struct rtl_pci_priv {
36657
36658 int rtl_pci_reset_trx_ring(struct ieee80211_hw *hw);
36659
36660 -extern struct rtl_intf_ops rtl_pci_ops;
36661 +extern const struct rtl_intf_ops rtl_pci_ops;
36662
36663 int __devinit rtl_pci_probe(struct pci_dev *pdev,
36664 const struct pci_device_id *id);
36665 diff -urNp linux-2.6.39.3/drivers/net/wireless/rtlwifi/rtl8192c/phy_common.c linux-2.6.39.3/drivers/net/wireless/rtlwifi/rtl8192c/phy_common.c
36666 --- linux-2.6.39.3/drivers/net/wireless/rtlwifi/rtl8192c/phy_common.c 2011-05-19 00:06:34.000000000 -0400
36667 +++ linux-2.6.39.3/drivers/net/wireless/rtlwifi/rtl8192c/phy_common.c 2011-05-22 19:36:32.000000000 -0400
36668 @@ -827,6 +827,8 @@ static bool _rtl92c_phy_sw_chnl_step_by_
36669 u8 rfpath;
36670 u8 num_total_rfpath = rtlphy->num_total_rfpath;
36671
36672 + pax_track_stack();
36673 +
36674 precommoncmdcnt = 0;
36675 _rtl92c_phy_set_sw_chnl_cmdarray(precommoncmd, precommoncmdcnt++,
36676 MAX_PRECMD_CNT,
36677 diff -urNp linux-2.6.39.3/drivers/net/wireless/rtlwifi/rtl8192ce/sw.c linux-2.6.39.3/drivers/net/wireless/rtlwifi/rtl8192ce/sw.c
36678 --- linux-2.6.39.3/drivers/net/wireless/rtlwifi/rtl8192ce/sw.c 2011-05-19 00:06:34.000000000 -0400
36679 +++ linux-2.6.39.3/drivers/net/wireless/rtlwifi/rtl8192ce/sw.c 2011-05-22 19:36:32.000000000 -0400
36680 @@ -96,7 +96,7 @@ void rtl92c_deinit_sw_vars(struct ieee80
36681 }
36682 }
36683
36684 -static struct rtl_hal_ops rtl8192ce_hal_ops = {
36685 +static const struct rtl_hal_ops rtl8192ce_hal_ops = {
36686 .init_sw_vars = rtl92c_init_sw_vars,
36687 .deinit_sw_vars = rtl92c_deinit_sw_vars,
36688 .read_eeprom_info = rtl92ce_read_eeprom_info,
36689 @@ -151,7 +151,7 @@ static struct rtl_mod_params rtl92ce_mod
36690 .sw_crypto = 0,
36691 };
36692
36693 -static struct rtl_hal_cfg rtl92ce_hal_cfg = {
36694 +static const struct rtl_hal_cfg rtl92ce_hal_cfg = {
36695 .name = "rtl92c_pci",
36696 .fw_name = "rtlwifi/rtl8192cfw.bin",
36697 .ops = &rtl8192ce_hal_ops,
36698 diff -urNp linux-2.6.39.3/drivers/net/wireless/rtlwifi/rtl8192cu/sw.c linux-2.6.39.3/drivers/net/wireless/rtlwifi/rtl8192cu/sw.c
36699 --- linux-2.6.39.3/drivers/net/wireless/rtlwifi/rtl8192cu/sw.c 2011-05-19 00:06:34.000000000 -0400
36700 +++ linux-2.6.39.3/drivers/net/wireless/rtlwifi/rtl8192cu/sw.c 2011-05-22 19:36:32.000000000 -0400
36701 @@ -77,7 +77,7 @@ static void rtl92cu_deinit_sw_vars(struc
36702 }
36703 }
36704
36705 -static struct rtl_hal_ops rtl8192cu_hal_ops = {
36706 +static const struct rtl_hal_ops rtl8192cu_hal_ops = {
36707 .init_sw_vars = rtl92cu_init_sw_vars,
36708 .deinit_sw_vars = rtl92cu_deinit_sw_vars,
36709 .read_chip_version = rtl92c_read_chip_version,
36710 @@ -147,7 +147,7 @@ static struct rtl_hal_usbint_cfg rtl92cu
36711 .usb_mq_to_hwq = rtl8192cu_mq_to_hwq,
36712 };
36713
36714 -static struct rtl_hal_cfg rtl92cu_hal_cfg = {
36715 +static const struct rtl_hal_cfg rtl92cu_hal_cfg = {
36716 .name = "rtl92c_usb",
36717 .fw_name = "rtlwifi/rtl8192cufw.bin",
36718 .ops = &rtl8192cu_hal_ops,
36719 diff -urNp linux-2.6.39.3/drivers/net/wireless/rtlwifi/usb.c linux-2.6.39.3/drivers/net/wireless/rtlwifi/usb.c
36720 --- linux-2.6.39.3/drivers/net/wireless/rtlwifi/usb.c 2011-05-19 00:06:34.000000000 -0400
36721 +++ linux-2.6.39.3/drivers/net/wireless/rtlwifi/usb.c 2011-05-22 19:36:32.000000000 -0400
36722 @@ -913,7 +913,7 @@ static bool rtl_usb_tx_chk_waitq_insert(
36723 return false;
36724 }
36725
36726 -static struct rtl_intf_ops rtl_usb_ops = {
36727 +static const struct rtl_intf_ops rtl_usb_ops = {
36728 .adapter_start = rtl_usb_start,
36729 .adapter_stop = rtl_usb_stop,
36730 .adapter_tx = rtl_usb_tx,
36731 diff -urNp linux-2.6.39.3/drivers/net/wireless/rtlwifi/wifi.h linux-2.6.39.3/drivers/net/wireless/rtlwifi/wifi.h
36732 --- linux-2.6.39.3/drivers/net/wireless/rtlwifi/wifi.h 2011-05-19 00:06:34.000000000 -0400
36733 +++ linux-2.6.39.3/drivers/net/wireless/rtlwifi/wifi.h 2011-05-22 19:36:32.000000000 -0400
36734 @@ -1447,7 +1447,7 @@ struct rtl_hal_cfg {
36735 u8 bar_id;
36736 char *name;
36737 char *fw_name;
36738 - struct rtl_hal_ops *ops;
36739 + const struct rtl_hal_ops *ops;
36740 struct rtl_mod_params *mod_params;
36741 struct rtl_hal_usbint_cfg *usb_interface_cfg;
36742
36743 @@ -1533,7 +1533,7 @@ struct rtl_priv {
36744 *intf_ops : for diff interrface usb/pcie
36745 */
36746 struct rtl_hal_cfg *cfg;
36747 - struct rtl_intf_ops *intf_ops;
36748 + const struct rtl_intf_ops *intf_ops;
36749
36750 /*this var will be set by set_bit,
36751 and was used to indicate status of
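Review bot: `struct rtl_hal_cfg *cfg;` in struct rtl_priv stays non-const although this patch makes `rtl92ce_hal_cfg` and `rtl92cu_hal_cfg` `static const` in the sw.c files. Storing their address here either needs a cast or discards the qualifier, and any later write through `cfg` would target read-only data. The assignment itself is outside this hunk. `const struct rtl_hal_cfg *cfg;` would match the `intf_ops` change on the next line.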
36752 diff -urNp linux-2.6.39.3/drivers/net/wireless/wl12xx/spi.c linux-2.6.39.3/drivers/net/wireless/wl12xx/spi.c
36753 --- linux-2.6.39.3/drivers/net/wireless/wl12xx/spi.c 2011-05-19 00:06:34.000000000 -0400
36754 +++ linux-2.6.39.3/drivers/net/wireless/wl12xx/spi.c 2011-05-22 19:36:32.000000000 -0400
36755 @@ -280,6 +280,8 @@ static void wl1271_spi_raw_write(struct
36756 u32 chunk_len;
36757 int i;
36758
36759 + pax_track_stack();
36760 +
36761 WARN_ON(len > WL1271_AGGR_BUFFER_SIZE);
36762
36763 spi_message_init(&m);
36764 diff -urNp linux-2.6.39.3/drivers/net/xen-netback/interface.c linux-2.6.39.3/drivers/net/xen-netback/interface.c
36765 --- linux-2.6.39.3/drivers/net/xen-netback/interface.c 2011-05-19 00:06:34.000000000 -0400
36766 +++ linux-2.6.39.3/drivers/net/xen-netback/interface.c 2011-05-22 19:36:32.000000000 -0400
36767 @@ -273,7 +273,7 @@ static void xenvif_get_strings(struct ne
36768 }
36769 }
36770
36771 -static struct ethtool_ops xenvif_ethtool_ops = {
36772 +static const struct ethtool_ops xenvif_ethtool_ops = {
36773 .get_tx_csum = ethtool_op_get_tx_csum,
36774 .set_tx_csum = xenvif_set_tx_csum,
36775 .get_sg = ethtool_op_get_sg,
36776 diff -urNp linux-2.6.39.3/drivers/net/xilinx_emaclite.c linux-2.6.39.3/drivers/net/xilinx_emaclite.c
36777 --- linux-2.6.39.3/drivers/net/xilinx_emaclite.c 2011-05-19 00:06:34.000000000 -0400
36778 +++ linux-2.6.39.3/drivers/net/xilinx_emaclite.c 2011-05-22 19:36:32.000000000 -0400
36779 @@ -1085,7 +1085,7 @@ static bool get_bool(struct platform_dev
36780 }
36781 }
36782
36783 -static struct net_device_ops xemaclite_netdev_ops;
36784 +static const struct net_device_ops xemaclite_netdev_ops;
36785
36786 /**
36787 * xemaclite_of_probe - Probe method for the Emaclite device.
36788 @@ -1264,7 +1264,7 @@ xemaclite_poll_controller(struct net_dev
36789 }
36790 #endif
36791
36792 -static struct net_device_ops xemaclite_netdev_ops = {
36793 +static const struct net_device_ops xemaclite_netdev_ops = {
36794 .ndo_open = xemaclite_open,
36795 .ndo_stop = xemaclite_close,
36796 .ndo_start_xmit = xemaclite_send,
36797 diff -urNp linux-2.6.39.3/drivers/nfc/pn544.c linux-2.6.39.3/drivers/nfc/pn544.c
36798 --- linux-2.6.39.3/drivers/nfc/pn544.c 2011-05-19 00:06:34.000000000 -0400
36799 +++ linux-2.6.39.3/drivers/nfc/pn544.c 2011-05-22 19:36:32.000000000 -0400
36800 @@ -89,7 +89,7 @@ static ssize_t pn544_test(struct device
36801
36802 static int pn544_enable(struct pn544_info *info, int mode)
36803 {
36804 - struct pn544_nfc_platform_data *pdata;
36805 + const struct pn544_nfc_platform_data *pdata;
36806 struct i2c_client *client = info->i2c_dev;
36807
36808 int r;
36809 @@ -118,7 +118,7 @@ static int pn544_enable(struct pn544_inf
36810
36811 static void pn544_disable(struct pn544_info *info)
36812 {
36813 - struct pn544_nfc_platform_data *pdata;
36814 + const struct pn544_nfc_platform_data *pdata;
36815 struct i2c_client *client = info->i2c_dev;
36816
36817 pdata = client->dev.platform_data;
36818 @@ -509,7 +509,7 @@ static long pn544_ioctl(struct file *fil
36819 struct pn544_info *info = container_of(file->private_data,
36820 struct pn544_info, miscdev);
36821 struct i2c_client *client = info->i2c_dev;
36822 - struct pn544_nfc_platform_data *pdata;
36823 + const struct pn544_nfc_platform_data *pdata;
36824 unsigned int val;
36825 int r = 0;
36826
36827 @@ -715,7 +715,7 @@ static int __devinit pn544_probe(struct
36828 const struct i2c_device_id *id)
36829 {
36830 struct pn544_info *info;
36831 - struct pn544_nfc_platform_data *pdata;
36832 + const struct pn544_nfc_platform_data *pdata;
36833 int r = 0;
36834
36835 dev_dbg(&client->dev, "%s\n", __func__);
36836 diff -urNp linux-2.6.39.3/drivers/of/pdt.c linux-2.6.39.3/drivers/of/pdt.c
36837 --- linux-2.6.39.3/drivers/of/pdt.c 2011-05-19 00:06:34.000000000 -0400
36838 +++ linux-2.6.39.3/drivers/of/pdt.c 2011-05-22 19:36:32.000000000 -0400
36839 @@ -24,7 +24,7 @@
36840 #include <linux/of_pdt.h>
36841 #include <asm/prom.h>
36842
36843 -static struct of_pdt_ops *of_pdt_prom_ops __initdata;
36844 +static const struct of_pdt_ops *of_pdt_prom_ops;
36845
36846 void __initdata (*of_pdt_build_more)(struct device_node *dp,
36847 struct device_node ***nextp);
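Review bot: The new declaration of `of_pdt_prom_ops` drops `__initdata` along with adding `const`, and nothing in the hunk explains why. Only the pointee becomes const; the pointer variable itself stays writable, so the annotation looks like it could be kept as `static const struct of_pdt_ops *of_pdt_prom_ops __initdata;`, matching `of_pdt_build_more` just below. If the removal is deliberate, for example to avoid a section conflict, a one-line comment saying so would stop a later cleanup from putting it back.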
36848 diff -urNp linux-2.6.39.3/drivers/oprofile/buffer_sync.c linux-2.6.39.3/drivers/oprofile/buffer_sync.c
36849 --- linux-2.6.39.3/drivers/oprofile/buffer_sync.c 2011-06-25 12:55:22.000000000 -0400
36850 +++ linux-2.6.39.3/drivers/oprofile/buffer_sync.c 2011-06-25 13:00:26.000000000 -0400
36851 @@ -343,7 +343,7 @@ static void add_data(struct op_entry *en
36852 if (cookie == NO_COOKIE)
36853 offset = pc;
36854 if (cookie == INVALID_COOKIE) {
36855 - atomic_inc(&oprofile_stats.sample_lost_no_mapping);
36856 + atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mapping);
36857 offset = pc;
36858 }
36859 if (cookie != last_cookie) {
36860 @@ -387,14 +387,14 @@ add_sample(struct mm_struct *mm, struct
36861 /* add userspace sample */
36862
36863 if (!mm) {
36864 - atomic_inc(&oprofile_stats.sample_lost_no_mm);
36865 + atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mm);
36866 return 0;
36867 }
36868
36869 cookie = lookup_dcookie(mm, s->eip, &offset);
36870
36871 if (cookie == INVALID_COOKIE) {
36872 - atomic_inc(&oprofile_stats.sample_lost_no_mapping);
36873 + atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mapping);
36874 return 0;
36875 }
36876
36877 @@ -563,7 +563,7 @@ void sync_buffer(int cpu)
36878 /* ignore backtraces if failed to add a sample */
36879 if (state == sb_bt_start) {
36880 state = sb_bt_ignore;
36881 - atomic_inc(&oprofile_stats.bt_lost_no_mapping);
36882 + atomic_inc_unchecked(&oprofile_stats.bt_lost_no_mapping);
36883 }
36884 }
36885 release_mm(mm);
36886 diff -urNp linux-2.6.39.3/drivers/oprofile/event_buffer.c linux-2.6.39.3/drivers/oprofile/event_buffer.c
36887 --- linux-2.6.39.3/drivers/oprofile/event_buffer.c 2011-05-19 00:06:34.000000000 -0400
36888 +++ linux-2.6.39.3/drivers/oprofile/event_buffer.c 2011-05-22 19:36:32.000000000 -0400
36889 @@ -53,7 +53,7 @@ void add_event_entry(unsigned long value
36890 }
36891
36892 if (buffer_pos == buffer_size) {
36893 - atomic_inc(&oprofile_stats.event_lost_overflow);
36894 + atomic_inc_unchecked(&oprofile_stats.event_lost_overflow);
36895 return;
36896 }
36897
36898 diff -urNp linux-2.6.39.3/drivers/oprofile/oprof.c linux-2.6.39.3/drivers/oprofile/oprof.c
36899 --- linux-2.6.39.3/drivers/oprofile/oprof.c 2011-05-19 00:06:34.000000000 -0400
36900 +++ linux-2.6.39.3/drivers/oprofile/oprof.c 2011-05-22 19:36:32.000000000 -0400
36901 @@ -110,7 +110,7 @@ static void switch_worker(struct work_st
36902 if (oprofile_ops.switch_events())
36903 return;
36904
36905 - atomic_inc(&oprofile_stats.multiplex_counter);
36906 + atomic_inc_unchecked(&oprofile_stats.multiplex_counter);
36907 start_switch_worker();
36908 }
36909
36910 diff -urNp linux-2.6.39.3/drivers/oprofile/oprofilefs.c linux-2.6.39.3/drivers/oprofile/oprofilefs.c
36911 --- linux-2.6.39.3/drivers/oprofile/oprofilefs.c 2011-05-19 00:06:34.000000000 -0400
36912 +++ linux-2.6.39.3/drivers/oprofile/oprofilefs.c 2011-05-22 19:36:32.000000000 -0400
36913 @@ -186,7 +186,7 @@ static const struct file_operations atom
36914
36915
36916 int oprofilefs_create_ro_atomic(struct super_block *sb, struct dentry *root,
36917 - char const *name, atomic_t *val)
36918 + char const *name, atomic_unchecked_t *val)
36919 {
36920 return __oprofilefs_create_file(sb, root, name,
36921 &atomic_ro_fops, 0444, val);
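Review bot: `val` is handed on to `__oprofilefs_create_file()` and, presumably, stored as an untyped pointer, so the compiler cannot check that the read handler behind `atomic_ro_fops` was converted together with this prototype. That handler is outside the hunk, and no other hunk in this file section changes it. If it still treats the stored pointer as `atomic_t *` and calls `atomic_read()`, it reads an `atomic_unchecked_t` through the wrong type. It should take an `atomic_unchecked_t *` and use `atomic_read_unchecked(val)` so both sides stay in step.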
36922 diff -urNp linux-2.6.39.3/drivers/oprofile/oprofile_stats.c linux-2.6.39.3/drivers/oprofile/oprofile_stats.c
36923 --- linux-2.6.39.3/drivers/oprofile/oprofile_stats.c 2011-05-19 00:06:34.000000000 -0400
36924 +++ linux-2.6.39.3/drivers/oprofile/oprofile_stats.c 2011-05-22 19:36:32.000000000 -0400
36925 @@ -30,11 +30,11 @@ void oprofile_reset_stats(void)
36926 cpu_buf->sample_invalid_eip = 0;
36927 }
36928
36929 - atomic_set(&oprofile_stats.sample_lost_no_mm, 0);
36930 - atomic_set(&oprofile_stats.sample_lost_no_mapping, 0);
36931 - atomic_set(&oprofile_stats.event_lost_overflow, 0);
36932 - atomic_set(&oprofile_stats.bt_lost_no_mapping, 0);
36933 - atomic_set(&oprofile_stats.multiplex_counter, 0);
36934 + atomic_set_unchecked(&oprofile_stats.sample_lost_no_mm, 0);
36935 + atomic_set_unchecked(&oprofile_stats.sample_lost_no_mapping, 0);
36936 + atomic_set_unchecked(&oprofile_stats.event_lost_overflow, 0);
36937 + atomic_set_unchecked(&oprofile_stats.bt_lost_no_mapping, 0);
36938 + atomic_set_unchecked(&oprofile_stats.multiplex_counter, 0);
36939 }
36940
36941
36942 diff -urNp linux-2.6.39.3/drivers/oprofile/oprofile_stats.h linux-2.6.39.3/drivers/oprofile/oprofile_stats.h
36943 --- linux-2.6.39.3/drivers/oprofile/oprofile_stats.h 2011-05-19 00:06:34.000000000 -0400
36944 +++ linux-2.6.39.3/drivers/oprofile/oprofile_stats.h 2011-05-22 19:36:32.000000000 -0400
36945 @@ -13,11 +13,11 @@
36946 #include <asm/atomic.h>
36947
36948 struct oprofile_stat_struct {
36949 - atomic_t sample_lost_no_mm;
36950 - atomic_t sample_lost_no_mapping;
36951 - atomic_t bt_lost_no_mapping;
36952 - atomic_t event_lost_overflow;
36953 - atomic_t multiplex_counter;
36954 + atomic_unchecked_t sample_lost_no_mm;
36955 + atomic_unchecked_t sample_lost_no_mapping;
36956 + atomic_unchecked_t bt_lost_no_mapping;
36957 + atomic_unchecked_t event_lost_overflow;
36958 + atomic_unchecked_t multiplex_counter;
36959 };
36960
36961 extern struct oprofile_stat_struct oprofile_stats;
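Review bot: The struct gives no reason why these five counters switch to `atomic_unchecked_t`, the variant this patch uses for atomics exempt from overflow detection. A comment above the struct such as `/* statistics only: wrap-around is harmless, so these are exempt from overflow checks */` would record that none of them is a reference count. The same conversion is applied without comment at the call sites in buffer_sync.c, event_buffer.c, oprof.c and oprofile_stats.c.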
36962 diff -urNp linux-2.6.39.3/drivers/parisc/dino.c linux-2.6.39.3/drivers/parisc/dino.c
36963 --- linux-2.6.39.3/drivers/parisc/dino.c 2011-05-19 00:06:34.000000000 -0400
36964 +++ linux-2.6.39.3/drivers/parisc/dino.c 2011-05-22 19:36:32.000000000 -0400
36965 @@ -238,7 +238,7 @@ static int dino_cfg_write(struct pci_bus
36966 return 0;
36967 }
36968
36969 -static struct pci_ops dino_cfg_ops = {
36970 +static const struct pci_ops dino_cfg_ops = {
36971 .read = dino_cfg_read,
36972 .write = dino_cfg_write,
36973 };
36974 diff -urNp linux-2.6.39.3/drivers/parisc/lba_pci.c linux-2.6.39.3/drivers/parisc/lba_pci.c
36975 --- linux-2.6.39.3/drivers/parisc/lba_pci.c 2011-05-19 00:06:34.000000000 -0400
36976 +++ linux-2.6.39.3/drivers/parisc/lba_pci.c 2011-05-22 19:36:32.000000000 -0400
36977 @@ -468,7 +468,7 @@ static int elroy_cfg_write(struct pci_bu
36978 }
36979
36980
36981 -static struct pci_ops elroy_cfg_ops = {
36982 +static const struct pci_ops elroy_cfg_ops = {
36983 .read = elroy_cfg_read,
36984 .write = elroy_cfg_write,
36985 };
36986 @@ -541,7 +541,7 @@ static int mercury_cfg_write(struct pci_
36987 return 0;
36988 }
36989
36990 -static struct pci_ops mercury_cfg_ops = {
36991 +static const struct pci_ops mercury_cfg_ops = {
36992 .read = mercury_cfg_read,
36993 .write = mercury_cfg_write,
36994 };
36995 @@ -1405,7 +1405,7 @@ lba_driver_probe(struct parisc_device *d
36996 {
36997 struct lba_device *lba_dev;
36998 struct pci_bus *lba_bus;
36999 - struct pci_ops *cfg_ops;
37000 + const struct pci_ops *cfg_ops;
37001 u32 func_class;
37002 void *tmp_obj;
37003 char *version;
37004 diff -urNp linux-2.6.39.3/drivers/parport/procfs.c linux-2.6.39.3/drivers/parport/procfs.c
37005 --- linux-2.6.39.3/drivers/parport/procfs.c 2011-05-19 00:06:34.000000000 -0400
37006 +++ linux-2.6.39.3/drivers/parport/procfs.c 2011-05-22 19:36:32.000000000 -0400
37007 @@ -64,7 +64,7 @@ static int do_active_device(ctl_table *t
37008
37009 *ppos += len;
37010
37011 - return copy_to_user(result, buffer, len) ? -EFAULT : 0;
37012 + return (len > sizeof buffer || copy_to_user(result, buffer, len)) ? -EFAULT : 0;
37013 }
37014
37015 #ifdef CONFIG_PARPORT_1284
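Review bot: The added `len > sizeof buffer` test runs after `*ppos += len;`, so a rejected read still advances the file position, and it runs after `buffer` has been filled, so it only bounds the copy-out. Moving the check ahead of the position update, as `if (len > sizeof buffer) return -EFAULT;`, keeps the failure path free of side effects. The same applies to the second hunk, in do_autoprobe(). Whether `len` can exceed the buffer at all depends on the formatting code above, which is outside both hunks, as is the declaration of `buffer` that `sizeof` relies on being an array.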
37016 @@ -106,7 +106,7 @@ static int do_autoprobe(ctl_table *table
37017
37018 *ppos += len;
37019
37020 - return copy_to_user (result, buffer, len) ? -EFAULT : 0;
37021 + return (len > sizeof buffer || copy_to_user (result, buffer, len)) ? -EFAULT : 0;
37022 }
37023 #endif /* IEEE1284.3 support. */
37024
37025 diff -urNp linux-2.6.39.3/drivers/pci/access.c linux-2.6.39.3/drivers/pci/access.c
37026 --- linux-2.6.39.3/drivers/pci/access.c 2011-05-19 00:06:34.000000000 -0400
37027 +++ linux-2.6.39.3/drivers/pci/access.c 2011-05-22 19:36:32.000000000 -0400
37028 @@ -74,9 +74,9 @@ EXPORT_SYMBOL(pci_bus_write_config_dword
37029 *
37030 * Return previous raw operations
37031 */
37032 -struct pci_ops *pci_bus_set_ops(struct pci_bus *bus, struct pci_ops *ops)
37033 +const struct pci_ops *pci_bus_set_ops(struct pci_bus *bus, const struct pci_ops *ops)
37034 {
37035 - struct pci_ops *old_ops;
37036 + const struct pci_ops *old_ops;
37037 unsigned long flags;
37038
37039 raw_spin_lock_irqsave(&pci_lock, flags);
37040 diff -urNp linux-2.6.39.3/drivers/pci/hotplug/acpiphp_glue.c linux-2.6.39.3/drivers/pci/hotplug/acpiphp_glue.c
37041 --- linux-2.6.39.3/drivers/pci/hotplug/acpiphp_glue.c 2011-05-19 00:06:34.000000000 -0400
37042 +++ linux-2.6.39.3/drivers/pci/hotplug/acpiphp_glue.c 2011-05-22 19:36:32.000000000 -0400
37043 @@ -110,7 +110,7 @@ static int post_dock_fixups(struct notif
37044 }
37045
37046
37047 -static struct acpi_dock_ops acpiphp_dock_ops = {
37048 +static const struct acpi_dock_ops acpiphp_dock_ops = {
37049 .handler = handle_hotplug_event_func,
37050 };
37051
37052 diff -urNp linux-2.6.39.3/drivers/pci/hotplug/cpqphp_nvram.c linux-2.6.39.3/drivers/pci/hotplug/cpqphp_nvram.c
37053 --- linux-2.6.39.3/drivers/pci/hotplug/cpqphp_nvram.c 2011-05-19 00:06:34.000000000 -0400
37054 +++ linux-2.6.39.3/drivers/pci/hotplug/cpqphp_nvram.c 2011-05-22 19:36:32.000000000 -0400
37055 @@ -428,9 +428,13 @@ static u32 store_HRT (void __iomem *rom_
37056
37057 void compaq_nvram_init (void __iomem *rom_start)
37058 {
37059 +
37060 +#ifndef CONFIG_PAX_KERNEXEC
37061 if (rom_start) {
37062 compaq_int15_entry_point = (rom_start + ROM_INT15_PHY_ADDR - ROM_PHY_ADDR);
37063 }
37064 +#endif
37065 +
37066 dbg("int15 entry = %p\n", compaq_int15_entry_point);
37067
37068 /* initialize our int15 lock */
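Review bot: With CONFIG_PAX_KERNEXEC set, `compaq_int15_entry_point` is never assigned in compaq_nvram_init(), yet the function carries on as if NVRAM access were available and the `dbg()` line still prints the pointer. The code that calls through the entry point is outside the hunk; it should be checked to fail cleanly when the pointer is unset. A comment on the guard, e.g. `/* KERNEXEC: the ROM int15 entry is not called, leave it unset */`, would record the intent, which the hunk only lets one infer. compaq_nvram_init() continues past the end of the hunk.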
37069 diff -urNp linux-2.6.39.3/drivers/pci/hotplug/shpchp.h linux-2.6.39.3/drivers/pci/hotplug/shpchp.h
37070 --- linux-2.6.39.3/drivers/pci/hotplug/shpchp.h 2011-05-19 00:06:34.000000000 -0400
37071 +++ linux-2.6.39.3/drivers/pci/hotplug/shpchp.h 2011-05-22 19:36:32.000000000 -0400
37072 @@ -86,7 +86,7 @@ struct slot {
37073 u8 presence_save;
37074 u8 pwr_save;
37075 struct controller *ctrl;
37076 - struct hpc_ops *hpc_ops;
37077 + const struct hpc_ops *hpc_ops;
37078 struct hotplug_slot *hotplug_slot;
37079 struct list_head slot_list;
37080 struct delayed_work work; /* work for button event */
37081 @@ -107,7 +107,7 @@ struct controller {
37082 int slot_num_inc; /* 1 or -1 */
37083 struct pci_dev *pci_dev;
37084 struct list_head slot_list;
37085 - struct hpc_ops *hpc_ops;
37086 + const struct hpc_ops *hpc_ops;
37087 wait_queue_head_t queue; /* sleep & wake process */
37088 u8 slot_device_offset;
37089 u32 pcix_misc2_reg; /* for amd pogo errata */
37090 diff -urNp linux-2.6.39.3/drivers/pci/hotplug/shpchp_hpc.c linux-2.6.39.3/drivers/pci/hotplug/shpchp_hpc.c
37091 --- linux-2.6.39.3/drivers/pci/hotplug/shpchp_hpc.c 2011-05-19 00:06:34.000000000 -0400
37092 +++ linux-2.6.39.3/drivers/pci/hotplug/shpchp_hpc.c 2011-05-22 19:36:32.000000000 -0400
37093 @@ -910,7 +910,7 @@ static int shpc_get_max_bus_speed(struct
37094 return retval;
37095 }
37096
37097 -static struct hpc_ops shpchp_hpc_ops = {
37098 +static const struct hpc_ops shpchp_hpc_ops = {
37099 .power_on_slot = hpc_power_on_slot,
37100 .slot_enable = hpc_slot_enable,
37101 .slot_disable = hpc_slot_disable,
37102 diff -urNp linux-2.6.39.3/drivers/pci/intel-iommu.c linux-2.6.39.3/drivers/pci/intel-iommu.c
37103 --- linux-2.6.39.3/drivers/pci/intel-iommu.c 2011-06-25 12:55:22.000000000 -0400
37104 +++ linux-2.6.39.3/drivers/pci/intel-iommu.c 2011-06-25 13:00:26.000000000 -0400
37105 @@ -393,7 +393,7 @@ static int intel_iommu_strict;
37106 static DEFINE_SPINLOCK(device_domain_lock);
37107 static LIST_HEAD(device_domain_list);
37108
37109 -static struct iommu_ops intel_iommu_ops;
37110 +static const struct iommu_ops intel_iommu_ops;
37111
37112 static int __init intel_iommu_setup(char *str)
37113 {
37114 @@ -2964,7 +2964,7 @@ static int intel_mapping_error(struct de
37115 return !dma_addr;
37116 }
37117
37118 -struct dma_map_ops intel_dma_ops = {
37119 +const struct dma_map_ops intel_dma_ops = {
37120 .alloc_coherent = intel_alloc_coherent,
37121 .free_coherent = intel_free_coherent,
37122 .map_sg = intel_map_sg,
37123 @@ -3761,7 +3761,7 @@ static int intel_iommu_domain_has_cap(st
37124 return 0;
37125 }
37126
37127 -static struct iommu_ops intel_iommu_ops = {
37128 +static const struct iommu_ops intel_iommu_ops = {
37129 .domain_init = intel_iommu_domain_init,
37130 .domain_destroy = intel_iommu_domain_destroy,
37131 .attach_dev = intel_iommu_attach_device,
37132 diff -urNp linux-2.6.39.3/drivers/pci/pci-acpi.c linux-2.6.39.3/drivers/pci/pci-acpi.c
37133 --- linux-2.6.39.3/drivers/pci/pci-acpi.c 2011-05-19 00:06:34.000000000 -0400
37134 +++ linux-2.6.39.3/drivers/pci/pci-acpi.c 2011-05-22 19:36:32.000000000 -0400
37135 @@ -332,7 +332,7 @@ static int acpi_pci_run_wake(struct pci_
37136 return 0;
37137 }
37138
37139 -static struct pci_platform_pm_ops acpi_pci_platform_pm = {
37140 +static const struct pci_platform_pm_ops acpi_pci_platform_pm = {
37141 .is_manageable = acpi_pci_power_manageable,
37142 .set_state = acpi_pci_set_power_state,
37143 .choose_state = acpi_pci_choose_state,
37144 diff -urNp linux-2.6.39.3/drivers/pci/pci.c linux-2.6.39.3/drivers/pci/pci.c
37145 --- linux-2.6.39.3/drivers/pci/pci.c 2011-05-19 00:06:34.000000000 -0400
37146 +++ linux-2.6.39.3/drivers/pci/pci.c 2011-05-22 19:36:32.000000000 -0400
37147 @@ -480,9 +480,9 @@ pci_restore_bars(struct pci_dev *dev)
37148 pci_update_resource(dev, i);
37149 }
37150
37151 -static struct pci_platform_pm_ops *pci_platform_pm;
37152 +static const struct pci_platform_pm_ops *pci_platform_pm;
37153
37154 -int pci_set_platform_pm(struct pci_platform_pm_ops *ops)
37155 +int pci_set_platform_pm(const struct pci_platform_pm_ops *ops)
37156 {
37157 if (!ops->is_manageable || !ops->set_state || !ops->choose_state
37158 || !ops->sleep_wake || !ops->can_wakeup)
37159 diff -urNp linux-2.6.39.3/drivers/pci/pcie/aer/aerdrv_core.c linux-2.6.39.3/drivers/pci/pcie/aer/aerdrv_core.c
37160 --- linux-2.6.39.3/drivers/pci/pcie/aer/aerdrv_core.c 2011-05-19 00:06:34.000000000 -0400
37161 +++ linux-2.6.39.3/drivers/pci/pcie/aer/aerdrv_core.c 2011-05-22 19:36:32.000000000 -0400
37162 @@ -239,7 +239,7 @@ static bool find_source_device(struct pc
37163 static int report_error_detected(struct pci_dev *dev, void *data)
37164 {
37165 pci_ers_result_t vote;
37166 - struct pci_error_handlers *err_handler;
37167 + const struct pci_error_handlers *err_handler;
37168 struct aer_broadcast_data *result_data;
37169 result_data = (struct aer_broadcast_data *) data;
37170
37171 @@ -273,7 +273,7 @@ static int report_error_detected(struct
37172 static int report_mmio_enabled(struct pci_dev *dev, void *data)
37173 {
37174 pci_ers_result_t vote;
37175 - struct pci_error_handlers *err_handler;
37176 + const struct pci_error_handlers *err_handler;
37177 struct aer_broadcast_data *result_data;
37178 result_data = (struct aer_broadcast_data *) data;
37179
37180 @@ -291,7 +291,7 @@ static int report_mmio_enabled(struct pc
37181 static int report_slot_reset(struct pci_dev *dev, void *data)
37182 {
37183 pci_ers_result_t vote;
37184 - struct pci_error_handlers *err_handler;
37185 + const struct pci_error_handlers *err_handler;
37186 struct aer_broadcast_data *result_data;
37187 result_data = (struct aer_broadcast_data *) data;
37188
37189 @@ -308,7 +308,7 @@ static int report_slot_reset(struct pci_
37190
37191 static int report_resume(struct pci_dev *dev, void *data)
37192 {
37193 - struct pci_error_handlers *err_handler;
37194 + const struct pci_error_handlers *err_handler;
37195
37196 dev->error_state = pci_channel_io_normal;
37197
37198 diff -urNp linux-2.6.39.3/drivers/pci/pcie/aer/aer_inject.c linux-2.6.39.3/drivers/pci/pcie/aer/aer_inject.c
37199 --- linux-2.6.39.3/drivers/pci/pcie/aer/aer_inject.c 2011-05-19 00:06:34.000000000 -0400
37200 +++ linux-2.6.39.3/drivers/pci/pcie/aer/aer_inject.c 2011-05-22 19:36:32.000000000 -0400
37201 @@ -64,7 +64,7 @@ struct aer_error {
37202 struct pci_bus_ops {
37203 struct list_head list;
37204 struct pci_bus *bus;
37205 - struct pci_ops *ops;
37206 + const struct pci_ops *ops;
37207 };
37208
37209 static LIST_HEAD(einjected);
37210 @@ -110,7 +110,7 @@ static struct aer_error *__find_aer_erro
37211 }
37212
37213 /* inject_lock must be held before calling */
37214 -static struct pci_ops *__find_pci_bus_ops(struct pci_bus *bus)
37215 +static const struct pci_ops *__find_pci_bus_ops(struct pci_bus *bus)
37216 {
37217 struct pci_bus_ops *bus_ops;
37218
37219 @@ -187,7 +187,7 @@ static int pci_read_aer(struct pci_bus *
37220 u32 *sim;
37221 struct aer_error *err;
37222 unsigned long flags;
37223 - struct pci_ops *ops;
37224 + const struct pci_ops *ops;
37225 int domain;
37226
37227 spin_lock_irqsave(&inject_lock, flags);
37228 @@ -219,7 +219,7 @@ int pci_write_aer(struct pci_bus *bus, u
37229 struct aer_error *err;
37230 unsigned long flags;
37231 int rw1cs;
37232 - struct pci_ops *ops;
37233 + const struct pci_ops *ops;
37234 int domain;
37235
37236 spin_lock_irqsave(&inject_lock, flags);
37237 @@ -254,7 +254,7 @@ static struct pci_ops pci_ops_aer = {
37238
37239 static void pci_bus_ops_init(struct pci_bus_ops *bus_ops,
37240 struct pci_bus *bus,
37241 - struct pci_ops *ops)
37242 + const struct pci_ops *ops)
37243 {
37244 INIT_LIST_HEAD(&bus_ops->list);
37245 bus_ops->bus = bus;
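Review bot: The header of this hunk still shows `static struct pci_ops pci_ops_aer = {`, and no hunk in this file touches that definition, so the injector's own ops table appears to stay writable while every pointer to it becomes `const struct pci_ops *`. If nothing writes to it after initialisation, it can be declared `static const struct pci_ops pci_ops_aer = {` like the other ops tables in this patch. pci_bus_ops_init() runs past the end of the hunk.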
37246 @@ -263,7 +263,7 @@ static void pci_bus_ops_init(struct pci_
37247
37248 static int pci_bus_set_aer_ops(struct pci_bus *bus)
37249 {
37250 - struct pci_ops *ops;
37251 + const struct pci_ops *ops;
37252 struct pci_bus_ops *bus_ops;
37253 unsigned long flags;
37254
37255 diff -urNp linux-2.6.39.3/drivers/pci/pcie/aspm.c linux-2.6.39.3/drivers/pci/pcie/aspm.c
37256 --- linux-2.6.39.3/drivers/pci/pcie/aspm.c 2011-05-19 00:06:34.000000000 -0400
37257 +++ linux-2.6.39.3/drivers/pci/pcie/aspm.c 2011-05-22 19:36:32.000000000 -0400
37258 @@ -27,9 +27,9 @@
37259 #define MODULE_PARAM_PREFIX "pcie_aspm."
37260
37261 /* Note: those are not register definitions */
37262 -#define ASPM_STATE_L0S_UP (1) /* Upstream direction L0s state */
37263 -#define ASPM_STATE_L0S_DW (2) /* Downstream direction L0s state */
37264 -#define ASPM_STATE_L1 (4) /* L1 state */
37265 +#define ASPM_STATE_L0S_UP (1U) /* Upstream direction L0s state */
37266 +#define ASPM_STATE_L0S_DW (2U) /* Downstream direction L0s state */
37267 +#define ASPM_STATE_L1 (4U) /* L1 state */
37268 #define ASPM_STATE_L0S (ASPM_STATE_L0S_UP | ASPM_STATE_L0S_DW)
37269 #define ASPM_STATE_ALL (ASPM_STATE_L0S | ASPM_STATE_L1)
37270
37271 diff -urNp linux-2.6.39.3/drivers/pci/pci.h linux-2.6.39.3/drivers/pci/pci.h
37272 --- linux-2.6.39.3/drivers/pci/pci.h 2011-05-19 00:06:34.000000000 -0400
37273 +++ linux-2.6.39.3/drivers/pci/pci.h 2011-05-22 19:36:32.000000000 -0400
37274 @@ -65,7 +65,7 @@ struct pci_platform_pm_ops {
37275 int (*run_wake)(struct pci_dev *dev, bool enable);
37276 };
37277
37278 -extern int pci_set_platform_pm(struct pci_platform_pm_ops *ops);
37279 +extern int pci_set_platform_pm(const struct pci_platform_pm_ops *ops);
37280 extern void pci_update_current_state(struct pci_dev *dev, pci_power_t state);
37281 extern void pci_disable_enabled_device(struct pci_dev *dev);
37282 extern int pci_finish_runtime_suspend(struct pci_dev *dev);
37283 diff -urNp linux-2.6.39.3/drivers/pci/probe.c linux-2.6.39.3/drivers/pci/probe.c
37284 --- linux-2.6.39.3/drivers/pci/probe.c 2011-05-19 00:06:34.000000000 -0400
37285 +++ linux-2.6.39.3/drivers/pci/probe.c 2011-05-22 19:36:32.000000000 -0400
37286 @@ -62,14 +62,14 @@ static ssize_t pci_bus_show_cpuaffinity(
37287 return ret;
37288 }
37289
37290 -static ssize_t inline pci_bus_show_cpumaskaffinity(struct device *dev,
37291 +static inline ssize_t pci_bus_show_cpumaskaffinity(struct device *dev,
37292 struct device_attribute *attr,
37293 char *buf)
37294 {
37295 return pci_bus_show_cpuaffinity(dev, 0, attr, buf);
37296 }
37297
37298 -static ssize_t inline pci_bus_show_cpulistaffinity(struct device *dev,
37299 +static inline ssize_t pci_bus_show_cpulistaffinity(struct device *dev,
37300 struct device_attribute *attr,
37301 char *buf)
37302 {
37303 @@ -165,7 +165,7 @@ int __pci_read_base(struct pci_dev *dev,
37304 u32 l, sz, mask;
37305 u16 orig_cmd;
37306
37307 - mask = type ? PCI_ROM_ADDRESS_MASK : ~0;
37308 + mask = type ? (u32)PCI_ROM_ADDRESS_MASK : ~0;
37309
37310 if (!dev->mmio_always_on) {
37311 pci_read_config_word(dev, PCI_COMMAND, &orig_cmd);
37312 @@ -1407,7 +1407,7 @@ unsigned int __devinit pci_scan_child_bu
37313 }
37314
37315 struct pci_bus * pci_create_bus(struct device *parent,
37316 - int bus, struct pci_ops *ops, void *sysdata)
37317 + int bus, const struct pci_ops *ops, void *sysdata)
37318 {
37319 int error;
37320 struct pci_bus *b, *b2;
37321 @@ -1483,7 +1483,7 @@ err_out:
37322 }
37323
37324 struct pci_bus * __devinit pci_scan_bus_parented(struct device *parent,
37325 - int bus, struct pci_ops *ops, void *sysdata)
37326 + int bus, const struct pci_ops *ops, void *sysdata)
37327 {
37328 struct pci_bus *b;
37329
37330 diff -urNp linux-2.6.39.3/drivers/pci/proc.c linux-2.6.39.3/drivers/pci/proc.c
37331 --- linux-2.6.39.3/drivers/pci/proc.c 2011-05-19 00:06:34.000000000 -0400
37332 +++ linux-2.6.39.3/drivers/pci/proc.c 2011-05-22 19:41:37.000000000 -0400
37333 @@ -476,7 +476,16 @@ static const struct file_operations proc
37334 static int __init pci_proc_init(void)
37335 {
37336 struct pci_dev *dev = NULL;
37337 +
37338 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
37339 +#ifdef CONFIG_GRKERNSEC_PROC_USER
37340 + proc_bus_pci_dir = proc_mkdir_mode("bus/pci", S_IRUSR | S_IXUSR, NULL);
37341 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
37342 + proc_bus_pci_dir = proc_mkdir_mode("bus/pci", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
37343 +#endif
37344 +#else
37345 proc_bus_pci_dir = proc_mkdir("bus/pci", NULL);
37346 +#endif
37347 proc_create("devices", 0, proc_bus_pci_dir,
37348 &proc_bus_pci_dev_operations);
37349 proc_initialized = 1;
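Review bot: When CONFIG_GRKERNSEC_PROC_ADD is defined but neither CONFIG_GRKERNSEC_PROC_USER nor CONFIG_GRKERNSEC_PROC_USERGROUP is, no branch assigns `proc_bus_pci_dir`, and the following `proc_create("devices", 0, proc_bus_pci_dir, ...)` runs with whatever the variable held before. Kconfig may rule that combination out, but that is not visible here. Flattening the conditions removes the gap: `#if defined(CONFIG_GRKERNSEC_PROC_ADD) && defined(CONFIG_GRKERNSEC_PROC_USER)`, then `#elif defined(CONFIG_GRKERNSEC_PROC_ADD) && defined(CONFIG_GRKERNSEC_PROC_USERGROUP)`, with the plain `proc_mkdir("bus/pci", NULL)` as the single `#else`. pci_proc_init() continues past the end of the hunk.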
37350 diff -urNp linux-2.6.39.3/drivers/pci/xen-pcifront.c linux-2.6.39.3/drivers/pci/xen-pcifront.c
37351 --- linux-2.6.39.3/drivers/pci/xen-pcifront.c 2011-05-19 00:06:34.000000000 -0400
37352 +++ linux-2.6.39.3/drivers/pci/xen-pcifront.c 2011-05-22 19:36:32.000000000 -0400
37353 @@ -187,6 +187,8 @@ static int pcifront_bus_read(struct pci_
37354 struct pcifront_sd *sd = bus->sysdata;
37355 struct pcifront_device *pdev = pcifront_get_pdev(sd);
37356
37357 + pax_track_stack();
37358 +
37359 if (verbose_request)
37360 dev_info(&pdev->xdev->dev,
37361 "read dev=%04x:%02x:%02x.%01x - offset %x size %d\n",
37362 @@ -226,6 +228,8 @@ static int pcifront_bus_write(struct pci
37363 struct pcifront_sd *sd = bus->sysdata;
37364 struct pcifront_device *pdev = pcifront_get_pdev(sd);
37365
37366 + pax_track_stack();
37367 +
37368 if (verbose_request)
37369 dev_info(&pdev->xdev->dev,
37370 "write dev=%04x:%02x:%02x.%01x - "
37371 @@ -236,7 +240,7 @@ static int pcifront_bus_write(struct pci
37372 return errno_to_pcibios_err(do_pci_op(pdev, &op));
37373 }
37374
37375 -struct pci_ops pcifront_bus_ops = {
37376 +const struct pci_ops pcifront_bus_ops = {
37377 .read = pcifront_bus_read,
37378 .write = pcifront_bus_write,
37379 };
37380 @@ -258,6 +262,8 @@ static int pci_frontend_enable_msix(stru
37381 struct pcifront_device *pdev = pcifront_get_pdev(sd);
37382 struct msi_desc *entry;
37383
37384 + pax_track_stack();
37385 +
37386 if (nvec > SH_INFO_MAX_VEC) {
37387 dev_err(&dev->dev, "too much vector for pci frontend: %x."
37388 " Increase SH_INFO_MAX_VEC.\n", nvec);
37389 @@ -309,6 +315,8 @@ static void pci_frontend_disable_msix(st
37390 struct pcifront_sd *sd = dev->bus->sysdata;
37391 struct pcifront_device *pdev = pcifront_get_pdev(sd);
37392
37393 + pax_track_stack();
37394 +
37395 err = do_pci_op(pdev, &op);
37396
37397 /* What should do for error ? */
37398 @@ -328,6 +336,8 @@ static int pci_frontend_enable_msi(struc
37399 struct pcifront_sd *sd = dev->bus->sysdata;
37400 struct pcifront_device *pdev = pcifront_get_pdev(sd);
37401
37402 + pax_track_stack();
37403 +
37404 err = do_pci_op(pdev, &op);
37405 if (likely(!err)) {
37406 vector[0] = op.value;
37407 @@ -368,7 +378,7 @@ static void pci_frontend_disable_msi(str
37408 printk(KERN_DEBUG "get fake response frombackend\n");
37409 }
37410
37411 -static struct xen_pci_frontend_ops pci_frontend_ops = {
37412 +static const struct xen_pci_frontend_ops pci_frontend_ops = {
37413 .enable_msi = pci_frontend_enable_msi,
37414 .disable_msi = pci_frontend_disable_msi,
37415 .enable_msix = pci_frontend_enable_msix,
37416 diff -urNp linux-2.6.39.3/drivers/pcmcia/at91_cf.c linux-2.6.39.3/drivers/pcmcia/at91_cf.c
37417 --- linux-2.6.39.3/drivers/pcmcia/at91_cf.c 2011-05-19 00:06:34.000000000 -0400
37418 +++ linux-2.6.39.3/drivers/pcmcia/at91_cf.c 2011-05-22 19:36:32.000000000 -0400
37419 @@ -203,7 +203,7 @@ at91_cf_set_mem_map(struct pcmcia_socket
37420 return 0;
37421 }
37422
37423 -static struct pccard_operations at91_cf_ops = {
37424 +static const struct pccard_operations at91_cf_ops = {
37425 .init = at91_cf_ss_init,
37426 .suspend = at91_cf_ss_suspend,
37427 .get_status = at91_cf_get_status,
37428 diff -urNp linux-2.6.39.3/drivers/pcmcia/bfin_cf_pcmcia.c linux-2.6.39.3/drivers/pcmcia/bfin_cf_pcmcia.c
37429 --- linux-2.6.39.3/drivers/pcmcia/bfin_cf_pcmcia.c 2011-05-19 00:06:34.000000000 -0400
37430 +++ linux-2.6.39.3/drivers/pcmcia/bfin_cf_pcmcia.c 2011-05-22 19:36:32.000000000 -0400
37431 @@ -184,7 +184,7 @@ bfin_cf_set_mem_map(struct pcmcia_socket
37432 return 0;
37433 }
37434
37435 -static struct pccard_operations bfin_cf_ops = {
37436 +static const struct pccard_operations bfin_cf_ops = {
37437 .init = bfin_cf_ss_init,
37438 .suspend = bfin_cf_ss_suspend,
37439 .get_status = bfin_cf_get_status,
37440 diff -urNp linux-2.6.39.3/drivers/pcmcia/db1xxx_ss.c linux-2.6.39.3/drivers/pcmcia/db1xxx_ss.c
37441 --- linux-2.6.39.3/drivers/pcmcia/db1xxx_ss.c 2011-05-19 00:06:34.000000000 -0400
37442 +++ linux-2.6.39.3/drivers/pcmcia/db1xxx_ss.c 2011-05-22 19:36:32.000000000 -0400
37443 @@ -384,7 +384,7 @@ static int au1x00_pcmcia_set_mem_map(str
37444 return 0;
37445 }
37446
37447 -static struct pccard_operations db1x_pcmcia_operations = {
37448 +static const struct pccard_operations db1x_pcmcia_operations = {
37449 .init = db1x_pcmcia_sock_init,
37450 .suspend = db1x_pcmcia_sock_suspend,
37451 .get_status = db1x_pcmcia_get_status,
37452 diff -urNp linux-2.6.39.3/drivers/pcmcia/electra_cf.c linux-2.6.39.3/drivers/pcmcia/electra_cf.c
37453 --- linux-2.6.39.3/drivers/pcmcia/electra_cf.c 2011-05-19 00:06:34.000000000 -0400
37454 +++ linux-2.6.39.3/drivers/pcmcia/electra_cf.c 2011-05-22 19:36:32.000000000 -0400
37455 @@ -173,7 +173,7 @@ static int electra_cf_set_mem_map(struct
37456 return 0;
37457 }
37458
37459 -static struct pccard_operations electra_cf_ops = {
37460 +static const struct pccard_operations electra_cf_ops = {
37461 .init = electra_cf_ss_init,
37462 .get_status = electra_cf_get_status,
37463 .set_socket = electra_cf_set_socket,
37464 diff -urNp linux-2.6.39.3/drivers/pcmcia/m32r_cfc.c linux-2.6.39.3/drivers/pcmcia/m32r_cfc.c
37465 --- linux-2.6.39.3/drivers/pcmcia/m32r_cfc.c 2011-05-19 00:06:34.000000000 -0400
37466 +++ linux-2.6.39.3/drivers/pcmcia/m32r_cfc.c 2011-05-22 19:36:32.000000000 -0400
37467 @@ -674,7 +674,7 @@ static int pcc_init(struct pcmcia_socket
37468 return 0;
37469 }
37470
37471 -static struct pccard_operations pcc_operations = {
37472 +static const struct pccard_operations pcc_operations = {
37473 .init = pcc_init,
37474 .get_status = pcc_get_status,
37475 .set_socket = pcc_set_socket,
37476 diff -urNp linux-2.6.39.3/drivers/pcmcia/m32r_pcc.c linux-2.6.39.3/drivers/pcmcia/m32r_pcc.c
37477 --- linux-2.6.39.3/drivers/pcmcia/m32r_pcc.c 2011-05-19 00:06:34.000000000 -0400
37478 +++ linux-2.6.39.3/drivers/pcmcia/m32r_pcc.c 2011-05-22 19:36:32.000000000 -0400
37479 @@ -652,7 +652,7 @@ static int pcc_init(struct pcmcia_socket
37480 return 0;
37481 }
37482
37483 -static struct pccard_operations pcc_operations = {
37484 +static const struct pccard_operations pcc_operations = {
37485 .init = pcc_init,
37486 .get_status = pcc_get_status,
37487 .set_socket = pcc_set_socket,
37488 diff -urNp linux-2.6.39.3/drivers/pcmcia/m8xx_pcmcia.c linux-2.6.39.3/drivers/pcmcia/m8xx_pcmcia.c
37489 --- linux-2.6.39.3/drivers/pcmcia/m8xx_pcmcia.c 2011-05-19 00:06:34.000000000 -0400
37490 +++ linux-2.6.39.3/drivers/pcmcia/m8xx_pcmcia.c 2011-05-22 19:36:32.000000000 -0400
37491 @@ -1139,7 +1139,7 @@ static int m8xx_sock_suspend(struct pcmc
37492 return m8xx_set_socket(sock, &dead_socket);
37493 }
37494
37495 -static struct pccard_operations m8xx_services = {
37496 +static const struct pccard_operations m8xx_services = {
37497 .init = m8xx_sock_init,
37498 .suspend = m8xx_sock_suspend,
37499 .get_status = m8xx_get_status,
37500 diff -urNp linux-2.6.39.3/drivers/pcmcia/omap_cf.c linux-2.6.39.3/drivers/pcmcia/omap_cf.c
37501 --- linux-2.6.39.3/drivers/pcmcia/omap_cf.c 2011-05-19 00:06:34.000000000 -0400
37502 +++ linux-2.6.39.3/drivers/pcmcia/omap_cf.c 2011-05-22 19:36:32.000000000 -0400
37503 @@ -185,7 +185,7 @@ omap_cf_set_mem_map(struct pcmcia_socket
37504 return 0;
37505 }
37506
37507 -static struct pccard_operations omap_cf_ops = {
37508 +static const struct pccard_operations omap_cf_ops = {
37509 .init = omap_cf_ss_init,
37510 .suspend = omap_cf_ss_suspend,
37511 .get_status = omap_cf_get_status,
37512 diff -urNp linux-2.6.39.3/drivers/pcmcia/rsrc_iodyn.c linux-2.6.39.3/drivers/pcmcia/rsrc_iodyn.c
37513 --- linux-2.6.39.3/drivers/pcmcia/rsrc_iodyn.c 2011-05-19 00:06:34.000000000 -0400
37514 +++ linux-2.6.39.3/drivers/pcmcia/rsrc_iodyn.c 2011-05-22 19:36:32.000000000 -0400
37515 @@ -161,7 +161,7 @@ static int iodyn_find_io(struct pcmcia_s
37516 }
37517
37518
37519 -struct pccard_resource_ops pccard_iodyn_ops = {
37520 +const struct pccard_resource_ops pccard_iodyn_ops = {
37521 .validate_mem = NULL,
37522 .find_io = iodyn_find_io,
37523 .find_mem = NULL,
37524 diff -urNp linux-2.6.39.3/drivers/pcmcia/rsrc_mgr.c linux-2.6.39.3/drivers/pcmcia/rsrc_mgr.c
37525 --- linux-2.6.39.3/drivers/pcmcia/rsrc_mgr.c 2011-05-19 00:06:34.000000000 -0400
37526 +++ linux-2.6.39.3/drivers/pcmcia/rsrc_mgr.c 2011-05-22 19:36:32.000000000 -0400
37527 @@ -57,7 +57,7 @@ static int static_find_io(struct pcmcia_
37528 }
37529
37530
37531 -struct pccard_resource_ops pccard_static_ops = {
37532 +const struct pccard_resource_ops pccard_static_ops = {
37533 .validate_mem = NULL,
37534 .find_io = static_find_io,
37535 .find_mem = NULL,
37536 diff -urNp linux-2.6.39.3/drivers/pcmcia/vrc4171_card.c linux-2.6.39.3/drivers/pcmcia/vrc4171_card.c
37537 --- linux-2.6.39.3/drivers/pcmcia/vrc4171_card.c 2011-05-19 00:06:34.000000000 -0400
37538 +++ linux-2.6.39.3/drivers/pcmcia/vrc4171_card.c 2011-05-22 19:36:32.000000000 -0400
37539 @@ -479,7 +479,7 @@ static int pccard_set_mem_map(struct pcm
37540 return 0;
37541 }
37542
37543 -static struct pccard_operations vrc4171_pccard_operations = {
37544 +static const struct pccard_operations vrc4171_pccard_operations = {
37545 .init = pccard_init,
37546 .get_status = pccard_get_status,
37547 .set_socket = pccard_set_socket,
37548 diff -urNp linux-2.6.39.3/drivers/pcmcia/vrc4173_cardu.c linux-2.6.39.3/drivers/pcmcia/vrc4173_cardu.c
37549 --- linux-2.6.39.3/drivers/pcmcia/vrc4173_cardu.c 2011-05-19 00:06:34.000000000 -0400
37550 +++ linux-2.6.39.3/drivers/pcmcia/vrc4173_cardu.c 2011-05-22 19:36:32.000000000 -0400
37551 @@ -384,7 +384,7 @@ static void cardu_proc_setup(unsigned in
37552 {
37553 }
37554
37555 -static struct pccard_operations cardu_operations = {
37556 +static const struct pccard_operations cardu_operations = {
37557 .init = cardu_init,
37558 .register_callback = cardu_register_callback,
37559 .inquire_socket = cardu_inquire_socket,
37560 diff -urNp linux-2.6.39.3/drivers/pcmcia/xxs1500_ss.c linux-2.6.39.3/drivers/pcmcia/xxs1500_ss.c
37561 --- linux-2.6.39.3/drivers/pcmcia/xxs1500_ss.c 2011-05-19 00:06:34.000000000 -0400
37562 +++ linux-2.6.39.3/drivers/pcmcia/xxs1500_ss.c 2011-05-22 19:36:32.000000000 -0400
37563 @@ -196,7 +196,7 @@ static int au1x00_pcmcia_set_mem_map(str
37564 return 0;
37565 }
37566
37567 -static struct pccard_operations xxs1500_pcmcia_operations = {
37568 +static const struct pccard_operations xxs1500_pcmcia_operations = {
37569 .init = xxs1500_pcmcia_sock_init,
37570 .suspend = xxs1500_pcmcia_sock_suspend,
37571 .get_status = xxs1500_pcmcia_get_status,
37572 diff -urNp linux-2.6.39.3/drivers/platform/x86/acerhdf.c linux-2.6.39.3/drivers/platform/x86/acerhdf.c
37573 --- linux-2.6.39.3/drivers/platform/x86/acerhdf.c 2011-05-19 00:06:34.000000000 -0400
37574 +++ linux-2.6.39.3/drivers/platform/x86/acerhdf.c 2011-05-22 19:36:32.000000000 -0400
37575 @@ -406,7 +406,7 @@ static int acerhdf_get_crit_temp(struct
37576 }
37577
37578 /* bind callback functions to thermalzone */
37579 -static struct thermal_zone_device_ops acerhdf_dev_ops = {
37580 +static const struct thermal_zone_device_ops acerhdf_dev_ops = {
37581 .bind = acerhdf_bind,
37582 .unbind = acerhdf_unbind,
37583 .get_temp = acerhdf_get_ec_temp,
37584 @@ -481,7 +481,7 @@ err_out:
37585 }
37586
37587 /* bind fan callbacks to fan device */
37588 -static struct thermal_cooling_device_ops acerhdf_cooling_ops = {
37589 +static const struct thermal_cooling_device_ops acerhdf_cooling_ops = {
37590 .get_max_state = acerhdf_get_max_state,
37591 .get_cur_state = acerhdf_get_cur_state,
37592 .set_cur_state = acerhdf_set_cur_state,
37593 diff -urNp linux-2.6.39.3/drivers/platform/x86/ideapad-laptop.c linux-2.6.39.3/drivers/platform/x86/ideapad-laptop.c
37594 --- linux-2.6.39.3/drivers/platform/x86/ideapad-laptop.c 2011-05-19 00:06:34.000000000 -0400
37595 +++ linux-2.6.39.3/drivers/platform/x86/ideapad-laptop.c 2011-05-22 19:36:32.000000000 -0400
37596 @@ -207,7 +207,7 @@ static int ideapad_rfk_set(void *data, b
37597 return write_ec_cmd(ideapad_handle, opcode, !blocked);
37598 }
37599
37600 -static struct rfkill_ops ideapad_rfk_ops = {
37601 +static const struct rfkill_ops ideapad_rfk_ops = {
37602 .set_block = ideapad_rfk_set,
37603 };
37604
37605 diff -urNp linux-2.6.39.3/drivers/platform/x86/intel_menlow.c linux-2.6.39.3/drivers/platform/x86/intel_menlow.c
37606 --- linux-2.6.39.3/drivers/platform/x86/intel_menlow.c 2011-05-19 00:06:34.000000000 -0400
37607 +++ linux-2.6.39.3/drivers/platform/x86/intel_menlow.c 2011-05-22 19:36:32.000000000 -0400
37608 @@ -143,7 +143,7 @@ static int memory_set_cur_bandwidth(stru
37609 return 0;
37610 }
37611
37612 -static struct thermal_cooling_device_ops memory_cooling_ops = {
37613 +static const struct thermal_cooling_device_ops memory_cooling_ops = {
37614 .get_max_state = memory_get_max_bandwidth,
37615 .get_cur_state = memory_get_cur_bandwidth,
37616 .set_cur_state = memory_set_cur_bandwidth,
37617 diff -urNp linux-2.6.39.3/drivers/platform/x86/intel_mid_thermal.c linux-2.6.39.3/drivers/platform/x86/intel_mid_thermal.c
37618 --- linux-2.6.39.3/drivers/platform/x86/intel_mid_thermal.c 2011-05-19 00:06:34.000000000 -0400
37619 +++ linux-2.6.39.3/drivers/platform/x86/intel_mid_thermal.c 2011-05-22 19:36:32.000000000 -0400
37620 @@ -458,7 +458,7 @@ static int read_curr_temp(struct thermal
37621 }
37622
37623 /* Can't be const */
37624 -static struct thermal_zone_device_ops tzd_ops = {
37625 +static const struct thermal_zone_device_ops tzd_ops = {
37626 .get_temp = read_curr_temp,
37627 };
37628
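Review bot: The context comment `/* Can't be const */` directly above `tzd_ops` now contradicts the declaration, which this hunk makes `static const`. Either the comment was stale and should be dropped in the same change, or it recorded a real constraint, in which case the registration call that receives `&tzd_ops` (outside this hunk, presumably `thermal_zone_device_register`) needs to take a `const` pointer in this tree. I would replace the comment with something like `/* read-only ops table; registration takes a const pointer */` once that is confirmed.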
37629 diff -urNp linux-2.6.39.3/drivers/platform/x86/samsung-laptop.c linux-2.6.39.3/drivers/platform/x86/samsung-laptop.c
37630 --- linux-2.6.39.3/drivers/platform/x86/samsung-laptop.c 2011-05-19 00:06:34.000000000 -0400
37631 +++ linux-2.6.39.3/drivers/platform/x86/samsung-laptop.c 2011-05-22 19:36:32.000000000 -0400
37632 @@ -419,7 +419,7 @@ static int rfkill_set(void *data, bool b
37633 return 0;
37634 }
37635
37636 -static struct rfkill_ops rfkill_ops = {
37637 +static const struct rfkill_ops rfkill_ops = {
37638 .set_block = rfkill_set,
37639 };
37640
37641 diff -urNp linux-2.6.39.3/drivers/pnp/pnpbios/bioscalls.c linux-2.6.39.3/drivers/pnp/pnpbios/bioscalls.c
37642 --- linux-2.6.39.3/drivers/pnp/pnpbios/bioscalls.c 2011-05-19 00:06:34.000000000 -0400
37643 +++ linux-2.6.39.3/drivers/pnp/pnpbios/bioscalls.c 2011-05-22 19:36:32.000000000 -0400
37644 @@ -59,7 +59,7 @@ do { \
37645 set_desc_limit(&gdt[(selname) >> 3], (size) - 1); \
37646 } while(0)
37647
37648 -static struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4092,
37649 +static const struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4093,
37650 (unsigned long)__va(0x400UL), PAGE_SIZE - 0x400 - 1);
37651
37652 /*
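Review bot: The flags argument of `GDT_ENTRY_INIT` changes from `0x4092` to `0x4093` with no explanation, and a one-bit change to a descriptor's magic number is easy to revert by accident. The low bit of the type field is the descriptor's accessed bit, so this presumably pre-sets it to stop the CPU writing to the descriptor when the selector is loaded. That matters if the GDT is mapped read-only. A comment such as `/* 0x93: accessed bit pre-set so loading the selector never writes the GDT entry */` above `bad_bios_desc` would record this intent.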
37653 @@ -96,7 +96,10 @@ static inline u16 call_pnp_bios(u16 func
37654
37655 cpu = get_cpu();
37656 save_desc_40 = get_cpu_gdt_table(cpu)[0x40 / 8];
37657 +
37658 + pax_open_kernel();
37659 get_cpu_gdt_table(cpu)[0x40 / 8] = bad_bios_desc;
37660 + pax_close_kernel();
37661
37662 /* On some boxes IRQ's during PnP BIOS calls are deadly. */
37663 spin_lock_irqsave(&pnp_bios_lock, flags);
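Review bot: The new `pax_open_kernel()`/`pax_close_kernel()` pair around the `get_cpu_gdt_table(cpu)[0x40 / 8]` store has no comment saying why a plain assignment needs a write window. The same applies to the restore of `save_desc_40` in the next hunk. A short comment at the first site would help, for example `/* the GDT may be read-only; open a write window only for the descriptor swap */`. The window correctly stays limited to the single store and sits inside the `get_cpu()`/`put_cpu()` section. `call_pnp_bios` starts and ends outside this hunk.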
37664 @@ -134,7 +137,10 @@ static inline u16 call_pnp_bios(u16 func
37665 :"memory");
37666 spin_unlock_irqrestore(&pnp_bios_lock, flags);
37667
37668 + pax_open_kernel();
37669 get_cpu_gdt_table(cpu)[0x40 / 8] = save_desc_40;
37670 + pax_close_kernel();
37671 +
37672 put_cpu();
37673
37674 /* If we get here and this is set then the PnP BIOS faulted on us. */
37675 @@ -468,7 +474,7 @@ int pnp_bios_read_escd(char *data, u32 n
37676 return status;
37677 }
37678
37679 -void pnpbios_calls_init(union pnp_bios_install_struct *header)
37680 +void __init pnpbios_calls_init(union pnp_bios_install_struct *header)
37681 {
37682 int i;
37683
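Review bot: Marking `pnpbios_calls_init` as `__init` places it in the init section, which is discarded after boot, so every caller must itself be init-only. The callers are not visible in this hunk. If any of them can run after boot, for example from a module load or hotplug path, the call would land in freed memory. Worth confirming with a section-mismatch build (`CONFIG_DEBUG_SECTION_MISMATCH`) and noting the constraint next to the prototype.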
37684 @@ -476,6 +482,8 @@ void pnpbios_calls_init(union pnp_bios_i
37685 pnp_bios_callpoint.offset = header->fields.pm16offset;
37686 pnp_bios_callpoint.segment = PNP_CS16;
37687
37688 + pax_open_kernel();
37689 +
37690 for_each_possible_cpu(i) {
37691 struct desc_struct *gdt = get_cpu_gdt_table(i);
37692 if (!gdt)
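Review bot: The write window opened here stays open across the whole `for_each_possible_cpu` loop and is only closed in the next hunk. In `call_pnp_bios` each window covers a single store. Part of the loop body lies between the two hunks and is not visible, so it cannot be confirmed that every statement inside needs write access, or that no path leaves the loop without reaching `pax_close_kernel()`. If only the `set_desc_base` calls write the GDT, the pair could be narrowed to sit inside the loop around them. Otherwise a comment stating that the window is deliberately loop-wide would do.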
37693 @@ -487,4 +495,6 @@ void pnpbios_calls_init(union pnp_bios_i
37694 set_desc_base(&gdt[GDT_ENTRY_PNPBIOS_DS],
37695 (unsigned long)__va(header->fields.pm16dseg));
37696 }
37697 +
37698 + pax_close_kernel();
37699 }
37700 diff -urNp linux-2.6.39.3/drivers/pnp/resource.c linux-2.6.39.3/drivers/pnp/resource.c
37701 --- linux-2.6.39.3/drivers/pnp/resource.c 2011-05-19 00:06:34.000000000 -0400
37702 +++ linux-2.6.39.3/drivers/pnp/resource.c 2011-05-22 19:36:32.000000000 -0400
37703 @@ -360,7 +360,7 @@ int pnp_check_irq(struct pnp_dev *dev, s
37704 return 1;
37705
37706 /* check if the resource is valid */
37707 - if (*irq < 0 || *irq > 15)
37708 + if (*irq > 15)
37709 return 0;
37710
37711 /* check if the resource is reserved */
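Review bot: Dropping `*irq < 0` here, and `*dma < 0` in the `pnp_check_dma` hunk below, is only safe if the pointed-to type is unsigned. That declaration is outside both hunks. If it is unsigned the old test was dead code and the upper bound alone is sufficient, but nothing on the new lines says so, and a later change to a signed type would silently lose the lower-bound validation. I would add `/* *irq is unsigned, so only the upper bound can fail */` next to the check, with the same comment for `*dma`.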
37712 @@ -424,7 +424,7 @@ int pnp_check_dma(struct pnp_dev *dev, s
37713 return 1;
37714
37715 /* check if the resource is valid */
37716 - if (*dma < 0 || *dma == 4 || *dma > 7)
37717 + if (*dma == 4 || *dma > 7)
37718 return 0;
37719
37720 /* check if the resource is reserved */
37721 diff -urNp linux-2.6.39.3/drivers/power/max8925_power.c linux-2.6.39.3/drivers/power/max8925_power.c
37722 --- linux-2.6.39.3/drivers/power/max8925_power.c 2011-05-19 00:06:34.000000000 -0400
37723 +++ linux-2.6.39.3/drivers/power/max8925_power.c 2011-05-22 19:36:32.000000000 -0400
37724 @@ -426,7 +426,7 @@ static __devinit int max8925_power_probe
37725 {
37726 struct max8925_chip *chip = dev_get_drvdata(pdev->dev.parent);
37727 struct max8925_platform_data *max8925_pdata;
37728 - struct max8925_power_pdata *pdata = NULL;
37729 + const struct max8925_power_pdata *pdata = NULL;
37730 struct max8925_power_info *info;
37731 int ret;
37732
37733 diff -urNp linux-2.6.39.3/drivers/regulator/core.c linux-2.6.39.3/drivers/regulator/core.c
37734 --- linux-2.6.39.3/drivers/regulator/core.c 2011-05-19 00:06:34.000000000 -0400
37735 +++ linux-2.6.39.3/drivers/regulator/core.c 2011-05-22 19:36:32.000000000 -0400
37736 @@ -2883,7 +2883,7 @@ core_initcall(regulator_init);
37737 static int __init regulator_init_complete(void)
37738 {
37739 struct regulator_dev *rdev;
37740 - struct regulator_ops *ops;
37741 + const struct regulator_ops *ops;
37742 struct regulation_constraints *c;
37743 int enabled, ret;
37744
37745 diff -urNp linux-2.6.39.3/drivers/rtc/rtc-at32ap700x.c linux-2.6.39.3/drivers/rtc/rtc-at32ap700x.c
37746 --- linux-2.6.39.3/drivers/rtc/rtc-at32ap700x.c 2011-05-19 00:06:34.000000000 -0400
37747 +++ linux-2.6.39.3/drivers/rtc/rtc-at32ap700x.c 2011-05-22 19:36:32.000000000 -0400
37748 @@ -187,7 +187,7 @@ static irqreturn_t at32_rtc_interrupt(in
37749 return ret;
37750 }
37751
37752 -static struct rtc_class_ops at32_rtc_ops = {
37753 +static const struct rtc_class_ops at32_rtc_ops = {
37754 .read_time = at32_rtc_readtime,
37755 .set_time = at32_rtc_settime,
37756 .read_alarm = at32_rtc_readalarm,
37757 diff -urNp linux-2.6.39.3/drivers/rtc/rtc-au1xxx.c linux-2.6.39.3/drivers/rtc/rtc-au1xxx.c
37758 --- linux-2.6.39.3/drivers/rtc/rtc-au1xxx.c 2011-05-19 00:06:34.000000000 -0400
37759 +++ linux-2.6.39.3/drivers/rtc/rtc-au1xxx.c 2011-05-22 19:36:32.000000000 -0400
37760 @@ -57,7 +57,7 @@ static int au1xtoy_rtc_set_time(struct d
37761 return 0;
37762 }
37763
37764 -static struct rtc_class_ops au1xtoy_rtc_ops = {
37765 +static const struct rtc_class_ops au1xtoy_rtc_ops = {
37766 .read_time = au1xtoy_rtc_read_time,
37767 .set_time = au1xtoy_rtc_set_time,
37768 };
37769 diff -urNp linux-2.6.39.3/drivers/rtc/rtc-bfin.c linux-2.6.39.3/drivers/rtc/rtc-bfin.c
37770 --- linux-2.6.39.3/drivers/rtc/rtc-bfin.c 2011-05-19 00:06:34.000000000 -0400
37771 +++ linux-2.6.39.3/drivers/rtc/rtc-bfin.c 2011-05-22 19:36:32.000000000 -0400
37772 @@ -333,7 +333,7 @@ static int bfin_rtc_proc(struct device *
37773 #undef yesno
37774 }
37775
37776 -static struct rtc_class_ops bfin_rtc_ops = {
37777 +static const struct rtc_class_ops bfin_rtc_ops = {
37778 .read_time = bfin_rtc_read_time,
37779 .set_time = bfin_rtc_set_time,
37780 .read_alarm = bfin_rtc_read_alarm,
37781 diff -urNp linux-2.6.39.3/drivers/rtc/rtc-coh901331.c linux-2.6.39.3/drivers/rtc/rtc-coh901331.c
37782 --- linux-2.6.39.3/drivers/rtc/rtc-coh901331.c 2011-05-19 00:06:34.000000000 -0400
37783 +++ linux-2.6.39.3/drivers/rtc/rtc-coh901331.c 2011-05-22 19:36:32.000000000 -0400
37784 @@ -142,7 +142,7 @@ static int coh901331_alarm_irq_enable(st
37785 return 0;
37786 }
37787
37788 -static struct rtc_class_ops coh901331_ops = {
37789 +static const struct rtc_class_ops coh901331_ops = {
37790 .read_time = coh901331_read_time,
37791 .set_mmss = coh901331_set_mmss,
37792 .read_alarm = coh901331_read_alarm,
37793 diff -urNp linux-2.6.39.3/drivers/rtc/rtc-davinci.c linux-2.6.39.3/drivers/rtc/rtc-davinci.c
37794 --- linux-2.6.39.3/drivers/rtc/rtc-davinci.c 2011-05-19 00:06:34.000000000 -0400
37795 +++ linux-2.6.39.3/drivers/rtc/rtc-davinci.c 2011-05-22 19:36:32.000000000 -0400
37796 @@ -469,7 +469,7 @@ static int davinci_rtc_set_alarm(struct
37797 return 0;
37798 }
37799
37800 -static struct rtc_class_ops davinci_rtc_ops = {
37801 +static const struct rtc_class_ops davinci_rtc_ops = {
37802 .ioctl = davinci_rtc_ioctl,
37803 .read_time = davinci_rtc_read_time,
37804 .set_time = davinci_rtc_set_time,
37805 diff -urNp linux-2.6.39.3/drivers/rtc/rtc-dev.c linux-2.6.39.3/drivers/rtc/rtc-dev.c
37806 --- linux-2.6.39.3/drivers/rtc/rtc-dev.c 2011-05-19 00:06:34.000000000 -0400
37807 +++ linux-2.6.39.3/drivers/rtc/rtc-dev.c 2011-05-22 19:41:37.000000000 -0400
37808 @@ -14,6 +14,7 @@
37809 #include <linux/module.h>
37810 #include <linux/rtc.h>
37811 #include <linux/sched.h>
37812 +#include <linux/grsecurity.h>
37813 #include "rtc-core.h"
37814
37815 static dev_t rtc_devt;
37816 @@ -345,6 +346,8 @@ static long rtc_dev_ioctl(struct file *f
37817 if (copy_from_user(&tm, uarg, sizeof(tm)))
37818 return -EFAULT;
37819
37820 + gr_log_timechange();
37821 +
37822 return rtc_set_time(rtc, &tm);
37823
37824 case RTC_PIE_ON:
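Review bot: `gr_log_timechange()` is called before `rtc_set_time()` has returned, so an audit record is written even when the clock change fails. The log then cannot distinguish attempts from actual changes. If only successful changes should be recorded, log after the call, for example `err = rtc_set_time(rtc, &tm); if (!err) gr_log_timechange(); return err;`, using whatever result variable the function already has. If logging attempts is intended, a comment saying so would prevent a later "fix". The `case` label and the permission checks of `rtc_dev_ioctl` are outside this hunk.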
37825 diff -urNp linux-2.6.39.3/drivers/rtc/rtc-dm355evm.c linux-2.6.39.3/drivers/rtc/rtc-dm355evm.c
37826 --- linux-2.6.39.3/drivers/rtc/rtc-dm355evm.c 2011-05-19 00:06:34.000000000 -0400
37827 +++ linux-2.6.39.3/drivers/rtc/rtc-dm355evm.c 2011-05-22 19:36:32.000000000 -0400
37828 @@ -115,7 +115,7 @@ static int dm355evm_rtc_set_time(struct
37829 return 0;
37830 }
37831
37832 -static struct rtc_class_ops dm355evm_rtc_ops = {
37833 +static const struct rtc_class_ops dm355evm_rtc_ops = {
37834 .read_time = dm355evm_rtc_read_time,
37835 .set_time = dm355evm_rtc_set_time,
37836 };
37837 diff -urNp linux-2.6.39.3/drivers/rtc/rtc-ds1302.c linux-2.6.39.3/drivers/rtc/rtc-ds1302.c
37838 --- linux-2.6.39.3/drivers/rtc/rtc-ds1302.c 2011-05-19 00:06:34.000000000 -0400
37839 +++ linux-2.6.39.3/drivers/rtc/rtc-ds1302.c 2011-05-22 19:36:32.000000000 -0400
37840 @@ -199,7 +199,7 @@ static int ds1302_rtc_ioctl(struct devic
37841 return -ENOIOCTLCMD;
37842 }
37843
37844 -static struct rtc_class_ops ds1302_rtc_ops = {
37845 +static const struct rtc_class_ops ds1302_rtc_ops = {
37846 .read_time = ds1302_rtc_read_time,
37847 .set_time = ds1302_rtc_set_time,
37848 .ioctl = ds1302_rtc_ioctl,
37849 diff -urNp linux-2.6.39.3/drivers/rtc/rtc-imxdi.c linux-2.6.39.3/drivers/rtc/rtc-imxdi.c
37850 --- linux-2.6.39.3/drivers/rtc/rtc-imxdi.c 2011-05-19 00:06:34.000000000 -0400
37851 +++ linux-2.6.39.3/drivers/rtc/rtc-imxdi.c 2011-05-22 19:36:32.000000000 -0400
37852 @@ -290,7 +290,7 @@ static int dryice_rtc_set_alarm(struct d
37853 return 0;
37854 }
37855
37856 -static struct rtc_class_ops dryice_rtc_ops = {
37857 +static const struct rtc_class_ops dryice_rtc_ops = {
37858 .read_time = dryice_rtc_read_time,
37859 .set_mmss = dryice_rtc_set_mmss,
37860 .alarm_irq_enable = dryice_rtc_alarm_irq_enable,
37861 diff -urNp linux-2.6.39.3/drivers/rtc/rtc-jz4740.c linux-2.6.39.3/drivers/rtc/rtc-jz4740.c
37862 --- linux-2.6.39.3/drivers/rtc/rtc-jz4740.c 2011-05-19 00:06:34.000000000 -0400
37863 +++ linux-2.6.39.3/drivers/rtc/rtc-jz4740.c 2011-05-22 19:36:32.000000000 -0400
37864 @@ -174,7 +174,7 @@ static int jz4740_rtc_alarm_irq_enable(s
37865 return jz4740_rtc_ctrl_set_bits(rtc, JZ_RTC_CTRL_AF_IRQ, enable);
37866 }
37867
37868 -static struct rtc_class_ops jz4740_rtc_ops = {
37869 +static const struct rtc_class_ops jz4740_rtc_ops = {
37870 .read_time = jz4740_rtc_read_time,
37871 .set_mmss = jz4740_rtc_set_mmss,
37872 .read_alarm = jz4740_rtc_read_alarm,
37873 diff -urNp linux-2.6.39.3/drivers/rtc/rtc-m41t80.c linux-2.6.39.3/drivers/rtc/rtc-m41t80.c
37874 --- linux-2.6.39.3/drivers/rtc/rtc-m41t80.c 2011-05-19 00:06:34.000000000 -0400
37875 +++ linux-2.6.39.3/drivers/rtc/rtc-m41t80.c 2011-05-22 19:36:32.000000000 -0400
37876 @@ -354,7 +354,7 @@ static int m41t80_rtc_read_alarm(struct
37877 return 0;
37878 }
37879
37880 -static struct rtc_class_ops m41t80_rtc_ops = {
37881 +static const struct rtc_class_ops m41t80_rtc_ops = {
37882 .read_time = m41t80_rtc_read_time,
37883 .set_time = m41t80_rtc_set_time,
37884 .read_alarm = m41t80_rtc_read_alarm,
37885 diff -urNp linux-2.6.39.3/drivers/rtc/rtc-mxc.c linux-2.6.39.3/drivers/rtc/rtc-mxc.c
37886 --- linux-2.6.39.3/drivers/rtc/rtc-mxc.c 2011-05-19 00:06:34.000000000 -0400
37887 +++ linux-2.6.39.3/drivers/rtc/rtc-mxc.c 2011-05-22 19:36:32.000000000 -0400
37888 @@ -355,7 +355,7 @@ static int mxc_rtc_set_alarm(struct devi
37889 }
37890
37891 /* RTC layer */
37892 -static struct rtc_class_ops mxc_rtc_ops = {
37893 +static const struct rtc_class_ops mxc_rtc_ops = {
37894 .release = mxc_rtc_release,
37895 .read_time = mxc_rtc_read_time,
37896 .set_mmss = mxc_rtc_set_mmss,
37897 diff -urNp linux-2.6.39.3/drivers/rtc/rtc-nuc900.c linux-2.6.39.3/drivers/rtc/rtc-nuc900.c
37898 --- linux-2.6.39.3/drivers/rtc/rtc-nuc900.c 2011-05-19 00:06:34.000000000 -0400
37899 +++ linux-2.6.39.3/drivers/rtc/rtc-nuc900.c 2011-05-22 19:36:32.000000000 -0400
37900 @@ -214,7 +214,7 @@ static int nuc900_rtc_set_alarm(struct d
37901 return 0;
37902 }
37903
37904 -static struct rtc_class_ops nuc900_rtc_ops = {
37905 +static const struct rtc_class_ops nuc900_rtc_ops = {
37906 .read_time = nuc900_rtc_read_time,
37907 .set_time = nuc900_rtc_set_time,
37908 .read_alarm = nuc900_rtc_read_alarm,
37909 diff -urNp linux-2.6.39.3/drivers/rtc/rtc-omap.c linux-2.6.39.3/drivers/rtc/rtc-omap.c
37910 --- linux-2.6.39.3/drivers/rtc/rtc-omap.c 2011-05-19 00:06:34.000000000 -0400
37911 +++ linux-2.6.39.3/drivers/rtc/rtc-omap.c 2011-05-22 19:36:32.000000000 -0400
37912 @@ -274,7 +274,7 @@ static int omap_rtc_set_alarm(struct dev
37913 return 0;
37914 }
37915
37916 -static struct rtc_class_ops omap_rtc_ops = {
37917 +static const struct rtc_class_ops omap_rtc_ops = {
37918 .read_time = omap_rtc_read_time,
37919 .set_time = omap_rtc_set_time,
37920 .read_alarm = omap_rtc_read_alarm,
37921 diff -urNp linux-2.6.39.3/drivers/rtc/rtc-pcf50633.c linux-2.6.39.3/drivers/rtc/rtc-pcf50633.c
37922 --- linux-2.6.39.3/drivers/rtc/rtc-pcf50633.c 2011-05-19 00:06:34.000000000 -0400
37923 +++ linux-2.6.39.3/drivers/rtc/rtc-pcf50633.c 2011-05-22 19:36:32.000000000 -0400
37924 @@ -238,7 +238,7 @@ static int pcf50633_rtc_set_alarm(struct
37925 return ret;
37926 }
37927
37928 -static struct rtc_class_ops pcf50633_rtc_ops = {
37929 +static const struct rtc_class_ops pcf50633_rtc_ops = {
37930 .read_time = pcf50633_rtc_read_time,
37931 .set_time = pcf50633_rtc_set_time,
37932 .read_alarm = pcf50633_rtc_read_alarm,
37933 diff -urNp linux-2.6.39.3/drivers/rtc/rtc-pl031.c linux-2.6.39.3/drivers/rtc/rtc-pl031.c
37934 --- linux-2.6.39.3/drivers/rtc/rtc-pl031.c 2011-05-19 00:06:34.000000000 -0400
37935 +++ linux-2.6.39.3/drivers/rtc/rtc-pl031.c 2011-05-22 19:36:32.000000000 -0400
37936 @@ -374,7 +374,7 @@ err_req:
37937 }
37938
37939 /* Operations for the original ARM version */
37940 -static struct rtc_class_ops arm_pl031_ops = {
37941 +static const struct rtc_class_ops arm_pl031_ops = {
37942 .read_time = pl031_read_time,
37943 .set_time = pl031_set_time,
37944 .read_alarm = pl031_read_alarm,
37945 @@ -383,7 +383,7 @@ static struct rtc_class_ops arm_pl031_op
37946 };
37947
37948 /* The First ST derivative */
37949 -static struct rtc_class_ops stv1_pl031_ops = {
37950 +static const struct rtc_class_ops stv1_pl031_ops = {
37951 .read_time = pl031_read_time,
37952 .set_time = pl031_set_time,
37953 .read_alarm = pl031_read_alarm,
37954 @@ -392,7 +392,7 @@ static struct rtc_class_ops stv1_pl031_o
37955 };
37956
37957 /* And the second ST derivative */
37958 -static struct rtc_class_ops stv2_pl031_ops = {
37959 +static const struct rtc_class_ops stv2_pl031_ops = {
37960 .read_time = pl031_stv2_read_time,
37961 .set_time = pl031_stv2_set_time,
37962 .read_alarm = pl031_stv2_read_alarm,
37963 diff -urNp linux-2.6.39.3/drivers/rtc/rtc-rx8025.c linux-2.6.39.3/drivers/rtc/rtc-rx8025.c
37964 --- linux-2.6.39.3/drivers/rtc/rtc-rx8025.c 2011-05-19 00:06:34.000000000 -0400
37965 +++ linux-2.6.39.3/drivers/rtc/rtc-rx8025.c 2011-05-22 19:36:32.000000000 -0400
37966 @@ -424,7 +424,7 @@ static int rx8025_alarm_irq_enable(struc
37967 return 0;
37968 }
37969
37970 -static struct rtc_class_ops rx8025_rtc_ops = {
37971 +static const struct rtc_class_ops rx8025_rtc_ops = {
37972 .read_time = rx8025_get_time,
37973 .set_time = rx8025_set_time,
37974 .read_alarm = rx8025_read_alarm,
37975 diff -urNp linux-2.6.39.3/drivers/rtc/rtc-sh.c linux-2.6.39.3/drivers/rtc/rtc-sh.c
37976 --- linux-2.6.39.3/drivers/rtc/rtc-sh.c 2011-05-19 00:06:34.000000000 -0400
37977 +++ linux-2.6.39.3/drivers/rtc/rtc-sh.c 2011-05-22 19:36:32.000000000 -0400
37978 @@ -576,7 +576,7 @@ static int sh_rtc_set_alarm(struct devic
37979 return 0;
37980 }
37981
37982 -static struct rtc_class_ops sh_rtc_ops = {
37983 +static const struct rtc_class_ops sh_rtc_ops = {
37984 .read_time = sh_rtc_read_time,
37985 .set_time = sh_rtc_set_time,
37986 .read_alarm = sh_rtc_read_alarm,
37987 diff -urNp linux-2.6.39.3/drivers/rtc/rtc-stmp3xxx.c linux-2.6.39.3/drivers/rtc/rtc-stmp3xxx.c
37988 --- linux-2.6.39.3/drivers/rtc/rtc-stmp3xxx.c 2011-05-19 00:06:34.000000000 -0400
37989 +++ linux-2.6.39.3/drivers/rtc/rtc-stmp3xxx.c 2011-05-22 19:36:32.000000000 -0400
37990 @@ -133,7 +133,7 @@ static int stmp3xxx_rtc_set_alarm(struct
37991 return 0;
37992 }
37993
37994 -static struct rtc_class_ops stmp3xxx_rtc_ops = {
37995 +static const struct rtc_class_ops stmp3xxx_rtc_ops = {
37996 .alarm_irq_enable =
37997 stmp3xxx_alarm_irq_enable,
37998 .read_time = stmp3xxx_rtc_gettime,
37999 diff -urNp linux-2.6.39.3/drivers/rtc/rtc-tegra.c linux-2.6.39.3/drivers/rtc/rtc-tegra.c
38000 --- linux-2.6.39.3/drivers/rtc/rtc-tegra.c 2011-05-19 00:06:34.000000000 -0400
38001 +++ linux-2.6.39.3/drivers/rtc/rtc-tegra.c 2011-05-22 19:36:32.000000000 -0400
38002 @@ -294,7 +294,7 @@ static irqreturn_t tegra_rtc_irq_handler
38003 return IRQ_HANDLED;
38004 }
38005
38006 -static struct rtc_class_ops tegra_rtc_ops = {
38007 +static const struct rtc_class_ops tegra_rtc_ops = {
38008 .read_time = tegra_rtc_read_time,
38009 .set_time = tegra_rtc_set_time,
38010 .read_alarm = tegra_rtc_read_alarm,
38011 diff -urNp linux-2.6.39.3/drivers/rtc/rtc-twl.c linux-2.6.39.3/drivers/rtc/rtc-twl.c
38012 --- linux-2.6.39.3/drivers/rtc/rtc-twl.c 2011-05-19 00:06:34.000000000 -0400
38013 +++ linux-2.6.39.3/drivers/rtc/rtc-twl.c 2011-05-22 19:36:32.000000000 -0400
38014 @@ -415,7 +415,7 @@ out:
38015 return ret;
38016 }
38017
38018 -static struct rtc_class_ops twl_rtc_ops = {
38019 +static const struct rtc_class_ops twl_rtc_ops = {
38020 .read_time = twl_rtc_read_time,
38021 .set_time = twl_rtc_set_time,
38022 .read_alarm = twl_rtc_read_alarm,
38023 diff -urNp linux-2.6.39.3/drivers/rtc/rtc-v3020.c linux-2.6.39.3/drivers/rtc/rtc-v3020.c
38024 --- linux-2.6.39.3/drivers/rtc/rtc-v3020.c 2011-05-19 00:06:34.000000000 -0400
38025 +++ linux-2.6.39.3/drivers/rtc/rtc-v3020.c 2011-05-22 19:36:32.000000000 -0400
38026 @@ -62,7 +62,7 @@ struct v3020 {
38027 /* GPIO access */
38028 struct v3020_gpio *gpio;
38029
38030 - struct v3020_chip_ops *ops;
38031 + const struct v3020_chip_ops *ops;
38032
38033 struct rtc_device *rtc;
38034 };
38035 @@ -100,7 +100,7 @@ static unsigned char v3020_mmio_read_bit
38036 return !!(readl(chip->ioaddress) & (1 << chip->leftshift));
38037 }
38038
38039 -static struct v3020_chip_ops v3020_mmio_ops = {
38040 +static const struct v3020_chip_ops v3020_mmio_ops = {
38041 .map_io = v3020_mmio_map,
38042 .unmap_io = v3020_mmio_unmap,
38043 .read_bit = v3020_mmio_read_bit,
38044 @@ -177,7 +177,7 @@ static unsigned char v3020_gpio_read_bit
38045 return bit;
38046 }
38047
38048 -static struct v3020_chip_ops v3020_gpio_ops = {
38049 +static const struct v3020_chip_ops v3020_gpio_ops = {
38050 .map_io = v3020_gpio_map,
38051 .unmap_io = v3020_gpio_unmap,
38052 .read_bit = v3020_gpio_read_bit,
38053 diff -urNp linux-2.6.39.3/drivers/s390/char/con3270.c linux-2.6.39.3/drivers/s390/char/con3270.c
38054 --- linux-2.6.39.3/drivers/s390/char/con3270.c 2011-05-19 00:06:34.000000000 -0400
38055 +++ linux-2.6.39.3/drivers/s390/char/con3270.c 2011-05-22 19:36:32.000000000 -0400
38056 @@ -28,7 +28,7 @@
38057 #define CON3270_OUTPUT_BUFFER_SIZE 1024
38058 #define CON3270_STRING_PAGES 4
38059
38060 -static struct raw3270_fn con3270_fn;
38061 +static const struct raw3270_fn con3270_fn;
38062
38063 /*
38064 * Main 3270 console view data structure.
38065 @@ -413,7 +413,7 @@ con3270_irq(struct con3270 *cp, struct r
38066 }
38067
38068 /* Console view to a 3270 device. */
38069 -static struct raw3270_fn con3270_fn = {
38070 +static const struct raw3270_fn con3270_fn = {
38071 .activate = con3270_activate,
38072 .deactivate = con3270_deactivate,
38073 .intv = (void *) con3270_irq
38074 diff -urNp linux-2.6.39.3/drivers/s390/char/fs3270.c linux-2.6.39.3/drivers/s390/char/fs3270.c
38075 --- linux-2.6.39.3/drivers/s390/char/fs3270.c 2011-05-19 00:06:34.000000000 -0400
38076 +++ linux-2.6.39.3/drivers/s390/char/fs3270.c 2011-05-22 19:36:32.000000000 -0400
38077 @@ -24,7 +24,7 @@
38078 #include "raw3270.h"
38079 #include "ctrlchar.h"
38080
38081 -static struct raw3270_fn fs3270_fn;
38082 +static const struct raw3270_fn fs3270_fn;
38083
38084 struct fs3270 {
38085 struct raw3270_view view;
38086 @@ -413,7 +413,7 @@ fs3270_release(struct raw3270_view *view
38087 }
38088
38089 /* View to a 3270 device. Can be console, tty or fullscreen. */
38090 -static struct raw3270_fn fs3270_fn = {
38091 +static const struct raw3270_fn fs3270_fn = {
38092 .activate = fs3270_activate,
38093 .deactivate = fs3270_deactivate,
38094 .intv = (void *) fs3270_irq,
38095 diff -urNp linux-2.6.39.3/drivers/s390/char/raw3270.c linux-2.6.39.3/drivers/s390/char/raw3270.c
38096 --- linux-2.6.39.3/drivers/s390/char/raw3270.c 2011-05-19 00:06:34.000000000 -0400
38097 +++ linux-2.6.39.3/drivers/s390/char/raw3270.c 2011-05-22 19:36:32.000000000 -0400
38098 @@ -488,7 +488,7 @@ raw3270_init_irq(struct raw3270_view *vi
38099 return RAW3270_IO_DONE;
38100 }
38101
38102 -static struct raw3270_fn raw3270_init_fn = {
38103 +static const struct raw3270_fn raw3270_init_fn = {
38104 .intv = raw3270_init_irq
38105 };
38106
38107 diff -urNp linux-2.6.39.3/drivers/s390/char/tty3270.c linux-2.6.39.3/drivers/s390/char/tty3270.c
38108 --- linux-2.6.39.3/drivers/s390/char/tty3270.c 2011-05-19 00:06:34.000000000 -0400
38109 +++ linux-2.6.39.3/drivers/s390/char/tty3270.c 2011-05-22 19:36:32.000000000 -0400
38110 @@ -37,7 +37,7 @@
38111 struct tty_driver *tty3270_driver;
38112 static int tty3270_max_index;
38113
38114 -static struct raw3270_fn tty3270_fn;
38115 +static const struct raw3270_fn tty3270_fn;
38116
38117 struct tty3270_cell {
38118 unsigned char character;
38119 @@ -834,7 +834,7 @@ tty3270_del_views(void)
38120 }
38121 }
38122
38123 -static struct raw3270_fn tty3270_fn = {
38124 +static const struct raw3270_fn tty3270_fn = {
38125 .activate = tty3270_activate,
38126 .deactivate = tty3270_deactivate,
38127 .intv = (void *) tty3270_irq,
38128 diff -urNp linux-2.6.39.3/drivers/s390/cio/qdio_debug.c linux-2.6.39.3/drivers/s390/cio/qdio_debug.c
38129 --- linux-2.6.39.3/drivers/s390/cio/qdio_debug.c 2011-05-19 00:06:34.000000000 -0400
38130 +++ linux-2.6.39.3/drivers/s390/cio/qdio_debug.c 2011-05-22 19:36:32.000000000 -0400
38131 @@ -225,7 +225,7 @@ static int qperf_seq_open(struct inode *
38132 filp->f_path.dentry->d_inode->i_private);
38133 }
38134
38135 -static struct file_operations debugfs_perf_fops = {
38136 +static const struct file_operations debugfs_perf_fops = {
38137 .owner = THIS_MODULE,
38138 .open = qperf_seq_open,
38139 .read = seq_read,
38140 diff -urNp linux-2.6.39.3/drivers/s390/crypto/zcrypt_cex2a.c linux-2.6.39.3/drivers/s390/crypto/zcrypt_cex2a.c
38141 --- linux-2.6.39.3/drivers/s390/crypto/zcrypt_cex2a.c 2011-05-19 00:06:34.000000000 -0400
38142 +++ linux-2.6.39.3/drivers/s390/crypto/zcrypt_cex2a.c 2011-05-22 19:36:32.000000000 -0400
38143 @@ -415,7 +415,7 @@ out_free:
38144 /**
38145 * The crypto operations for a CEX2A card.
38146 */
38147 -static struct zcrypt_ops zcrypt_cex2a_ops = {
38148 +static const struct zcrypt_ops zcrypt_cex2a_ops = {
38149 .rsa_modexpo = zcrypt_cex2a_modexpo,
38150 .rsa_modexpo_crt = zcrypt_cex2a_modexpo_crt,
38151 };
38152 diff -urNp linux-2.6.39.3/drivers/s390/crypto/zcrypt_pcica.c linux-2.6.39.3/drivers/s390/crypto/zcrypt_pcica.c
38153 --- linux-2.6.39.3/drivers/s390/crypto/zcrypt_pcica.c 2011-05-19 00:06:34.000000000 -0400
38154 +++ linux-2.6.39.3/drivers/s390/crypto/zcrypt_pcica.c 2011-05-22 19:36:32.000000000 -0400
38155 @@ -347,7 +347,7 @@ out_free:
38156 /**
38157 * The crypto operations for a PCICA card.
38158 */
38159 -static struct zcrypt_ops zcrypt_pcica_ops = {
38160 +static const struct zcrypt_ops zcrypt_pcica_ops = {
38161 .rsa_modexpo = zcrypt_pcica_modexpo,
38162 .rsa_modexpo_crt = zcrypt_pcica_modexpo_crt,
38163 };
38164 diff -urNp linux-2.6.39.3/drivers/s390/crypto/zcrypt_pcicc.c linux-2.6.39.3/drivers/s390/crypto/zcrypt_pcicc.c
38165 --- linux-2.6.39.3/drivers/s390/crypto/zcrypt_pcicc.c 2011-05-19 00:06:34.000000000 -0400
38166 +++ linux-2.6.39.3/drivers/s390/crypto/zcrypt_pcicc.c 2011-05-22 19:36:32.000000000 -0400
38167 @@ -553,7 +553,7 @@ out_free:
38168 /**
38169 * The crypto operations for a PCICC card.
38170 */
38171 -static struct zcrypt_ops zcrypt_pcicc_ops = {
38172 +static const struct zcrypt_ops zcrypt_pcicc_ops = {
38173 .rsa_modexpo = zcrypt_pcicc_modexpo,
38174 .rsa_modexpo_crt = zcrypt_pcicc_modexpo_crt,
38175 };
38176 diff -urNp linux-2.6.39.3/drivers/s390/crypto/zcrypt_pcixcc.c linux-2.6.39.3/drivers/s390/crypto/zcrypt_pcixcc.c
38177 --- linux-2.6.39.3/drivers/s390/crypto/zcrypt_pcixcc.c 2011-05-19 00:06:34.000000000 -0400
38178 +++ linux-2.6.39.3/drivers/s390/crypto/zcrypt_pcixcc.c 2011-05-22 19:36:32.000000000 -0400
38179 @@ -851,13 +851,13 @@ static long zcrypt_pcixcc_rng(struct zcr
38180 /**
38181 * The crypto operations for a PCIXCC/CEX2C card.
38182 */
38183 -static struct zcrypt_ops zcrypt_pcixcc_ops = {
38184 +static const struct zcrypt_ops zcrypt_pcixcc_ops = {
38185 .rsa_modexpo = zcrypt_pcixcc_modexpo,
38186 .rsa_modexpo_crt = zcrypt_pcixcc_modexpo_crt,
38187 .send_cprb = zcrypt_pcixcc_send_cprb,
38188 };
38189
38190 -static struct zcrypt_ops zcrypt_pcixcc_with_rng_ops = {
38191 +static const struct zcrypt_ops zcrypt_pcixcc_with_rng_ops = {
38192 .rsa_modexpo = zcrypt_pcixcc_modexpo,
38193 .rsa_modexpo_crt = zcrypt_pcixcc_modexpo_crt,
38194 .send_cprb = zcrypt_pcixcc_send_cprb,
38195 diff -urNp linux-2.6.39.3/drivers/s390/kvm/kvm_virtio.c linux-2.6.39.3/drivers/s390/kvm/kvm_virtio.c
38196 --- linux-2.6.39.3/drivers/s390/kvm/kvm_virtio.c 2011-05-19 00:06:34.000000000 -0400
38197 +++ linux-2.6.39.3/drivers/s390/kvm/kvm_virtio.c 2011-05-22 19:36:32.000000000 -0400
38198 @@ -266,7 +266,7 @@ error:
38199 /*
38200 * The config ops structure as defined by virtio config
38201 */
38202 -static struct virtio_config_ops kvm_vq_configspace_ops = {
38203 +static const struct virtio_config_ops kvm_vq_configspace_ops = {
38204 .get_features = kvm_get_features,
38205 .finalize_features = kvm_finalize_features,
38206 .get = kvm_get,
38207 diff -urNp linux-2.6.39.3/drivers/s390/net/qeth_core.h linux-2.6.39.3/drivers/s390/net/qeth_core.h
38208 --- linux-2.6.39.3/drivers/s390/net/qeth_core.h 2011-05-19 00:06:34.000000000 -0400
38209 +++ linux-2.6.39.3/drivers/s390/net/qeth_core.h 2011-05-22 19:36:32.000000000 -0400
38210 @@ -743,7 +743,7 @@ struct qeth_card {
38211 struct qeth_qdio_info qdio;
38212 struct qeth_perf_stats perf_stats;
38213 int read_or_write_problem;
38214 - struct qeth_osn_info osn_info;
38215 + const struct qeth_osn_info osn_info;
38216 struct qeth_discipline discipline;
38217 atomic_t force_alloc_skb;
38218 struct service_level qeth_service_level;
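Review bot: Unlike the ops-table hunks around it, this one adds `const` to an embedded member, `osn_info`, rather than to a pointer or a static table. Every field of it therefore becomes read-only in each `struct qeth_card` instance. The users of `osn_info` are not visible here. If any of them assign to `card->osn_info` fields at runtime, such as callback registration, they will need a cast or a write window, which hides the write from the type system instead of removing it. A comment on the member stating where and how it is legitimately written would make that contract reviewable.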
38219 diff -urNp linux-2.6.39.3/drivers/scsi/53c700.c linux-2.6.39.3/drivers/scsi/53c700.c
38220 --- linux-2.6.39.3/drivers/scsi/53c700.c 2011-05-19 00:06:34.000000000 -0400
38221 +++ linux-2.6.39.3/drivers/scsi/53c700.c 2011-05-22 19:36:32.000000000 -0400
38222 @@ -2153,7 +2153,7 @@ EXPORT_SYMBOL(NCR_700_detect);
38223 EXPORT_SYMBOL(NCR_700_release);
38224 EXPORT_SYMBOL(NCR_700_intr);
38225
38226 -static struct spi_function_template NCR_700_transport_functions = {
38227 +static struct spi_function_template NCR_700_transport_functions = {
38228 .set_period = NCR_700_set_period,
38229 .show_period = 1,
38230 .set_offset = NCR_700_set_offset,
38231 diff -urNp linux-2.6.39.3/drivers/scsi/aacraid/commctrl.c linux-2.6.39.3/drivers/scsi/aacraid/commctrl.c
38232 --- linux-2.6.39.3/drivers/scsi/aacraid/commctrl.c 2011-05-19 00:06:34.000000000 -0400
38233 +++ linux-2.6.39.3/drivers/scsi/aacraid/commctrl.c 2011-05-22 19:36:32.000000000 -0400
38234 @@ -482,6 +482,7 @@ static int aac_send_raw_srb(struct aac_d
38235 u32 actual_fibsize64, actual_fibsize = 0;
38236 int i;
38237
38238 + pax_track_stack();
38239
38240 if (dev->in_reset) {
38241 dprintk((KERN_DEBUG"aacraid: send raw srb -EBUSY\n"));
38242 diff -urNp linux-2.6.39.3/drivers/scsi/aic94xx/aic94xx_init.c linux-2.6.39.3/drivers/scsi/aic94xx/aic94xx_init.c
38243 --- linux-2.6.39.3/drivers/scsi/aic94xx/aic94xx_init.c 2011-05-19 00:06:34.000000000 -0400
38244 +++ linux-2.6.39.3/drivers/scsi/aic94xx/aic94xx_init.c 2011-05-22 19:41:37.000000000 -0400
38245 @@ -486,7 +486,7 @@ static ssize_t asd_show_update_bios(stru
38246 flash_error_table[i].reason);
38247 }
38248
38249 -static DEVICE_ATTR(update_bios, S_IRUGO|S_IWUGO,
38250 +static DEVICE_ATTR(update_bios, S_IRUGO|S_IWUSR,
38251 asd_show_update_bios, asd_store_update_bios);
38252
38253 static int asd_create_dev_attrs(struct asd_ha_struct *asd_ha)
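Review bot: With `S_IRUGO|S_IWUSR` the sysfs file mode is the only access check visible here for `update_bios`, so the reason for the narrower mode should be recorded next to the attribute. The old `S_IWUGO` let any local user write to it, and `asd_store_update_bios` lies outside the hunk, so it cannot be told from here whether the handler checks privileges itself. Judging by the names, writes reach a firmware update path. A comment such as `/* writes reach the BIOS update path: owner-writable only, never S_IWUGO */` above the `DEVICE_ATTR` line would keep a later cleanup from widening the mode again.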
38254 diff -urNp linux-2.6.39.3/drivers/scsi/bfa/bfa_core.c linux-2.6.39.3/drivers/scsi/bfa/bfa_core.c
38255 --- linux-2.6.39.3/drivers/scsi/bfa/bfa_core.c 2011-05-19 00:06:34.000000000 -0400
38256 +++ linux-2.6.39.3/drivers/scsi/bfa/bfa_core.c 2011-05-22 19:36:32.000000000 -0400
38257 @@ -24,7 +24,7 @@ BFA_TRC_FILE(HAL, CORE);
38258 /*
38259 * BFA module list terminated by NULL
38260 */
38261 -static struct bfa_module_s *hal_mods[] = {
38262 +static const struct bfa_module_s *hal_mods[] = {
38263 &hal_mod_sgpg,
38264 &hal_mod_fcport,
38265 &hal_mod_fcxp,
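Review bot: In `static const struct bfa_module_s *hal_mods[]` the new `const` covers only the pointed-to module structures; the array of pointers itself is still writable data. If the aim is that the table cannot be redirected at runtime, the declaration needs a second qualifier: `static const struct bfa_module_s * const hal_mods[] = {`. That compiles only if nothing assigns to `hal_mods[i]`, which this hunk does not show. The initializer continues past the end of the hunk.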
38266 diff -urNp linux-2.6.39.3/drivers/scsi/bfa/bfad.c linux-2.6.39.3/drivers/scsi/bfa/bfad.c
38267 --- linux-2.6.39.3/drivers/scsi/bfa/bfad.c 2011-05-19 00:06:34.000000000 -0400
38268 +++ linux-2.6.39.3/drivers/scsi/bfa/bfad.c 2011-05-22 19:36:32.000000000 -0400
38269 @@ -1027,6 +1027,8 @@ bfad_start_ops(struct bfad_s *bfad) {
38270 struct bfad_vport_s *vport, *vport_new;
38271 struct bfa_fcs_driver_info_s driver_info;
38272
38273 + pax_track_stack();
38274 +
38275 /* Fill the driver_info info to fcs*/
38276 memset(&driver_info, 0, sizeof(driver_info));
38277 strncpy(driver_info.version, BFAD_DRIVER_VERSION,
38278 diff -urNp linux-2.6.39.3/drivers/scsi/bfa/bfa_fcs.c linux-2.6.39.3/drivers/scsi/bfa/bfa_fcs.c
38279 --- linux-2.6.39.3/drivers/scsi/bfa/bfa_fcs.c 2011-05-19 00:06:34.000000000 -0400
38280 +++ linux-2.6.39.3/drivers/scsi/bfa/bfa_fcs.c 2011-05-22 19:36:32.000000000 -0400
38281 @@ -70,7 +70,7 @@ bfa_fcs_attach(struct bfa_fcs_s *fcs, st
38282 bfa_boolean_t min_cfg)
38283 {
38284 int i;
38285 - struct bfa_fcs_mod_s *mod;
38286 + const struct bfa_fcs_mod_s *mod;
38287
38288 fcs->bfa = bfa;
38289 fcs->bfad = bfad;
38290 @@ -93,7 +93,7 @@ void
38291 bfa_fcs_init(struct bfa_fcs_s *fcs)
38292 {
38293 int i, npbc_vports;
38294 - struct bfa_fcs_mod_s *mod;
38295 + const struct bfa_fcs_mod_s *mod;
38296 struct bfi_pbc_vport_s pbc_vports[BFI_PBC_MAX_VPORTS];
38297
38298 for (i = 0; i < sizeof(fcs_modules) / sizeof(fcs_modules[0]); i++) {
38299 @@ -140,7 +140,7 @@ bfa_fcs_driver_info_init(struct bfa_fcs_
38300 void
38301 bfa_fcs_exit(struct bfa_fcs_s *fcs)
38302 {
38303 - struct bfa_fcs_mod_s *mod;
38304 + const struct bfa_fcs_mod_s *mod;
38305 int nmods, i;
38306
38307 bfa_wc_init(&fcs->wc, bfa_fcs_exit_comp, fcs);
38308 diff -urNp linux-2.6.39.3/drivers/scsi/bfa/bfa_fcs_lport.c linux-2.6.39.3/drivers/scsi/bfa/bfa_fcs_lport.c
38309 --- linux-2.6.39.3/drivers/scsi/bfa/bfa_fcs_lport.c 2011-05-19 00:06:34.000000000 -0400
38310 +++ linux-2.6.39.3/drivers/scsi/bfa/bfa_fcs_lport.c 2011-05-22 19:36:32.000000000 -0400
38311 @@ -1559,6 +1559,8 @@ bfa_fcs_lport_fdmi_build_rhba_pyld(struc
38312 u16 len, count;
38313 u16 templen;
38314
38315 + pax_track_stack();
38316 +
38317 /*
38318 * get hba attributes
38319 */
38320 @@ -1836,6 +1838,8 @@ bfa_fcs_lport_fdmi_build_portattr_block(
38321 u8 count = 0;
38322 u16 templen;
38323
38324 + pax_track_stack();
38325 +
38326 /*
38327 * get port attributes
38328 */
38329 diff -urNp linux-2.6.39.3/drivers/scsi/bfa/bfa_fcs_rport.c linux-2.6.39.3/drivers/scsi/bfa/bfa_fcs_rport.c
38330 --- linux-2.6.39.3/drivers/scsi/bfa/bfa_fcs_rport.c 2011-05-19 00:06:34.000000000 -0400
38331 +++ linux-2.6.39.3/drivers/scsi/bfa/bfa_fcs_rport.c 2011-05-22 19:36:32.000000000 -0400
38332 @@ -1844,6 +1844,8 @@ bfa_fcs_rport_process_rpsc(struct bfa_fc
38333 struct fc_rpsc_speed_info_s speeds;
38334 struct bfa_port_attr_s pport_attr;
38335
38336 + pax_track_stack();
38337 +
38338 bfa_trc(port->fcs, rx_fchs->s_id);
38339 bfa_trc(port->fcs, rx_fchs->d_id);
38340
38341 diff -urNp linux-2.6.39.3/drivers/scsi/bfa/bfa_modules.h linux-2.6.39.3/drivers/scsi/bfa/bfa_modules.h
38342 --- linux-2.6.39.3/drivers/scsi/bfa/bfa_modules.h 2011-05-19 00:06:34.000000000 -0400
38343 +++ linux-2.6.39.3/drivers/scsi/bfa/bfa_modules.h 2011-05-22 19:36:32.000000000 -0400
38344 @@ -68,8 +68,8 @@ enum {
38345 static void bfa_ ## __mod ## _stop(struct bfa_s *bfa); \
38346 static void bfa_ ## __mod ## _iocdisable(struct bfa_s *bfa); \
38347 \
38348 - extern struct bfa_module_s hal_mod_ ## __mod; \
38349 - struct bfa_module_s hal_mod_ ## __mod = { \
38350 + extern const struct bfa_module_s hal_mod_ ## __mod; \
38351 + const struct bfa_module_s hal_mod_ ## __mod = { \
38352 bfa_ ## __mod ## _meminfo, \
38353 bfa_ ## __mod ## _attach, \
38354 bfa_ ## __mod ## _detach, \
38355 @@ -116,12 +116,12 @@ struct bfa_s {
38356 };
38357
38358 extern bfa_boolean_t bfa_auto_recover;
38359 -extern struct bfa_module_s hal_mod_sgpg;
38360 -extern struct bfa_module_s hal_mod_fcport;
38361 -extern struct bfa_module_s hal_mod_fcxp;
38362 -extern struct bfa_module_s hal_mod_lps;
38363 -extern struct bfa_module_s hal_mod_uf;
38364 -extern struct bfa_module_s hal_mod_rport;
38365 -extern struct bfa_module_s hal_mod_fcpim;
38366 +extern const struct bfa_module_s hal_mod_sgpg;
38367 +extern const struct bfa_module_s hal_mod_fcport;
38368 +extern const struct bfa_module_s hal_mod_fcxp;
38369 +extern const struct bfa_module_s hal_mod_lps;
38370 +extern const struct bfa_module_s hal_mod_uf;
38371 +extern const struct bfa_module_s hal_mod_rport;
38372 +extern const struct bfa_module_s hal_mod_fcpim;
38373
38374 #endif /* __BFA_MODULES_H__ */
38375 diff -urNp linux-2.6.39.3/drivers/scsi/BusLogic.c linux-2.6.39.3/drivers/scsi/BusLogic.c
38376 --- linux-2.6.39.3/drivers/scsi/BusLogic.c 2011-05-19 00:06:34.000000000 -0400
38377 +++ linux-2.6.39.3/drivers/scsi/BusLogic.c 2011-05-22 19:36:32.000000000 -0400
38378 @@ -962,6 +962,8 @@ static int __init BusLogic_InitializeFla
38379 static void __init BusLogic_InitializeProbeInfoList(struct BusLogic_HostAdapter
38380 *PrototypeHostAdapter)
38381 {
38382 + pax_track_stack();
38383 +
38384 /*
38385 If a PCI BIOS is present, interrogate it for MultiMaster and FlashPoint
38386 Host Adapters; otherwise, default to the standard ISA MultiMaster probe.
38387 diff -urNp linux-2.6.39.3/drivers/scsi/dpt_i2o.c linux-2.6.39.3/drivers/scsi/dpt_i2o.c
38388 --- linux-2.6.39.3/drivers/scsi/dpt_i2o.c 2011-05-19 00:06:34.000000000 -0400
38389 +++ linux-2.6.39.3/drivers/scsi/dpt_i2o.c 2011-05-22 19:36:32.000000000 -0400
38390 @@ -1811,6 +1811,8 @@ static int adpt_i2o_passthru(adpt_hba* p
38391 dma_addr_t addr;
38392 ulong flags = 0;
38393
38394 + pax_track_stack();
38395 +
38396 memset(&msg, 0, MAX_MESSAGE_SIZE*4);
38397 // get user msg size in u32s
38398 if(get_user(size, &user_msg[0])){
38399 @@ -2317,6 +2319,8 @@ static s32 adpt_scsi_to_i2o(adpt_hba* pH
38400 s32 rcode;
38401 dma_addr_t addr;
38402
38403 + pax_track_stack();
38404 +
38405 memset(msg, 0 , sizeof(msg));
38406 len = scsi_bufflen(cmd);
38407 direction = 0x00000000;
38408 diff -urNp linux-2.6.39.3/drivers/scsi/eata.c linux-2.6.39.3/drivers/scsi/eata.c
38409 --- linux-2.6.39.3/drivers/scsi/eata.c 2011-05-19 00:06:34.000000000 -0400
38410 +++ linux-2.6.39.3/drivers/scsi/eata.c 2011-05-22 19:36:32.000000000 -0400
38411 @@ -1087,6 +1087,8 @@ static int port_detect(unsigned long por
38412 struct hostdata *ha;
38413 char name[16];
38414
38415 + pax_track_stack();
38416 +
38417 sprintf(name, "%s%d", driver_name, j);
38418
38419 if (!request_region(port_base, REGION_SIZE, driver_name)) {
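Review bot: The context line `sprintf(name, "%s%d", driver_name, j);` writes into `char name[16]` with no bound, and the added `pax_track_stack()` call does nothing to limit that write. Whether it can overflow depends on the length of `driver_name` and the range of `j`, neither of which is visible here. `snprintf(name, sizeof(name), "%s%d", driver_name, j);` makes the bound explicit at no cost. `port_detect` begins and ends outside the hunk.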
38420 diff -urNp linux-2.6.39.3/drivers/scsi/esp_scsi.c linux-2.6.39.3/drivers/scsi/esp_scsi.c
38421 --- linux-2.6.39.3/drivers/scsi/esp_scsi.c 2011-05-19 00:06:34.000000000 -0400
38422 +++ linux-2.6.39.3/drivers/scsi/esp_scsi.c 2011-05-22 19:36:32.000000000 -0400
38423 @@ -2680,7 +2680,7 @@ static void esp_set_width(struct scsi_ta
38424 tp->flags |= ESP_TGT_CHECK_NEGO;
38425 }
38426
38427 -static struct spi_function_template esp_transport_ops = {
38428 +static const struct spi_function_template esp_transport_ops = {
38429 .set_offset = esp_set_offset,
38430 .show_offset = 1,
38431 .set_period = esp_set_period,
38432 diff -urNp linux-2.6.39.3/drivers/scsi/fcoe/fcoe.c linux-2.6.39.3/drivers/scsi/fcoe/fcoe.c
38433 --- linux-2.6.39.3/drivers/scsi/fcoe/fcoe.c 2011-05-19 00:06:34.000000000 -0400
38434 +++ linux-2.6.39.3/drivers/scsi/fcoe/fcoe.c 2011-05-22 19:36:32.000000000 -0400
38435 @@ -138,7 +138,7 @@ static int fcoe_vport_disable(struct fc_
38436 static void fcoe_set_vport_symbolic_name(struct fc_vport *);
38437 static void fcoe_set_port_id(struct fc_lport *, u32, struct fc_frame *);
38438
38439 -static struct libfc_function_template fcoe_libfc_fcn_templ = {
38440 +static const struct libfc_function_template fcoe_libfc_fcn_templ = {
38441 .frame_send = fcoe_xmit,
38442 .ddp_setup = fcoe_ddp_setup,
38443 .ddp_done = fcoe_ddp_done,
38444 diff -urNp linux-2.6.39.3/drivers/scsi/fcoe/fcoe_ctlr.c linux-2.6.39.3/drivers/scsi/fcoe/fcoe_ctlr.c
38445 --- linux-2.6.39.3/drivers/scsi/fcoe/fcoe_ctlr.c 2011-05-19 00:06:34.000000000 -0400
38446 +++ linux-2.6.39.3/drivers/scsi/fcoe/fcoe_ctlr.c 2011-05-22 19:36:32.000000000 -0400
38447 @@ -1912,7 +1912,7 @@ static void fcoe_ctlr_vn_rport_callback(
38448 mutex_unlock(&fip->ctlr_mutex);
38449 }
38450
38451 -static struct fc_rport_operations fcoe_ctlr_vn_rport_ops = {
38452 +static const struct fc_rport_operations fcoe_ctlr_vn_rport_ops = {
38453 .event_callback = fcoe_ctlr_vn_rport_callback,
38454 };
38455
38456 @@ -2458,6 +2458,8 @@ static int fcoe_ctlr_vn_recv(struct fcoe
38457 } buf;
38458 int rc;
38459
38460 + pax_track_stack();
38461 +
38462 fiph = (struct fip_header *)skb->data;
38463 sub = fiph->fip_subcode;
38464
38465 diff -urNp linux-2.6.39.3/drivers/scsi/fnic/fnic_main.c linux-2.6.39.3/drivers/scsi/fnic/fnic_main.c
38466 --- linux-2.6.39.3/drivers/scsi/fnic/fnic_main.c 2011-05-19 00:06:34.000000000 -0400
38467 +++ linux-2.6.39.3/drivers/scsi/fnic/fnic_main.c 2011-05-22 19:36:32.000000000 -0400
38468 @@ -69,7 +69,7 @@ module_param(fnic_log_level, int, S_IRUG
38469 MODULE_PARM_DESC(fnic_log_level, "bit mask of fnic logging levels");
38470
38471
38472 -static struct libfc_function_template fnic_transport_template = {
38473 +static const struct libfc_function_template fnic_transport_template = {
38474 .frame_send = fnic_send,
38475 .lport_set_port_id = fnic_set_port_id,
38476 .fcp_abort_io = fnic_empty_scsi_cleanup,
38477 diff -urNp linux-2.6.39.3/drivers/scsi/gdth.c linux-2.6.39.3/drivers/scsi/gdth.c
38478 --- linux-2.6.39.3/drivers/scsi/gdth.c 2011-05-19 00:06:34.000000000 -0400
38479 +++ linux-2.6.39.3/drivers/scsi/gdth.c 2011-05-22 19:36:32.000000000 -0400
38480 @@ -4107,6 +4107,8 @@ static int ioc_lockdrv(void __user *arg)
38481 unsigned long flags;
38482 gdth_ha_str *ha;
38483
38484 + pax_track_stack();
38485 +
38486 if (copy_from_user(&ldrv, arg, sizeof(gdth_ioctl_lockdrv)))
38487 return -EFAULT;
38488 ha = gdth_find_ha(ldrv.ionode);
38489 @@ -4139,6 +4141,8 @@ static int ioc_resetdrv(void __user *arg
38490 gdth_ha_str *ha;
38491 int rval;
38492
38493 + pax_track_stack();
38494 +
38495 if (copy_from_user(&res, arg, sizeof(gdth_ioctl_reset)) ||
38496 res.number >= MAX_HDRIVES)
38497 return -EFAULT;
38498 @@ -4174,6 +4178,8 @@ static int ioc_general(void __user *arg,
38499 gdth_ha_str *ha;
38500 int rval;
38501
38502 + pax_track_stack();
38503 +
38504 if (copy_from_user(&gen, arg, sizeof(gdth_ioctl_general)))
38505 return -EFAULT;
38506 ha = gdth_find_ha(gen.ionode);
38507 @@ -4642,6 +4648,9 @@ static void gdth_flush(gdth_ha_str *ha)
38508 int i;
38509 gdth_cmd_str gdtcmd;
38510 char cmnd[MAX_COMMAND_SIZE];
38511 +
38512 + pax_track_stack();
38513 +
38514 memset(cmnd, 0xff, MAX_COMMAND_SIZE);
38515
38516 TRACE2(("gdth_flush() hanum %d\n", ha->hanum));
38517 diff -urNp linux-2.6.39.3/drivers/scsi/gdth_proc.c linux-2.6.39.3/drivers/scsi/gdth_proc.c
38518 --- linux-2.6.39.3/drivers/scsi/gdth_proc.c 2011-05-19 00:06:34.000000000 -0400
38519 +++ linux-2.6.39.3/drivers/scsi/gdth_proc.c 2011-05-22 19:36:32.000000000 -0400
38520 @@ -47,6 +47,9 @@ static int gdth_set_asc_info(struct Scsi
38521 u64 paddr;
38522
38523 char cmnd[MAX_COMMAND_SIZE];
38524 +
38525 + pax_track_stack();
38526 +
38527 memset(cmnd, 0xff, 12);
38528 memset(&gdtcmd, 0, sizeof(gdth_cmd_str));
38529
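Review bot: `memset(cmnd, 0xff, 12);` fills only the first 12 bytes of `char cmnd[MAX_COMMAND_SIZE]`, whereas `gdth_flush` in gdth.c fills the same kind of buffer with `memset(cmnd, 0xff, MAX_COMMAND_SIZE);`. If `MAX_COMMAND_SIZE` is larger than 12, which this hunk does not show, the tail of `cmnd` keeps whatever was previously on the stack. `memset(cmnd, 0xff, sizeof(cmnd));` removes both the magic number and the doubt. `gdth_set_asc_info` starts and ends outside the hunk.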
38530 @@ -175,6 +178,8 @@ static int gdth_get_info(char *buffer,ch
38531 gdth_hget_str *phg;
38532 char cmnd[MAX_COMMAND_SIZE];
38533
38534 + pax_track_stack();
38535 +
38536 gdtcmd = kmalloc(sizeof(*gdtcmd), GFP_KERNEL);
38537 estr = kmalloc(sizeof(*estr), GFP_KERNEL);
38538 if (!gdtcmd || !estr)
38539 diff -urNp linux-2.6.39.3/drivers/scsi/hosts.c linux-2.6.39.3/drivers/scsi/hosts.c
38540 --- linux-2.6.39.3/drivers/scsi/hosts.c 2011-05-19 00:06:34.000000000 -0400
38541 +++ linux-2.6.39.3/drivers/scsi/hosts.c 2011-05-22 19:36:32.000000000 -0400
38542 @@ -42,7 +42,7 @@
38543 #include "scsi_logging.h"
38544
38545
38546 -static atomic_t scsi_host_next_hn; /* host_no for next new host */
38547 +static atomic_unchecked_t scsi_host_next_hn; /* host_no for next new host */
38548
38549
38550 static void scsi_host_cls_release(struct device *dev)
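Review bot: The existing comment on `scsi_host_next_hn` should say why the counter is now `atomic_unchecked_t`, since that type presumably opts it out of the overflow detection this patch applies to plain `atomic_t`. The counter hands out host numbers rather than holding references, so a wrap is not a reference-count problem. After a wrap, though, `atomic_inc_return_unchecked()` in `scsi_host_alloc` (next hunk) could return a `host_no` that is already in use. I would extend the comment to `/* host_no for next new host; an ID counter, not a refcount, so it may wrap */`.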
38551 @@ -354,7 +354,7 @@ struct Scsi_Host *scsi_host_alloc(struct
38552 * subtract one because we increment first then return, but we need to
38553 * know what the next host number was before increment
38554 */
38555 - shost->host_no = atomic_inc_return(&scsi_host_next_hn) - 1;
38556 + shost->host_no = atomic_inc_return_unchecked(&scsi_host_next_hn) - 1;
38557 shost->dma_channel = 0xff;
38558
38559 /* These three are default values which can be overridden */
38560 diff -urNp linux-2.6.39.3/drivers/scsi/hpsa.h linux-2.6.39.3/drivers/scsi/hpsa.h
38561 --- linux-2.6.39.3/drivers/scsi/hpsa.h 2011-05-19 00:06:34.000000000 -0400
38562 +++ linux-2.6.39.3/drivers/scsi/hpsa.h 2011-05-22 19:36:32.000000000 -0400
38563 @@ -347,7 +347,7 @@ static struct access_method SA5_access =
38564 SA5_completed,
38565 };
38566
38567 -static struct access_method SA5_performant_access = {
38568 +static const struct access_method SA5_performant_access = {
38569 SA5_submit_command,
38570 SA5_performant_intr_mask,
38571 SA5_fifo_full,
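Review bot: Only `SA5_performant_access` becomes `const` in this file; the `SA5_access` table named in the hunk header is still declared `static struct access_method`, and this is the only hunk for hpsa.h. Both tables are initialised with the same kind of handler functions (`SA5_submit_command`, `SA5_fifo_full`), so leaving one of them writable looks inconsistent with the rest of the change. If `SA5_access` has to stay mutable because some user takes a non-const pointer to it, a one-line comment saying so would help. Otherwise declare it `static const struct access_method SA5_access = {` as well.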
38572 diff -urNp linux-2.6.39.3/drivers/scsi/hptiop.c linux-2.6.39.3/drivers/scsi/hptiop.c
38573 --- linux-2.6.39.3/drivers/scsi/hptiop.c 2011-05-19 00:06:34.000000000 -0400
38574 +++ linux-2.6.39.3/drivers/scsi/hptiop.c 2011-05-22 19:36:32.000000000 -0400
38575 @@ -1226,7 +1226,7 @@ static void hptiop_remove(struct pci_dev
38576 scsi_host_put(host);
38577 }
38578
38579 -static struct hptiop_adapter_ops hptiop_itl_ops = {
38580 +static const struct hptiop_adapter_ops hptiop_itl_ops = {
38581 .iop_wait_ready = iop_wait_ready_itl,
38582 .internal_memalloc = NULL,
38583 .internal_memfree = NULL,
38584 @@ -1241,7 +1241,7 @@ static struct hptiop_adapter_ops hptiop_
38585 .post_req = hptiop_post_req_itl,
38586 };
38587
38588 -static struct hptiop_adapter_ops hptiop_mv_ops = {
38589 +static const struct hptiop_adapter_ops hptiop_mv_ops = {
38590 .iop_wait_ready = iop_wait_ready_mv,
38591 .internal_memalloc = hptiop_internal_memalloc_mv,
38592 .internal_memfree = hptiop_internal_memfree_mv,
38593 diff -urNp linux-2.6.39.3/drivers/scsi/ibmvscsi/ibmvfc.c linux-2.6.39.3/drivers/scsi/ibmvscsi/ibmvfc.c
38594 --- linux-2.6.39.3/drivers/scsi/ibmvscsi/ibmvfc.c 2011-05-19 00:06:34.000000000 -0400
38595 +++ linux-2.6.39.3/drivers/scsi/ibmvscsi/ibmvfc.c 2011-05-22 19:36:32.000000000 -0400
38596 @@ -4881,7 +4881,7 @@ static struct vio_device_id ibmvfc_devic
38597 };
38598 MODULE_DEVICE_TABLE(vio, ibmvfc_device_table);
38599
38600 -static struct dev_pm_ops ibmvfc_pm_ops = {
38601 +static const struct dev_pm_ops ibmvfc_pm_ops = {
38602 .resume = ibmvfc_resume
38603 };
38604
38605 diff -urNp linux-2.6.39.3/drivers/scsi/ibmvscsi/ibmvscsi.c linux-2.6.39.3/drivers/scsi/ibmvscsi/ibmvscsi.c
38606 --- linux-2.6.39.3/drivers/scsi/ibmvscsi/ibmvscsi.c 2011-05-19 00:06:34.000000000 -0400
38607 +++ linux-2.6.39.3/drivers/scsi/ibmvscsi/ibmvscsi.c 2011-05-22 19:36:32.000000000 -0400
38608 @@ -104,7 +104,7 @@ static struct scsi_transport_template *i
38609
38610 #define IBMVSCSI_VERSION "1.5.9"
38611
38612 -static struct ibmvscsi_ops *ibmvscsi_ops;
38613 +static const struct ibmvscsi_ops *ibmvscsi_ops;
38614
38615 MODULE_DESCRIPTION("IBM Virtual SCSI");
38616 MODULE_AUTHOR("Dave Boutcher");
38617 @@ -2059,7 +2059,7 @@ static struct vio_device_id ibmvscsi_dev
38618 };
38619 MODULE_DEVICE_TABLE(vio, ibmvscsi_device_table);
38620
38621 -static struct dev_pm_ops ibmvscsi_pm_ops = {
38622 +static const struct dev_pm_ops ibmvscsi_pm_ops = {
38623 .resume = ibmvscsi_resume
38624 };
38625
38626 @@ -2075,7 +2075,7 @@ static struct vio_driver ibmvscsi_driver
38627 }
38628 };
38629
38630 -static struct srp_function_template ibmvscsi_transport_functions = {
38631 +static const struct srp_function_template ibmvscsi_transport_functions = {
38632 };
38633
38634 int __init ibmvscsi_module_init(void)
38635 diff -urNp linux-2.6.39.3/drivers/scsi/ibmvscsi/ibmvscsi.h linux-2.6.39.3/drivers/scsi/ibmvscsi/ibmvscsi.h
38636 --- linux-2.6.39.3/drivers/scsi/ibmvscsi/ibmvscsi.h 2011-05-19 00:06:34.000000000 -0400
38637 +++ linux-2.6.39.3/drivers/scsi/ibmvscsi/ibmvscsi.h 2011-05-22 19:36:32.000000000 -0400
38638 @@ -127,7 +127,7 @@ struct ibmvscsi_ops {
38639 int (*resume) (struct ibmvscsi_host_data *hostdata);
38640 };
38641
38642 -extern struct ibmvscsi_ops iseriesvscsi_ops;
38643 -extern struct ibmvscsi_ops rpavscsi_ops;
38644 +extern const struct ibmvscsi_ops iseriesvscsi_ops;
38645 +extern const struct ibmvscsi_ops rpavscsi_ops;
38646
38647 #endif /* IBMVSCSI_H */
38648 diff -urNp linux-2.6.39.3/drivers/scsi/ibmvscsi/ibmvstgt.c linux-2.6.39.3/drivers/scsi/ibmvscsi/ibmvstgt.c
38649 --- linux-2.6.39.3/drivers/scsi/ibmvscsi/ibmvstgt.c 2011-05-19 00:06:34.000000000 -0400
38650 +++ linux-2.6.39.3/drivers/scsi/ibmvscsi/ibmvstgt.c 2011-05-22 19:36:32.000000000 -0400
38651 @@ -951,7 +951,7 @@ static int get_system_info(void)
38652 return 0;
38653 }
38654
38655 -static struct srp_function_template ibmvstgt_transport_functions = {
38656 +static const struct srp_function_template ibmvstgt_transport_functions = {
38657 .tsk_mgmt_response = ibmvstgt_tsk_mgmt_response,
38658 .it_nexus_response = ibmvstgt_it_nexus_response,
38659 };
38660 diff -urNp linux-2.6.39.3/drivers/scsi/ibmvscsi/iseries_vscsi.c linux-2.6.39.3/drivers/scsi/ibmvscsi/iseries_vscsi.c
38661 --- linux-2.6.39.3/drivers/scsi/ibmvscsi/iseries_vscsi.c 2011-05-19 00:06:34.000000000 -0400
38662 +++ linux-2.6.39.3/drivers/scsi/ibmvscsi/iseries_vscsi.c 2011-05-22 19:36:32.000000000 -0400
38663 @@ -163,7 +163,7 @@ static int iseriesvscsi_resume(struct ib
38664 return 0;
38665 }
38666
38667 -struct ibmvscsi_ops iseriesvscsi_ops = {
38668 +const struct ibmvscsi_ops iseriesvscsi_ops = {
38669 .init_crq_queue = iseriesvscsi_init_crq_queue,
38670 .release_crq_queue = iseriesvscsi_release_crq_queue,
38671 .reset_crq_queue = iseriesvscsi_reset_crq_queue,
38672 diff -urNp linux-2.6.39.3/drivers/scsi/ibmvscsi/rpa_vscsi.c linux-2.6.39.3/drivers/scsi/ibmvscsi/rpa_vscsi.c
38673 --- linux-2.6.39.3/drivers/scsi/ibmvscsi/rpa_vscsi.c 2011-05-19 00:06:34.000000000 -0400
38674 +++ linux-2.6.39.3/drivers/scsi/ibmvscsi/rpa_vscsi.c 2011-05-22 19:36:32.000000000 -0400
38675 @@ -358,7 +358,7 @@ static int rpavscsi_resume(struct ibmvsc
38676 return 0;
38677 }
38678
38679 -struct ibmvscsi_ops rpavscsi_ops = {
38680 +const struct ibmvscsi_ops rpavscsi_ops = {
38681 .init_crq_queue = rpavscsi_init_crq_queue,
38682 .release_crq_queue = rpavscsi_release_crq_queue,
38683 .reset_crq_queue = rpavscsi_reset_crq_queue,
38684 diff -urNp linux-2.6.39.3/drivers/scsi/ipr.c linux-2.6.39.3/drivers/scsi/ipr.c
38685 --- linux-2.6.39.3/drivers/scsi/ipr.c 2011-05-19 00:06:34.000000000 -0400
38686 +++ linux-2.6.39.3/drivers/scsi/ipr.c 2011-05-22 19:36:32.000000000 -0400
38687 @@ -6210,7 +6210,7 @@ static bool ipr_qc_fill_rtf(struct ata_q
38688 return true;
38689 }
38690
38691 -static struct ata_port_operations ipr_sata_ops = {
38692 +static const struct ata_port_operations ipr_sata_ops = {
38693 .phy_reset = ipr_ata_phy_reset,
38694 .hardreset = ipr_sata_reset,
38695 .post_internal_cmd = ipr_ata_post_internal,
38696 diff -urNp linux-2.6.39.3/drivers/scsi/libfc/fc_exch.c linux-2.6.39.3/drivers/scsi/libfc/fc_exch.c
38697 --- linux-2.6.39.3/drivers/scsi/libfc/fc_exch.c 2011-05-19 00:06:34.000000000 -0400
38698 +++ linux-2.6.39.3/drivers/scsi/libfc/fc_exch.c 2011-05-22 19:36:32.000000000 -0400
38699 @@ -105,12 +105,12 @@ struct fc_exch_mgr {
38700 * all together if not used XXX
38701 */
38702 struct {
38703 - atomic_t no_free_exch;
38704 - atomic_t no_free_exch_xid;
38705 - atomic_t xid_not_found;
38706 - atomic_t xid_busy;
38707 - atomic_t seq_not_found;
38708 - atomic_t non_bls_resp;
38709 + atomic_unchecked_t no_free_exch;
38710 + atomic_unchecked_t no_free_exch_xid;
38711 + atomic_unchecked_t xid_not_found;
38712 + atomic_unchecked_t xid_busy;
38713 + atomic_unchecked_t seq_not_found;
38714 + atomic_unchecked_t non_bls_resp;
38715 } stats;
38716 };
38717
38718 @@ -700,7 +700,7 @@ static struct fc_exch *fc_exch_em_alloc(
38719 /* allocate memory for exchange */
38720 ep = mempool_alloc(mp->ep_pool, GFP_ATOMIC);
38721 if (!ep) {
38722 - atomic_inc(&mp->stats.no_free_exch);
38723 + atomic_inc_unchecked(&mp->stats.no_free_exch);
38724 goto out;
38725 }
38726 memset(ep, 0, sizeof(*ep));
38727 @@ -761,7 +761,7 @@ out:
38728 return ep;
38729 err:
38730 spin_unlock_bh(&pool->lock);
38731 - atomic_inc(&mp->stats.no_free_exch_xid);
38732 + atomic_inc_unchecked(&mp->stats.no_free_exch_xid);
38733 mempool_free(ep, mp->ep_pool);
38734 return NULL;
38735 }
38736 @@ -906,7 +906,7 @@ static enum fc_pf_rjt_reason fc_seq_look
38737 xid = ntohs(fh->fh_ox_id); /* we originated exch */
38738 ep = fc_exch_find(mp, xid);
38739 if (!ep) {
38740 - atomic_inc(&mp->stats.xid_not_found);
38741 + atomic_inc_unchecked(&mp->stats.xid_not_found);
38742 reject = FC_RJT_OX_ID;
38743 goto out;
38744 }
38745 @@ -936,7 +936,7 @@ static enum fc_pf_rjt_reason fc_seq_look
38746 ep = fc_exch_find(mp, xid);
38747 if ((f_ctl & FC_FC_FIRST_SEQ) && fc_sof_is_init(fr_sof(fp))) {
38748 if (ep) {
38749 - atomic_inc(&mp->stats.xid_busy);
38750 + atomic_inc_unchecked(&mp->stats.xid_busy);
38751 reject = FC_RJT_RX_ID;
38752 goto rel;
38753 }
38754 @@ -947,7 +947,7 @@ static enum fc_pf_rjt_reason fc_seq_look
38755 }
38756 xid = ep->xid; /* get our XID */
38757 } else if (!ep) {
38758 - atomic_inc(&mp->stats.xid_not_found);
38759 + atomic_inc_unchecked(&mp->stats.xid_not_found);
38760 reject = FC_RJT_RX_ID; /* XID not found */
38761 goto out;
38762 }
38763 @@ -964,7 +964,7 @@ static enum fc_pf_rjt_reason fc_seq_look
38764 } else {
38765 sp = &ep->seq;
38766 if (sp->id != fh->fh_seq_id) {
38767 - atomic_inc(&mp->stats.seq_not_found);
38768 + atomic_inc_unchecked(&mp->stats.seq_not_found);
38769 reject = FC_RJT_SEQ_ID; /* sequence/exch should exist */
38770 goto rel;
38771 }
38772 @@ -1392,22 +1392,22 @@ static void fc_exch_recv_seq_resp(struct
38773
38774 ep = fc_exch_find(mp, ntohs(fh->fh_ox_id));
38775 if (!ep) {
38776 - atomic_inc(&mp->stats.xid_not_found);
38777 + atomic_inc_unchecked(&mp->stats.xid_not_found);
38778 goto out;
38779 }
38780 if (ep->esb_stat & ESB_ST_COMPLETE) {
38781 - atomic_inc(&mp->stats.xid_not_found);
38782 + atomic_inc_unchecked(&mp->stats.xid_not_found);
38783 goto rel;
38784 }
38785 if (ep->rxid == FC_XID_UNKNOWN)
38786 ep->rxid = ntohs(fh->fh_rx_id);
38787 if (ep->sid != 0 && ep->sid != ntoh24(fh->fh_d_id)) {
38788 - atomic_inc(&mp->stats.xid_not_found);
38789 + atomic_inc_unchecked(&mp->stats.xid_not_found);
38790 goto rel;
38791 }
38792 if (ep->did != ntoh24(fh->fh_s_id) &&
38793 ep->did != FC_FID_FLOGI) {
38794 - atomic_inc(&mp->stats.xid_not_found);
38795 + atomic_inc_unchecked(&mp->stats.xid_not_found);
38796 goto rel;
38797 }
38798 sof = fr_sof(fp);
38799 @@ -1416,7 +1416,7 @@ static void fc_exch_recv_seq_resp(struct
38800 sp->ssb_stat |= SSB_ST_RESP;
38801 sp->id = fh->fh_seq_id;
38802 } else if (sp->id != fh->fh_seq_id) {
38803 - atomic_inc(&mp->stats.seq_not_found);
38804 + atomic_inc_unchecked(&mp->stats.seq_not_found);
38805 goto rel;
38806 }
38807
38808 @@ -1479,9 +1479,9 @@ static void fc_exch_recv_resp(struct fc_
38809 sp = fc_seq_lookup_orig(mp, fp); /* doesn't hold sequence */
38810
38811 if (!sp)
38812 - atomic_inc(&mp->stats.xid_not_found);
38813 + atomic_inc_unchecked(&mp->stats.xid_not_found);
38814 else
38815 - atomic_inc(&mp->stats.non_bls_resp);
38816 + atomic_inc_unchecked(&mp->stats.non_bls_resp);
38817
38818 fc_frame_free(fp);
38819 }
38820 diff -urNp linux-2.6.39.3/drivers/scsi/libfc/fc_lport.c linux-2.6.39.3/drivers/scsi/libfc/fc_lport.c
38821 --- linux-2.6.39.3/drivers/scsi/libfc/fc_lport.c 2011-05-19 00:06:34.000000000 -0400
38822 +++ linux-2.6.39.3/drivers/scsi/libfc/fc_lport.c 2011-05-22 19:36:32.000000000 -0400
38823 @@ -1299,7 +1299,7 @@ static void fc_lport_enter_ns(struct fc_
38824 fc_lport_error(lport, fp);
38825 }
38826
38827 -static struct fc_rport_operations fc_lport_rport_ops = {
38828 +static const struct fc_rport_operations fc_lport_rport_ops = {
38829 .event_callback = fc_lport_rport_callback,
38830 };
38831
38832 diff -urNp linux-2.6.39.3/drivers/scsi/libfc/fc_rport.c linux-2.6.39.3/drivers/scsi/libfc/fc_rport.c
38833 --- linux-2.6.39.3/drivers/scsi/libfc/fc_rport.c 2011-05-19 00:06:34.000000000 -0400
38834 +++ linux-2.6.39.3/drivers/scsi/libfc/fc_rport.c 2011-05-22 19:36:32.000000000 -0400
38835 @@ -256,7 +256,7 @@ static void fc_rport_work(struct work_st
38836 struct fc_rport_libfc_priv *rpriv;
38837 enum fc_rport_event event;
38838 struct fc_lport *lport = rdata->local_port;
38839 - struct fc_rport_operations *rport_ops;
38840 + const struct fc_rport_operations *rport_ops;
38841 struct fc_rport_identifiers ids;
38842 struct fc_rport *rport;
38843 struct fc4_prov *prov;
38844 diff -urNp linux-2.6.39.3/drivers/scsi/libsas/sas_ata.c linux-2.6.39.3/drivers/scsi/libsas/sas_ata.c
38845 --- linux-2.6.39.3/drivers/scsi/libsas/sas_ata.c 2011-05-19 00:06:34.000000000 -0400
38846 +++ linux-2.6.39.3/drivers/scsi/libsas/sas_ata.c 2011-05-22 19:36:32.000000000 -0400
38847 @@ -307,14 +307,14 @@ static void sas_ata_post_internal(struct
38848 }
38849 }
38850
38851 -static struct ata_port_operations sas_sata_ops = {
38852 +static const struct ata_port_operations sas_sata_ops = {
38853 .prereset = ata_std_prereset,
38854 .softreset = NULL,
38855 .hardreset = sas_ata_hard_reset,
38856 .postreset = ata_std_postreset,
38857 .error_handler = ata_std_error_handler,
38858 .post_internal_cmd = sas_ata_post_internal,
38859 - .qc_defer = ata_std_qc_defer,
38860 + .qc_defer = ata_std_qc_defer,
38861 .qc_prep = ata_noop_qc_prep,
38862 .qc_issue = sas_ata_qc_issue,
38863 .qc_fill_rtf = sas_ata_qc_fill_rtf,
38864 diff -urNp linux-2.6.39.3/drivers/scsi/lpfc/lpfc_debugfs.c linux-2.6.39.3/drivers/scsi/lpfc/lpfc_debugfs.c
38865 --- linux-2.6.39.3/drivers/scsi/lpfc/lpfc_debugfs.c 2011-05-19 00:06:34.000000000 -0400
38866 +++ linux-2.6.39.3/drivers/scsi/lpfc/lpfc_debugfs.c 2011-05-22 19:36:32.000000000 -0400
38867 @@ -104,7 +104,7 @@ MODULE_PARM_DESC(lpfc_debugfs_mask_disc_
38868
38869 #include <linux/debugfs.h>
38870
38871 -static atomic_t lpfc_debugfs_seq_trc_cnt = ATOMIC_INIT(0);
38872 +static atomic_unchecked_t lpfc_debugfs_seq_trc_cnt = ATOMIC_INIT(0);
38873 static unsigned long lpfc_debugfs_start_time = 0L;
38874
38875 /* iDiag */
38876 @@ -141,7 +141,7 @@ lpfc_debugfs_disc_trc_data(struct lpfc_v
38877 lpfc_debugfs_enable = 0;
38878
38879 len = 0;
38880 - index = (atomic_read(&vport->disc_trc_cnt) + 1) &
38881 + index = (atomic_read_unchecked(&vport->disc_trc_cnt) + 1) &
38882 (lpfc_debugfs_max_disc_trc - 1);
38883 for (i = index; i < lpfc_debugfs_max_disc_trc; i++) {
38884 dtp = vport->disc_trc + i;
38885 @@ -202,7 +202,7 @@ lpfc_debugfs_slow_ring_trc_data(struct l
38886 lpfc_debugfs_enable = 0;
38887
38888 len = 0;
38889 - index = (atomic_read(&phba->slow_ring_trc_cnt) + 1) &
38890 + index = (atomic_read_unchecked(&phba->slow_ring_trc_cnt) + 1) &
38891 (lpfc_debugfs_max_slow_ring_trc - 1);
38892 for (i = index; i < lpfc_debugfs_max_slow_ring_trc; i++) {
38893 dtp = phba->slow_ring_trc + i;
38894 @@ -380,6 +380,8 @@ lpfc_debugfs_dumpHBASlim_data(struct lpf
38895 uint32_t *ptr;
38896 char buffer[1024];
38897
38898 + pax_track_stack();
38899 +
38900 off = 0;
38901 spin_lock_irq(&phba->hbalock);
38902
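Review bot: `char buffer[1024]` stays on the kernel stack in `lpfc_debugfs_dumpHBASlim_data`; the added `pax_track_stack()` appears only to record how deep the frame reaches and does not make it smaller. A short comment on the call, for example `/* large frame: 1 KiB buffer[] above */`, would tell the next reader why this function is instrumented. If the buffer is ever moved off the stack, the allocation has to happen before `spin_lock_irq(&phba->hbalock)` is taken. The function starts and ends outside the hunk.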
38903 @@ -617,14 +619,14 @@ lpfc_debugfs_disc_trc(struct lpfc_vport
38904 !vport || !vport->disc_trc)
38905 return;
38906
38907 - index = atomic_inc_return(&vport->disc_trc_cnt) &
38908 + index = atomic_inc_return_unchecked(&vport->disc_trc_cnt) &
38909 (lpfc_debugfs_max_disc_trc - 1);
38910 dtp = vport->disc_trc + index;
38911 dtp->fmt = fmt;
38912 dtp->data1 = data1;
38913 dtp->data2 = data2;
38914 dtp->data3 = data3;
38915 - dtp->seq_cnt = atomic_inc_return(&lpfc_debugfs_seq_trc_cnt);
38916 + dtp->seq_cnt = atomic_inc_return_unchecked(&lpfc_debugfs_seq_trc_cnt);
38917 dtp->jif = jiffies;
38918 #endif
38919 return;
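Review bot: The trace index is kept in range only by the mask `& (lpfc_debugfs_max_disc_trc - 1)`, which is correct only when `lpfc_debugfs_max_disc_trc` is a power of two. With `atomic_inc_return_unchecked()` the counter is now explicitly allowed to wrap, so that assumption is the sole bounds check on `vport->disc_trc + index`. Where the limit is rounded is not visible in this hunk. A comment such as `/* max_disc_trc is a power of two, so the mask bounds index even after the counter wraps */` would record it. The same applies to `lpfc_debugfs_slow_ring_trc` in the next hunk, and both functions start outside their hunks.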
38920 @@ -655,14 +657,14 @@ lpfc_debugfs_slow_ring_trc(struct lpfc_h
38921 !phba || !phba->slow_ring_trc)
38922 return;
38923
38924 - index = atomic_inc_return(&phba->slow_ring_trc_cnt) &
38925 + index = atomic_inc_return_unchecked(&phba->slow_ring_trc_cnt) &
38926 (lpfc_debugfs_max_slow_ring_trc - 1);
38927 dtp = phba->slow_ring_trc + index;
38928 dtp->fmt = fmt;
38929 dtp->data1 = data1;
38930 dtp->data2 = data2;
38931 dtp->data3 = data3;
38932 - dtp->seq_cnt = atomic_inc_return(&lpfc_debugfs_seq_trc_cnt);
38933 + dtp->seq_cnt = atomic_inc_return_unchecked(&lpfc_debugfs_seq_trc_cnt);
38934 dtp->jif = jiffies;
38935 #endif
38936 return;
38937 @@ -2145,7 +2147,7 @@ lpfc_debugfs_initialize(struct lpfc_vpor
38938 "slow_ring buffer\n");
38939 goto debug_failed;
38940 }
38941 - atomic_set(&phba->slow_ring_trc_cnt, 0);
38942 + atomic_set_unchecked(&phba->slow_ring_trc_cnt, 0);
38943 memset(phba->slow_ring_trc, 0,
38944 (sizeof(struct lpfc_debugfs_trc) *
38945 lpfc_debugfs_max_slow_ring_trc));
38946 @@ -2191,7 +2193,7 @@ lpfc_debugfs_initialize(struct lpfc_vpor
38947 "buffer\n");
38948 goto debug_failed;
38949 }
38950 - atomic_set(&vport->disc_trc_cnt, 0);
38951 + atomic_set_unchecked(&vport->disc_trc_cnt, 0);
38952
38953 snprintf(name, sizeof(name), "discovery_trace");
38954 vport->debug_disc_trc =
38955 diff -urNp linux-2.6.39.3/drivers/scsi/lpfc/lpfc.h linux-2.6.39.3/drivers/scsi/lpfc/lpfc.h
38956 --- linux-2.6.39.3/drivers/scsi/lpfc/lpfc.h 2011-05-19 00:06:34.000000000 -0400
38957 +++ linux-2.6.39.3/drivers/scsi/lpfc/lpfc.h 2011-05-22 19:36:32.000000000 -0400
38958 @@ -419,7 +419,7 @@ struct lpfc_vport {
38959 struct dentry *debug_nodelist;
38960 struct dentry *vport_debugfs_root;
38961 struct lpfc_debugfs_trc *disc_trc;
38962 - atomic_t disc_trc_cnt;
38963 + atomic_unchecked_t disc_trc_cnt;
38964 #endif
38965 uint8_t stat_data_enabled;
38966 uint8_t stat_data_blocked;
38967 @@ -785,8 +785,8 @@ struct lpfc_hba {
38968 struct timer_list fabric_block_timer;
38969 unsigned long bit_flags;
38970 #define FABRIC_COMANDS_BLOCKED 0
38971 - atomic_t num_rsrc_err;
38972 - atomic_t num_cmd_success;
38973 + atomic_unchecked_t num_rsrc_err;
38974 + atomic_unchecked_t num_cmd_success;
38975 unsigned long last_rsrc_error_time;
38976 unsigned long last_ramp_down_time;
38977 unsigned long last_ramp_up_time;
38978 @@ -800,7 +800,7 @@ struct lpfc_hba {
38979 struct dentry *debug_dumpDif; /* BlockGuard BPL*/
38980 struct dentry *debug_slow_ring_trc;
38981 struct lpfc_debugfs_trc *slow_ring_trc;
38982 - atomic_t slow_ring_trc_cnt;
38983 + atomic_unchecked_t slow_ring_trc_cnt;
38984 /* iDiag debugfs sub-directory */
38985 struct dentry *idiag_root;
38986 struct dentry *idiag_pci_cfg;
38987 diff -urNp linux-2.6.39.3/drivers/scsi/lpfc/lpfc_scsi.c linux-2.6.39.3/drivers/scsi/lpfc/lpfc_scsi.c
38988 --- linux-2.6.39.3/drivers/scsi/lpfc/lpfc_scsi.c 2011-05-19 00:06:34.000000000 -0400
38989 +++ linux-2.6.39.3/drivers/scsi/lpfc/lpfc_scsi.c 2011-05-22 19:36:32.000000000 -0400
38990 @@ -297,7 +297,7 @@ lpfc_rampdown_queue_depth(struct lpfc_hb
38991 uint32_t evt_posted;
38992
38993 spin_lock_irqsave(&phba->hbalock, flags);
38994 - atomic_inc(&phba->num_rsrc_err);
38995 + atomic_inc_unchecked(&phba->num_rsrc_err);
38996 phba->last_rsrc_error_time = jiffies;
38997
38998 if ((phba->last_ramp_down_time + QUEUE_RAMP_DOWN_INTERVAL) > jiffies) {
38999 @@ -338,7 +338,7 @@ lpfc_rampup_queue_depth(struct lpfc_vpor
39000 unsigned long flags;
39001 struct lpfc_hba *phba = vport->phba;
39002 uint32_t evt_posted;
39003 - atomic_inc(&phba->num_cmd_success);
39004 + atomic_inc_unchecked(&phba->num_cmd_success);
39005
39006 if (vport->cfg_lun_queue_depth <= queue_depth)
39007 return;
39008 @@ -382,8 +382,8 @@ lpfc_ramp_down_queue_handler(struct lpfc
39009 unsigned long num_rsrc_err, num_cmd_success;
39010 int i;
39011
39012 - num_rsrc_err = atomic_read(&phba->num_rsrc_err);
39013 - num_cmd_success = atomic_read(&phba->num_cmd_success);
39014 + num_rsrc_err = atomic_read_unchecked(&phba->num_rsrc_err);
39015 + num_cmd_success = atomic_read_unchecked(&phba->num_cmd_success);
39016
39017 vports = lpfc_create_vport_work_array(phba);
39018 if (vports != NULL)
39019 @@ -403,8 +403,8 @@ lpfc_ramp_down_queue_handler(struct lpfc
39020 }
39021 }
39022 lpfc_destroy_vport_work_array(phba, vports);
39023 - atomic_set(&phba->num_rsrc_err, 0);
39024 - atomic_set(&phba->num_cmd_success, 0);
39025 + atomic_set_unchecked(&phba->num_rsrc_err, 0);
39026 + atomic_set_unchecked(&phba->num_cmd_success, 0);
39027 }
39028
39029 /**
39030 @@ -438,8 +438,8 @@ lpfc_ramp_up_queue_handler(struct lpfc_h
39031 }
39032 }
39033 lpfc_destroy_vport_work_array(phba, vports);
39034 - atomic_set(&phba->num_rsrc_err, 0);
39035 - atomic_set(&phba->num_cmd_success, 0);
39036 + atomic_set_unchecked(&phba->num_rsrc_err, 0);
39037 + atomic_set_unchecked(&phba->num_cmd_success, 0);
39038 }
39039
39040 /**
39041 diff -urNp linux-2.6.39.3/drivers/scsi/mac_esp.c linux-2.6.39.3/drivers/scsi/mac_esp.c
39042 --- linux-2.6.39.3/drivers/scsi/mac_esp.c 2011-05-19 00:06:34.000000000 -0400
39043 +++ linux-2.6.39.3/drivers/scsi/mac_esp.c 2011-05-22 19:36:32.000000000 -0400
39044 @@ -473,7 +473,7 @@ static irqreturn_t mac_scsi_esp_intr(int
39045 return IRQ_HANDLED;
39046 }
39047
39048 -static struct esp_driver_ops mac_esp_ops = {
39049 +static const struct esp_driver_ops mac_esp_ops = {
39050 .esp_write8 = mac_esp_write8,
39051 .esp_read8 = mac_esp_read8,
39052 .map_single = mac_esp_map_single,
39053 diff -urNp linux-2.6.39.3/drivers/scsi/megaraid/megaraid_mbox.c linux-2.6.39.3/drivers/scsi/megaraid/megaraid_mbox.c
39054 --- linux-2.6.39.3/drivers/scsi/megaraid/megaraid_mbox.c 2011-05-19 00:06:34.000000000 -0400
39055 +++ linux-2.6.39.3/drivers/scsi/megaraid/megaraid_mbox.c 2011-05-22 19:36:32.000000000 -0400
39056 @@ -3510,6 +3510,8 @@ megaraid_cmm_register(adapter_t *adapter
39057 int rval;
39058 int i;
39059
39060 + pax_track_stack();
39061 +
39062 // Allocate memory for the base list of scb for management module.
39063 adapter->uscb_list = kcalloc(MBOX_MAX_USER_CMDS, sizeof(scb_t), GFP_KERNEL);
39064
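Review bot: The added `pax_track_stack();` carries no comment saying why this function needs it, and the locals visible here (`rval`, `i`) are small, so the reason must lie in declarations above the hunk. A one-line comment such as `/* large on-stack locals: let PaX record the stack depth reached here */` would keep the call from being dropped in a later cleanup; the helper's definition is not on this page, so the wording should be checked against it. The same applies to the calls added in `_osd_get_print_system_info`, `resp_mode_select`, `resp_log_sense`, `sym2_probe` and `pvscsi_setup_all_rings`. Only the two scsi_debug hunks show the likely reason, the buffers `arr[SDEBUG_MAX_MSELECT_SZ]` and `arr[SDEBUG_MAX_LSENSE_SZ]`.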
39065 diff -urNp linux-2.6.39.3/drivers/scsi/megaraid/megaraid_sas_base.c linux-2.6.39.3/drivers/scsi/megaraid/megaraid_sas_base.c
39066 --- linux-2.6.39.3/drivers/scsi/megaraid/megaraid_sas_base.c 2011-05-19 00:06:34.000000000 -0400
39067 +++ linux-2.6.39.3/drivers/scsi/megaraid/megaraid_sas_base.c 2011-05-22 19:36:32.000000000 -0400
39068 @@ -366,7 +366,7 @@ megasas_check_reset_xscale(struct megasa
39069 return 0;
39070 }
39071
39072 -static struct megasas_instance_template megasas_instance_template_xscale = {
39073 +static const struct megasas_instance_template megasas_instance_template_xscale = {
39074
39075 .fire_cmd = megasas_fire_cmd_xscale,
39076 .enable_intr = megasas_enable_intr_xscale,
39077 @@ -497,7 +497,7 @@ megasas_check_reset_ppc(struct megasas_i
39078 {
39079 return 0;
39080 }
39081 -static struct megasas_instance_template megasas_instance_template_ppc = {
39082 +static const struct megasas_instance_template megasas_instance_template_ppc = {
39083
39084 .fire_cmd = megasas_fire_cmd_ppc,
39085 .enable_intr = megasas_enable_intr_ppc,
39086 @@ -623,7 +623,7 @@ megasas_check_reset_skinny(struct megasa
39087 return 0;
39088 }
39089
39090 -static struct megasas_instance_template megasas_instance_template_skinny = {
39091 +static const struct megasas_instance_template megasas_instance_template_skinny = {
39092
39093 .fire_cmd = megasas_fire_cmd_skinny,
39094 .enable_intr = megasas_enable_intr_skinny,
39095 @@ -810,7 +810,7 @@ megasas_check_reset_gen2(struct megasas_
39096 return 0;
39097 }
39098
39099 -static struct megasas_instance_template megasas_instance_template_gen2 = {
39100 +static const struct megasas_instance_template megasas_instance_template_gen2 = {
39101
39102 .fire_cmd = megasas_fire_cmd_gen2,
39103 .enable_intr = megasas_enable_intr_gen2,
39104 @@ -834,7 +834,7 @@ static struct megasas_instance_template
39105 /*
39106 * Template added for TB (Fusion)
39107 */
39108 -extern struct megasas_instance_template megasas_instance_template_fusion;
39109 +extern const struct megasas_instance_template megasas_instance_template_fusion;
39110
39111 /**
39112 * megasas_issue_polled - Issues a polling command
39113 diff -urNp linux-2.6.39.3/drivers/scsi/megaraid/megaraid_sas_fusion.c linux-2.6.39.3/drivers/scsi/megaraid/megaraid_sas_fusion.c
39114 --- linux-2.6.39.3/drivers/scsi/megaraid/megaraid_sas_fusion.c 2011-05-19 00:06:34.000000000 -0400
39115 +++ linux-2.6.39.3/drivers/scsi/megaraid/megaraid_sas_fusion.c 2011-05-22 19:36:32.000000000 -0400
39116 @@ -2236,7 +2236,7 @@ void megasas_fusion_ocr_wq(struct work_s
39117 megasas_reset_fusion(instance->host);
39118 }
39119
39120 -struct megasas_instance_template megasas_instance_template_fusion = {
39121 +const struct megasas_instance_template megasas_instance_template_fusion = {
39122 .fire_cmd = megasas_fire_cmd_fusion,
39123 .enable_intr = megasas_enable_intr_fusion,
39124 .disable_intr = megasas_disable_intr_fusion,
39125 diff -urNp linux-2.6.39.3/drivers/scsi/megaraid/megaraid_sas.h linux-2.6.39.3/drivers/scsi/megaraid/megaraid_sas.h
39126 --- linux-2.6.39.3/drivers/scsi/megaraid/megaraid_sas.h 2011-05-19 00:06:34.000000000 -0400
39127 +++ linux-2.6.39.3/drivers/scsi/megaraid/megaraid_sas.h 2011-05-22 19:36:32.000000000 -0400
39128 @@ -1330,7 +1330,7 @@ struct megasas_instance {
39129 atomic_t fw_outstanding;
39130 atomic_t fw_reset_no_pci_access;
39131
39132 - struct megasas_instance_template *instancet;
39133 + const struct megasas_instance_template *instancet;
39134 struct tasklet_struct isr_tasklet;
39135 struct work_struct work_init;
39136
39137 diff -urNp linux-2.6.39.3/drivers/scsi/ncr53c8xx.c linux-2.6.39.3/drivers/scsi/ncr53c8xx.c
39138 --- linux-2.6.39.3/drivers/scsi/ncr53c8xx.c 2011-05-19 00:06:34.000000000 -0400
39139 +++ linux-2.6.39.3/drivers/scsi/ncr53c8xx.c 2011-05-22 19:36:32.000000000 -0400
39140 @@ -8606,7 +8606,7 @@ static void ncr53c8xx_get_signalling(str
39141 spi_signalling(shost) = type;
39142 }
39143
39144 -static struct spi_function_template ncr53c8xx_transport_functions = {
39145 +static struct spi_function_template ncr53c8xx_transport_functions = {
39146 .set_period = ncr53c8xx_set_period,
39147 .show_period = 1,
39148 .set_offset = ncr53c8xx_set_offset,
39149 diff -urNp linux-2.6.39.3/drivers/scsi/osd/osd_initiator.c linux-2.6.39.3/drivers/scsi/osd/osd_initiator.c
39150 --- linux-2.6.39.3/drivers/scsi/osd/osd_initiator.c 2011-05-19 00:06:34.000000000 -0400
39151 +++ linux-2.6.39.3/drivers/scsi/osd/osd_initiator.c 2011-05-22 19:36:32.000000000 -0400
39152 @@ -97,6 +97,8 @@ static int _osd_get_print_system_info(st
39153 int nelem = ARRAY_SIZE(get_attrs), a = 0;
39154 int ret;
39155
39156 + pax_track_stack();
39157 +
39158 or = osd_start_request(od, GFP_KERNEL);
39159 if (!or)
39160 return -ENOMEM;
39161 diff -urNp linux-2.6.39.3/drivers/scsi/pmcraid.c linux-2.6.39.3/drivers/scsi/pmcraid.c
39162 --- linux-2.6.39.3/drivers/scsi/pmcraid.c 2011-05-19 00:06:34.000000000 -0400
39163 +++ linux-2.6.39.3/drivers/scsi/pmcraid.c 2011-05-22 19:36:32.000000000 -0400
39164 @@ -201,8 +201,8 @@ static int pmcraid_slave_alloc(struct sc
39165 res->scsi_dev = scsi_dev;
39166 scsi_dev->hostdata = res;
39167 res->change_detected = 0;
39168 - atomic_set(&res->read_failures, 0);
39169 - atomic_set(&res->write_failures, 0);
39170 + atomic_set_unchecked(&res->read_failures, 0);
39171 + atomic_set_unchecked(&res->write_failures, 0);
39172 rc = 0;
39173 }
39174 spin_unlock_irqrestore(&pinstance->resource_lock, lock_flags);
39175 @@ -2677,9 +2677,9 @@ static int pmcraid_error_handler(struct
39176
39177 /* If this was a SCSI read/write command keep count of errors */
39178 if (SCSI_CMD_TYPE(scsi_cmd->cmnd[0]) == SCSI_READ_CMD)
39179 - atomic_inc(&res->read_failures);
39180 + atomic_inc_unchecked(&res->read_failures);
39181 else if (SCSI_CMD_TYPE(scsi_cmd->cmnd[0]) == SCSI_WRITE_CMD)
39182 - atomic_inc(&res->write_failures);
39183 + atomic_inc_unchecked(&res->write_failures);
39184
39185 if (!RES_IS_GSCSI(res->cfg_entry) &&
39186 masked_ioasc != PMCRAID_IOASC_HW_DEVICE_BUS_STATUS_ERROR) {
39187 @@ -3535,7 +3535,7 @@ static int pmcraid_queuecommand_lck(
39188 * block of scsi_cmd which is re-used (e.g. cancel/abort), which uses
39189 * hrrq_id assigned here in queuecommand
39190 */
39191 - ioarcb->hrrq_id = atomic_add_return(1, &(pinstance->last_message_id)) %
39192 + ioarcb->hrrq_id = atomic_add_return_unchecked(1, &(pinstance->last_message_id)) %
39193 pinstance->num_hrrq;
39194 cmd->cmd_done = pmcraid_io_done;
39195
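Review bot: `atomic_add_return_unchecked(1, &(pinstance->last_message_id)) % pinstance->num_hrrq` takes the remainder of a signed counter value, so once the counter wraps negative, which the unchecked variant now permits, the result can be negative and `hrrq_id` would no longer name a valid HRRQ. This depends on `num_hrrq` being signed or narrower than int; its declaration and that of `hrrq_id` are outside the hunk. Casting before the modulo keeps the value in range either way: `ioarcb->hrrq_id = (unsigned int)atomic_add_return_unchecked(1, &(pinstance->last_message_id)) % pinstance->num_hrrq;`. The same expression appears in the `pmcraid_ioctl_passthrough` hunk that follows.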
39196 @@ -3860,7 +3860,7 @@ static long pmcraid_ioctl_passthrough(
39197 * block of scsi_cmd which is re-used (e.g. cancel/abort), which uses
39198 * hrrq_id assigned here in queuecommand
39199 */
39200 - ioarcb->hrrq_id = atomic_add_return(1, &(pinstance->last_message_id)) %
39201 + ioarcb->hrrq_id = atomic_add_return_unchecked(1, &(pinstance->last_message_id)) %
39202 pinstance->num_hrrq;
39203
39204 if (request_size) {
39205 @@ -4495,7 +4495,7 @@ static void pmcraid_worker_function(stru
39206
39207 pinstance = container_of(workp, struct pmcraid_instance, worker_q);
39208 /* add resources only after host is added into system */
39209 - if (!atomic_read(&pinstance->expose_resources))
39210 + if (!atomic_read_unchecked(&pinstance->expose_resources))
39211 return;
39212
39213 fw_version = be16_to_cpu(pinstance->inq_data->fw_version);
39214 @@ -5329,8 +5329,8 @@ static int __devinit pmcraid_init_instan
39215 init_waitqueue_head(&pinstance->reset_wait_q);
39216
39217 atomic_set(&pinstance->outstanding_cmds, 0);
39218 - atomic_set(&pinstance->last_message_id, 0);
39219 - atomic_set(&pinstance->expose_resources, 0);
39220 + atomic_set_unchecked(&pinstance->last_message_id, 0);
39221 + atomic_set_unchecked(&pinstance->expose_resources, 0);
39222
39223 INIT_LIST_HEAD(&pinstance->free_res_q);
39224 INIT_LIST_HEAD(&pinstance->used_res_q);
39225 @@ -6045,7 +6045,7 @@ static int __devinit pmcraid_probe(
39226 /* Schedule worker thread to handle CCN and take care of adding and
39227 * removing devices to OS
39228 */
39229 - atomic_set(&pinstance->expose_resources, 1);
39230 + atomic_set_unchecked(&pinstance->expose_resources, 1);
39231 schedule_work(&pinstance->worker_q);
39232 return rc;
39233
39234 diff -urNp linux-2.6.39.3/drivers/scsi/pmcraid.h linux-2.6.39.3/drivers/scsi/pmcraid.h
39235 --- linux-2.6.39.3/drivers/scsi/pmcraid.h 2011-05-19 00:06:34.000000000 -0400
39236 +++ linux-2.6.39.3/drivers/scsi/pmcraid.h 2011-05-22 19:36:32.000000000 -0400
39237 @@ -750,7 +750,7 @@ struct pmcraid_instance {
39238 struct pmcraid_isr_param hrrq_vector[PMCRAID_NUM_MSIX_VECTORS];
39239
39240 /* Message id as filled in last fired IOARCB, used to identify HRRQ */
39241 - atomic_t last_message_id;
39242 + atomic_unchecked_t last_message_id;
39243
39244 /* configuration table */
39245 struct pmcraid_config_table *cfg_table;
39246 @@ -779,7 +779,7 @@ struct pmcraid_instance {
39247 atomic_t outstanding_cmds;
39248
39249 /* should add/delete resources to mid-layer now ?*/
39250 - atomic_t expose_resources;
39251 + atomic_unchecked_t expose_resources;
39252
39253
39254
39255 @@ -815,8 +815,8 @@ struct pmcraid_resource_entry {
39256 struct pmcraid_config_table_entry_ext cfg_entry_ext;
39257 };
39258 struct scsi_device *scsi_dev; /* Link scsi_device structure */
39259 - atomic_t read_failures; /* count of failed READ commands */
39260 - atomic_t write_failures; /* count of failed WRITE commands */
39261 + atomic_unchecked_t read_failures; /* count of failed READ commands */
39262 + atomic_unchecked_t write_failures; /* count of failed WRITE commands */
39263
39264 /* To indicate add/delete/modify during CCN */
39265 u8 change_detected;
39266 diff -urNp linux-2.6.39.3/drivers/scsi/qla2xxx/qla_os.c linux-2.6.39.3/drivers/scsi/qla2xxx/qla_os.c
39267 --- linux-2.6.39.3/drivers/scsi/qla2xxx/qla_os.c 2011-06-03 00:04:14.000000000 -0400
39268 +++ linux-2.6.39.3/drivers/scsi/qla2xxx/qla_os.c 2011-06-03 00:32:06.000000000 -0400
39269 @@ -4103,7 +4103,7 @@ static struct pci_driver qla2xxx_pci_dri
39270 .err_handler = &qla2xxx_err_handler,
39271 };
39272
39273 -static struct file_operations apidev_fops = {
39274 +static const struct file_operations apidev_fops = {
39275 .owner = THIS_MODULE,
39276 .llseek = noop_llseek,
39277 };
39278 diff -urNp linux-2.6.39.3/drivers/scsi/qla4xxx/ql4_def.h linux-2.6.39.3/drivers/scsi/qla4xxx/ql4_def.h
39279 --- linux-2.6.39.3/drivers/scsi/qla4xxx/ql4_def.h 2011-05-19 00:06:34.000000000 -0400
39280 +++ linux-2.6.39.3/drivers/scsi/qla4xxx/ql4_def.h 2011-05-22 19:36:32.000000000 -0400
39281 @@ -256,7 +256,7 @@ struct ddb_entry {
39282 atomic_t retry_relogin_timer; /* Min Time between relogins
39283 * (4000 only) */
39284 atomic_t relogin_timer; /* Max Time to wait for relogin to complete */
39285 - atomic_t relogin_retry_count; /* Num of times relogin has been
39286 + atomic_unchecked_t relogin_retry_count; /* Num of times relogin has been
39287 * retried */
39288
39289 uint16_t port;
39290 diff -urNp linux-2.6.39.3/drivers/scsi/qla4xxx/ql4_init.c linux-2.6.39.3/drivers/scsi/qla4xxx/ql4_init.c
39291 --- linux-2.6.39.3/drivers/scsi/qla4xxx/ql4_init.c 2011-05-19 00:06:34.000000000 -0400
39292 +++ linux-2.6.39.3/drivers/scsi/qla4xxx/ql4_init.c 2011-05-22 19:36:32.000000000 -0400
39293 @@ -680,7 +680,7 @@ static struct ddb_entry * qla4xxx_alloc_
39294 ddb_entry->fw_ddb_index = fw_ddb_index;
39295 atomic_set(&ddb_entry->retry_relogin_timer, INVALID_ENTRY);
39296 atomic_set(&ddb_entry->relogin_timer, 0);
39297 - atomic_set(&ddb_entry->relogin_retry_count, 0);
39298 + atomic_set_unchecked(&ddb_entry->relogin_retry_count, 0);
39299 atomic_set(&ddb_entry->state, DDB_STATE_ONLINE);
39300 list_add_tail(&ddb_entry->list, &ha->ddb_list);
39301 ha->fw_ddb_index_map[fw_ddb_index] = ddb_entry;
39302 @@ -1433,7 +1433,7 @@ int qla4xxx_process_ddb_changed(struct s
39303 if ((ddb_entry->fw_ddb_device_state == DDB_DS_SESSION_ACTIVE) &&
39304 (atomic_read(&ddb_entry->state) != DDB_STATE_ONLINE)) {
39305 atomic_set(&ddb_entry->state, DDB_STATE_ONLINE);
39306 - atomic_set(&ddb_entry->relogin_retry_count, 0);
39307 + atomic_set_unchecked(&ddb_entry->relogin_retry_count, 0);
39308 atomic_set(&ddb_entry->relogin_timer, 0);
39309 clear_bit(DF_RELOGIN, &ddb_entry->flags);
39310 iscsi_unblock_session(ddb_entry->sess);
39311 diff -urNp linux-2.6.39.3/drivers/scsi/qla4xxx/ql4_os.c linux-2.6.39.3/drivers/scsi/qla4xxx/ql4_os.c
39312 --- linux-2.6.39.3/drivers/scsi/qla4xxx/ql4_os.c 2011-05-19 00:06:34.000000000 -0400
39313 +++ linux-2.6.39.3/drivers/scsi/qla4xxx/ql4_os.c 2011-05-22 19:36:32.000000000 -0400
39314 @@ -802,13 +802,13 @@ static void qla4xxx_timer(struct scsi_ql
39315 ddb_entry->fw_ddb_device_state ==
39316 DDB_DS_SESSION_FAILED) {
39317 /* Reset retry relogin timer */
39318 - atomic_inc(&ddb_entry->relogin_retry_count);
39319 + atomic_inc_unchecked(&ddb_entry->relogin_retry_count);
39320 DEBUG2(printk("scsi%ld: ddb [%d] relogin"
39321 " timed out-retrying"
39322 " relogin (%d)\n",
39323 ha->host_no,
39324 ddb_entry->fw_ddb_index,
39325 - atomic_read(&ddb_entry->
39326 + atomic_read_unchecked(&ddb_entry->
39327 relogin_retry_count))
39328 );
39329 start_dpc++;
39330 diff -urNp linux-2.6.39.3/drivers/scsi/scsi.c linux-2.6.39.3/drivers/scsi/scsi.c
39331 --- linux-2.6.39.3/drivers/scsi/scsi.c 2011-05-19 00:06:34.000000000 -0400
39332 +++ linux-2.6.39.3/drivers/scsi/scsi.c 2011-05-22 19:36:32.000000000 -0400
39333 @@ -655,7 +655,7 @@ int scsi_dispatch_cmd(struct scsi_cmnd *
39334 unsigned long timeout;
39335 int rtn = 0;
39336
39337 - atomic_inc(&cmd->device->iorequest_cnt);
39338 + atomic_inc_unchecked(&cmd->device->iorequest_cnt);
39339
39340 /* check if the device is still usable */
39341 if (unlikely(cmd->device->sdev_state == SDEV_DEL)) {
39342 diff -urNp linux-2.6.39.3/drivers/scsi/scsi_debug.c linux-2.6.39.3/drivers/scsi/scsi_debug.c
39343 --- linux-2.6.39.3/drivers/scsi/scsi_debug.c 2011-05-19 00:06:34.000000000 -0400
39344 +++ linux-2.6.39.3/drivers/scsi/scsi_debug.c 2011-05-22 19:36:32.000000000 -0400
39345 @@ -1493,6 +1493,8 @@ static int resp_mode_select(struct scsi_
39346 unsigned char arr[SDEBUG_MAX_MSELECT_SZ];
39347 unsigned char *cmd = (unsigned char *)scp->cmnd;
39348
39349 + pax_track_stack();
39350 +
39351 if ((errsts = check_readiness(scp, 1, devip)))
39352 return errsts;
39353 memset(arr, 0, sizeof(arr));
39354 @@ -1590,6 +1592,8 @@ static int resp_log_sense(struct scsi_cm
39355 unsigned char arr[SDEBUG_MAX_LSENSE_SZ];
39356 unsigned char *cmd = (unsigned char *)scp->cmnd;
39357
39358 + pax_track_stack();
39359 +
39360 if ((errsts = check_readiness(scp, 1, devip)))
39361 return errsts;
39362 memset(arr, 0, sizeof(arr));
39363 diff -urNp linux-2.6.39.3/drivers/scsi/scsi_lib.c linux-2.6.39.3/drivers/scsi/scsi_lib.c
39364 --- linux-2.6.39.3/drivers/scsi/scsi_lib.c 2011-05-19 00:06:34.000000000 -0400
39365 +++ linux-2.6.39.3/drivers/scsi/scsi_lib.c 2011-05-22 19:36:32.000000000 -0400
39366 @@ -1410,7 +1410,7 @@ static void scsi_kill_request(struct req
39367 shost = sdev->host;
39368 scsi_init_cmd_errh(cmd);
39369 cmd->result = DID_NO_CONNECT << 16;
39370 - atomic_inc(&cmd->device->iorequest_cnt);
39371 + atomic_inc_unchecked(&cmd->device->iorequest_cnt);
39372
39373 /*
39374 * SCSI request completion path will do scsi_device_unbusy(),
39375 @@ -1436,9 +1436,9 @@ static void scsi_softirq_done(struct req
39376
39377 INIT_LIST_HEAD(&cmd->eh_entry);
39378
39379 - atomic_inc(&cmd->device->iodone_cnt);
39380 + atomic_inc_unchecked(&cmd->device->iodone_cnt);
39381 if (cmd->result)
39382 - atomic_inc(&cmd->device->ioerr_cnt);
39383 + atomic_inc_unchecked(&cmd->device->ioerr_cnt);
39384
39385 disposition = scsi_decide_disposition(cmd);
39386 if (disposition != SUCCESS &&
39387 diff -urNp linux-2.6.39.3/drivers/scsi/scsi_sysfs.c linux-2.6.39.3/drivers/scsi/scsi_sysfs.c
39388 --- linux-2.6.39.3/drivers/scsi/scsi_sysfs.c 2011-06-25 12:55:22.000000000 -0400
39389 +++ linux-2.6.39.3/drivers/scsi/scsi_sysfs.c 2011-06-25 13:00:26.000000000 -0400
39390 @@ -622,7 +622,7 @@ show_iostat_##field(struct device *dev,
39391 char *buf) \
39392 { \
39393 struct scsi_device *sdev = to_scsi_device(dev); \
39394 - unsigned long long count = atomic_read(&sdev->field); \
39395 + unsigned long long count = atomic_read_unchecked(&sdev->field); \
39396 return snprintf(buf, 20, "0x%llx\n", count); \
39397 } \
39398 static DEVICE_ATTR(field, S_IRUGO, show_iostat_##field, NULL)
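Review bot: `unsigned long long count = atomic_read_unchecked(&sdev->field);` widens a signed int, so a counter that has wrapped negative is sign-extended and reported through sysfs as `0xffffffff...`. Since these I/O counters are now allowed to wrap, read the value as unsigned first: `unsigned long long count = (unsigned int)atomic_read_unchecked(&sdev->field);`. With the cast, the output also stays well under the `snprintf(buf, 20, ...)` limit, which a sign-extended 16-digit value fills exactly. The macro that defines this function starts outside the hunk.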
39399 diff -urNp linux-2.6.39.3/drivers/scsi/scsi_transport_fc.c linux-2.6.39.3/drivers/scsi/scsi_transport_fc.c
39400 --- linux-2.6.39.3/drivers/scsi/scsi_transport_fc.c 2011-05-19 00:06:34.000000000 -0400
39401 +++ linux-2.6.39.3/drivers/scsi/scsi_transport_fc.c 2011-05-22 19:36:32.000000000 -0400
39402 @@ -485,7 +485,7 @@ static DECLARE_TRANSPORT_CLASS(fc_vport_
39403 * Netlink Infrastructure
39404 */
39405
39406 -static atomic_t fc_event_seq;
39407 +static atomic_unchecked_t fc_event_seq;
39408
39409 /**
39410 * fc_get_event_number - Obtain the next sequential FC event number
39411 @@ -498,7 +498,7 @@ static atomic_t fc_event_seq;
39412 u32
39413 fc_get_event_number(void)
39414 {
39415 - return atomic_add_return(1, &fc_event_seq);
39416 + return atomic_add_return_unchecked(1, &fc_event_seq);
39417 }
39418 EXPORT_SYMBOL(fc_get_event_number);
39419
39420 @@ -646,7 +646,7 @@ static __init int fc_transport_init(void
39421 {
39422 int error;
39423
39424 - atomic_set(&fc_event_seq, 0);
39425 + atomic_set_unchecked(&fc_event_seq, 0);
39426
39427 error = transport_class_register(&fc_host_class);
39428 if (error)
39429 @@ -836,7 +836,7 @@ static int fc_str_to_dev_loss(const char
39430 char *cp;
39431
39432 *val = simple_strtoul(buf, &cp, 0);
39433 - if ((*cp && (*cp != '\n')) || (*val < 0))
39434 + if (*cp && (*cp != '\n'))
39435 return -EINVAL;
39436 /*
39437 * Check for overflow; dev_loss_tmo is u32
39438 diff -urNp linux-2.6.39.3/drivers/scsi/scsi_transport_iscsi.c linux-2.6.39.3/drivers/scsi/scsi_transport_iscsi.c
39439 --- linux-2.6.39.3/drivers/scsi/scsi_transport_iscsi.c 2011-05-19 00:06:34.000000000 -0400
39440 +++ linux-2.6.39.3/drivers/scsi/scsi_transport_iscsi.c 2011-05-22 19:36:32.000000000 -0400
39441 @@ -83,7 +83,7 @@ struct iscsi_internal {
39442 struct device_attribute *session_attrs[ISCSI_SESSION_ATTRS + 1];
39443 };
39444
39445 -static atomic_t iscsi_session_nr; /* sysfs session id for next new session */
39446 +static atomic_unchecked_t iscsi_session_nr; /* sysfs session id for next new session */
39447 static struct workqueue_struct *iscsi_eh_timer_workq;
39448
39449 /*
39450 @@ -761,7 +761,7 @@ int iscsi_add_session(struct iscsi_cls_s
39451 int err;
39452
39453 ihost = shost->shost_data;
39454 - session->sid = atomic_add_return(1, &iscsi_session_nr);
39455 + session->sid = atomic_add_return_unchecked(1, &iscsi_session_nr);
39456
39457 if (id == ISCSI_MAX_TARGET) {
39458 for (id = 0; id < ISCSI_MAX_TARGET; id++) {
39459 @@ -2200,7 +2200,7 @@ static __init int iscsi_transport_init(v
39460 printk(KERN_INFO "Loading iSCSI transport class v%s.\n",
39461 ISCSI_TRANSPORT_VERSION);
39462
39463 - atomic_set(&iscsi_session_nr, 0);
39464 + atomic_set_unchecked(&iscsi_session_nr, 0);
39465
39466 err = class_register(&iscsi_transport_class);
39467 if (err)
39468 diff -urNp linux-2.6.39.3/drivers/scsi/scsi_transport_srp.c linux-2.6.39.3/drivers/scsi/scsi_transport_srp.c
39469 --- linux-2.6.39.3/drivers/scsi/scsi_transport_srp.c 2011-05-19 00:06:34.000000000 -0400
39470 +++ linux-2.6.39.3/drivers/scsi/scsi_transport_srp.c 2011-05-22 19:36:32.000000000 -0400
39471 @@ -33,7 +33,7 @@
39472 #include "scsi_transport_srp_internal.h"
39473
39474 struct srp_host_attrs {
39475 - atomic_t next_port_id;
39476 + atomic_unchecked_t next_port_id;
39477 };
39478 #define to_srp_host_attrs(host) ((struct srp_host_attrs *)(host)->shost_data)
39479
39480 @@ -62,7 +62,7 @@ static int srp_host_setup(struct transpo
39481 struct Scsi_Host *shost = dev_to_shost(dev);
39482 struct srp_host_attrs *srp_host = to_srp_host_attrs(shost);
39483
39484 - atomic_set(&srp_host->next_port_id, 0);
39485 + atomic_set_unchecked(&srp_host->next_port_id, 0);
39486 return 0;
39487 }
39488
39489 @@ -211,7 +211,7 @@ struct srp_rport *srp_rport_add(struct S
39490 memcpy(rport->port_id, ids->port_id, sizeof(rport->port_id));
39491 rport->roles = ids->roles;
39492
39493 - id = atomic_inc_return(&to_srp_host_attrs(shost)->next_port_id);
39494 + id = atomic_inc_return_unchecked(&to_srp_host_attrs(shost)->next_port_id);
39495 dev_set_name(&rport->dev, "port-%d:%d", shost->host_no, id);
39496
39497 transport_setup_device(&rport->dev);
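Review bot: `id` from `atomic_inc_return_unchecked(&to_srp_host_attrs(shost)->next_port_id)` goes straight into `dev_set_name(&rport->dev, "port-%d:%d", shost->host_no, id)`, so marking the counter unchecked accepts that it can wrap, print as a negative number and eventually repeat a name. Wrap needs a very large number of port additions, but the assumption deserves a comment at the call, for example `/* next_port_id only generates names, it is not a reference count; wrap is tolerated */`. How a duplicate device name is handled is outside the hunk. The same reasoning applies to `session->sid` in the `iscsi_add_session` hunk of scsi_transport_iscsi.c.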
39498 diff -urNp linux-2.6.39.3/drivers/scsi/sg.c linux-2.6.39.3/drivers/scsi/sg.c
39499 --- linux-2.6.39.3/drivers/scsi/sg.c 2011-05-19 00:06:34.000000000 -0400
39500 +++ linux-2.6.39.3/drivers/scsi/sg.c 2011-05-22 19:36:32.000000000 -0400
39501 @@ -2310,7 +2310,7 @@ struct sg_proc_leaf {
39502 const struct file_operations * fops;
39503 };
39504
39505 -static struct sg_proc_leaf sg_proc_leaf_arr[] = {
39506 +static const struct sg_proc_leaf sg_proc_leaf_arr[] = {
39507 {"allow_dio", &adio_fops},
39508 {"debug", &debug_fops},
39509 {"def_reserved_size", &dressz_fops},
39510 @@ -2325,7 +2325,7 @@ sg_proc_init(void)
39511 {
39512 int k, mask;
39513 int num_leaves = ARRAY_SIZE(sg_proc_leaf_arr);
39514 - struct sg_proc_leaf * leaf;
39515 + const struct sg_proc_leaf * leaf;
39516
39517 sg_proc_sgp = proc_mkdir(sg_proc_sg_dirname, NULL);
39518 if (!sg_proc_sgp)
39519 diff -urNp linux-2.6.39.3/drivers/scsi/sym53c8xx_2/sym_glue.c linux-2.6.39.3/drivers/scsi/sym53c8xx_2/sym_glue.c
39520 --- linux-2.6.39.3/drivers/scsi/sym53c8xx_2/sym_glue.c 2011-05-19 00:06:34.000000000 -0400
39521 +++ linux-2.6.39.3/drivers/scsi/sym53c8xx_2/sym_glue.c 2011-05-22 19:36:32.000000000 -0400
39522 @@ -1756,6 +1756,8 @@ static int __devinit sym2_probe(struct p
39523 int do_iounmap = 0;
39524 int do_disable_device = 1;
39525
39526 + pax_track_stack();
39527 +
39528 memset(&sym_dev, 0, sizeof(sym_dev));
39529 memset(&nvram, 0, sizeof(nvram));
39530 sym_dev.pdev = pdev;
39531 diff -urNp linux-2.6.39.3/drivers/scsi/vmw_pvscsi.c linux-2.6.39.3/drivers/scsi/vmw_pvscsi.c
39532 --- linux-2.6.39.3/drivers/scsi/vmw_pvscsi.c 2011-05-19 00:06:34.000000000 -0400
39533 +++ linux-2.6.39.3/drivers/scsi/vmw_pvscsi.c 2011-05-22 19:36:32.000000000 -0400
39534 @@ -447,6 +447,8 @@ static void pvscsi_setup_all_rings(const
39535 dma_addr_t base;
39536 unsigned i;
39537
39538 + pax_track_stack();
39539 +
39540 cmd.ringsStatePPN = adapter->ringStatePA >> PAGE_SHIFT;
39541 cmd.reqRingNumPages = adapter->req_pages;
39542 cmd.cmpRingNumPages = adapter->cmp_pages;
39543 diff -urNp linux-2.6.39.3/drivers/sh/clk/cpg.c linux-2.6.39.3/drivers/sh/clk/cpg.c
39544 --- linux-2.6.39.3/drivers/sh/clk/cpg.c 2011-06-03 00:04:14.000000000 -0400
39545 +++ linux-2.6.39.3/drivers/sh/clk/cpg.c 2011-06-03 00:32:06.000000000 -0400
39546 @@ -26,7 +26,7 @@ static void sh_clk_mstp32_disable(struct
39547 clk->enable_reg);
39548 }
39549
39550 -static struct clk_ops sh_clk_mstp32_clk_ops = {
39551 +static const struct clk_ops sh_clk_mstp32_clk_ops = {
39552 .enable = sh_clk_mstp32_enable,
39553 .disable = sh_clk_mstp32_disable,
39554 .recalc = followparent_recalc,
39555 @@ -150,7 +150,7 @@ static void sh_clk_div6_disable(struct c
39556 __raw_writel(value, clk->enable_reg);
39557 }
39558
39559 -static struct clk_ops sh_clk_div6_clk_ops = {
39560 +static const struct clk_ops sh_clk_div6_clk_ops = {
39561 .recalc = sh_clk_div6_recalc,
39562 .round_rate = sh_clk_div_round_rate,
39563 .set_rate = sh_clk_div6_set_rate,
39564 @@ -158,7 +158,7 @@ static struct clk_ops sh_clk_div6_clk_op
39565 .disable = sh_clk_div6_disable,
39566 };
39567
39568 -static struct clk_ops sh_clk_div6_reparent_clk_ops = {
39569 +static const struct clk_ops sh_clk_div6_reparent_clk_ops = {
39570 .recalc = sh_clk_div6_recalc,
39571 .round_rate = sh_clk_div_round_rate,
39572 .set_rate = sh_clk_div6_set_rate,
39573 @@ -282,13 +282,13 @@ static void sh_clk_div4_disable(struct c
39574 __raw_writel(__raw_readl(clk->enable_reg) | (1 << 8), clk->enable_reg);
39575 }
39576
39577 -static struct clk_ops sh_clk_div4_clk_ops = {
39578 +static const struct clk_ops sh_clk_div4_clk_ops = {
39579 .recalc = sh_clk_div4_recalc,
39580 .set_rate = sh_clk_div4_set_rate,
39581 .round_rate = sh_clk_div_round_rate,
39582 };
39583
39584 -static struct clk_ops sh_clk_div4_enable_clk_ops = {
39585 +static const struct clk_ops sh_clk_div4_enable_clk_ops = {
39586 .recalc = sh_clk_div4_recalc,
39587 .set_rate = sh_clk_div4_set_rate,
39588 .round_rate = sh_clk_div_round_rate,
39589 @@ -296,7 +296,7 @@ static struct clk_ops sh_clk_div4_enable
39590 .disable = sh_clk_div4_disable,
39591 };
39592
39593 -static struct clk_ops sh_clk_div4_reparent_clk_ops = {
39594 +static const struct clk_ops sh_clk_div4_reparent_clk_ops = {
39595 .recalc = sh_clk_div4_recalc,
39596 .set_rate = sh_clk_div4_set_rate,
39597 .round_rate = sh_clk_div_round_rate,
39598 diff -urNp linux-2.6.39.3/drivers/spi/dw_spi.h linux-2.6.39.3/drivers/spi/dw_spi.h
39599 --- linux-2.6.39.3/drivers/spi/dw_spi.h 2011-05-19 00:06:34.000000000 -0400
39600 +++ linux-2.6.39.3/drivers/spi/dw_spi.h 2011-05-22 19:36:32.000000000 -0400
39601 @@ -151,7 +151,7 @@ struct dw_spi {
39602 int dma_chan_done;
39603 struct device *dma_dev;
39604 dma_addr_t dma_addr; /* phy address of the Data register */
39605 - struct dw_spi_dma_ops *dma_ops;
39606 + const struct dw_spi_dma_ops *dma_ops;
39607 void *dma_priv; /* platform relate info */
39608 struct pci_dev *dmac;
39609
39610 diff -urNp linux-2.6.39.3/drivers/spi/dw_spi_mid.c linux-2.6.39.3/drivers/spi/dw_spi_mid.c
39611 --- linux-2.6.39.3/drivers/spi/dw_spi_mid.c 2011-05-19 00:06:34.000000000 -0400
39612 +++ linux-2.6.39.3/drivers/spi/dw_spi_mid.c 2011-05-22 19:36:32.000000000 -0400
39613 @@ -180,7 +180,7 @@ static int mid_spi_dma_transfer(struct d
39614 return 0;
39615 }
39616
39617 -static struct dw_spi_dma_ops mid_dma_ops = {
39618 +static const struct dw_spi_dma_ops mid_dma_ops = {
39619 .dma_init = mid_spi_dma_init,
39620 .dma_exit = mid_spi_dma_exit,
39621 .dma_transfer = mid_spi_dma_transfer,
39622 diff -urNp linux-2.6.39.3/drivers/spi/spi.c linux-2.6.39.3/drivers/spi/spi.c
39623 --- linux-2.6.39.3/drivers/spi/spi.c 2011-05-19 00:06:34.000000000 -0400
39624 +++ linux-2.6.39.3/drivers/spi/spi.c 2011-05-22 19:36:32.000000000 -0400
39625 @@ -1023,7 +1023,7 @@ int spi_bus_unlock(struct spi_master *ma
39626 EXPORT_SYMBOL_GPL(spi_bus_unlock);
39627
39628 /* portable code must never pass more than 32 bytes */
39629 -#define SPI_BUFSIZ max(32,SMP_CACHE_BYTES)
39630 +#define SPI_BUFSIZ max(32U,SMP_CACHE_BYTES)
39631
39632 static u8 *buf;
39633
39634 diff -urNp linux-2.6.39.3/drivers/ssb/driver_pcicore.c linux-2.6.39.3/drivers/ssb/driver_pcicore.c
39635 --- linux-2.6.39.3/drivers/ssb/driver_pcicore.c 2011-05-19 00:06:34.000000000 -0400
39636 +++ linux-2.6.39.3/drivers/ssb/driver_pcicore.c 2011-05-22 19:36:32.000000000 -0400
39637 @@ -223,7 +223,7 @@ static int ssb_pcicore_write_config(stru
39638 return err ? PCIBIOS_DEVICE_NOT_FOUND : PCIBIOS_SUCCESSFUL;
39639 }
39640
39641 -static struct pci_ops ssb_pcicore_pciops = {
39642 +static const struct pci_ops ssb_pcicore_pciops = {
39643 .read = ssb_pcicore_read_config,
39644 .write = ssb_pcicore_write_config,
39645 };
39646 diff -urNp linux-2.6.39.3/drivers/staging/ath6kl/os/linux/cfg80211.c linux-2.6.39.3/drivers/staging/ath6kl/os/linux/cfg80211.c
39647 --- linux-2.6.39.3/drivers/staging/ath6kl/os/linux/cfg80211.c 2011-05-19 00:06:34.000000000 -0400
39648 +++ linux-2.6.39.3/drivers/staging/ath6kl/os/linux/cfg80211.c 2011-05-22 19:36:32.000000000 -0400
39649 @@ -1391,8 +1391,7 @@ u32 cipher_suites[] = {
39650 WLAN_CIPHER_SUITE_CCMP,
39651 };
39652
39653 -static struct
39654 -cfg80211_ops ar6k_cfg80211_ops = {
39655 +static const struct cfg80211_ops ar6k_cfg80211_ops = {
39656 .change_virtual_intf = ar6k_cfg80211_change_iface,
39657 .add_virtual_intf = ar6k_cfg80211_add_virtual_intf,
39658 .del_virtual_intf = ar6k_cfg80211_del_virtual_intf,
39659 diff -urNp linux-2.6.39.3/drivers/staging/brcm80211/brcmfmac/dhd_linux.c linux-2.6.39.3/drivers/staging/brcm80211/brcmfmac/dhd_linux.c
39660 --- linux-2.6.39.3/drivers/staging/brcm80211/brcmfmac/dhd_linux.c 2011-05-19 00:06:34.000000000 -0400
39661 +++ linux-2.6.39.3/drivers/staging/brcm80211/brcmfmac/dhd_linux.c 2011-05-22 19:36:32.000000000 -0400
39662 @@ -857,14 +857,14 @@ static void dhd_op_if(dhd_if_t *ifp)
39663 free_netdev(ifp->net);
39664 }
39665 /* Allocate etherdev, including space for private structure */
39666 - ifp->net = alloc_etherdev(sizeof(dhd));
39667 + ifp->net = alloc_etherdev(sizeof(*dhd));
39668 if (!ifp->net) {
39669 DHD_ERROR(("%s: OOM - alloc_etherdev\n", __func__));
39670 ret = -ENOMEM;
39671 }
39672 if (ret == 0) {
39673 strcpy(ifp->net->name, ifp->name);
39674 - memcpy(netdev_priv(ifp->net), &dhd, sizeof(dhd));
39675 + memcpy(netdev_priv(ifp->net), dhd, sizeof(*dhd));
39676 err = dhd_net_attach(&dhd->pub, ifp->idx);
39677 if (err != 0) {
39678 DHD_ERROR(("%s: dhd_net_attach failed, "
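Review bot: Replacing `memcpy(netdev_priv(ifp->net), &dhd, sizeof(dhd))` with `memcpy(netdev_priv(ifp->net), dhd, sizeof(*dhd))` changes what the private area holds: it used to store the pointer `dhd` and now stores a by-value snapshot of the whole structure. Any reader that still loads a pointer back out of `netdev_priv()` would then treat the first bytes of the structure as an address; no such reader is visible in these hunks, so the rest of the file needs checking. The snapshot also goes stale at once, because the next line keeps operating on the original through `&dhd->pub`. The same substitution appears in the three `dhd_attach` hunks below (@@ -1923, @@ -1939, @@ -2056). If the goal was only to quiet a sizeof-on-pointer warning, keeping the pointer store and adding `/* priv holds a pointer to dhd, not a copy */` avoids the layout change.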
39679 @@ -1500,7 +1500,7 @@ static void dhd_ethtool_get_drvinfo(stru
39680 sprintf(info->bus_info, "%s", dev_name(&wl_cfg80211_get_sdio_func()->dev));
39681 }
39682
39683 -struct ethtool_ops dhd_ethtool_ops = {
39684 +const struct ethtool_ops dhd_ethtool_ops = {
39685 .get_drvinfo = dhd_ethtool_get_drvinfo
39686 };
39687
39688 @@ -1923,7 +1923,7 @@ dhd_pub_t *dhd_attach(struct dhd_bus *bu
39689 strcpy(nv_path, nvram_path);
39690
39691 /* Allocate etherdev, including space for private structure */
39692 - net = alloc_etherdev(sizeof(dhd));
39693 + net = alloc_etherdev(sizeof(*dhd));
39694 if (!net) {
39695 DHD_ERROR(("%s: OOM - alloc_etherdev\n", __func__));
39696 goto fail;
39697 @@ -1939,7 +1939,7 @@ dhd_pub_t *dhd_attach(struct dhd_bus *bu
39698 /*
39699 * Save the dhd_info into the priv
39700 */
39701 - memcpy(netdev_priv(net), &dhd, sizeof(dhd));
39702 + memcpy(netdev_priv(net), dhd, sizeof(*dhd));
39703
39704 /* Set network interface name if it was provided as module parameter */
39705 if (iface_name[0]) {
39706 @@ -2056,7 +2056,7 @@ dhd_pub_t *dhd_attach(struct dhd_bus *bu
39707 /*
39708 * Save the dhd_info into the priv
39709 */
39710 - memcpy(netdev_priv(net), &dhd, sizeof(dhd));
39711 + memcpy(netdev_priv(net), dhd, sizeof(*dhd));
39712
39713 #if defined(CUSTOMER_HW2) && defined(CONFIG_WIFI_CONTROL_FUNC)
39714 g_bus = bus;
39715 @@ -2206,7 +2206,7 @@ dhd_iovar(dhd_pub_t *pub, int ifidx, cha
39716 return ret;
39717 }
39718
39719 -static struct net_device_ops dhd_ops_pri = {
39720 +static const struct net_device_ops dhd_ops_pri = {
39721 .ndo_open = dhd_open,
39722 .ndo_stop = dhd_stop,
39723 .ndo_get_stats = dhd_get_stats,
39724 diff -urNp linux-2.6.39.3/drivers/staging/brcm80211/brcmfmac/wl_cfg80211.c linux-2.6.39.3/drivers/staging/brcm80211/brcmfmac/wl_cfg80211.c
39725 --- linux-2.6.39.3/drivers/staging/brcm80211/brcmfmac/wl_cfg80211.c 2011-05-19 00:06:34.000000000 -0400
39726 +++ linux-2.6.39.3/drivers/staging/brcm80211/brcmfmac/wl_cfg80211.c 2011-05-22 19:36:32.000000000 -0400
39727 @@ -2109,7 +2109,7 @@ wl_cfg80211_flush_pmksa(struct wiphy *wi
39728
39729 }
39730
39731 -static struct cfg80211_ops wl_cfg80211_ops = {
39732 +static const struct cfg80211_ops wl_cfg80211_ops = {
39733 .change_virtual_intf = wl_cfg80211_change_iface,
39734 .scan = wl_cfg80211_scan,
39735 .set_wiphy_params = wl_cfg80211_set_wiphy_params,
39736 diff -urNp linux-2.6.39.3/drivers/staging/brcm80211/brcmfmac/wl_iw.c linux-2.6.39.3/drivers/staging/brcm80211/brcmfmac/wl_iw.c
39737 --- linux-2.6.39.3/drivers/staging/brcm80211/brcmfmac/wl_iw.c 2011-05-19 00:06:34.000000000 -0400
39738 +++ linux-2.6.39.3/drivers/staging/brcm80211/brcmfmac/wl_iw.c 2011-05-22 19:36:32.000000000 -0400
39739 @@ -495,7 +495,7 @@ wl_iw_get_range(struct net_device *dev,
39740 list = (wl_u32_list_t *) channels;
39741
39742 dwrq->length = sizeof(struct iw_range);
39743 - memset(range, 0, sizeof(range));
39744 + memset(range, 0, sizeof(*range));
39745
39746 range->min_nwid = range->max_nwid = 0;
39747
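Review bot: After this fix the two sizes in the hunk are spelled differently, with `dwrq->length = sizeof(struct iw_range);` on one line and `sizeof(*range)` in the `memset`. The declaration of `range` is outside the hunk, so the two agree only if it is a `struct iw_range *`. Writing `dwrq->length = sizeof(*range);` would tie both to the same object. The old `sizeof(range)` cleared only a pointer's worth of bytes, so fields not assigned later could be returned uninitialised; a comment like `/* clear the whole struct: unset fields are copied back to the caller */` would record why the size matters.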
39748 diff -urNp linux-2.6.39.3/drivers/staging/comedi/comedi_fops.c linux-2.6.39.3/drivers/staging/comedi/comedi_fops.c
39749 --- linux-2.6.39.3/drivers/staging/comedi/comedi_fops.c 2011-05-19 00:06:34.000000000 -0400
39750 +++ linux-2.6.39.3/drivers/staging/comedi/comedi_fops.c 2011-05-22 19:36:32.000000000 -0400
39751 @@ -1445,7 +1445,7 @@ static void comedi_unmap(struct vm_area_
39752 mutex_unlock(&dev->mutex);
39753 }
39754
39755 -static struct vm_operations_struct comedi_vm_ops = {
39756 +static const struct vm_operations_struct comedi_vm_ops = {
39757 .close = comedi_unmap,
39758 };
39759
39760 diff -urNp linux-2.6.39.3/drivers/staging/cx25821/cx25821-alsa.c linux-2.6.39.3/drivers/staging/cx25821/cx25821-alsa.c
39761 --- linux-2.6.39.3/drivers/staging/cx25821/cx25821-alsa.c 2011-05-19 00:06:34.000000000 -0400
39762 +++ linux-2.6.39.3/drivers/staging/cx25821/cx25821-alsa.c 2011-05-22 19:36:32.000000000 -0400
39763 @@ -586,7 +586,7 @@ static struct page *snd_cx25821_page(str
39764 /*
39765 * operators
39766 */
39767 -static struct snd_pcm_ops snd_cx25821_pcm_ops = {
39768 +static const struct snd_pcm_ops snd_cx25821_pcm_ops = {
39769 .open = snd_cx25821_pcm_open,
39770 .close = snd_cx25821_close,
39771 .ioctl = snd_pcm_lib_ioctl,
39772 diff -urNp linux-2.6.39.3/drivers/staging/cx25821/cx25821-i2c.c linux-2.6.39.3/drivers/staging/cx25821/cx25821-i2c.c
39773 --- linux-2.6.39.3/drivers/staging/cx25821/cx25821-i2c.c 2011-05-19 00:06:34.000000000 -0400
39774 +++ linux-2.6.39.3/drivers/staging/cx25821/cx25821-i2c.c 2011-05-22 19:36:32.000000000 -0400
39775 @@ -282,7 +282,7 @@ static u32 cx25821_functionality(struct
39776 I2C_FUNC_SMBUS_READ_WORD_DATA | I2C_FUNC_SMBUS_WRITE_WORD_DATA;
39777 }
39778
39779 -static struct i2c_algorithm cx25821_i2c_algo_template = {
39780 +static const struct i2c_algorithm cx25821_i2c_algo_template = {
39781 .master_xfer = i2c_xfer,
39782 .functionality = cx25821_functionality,
39783 #ifdef NEED_ALGO_CONTROL
39784 diff -urNp linux-2.6.39.3/drivers/staging/et131x/et1310_tx.c linux-2.6.39.3/drivers/staging/et131x/et1310_tx.c
39785 --- linux-2.6.39.3/drivers/staging/et131x/et1310_tx.c 2011-05-19 00:06:34.000000000 -0400
39786 +++ linux-2.6.39.3/drivers/staging/et131x/et1310_tx.c 2011-05-22 19:36:32.000000000 -0400
39787 @@ -635,11 +635,11 @@ inline void et131x_free_send_packet(stru
39788 struct net_device_stats *stats = &etdev->net_stats;
39789
39790 if (tcb->flags & fMP_DEST_BROAD)
39791 - atomic_inc(&etdev->Stats.brdcstxmt);
39792 + atomic_inc_unchecked(&etdev->Stats.brdcstxmt);
39793 else if (tcb->flags & fMP_DEST_MULTI)
39794 - atomic_inc(&etdev->Stats.multixmt);
39795 + atomic_inc_unchecked(&etdev->Stats.multixmt);
39796 else
39797 - atomic_inc(&etdev->Stats.unixmt);
39798 + atomic_inc_unchecked(&etdev->Stats.unixmt);
39799
39800 if (tcb->skb) {
39801 stats->tx_bytes += tcb->skb->len;
39802 diff -urNp linux-2.6.39.3/drivers/staging/et131x/et131x_adapter.h linux-2.6.39.3/drivers/staging/et131x/et131x_adapter.h
39803 --- linux-2.6.39.3/drivers/staging/et131x/et131x_adapter.h 2011-05-19 00:06:34.000000000 -0400
39804 +++ linux-2.6.39.3/drivers/staging/et131x/et131x_adapter.h 2011-05-22 19:36:32.000000000 -0400
39805 @@ -110,11 +110,11 @@ typedef struct _ce_stats_t {
39806 * operations
39807 */
39808 u32 unircv; /* # multicast packets received */
39809 - atomic_t unixmt; /* # multicast packets for Tx */
39810 + atomic_unchecked_t unixmt; /* # multicast packets for Tx */
39811 u32 multircv; /* # multicast packets received */
39812 - atomic_t multixmt; /* # multicast packets for Tx */
39813 + atomic_unchecked_t multixmt; /* # multicast packets for Tx */
39814 u32 brdcstrcv; /* # broadcast packets received */
39815 - atomic_t brdcstxmt; /* # broadcast packets for Tx */
39816 + atomic_unchecked_t brdcstxmt; /* # broadcast packets for Tx */
39817 u32 norcvbuf; /* # Rx packets discarded */
39818 u32 noxmtbuf; /* # Tx packets discarded */
39819
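Review bot: The comment carried over on the changed `unixmt` line, `/* # multicast packets for Tx */`, does not match how the counter is used. In the et1310_tx.c hunk of this patch it is incremented only when neither `fMP_DEST_BROAD` nor `fMP_DEST_MULTI` is set. Since the line is being rewritten anyway, it could read `atomic_unchecked_t unixmt; /* # unicast packets for Tx */`. The neighbouring `unircv` context line has the same "multicast" wording and probably needs the same correction, though its use is not visible here.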
39820 diff -urNp linux-2.6.39.3/drivers/staging/ft1000/ft1000-usb/ft1000_debug.c linux-2.6.39.3/drivers/staging/ft1000/ft1000-usb/ft1000_debug.c
39821 --- linux-2.6.39.3/drivers/staging/ft1000/ft1000-usb/ft1000_debug.c 2011-05-19 00:06:34.000000000 -0400
39822 +++ linux-2.6.39.3/drivers/staging/ft1000/ft1000-usb/ft1000_debug.c 2011-05-22 19:36:32.000000000 -0400
39823 @@ -55,7 +55,7 @@ int numofmsgbuf = 0;
39824 //
39825 // Table of entry-point routines for char device
39826 //
39827 -static struct file_operations ft1000fops =
39828 +static const struct file_operations ft1000fops =
39829 {
39830 .unlocked_ioctl = ft1000_ioctl,
39831 .poll = ft1000_poll_dev,
39832 diff -urNp linux-2.6.39.3/drivers/staging/generic_serial/rio/rio_linux.c linux-2.6.39.3/drivers/staging/generic_serial/rio/rio_linux.c
39833 --- linux-2.6.39.3/drivers/staging/generic_serial/rio/rio_linux.c 2011-05-19 00:06:34.000000000 -0400
39834 +++ linux-2.6.39.3/drivers/staging/generic_serial/rio/rio_linux.c 2011-05-22 19:36:32.000000000 -0400
39835 @@ -221,7 +221,7 @@ module_param(rio_poll, int, 0);
39836 module_param(rio_debug, int, 0644);
39837 module_param(rio_irqmask, long, 0);
39838
39839 -static struct real_driver rio_real_driver = {
39840 +static const struct real_driver rio_real_driver = {
39841 rio_disable_tx_interrupts,
39842 rio_enable_tx_interrupts,
39843 rio_disable_rx_interrupts,
39844 diff -urNp linux-2.6.39.3/drivers/staging/generic_serial/ser_a2232.c linux-2.6.39.3/drivers/staging/generic_serial/ser_a2232.c
39845 --- linux-2.6.39.3/drivers/staging/generic_serial/ser_a2232.c 2011-05-19 00:06:34.000000000 -0400
39846 +++ linux-2.6.39.3/drivers/staging/generic_serial/ser_a2232.c 2011-05-22 19:36:32.000000000 -0400
39847 @@ -144,7 +144,7 @@ static int a2232_open(struct tty_struct
39848 /*---------------------------------------------------------------------------
39849 * Interface from generic_serial.c back here
39850 *--------------------------------------------------------------------------*/
39851 -static struct real_driver a2232_real_driver = {
39852 +static const struct real_driver a2232_real_driver = {
39853 a2232_disable_tx_interrupts,
39854 a2232_enable_tx_interrupts,
39855 a2232_disable_rx_interrupts,
39856 diff -urNp linux-2.6.39.3/drivers/staging/generic_serial/sx.c linux-2.6.39.3/drivers/staging/generic_serial/sx.c
39857 --- linux-2.6.39.3/drivers/staging/generic_serial/sx.c 2011-05-19 00:06:34.000000000 -0400
39858 +++ linux-2.6.39.3/drivers/staging/generic_serial/sx.c 2011-05-22 19:36:32.000000000 -0400
39859 @@ -355,7 +355,7 @@ module_param(sx_irqmask, int, 0);
39860
39861 MODULE_LICENSE("GPL");
39862
39863 -static struct real_driver sx_real_driver = {
39864 +static const struct real_driver sx_real_driver = {
39865 sx_disable_tx_interrupts,
39866 sx_enable_tx_interrupts,
39867 sx_disable_rx_interrupts,
39868 diff -urNp linux-2.6.39.3/drivers/staging/generic_serial/vme_scc.c linux-2.6.39.3/drivers/staging/generic_serial/vme_scc.c
39869 --- linux-2.6.39.3/drivers/staging/generic_serial/vme_scc.c 2011-05-19 00:06:34.000000000 -0400
39870 +++ linux-2.6.39.3/drivers/staging/generic_serial/vme_scc.c 2011-05-22 19:36:32.000000000 -0400
39871 @@ -94,7 +94,7 @@ static struct scc_port scc_ports[2];
39872 * Interface from generic_serial.c back here
39873 *--------------------------------------------------------------------------*/
39874
39875 -static struct real_driver scc_real_driver = {
39876 +static const struct real_driver scc_real_driver = {
39877 scc_disable_tx_interrupts,
39878 scc_enable_tx_interrupts,
39879 scc_disable_rx_interrupts,
39880 diff -urNp linux-2.6.39.3/drivers/staging/gma500/psb_fb.c linux-2.6.39.3/drivers/staging/gma500/psb_fb.c
39881 --- linux-2.6.39.3/drivers/staging/gma500/psb_fb.c 2011-06-25 12:55:22.000000000 -0400
39882 +++ linux-2.6.39.3/drivers/staging/gma500/psb_fb.c 2011-06-25 13:00:26.000000000 -0400
39883 @@ -230,7 +230,7 @@ static void psbfb_vm_close(struct vm_are
39884 DRM_DEBUG("vm_close\n");
39885 }
39886
39887 -static struct vm_operations_struct psbfb_vm_ops = {
39888 +static const struct vm_operations_struct psbfb_vm_ops = {
39889 .fault = psbfb_vm_fault,
39890 .open = psbfb_vm_open,
39891 .close = psbfb_vm_close
39892 diff -urNp linux-2.6.39.3/drivers/staging/go7007/go7007-i2c.c linux-2.6.39.3/drivers/staging/go7007/go7007-i2c.c
39893 --- linux-2.6.39.3/drivers/staging/go7007/go7007-i2c.c 2011-05-19 00:06:34.000000000 -0400
39894 +++ linux-2.6.39.3/drivers/staging/go7007/go7007-i2c.c 2011-05-22 19:36:32.000000000 -0400
39895 @@ -198,7 +198,7 @@ static u32 go7007_functionality(struct i
39896 return I2C_FUNC_SMBUS_BYTE_DATA;
39897 }
39898
39899 -static struct i2c_algorithm go7007_algo = {
39900 +static const struct i2c_algorithm go7007_algo = {
39901 .smbus_xfer = go7007_smbus_xfer,
39902 .master_xfer = go7007_i2c_master_xfer,
39903 .functionality = go7007_functionality,
39904 diff -urNp linux-2.6.39.3/drivers/staging/go7007/go7007-usb.c linux-2.6.39.3/drivers/staging/go7007/go7007-usb.c
39905 --- linux-2.6.39.3/drivers/staging/go7007/go7007-usb.c 2011-05-19 00:06:34.000000000 -0400
39906 +++ linux-2.6.39.3/drivers/staging/go7007/go7007-usb.c 2011-05-22 19:36:32.000000000 -0400
39907 @@ -849,7 +849,7 @@ static int go7007_usb_send_firmware(stru
39908 &transferred, timeout);
39909 }
39910
39911 -static struct go7007_hpi_ops go7007_usb_ezusb_hpi_ops = {
39912 +static const struct go7007_hpi_ops go7007_usb_ezusb_hpi_ops = {
39913 .interface_reset = go7007_usb_interface_reset,
39914 .write_interrupt = go7007_usb_ezusb_write_interrupt,
39915 .read_interrupt = go7007_usb_read_interrupt,
39916 @@ -858,7 +858,7 @@ static struct go7007_hpi_ops go7007_usb_
39917 .send_firmware = go7007_usb_send_firmware,
39918 };
39919
39920 -static struct go7007_hpi_ops go7007_usb_onboard_hpi_ops = {
39921 +static const struct go7007_hpi_ops go7007_usb_onboard_hpi_ops = {
39922 .interface_reset = go7007_usb_interface_reset,
39923 .write_interrupt = go7007_usb_onboard_write_interrupt,
39924 .read_interrupt = go7007_usb_read_interrupt,
39925 @@ -950,7 +950,7 @@ static u32 go7007_usb_functionality(stru
39926 return (I2C_FUNC_SMBUS_EMUL) & ~I2C_FUNC_SMBUS_QUICK;
39927 }
39928
39929 -static struct i2c_algorithm go7007_usb_algo = {
39930 +static const struct i2c_algorithm go7007_usb_algo = {
39931 .master_xfer = go7007_usb_i2c_master_xfer,
39932 .functionality = go7007_usb_functionality,
39933 };
39934 diff -urNp linux-2.6.39.3/drivers/staging/go7007/go7007-v4l2.c linux-2.6.39.3/drivers/staging/go7007/go7007-v4l2.c
39935 --- linux-2.6.39.3/drivers/staging/go7007/go7007-v4l2.c 2011-05-19 00:06:34.000000000 -0400
39936 +++ linux-2.6.39.3/drivers/staging/go7007/go7007-v4l2.c 2011-05-22 19:36:32.000000000 -0400
39937 @@ -1672,7 +1672,7 @@ static int go7007_vm_fault(struct vm_are
39938 return 0;
39939 }
39940
39941 -static struct vm_operations_struct go7007_vm_ops = {
39942 +static const struct vm_operations_struct go7007_vm_ops = {
39943 .open = go7007_vm_open,
39944 .close = go7007_vm_close,
39945 .fault = go7007_vm_fault,
39946 diff -urNp linux-2.6.39.3/drivers/staging/go7007/saa7134-go7007.c linux-2.6.39.3/drivers/staging/go7007/saa7134-go7007.c
39947 --- linux-2.6.39.3/drivers/staging/go7007/saa7134-go7007.c 2011-05-19 00:06:34.000000000 -0400
39948 +++ linux-2.6.39.3/drivers/staging/go7007/saa7134-go7007.c 2011-05-22 19:36:32.000000000 -0400
39949 @@ -421,7 +421,7 @@ static int saa7134_go7007_send_command(s
39950
39951 }
39952
39953 -static struct go7007_hpi_ops saa7134_go7007_hpi_ops = {
39954 +static const struct go7007_hpi_ops saa7134_go7007_hpi_ops = {
39955 .interface_reset = saa7134_go7007_interface_reset,
39956 .write_interrupt = saa7134_go7007_write_interrupt,
39957 .read_interrupt = saa7134_go7007_read_interrupt,
39958 diff -urNp linux-2.6.39.3/drivers/staging/go7007/snd-go7007.c linux-2.6.39.3/drivers/staging/go7007/snd-go7007.c
39959 --- linux-2.6.39.3/drivers/staging/go7007/snd-go7007.c 2011-05-19 00:06:34.000000000 -0400
39960 +++ linux-2.6.39.3/drivers/staging/go7007/snd-go7007.c 2011-05-22 19:36:32.000000000 -0400
39961 @@ -204,7 +204,7 @@ static struct page *go7007_snd_pcm_page(
39962 return vmalloc_to_page(substream->runtime->dma_area + offset);
39963 }
39964
39965 -static struct snd_pcm_ops go7007_snd_capture_ops = {
39966 +static const struct snd_pcm_ops go7007_snd_capture_ops = {
39967 .open = go7007_snd_capture_open,
39968 .close = go7007_snd_capture_close,
39969 .ioctl = snd_pcm_lib_ioctl,
39970 @@ -227,7 +227,7 @@ static int go7007_snd_free(struct snd_de
39971 return 0;
39972 }
39973
39974 -static struct snd_device_ops go7007_snd_device_ops = {
39975 +static const struct snd_device_ops go7007_snd_device_ops = {
39976 .dev_free = go7007_snd_free,
39977 };
39978
39979 diff -urNp linux-2.6.39.3/drivers/staging/hv/channel.c linux-2.6.39.3/drivers/staging/hv/channel.c
39980 --- linux-2.6.39.3/drivers/staging/hv/channel.c 2011-05-19 00:06:34.000000000 -0400
39981 +++ linux-2.6.39.3/drivers/staging/hv/channel.c 2011-05-22 19:36:32.000000000 -0400
39982 @@ -509,8 +509,8 @@ int vmbus_establish_gpadl(struct vmbus_c
39983 unsigned long flags;
39984 int ret = 0;
39985
39986 - next_gpadl_handle = atomic_read(&vmbus_connection.next_gpadl_handle);
39987 - atomic_inc(&vmbus_connection.next_gpadl_handle);
39988 + next_gpadl_handle = atomic_read_unchecked(&vmbus_connection.next_gpadl_handle);
39989 + atomic_inc_unchecked(&vmbus_connection.next_gpadl_handle);
39990
39991 ret = create_gpadl_header(kbuffer, size, &msginfo, &msgcount);
39992 if (ret)
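Review bot: The handle is still obtained with a separate `atomic_read_unchecked()` followed by `atomic_inc_unchecked()`, so two callers interleaving between those lines would receive the same `next_gpadl_handle`. Whether callers are serialised by a lock is not visible in this hunk. A single operation closes the window: `next_gpadl_handle = atomic_inc_return_unchecked(&vmbus_connection.next_gpadl_handle) - 1;`. Moving the counter to the unchecked type also lets it wrap silently, so a short comment saying that handle reuse after wrap-around is acceptable would document the choice. `vmbus_establish_gpadl` begins and continues outside the hunk.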
39993 diff -urNp linux-2.6.39.3/drivers/staging/hv/hv.c linux-2.6.39.3/drivers/staging/hv/hv.c
39994 --- linux-2.6.39.3/drivers/staging/hv/hv.c 2011-05-19 00:06:34.000000000 -0400
39995 +++ linux-2.6.39.3/drivers/staging/hv/hv.c 2011-05-22 19:36:32.000000000 -0400
39996 @@ -163,7 +163,7 @@ static u64 do_hypercall(u64 control, voi
39997 u64 output_address = (output) ? virt_to_phys(output) : 0;
39998 u32 output_address_hi = output_address >> 32;
39999 u32 output_address_lo = output_address & 0xFFFFFFFF;
40000 - volatile void *hypercall_page = hv_context.hypercall_page;
40001 + volatile void *hypercall_page = ktva_ktla(hv_context.hypercall_page);
40002
40003 DPRINT_DBG(VMBUS, "Hypercall <control %llx input %p output %p>",
40004 control, input, output);
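Review bot: The added `ktva_ktla()` wrapper around `hv_context.hypercall_page` has no comment, and nothing in the hunk says why this address needs translating. A line such as `/* hypercall_page is used as a call target; translate the kernel text address for KERNEXEC */` would help the driver's maintainers, with the wording confirmed against the macro's definition, which is outside this hunk. The macro should also be confirmed to be an identity on configurations where no translation applies, because the same line is compiled there too. `do_hypercall` continues outside the hunk.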
40005 diff -urNp linux-2.6.39.3/drivers/staging/hv/rndis_filter.c linux-2.6.39.3/drivers/staging/hv/rndis_filter.c
40006 --- linux-2.6.39.3/drivers/staging/hv/rndis_filter.c 2011-05-19 00:06:34.000000000 -0400
40007 +++ linux-2.6.39.3/drivers/staging/hv/rndis_filter.c 2011-05-22 19:36:32.000000000 -0400
40008 @@ -49,7 +49,7 @@ struct rndis_device {
40009
40010 enum rndis_device_state state;
40011 u32 link_stat;
40012 - atomic_t new_req_id;
40013 + atomic_unchecked_t new_req_id;
40014
40015 spinlock_t request_lock;
40016 struct list_head req_list;
40017 @@ -144,7 +144,7 @@ static struct rndis_request *get_rndis_r
40018 * template
40019 */
40020 set = &rndis_msg->msg.set_req;
40021 - set->req_id = atomic_inc_return(&dev->new_req_id);
40022 + set->req_id = atomic_inc_return_unchecked(&dev->new_req_id);
40023
40024 /* Add to the request list */
40025 spin_lock_irqsave(&dev->request_lock, flags);
40026 @@ -709,7 +709,7 @@ static void rndis_filter_halt_device(str
40027
40028 /* Setup the rndis set */
40029 halt = &request->request_msg.msg.halt_req;
40030 - halt->req_id = atomic_inc_return(&dev->new_req_id);
40031 + halt->req_id = atomic_inc_return_unchecked(&dev->new_req_id);
40032
40033 /* Ignore return since this msg is optional. */
40034 rndis_filter_send_request(dev, request);
40035 diff -urNp linux-2.6.39.3/drivers/staging/hv/vmbus_drv.c linux-2.6.39.3/drivers/staging/hv/vmbus_drv.c
40036 --- linux-2.6.39.3/drivers/staging/hv/vmbus_drv.c 2011-05-19 00:06:34.000000000 -0400
40037 +++ linux-2.6.39.3/drivers/staging/hv/vmbus_drv.c 2011-05-22 19:36:32.000000000 -0400
40038 @@ -661,14 +661,14 @@ int vmbus_child_device_register(struct h
40039 {
40040 int ret = 0;
40041
40042 - static atomic_t device_num = ATOMIC_INIT(0);
40043 + static atomic_unchecked_t device_num = ATOMIC_INIT(0);
40044
40045 DPRINT_DBG(VMBUS_DRV, "child device (%p) registering",
40046 child_device_obj);
40047
40048 /* Set the device name. Otherwise, device_register() will fail. */
40049 dev_set_name(&child_device_obj->device, "vmbus_0_%d",
40050 - atomic_inc_return(&device_num));
40051 + atomic_inc_return_unchecked(&device_num));
40052
40053 /* The new device belongs to this bus */
40054 child_device_obj->device.bus = &vmbus_drv.bus; /* device->dev.bus; */
40055 diff -urNp linux-2.6.39.3/drivers/staging/hv/vmbus_private.h linux-2.6.39.3/drivers/staging/hv/vmbus_private.h
40056 --- linux-2.6.39.3/drivers/staging/hv/vmbus_private.h 2011-05-19 00:06:34.000000000 -0400
40057 +++ linux-2.6.39.3/drivers/staging/hv/vmbus_private.h 2011-05-22 19:36:32.000000000 -0400
40058 @@ -58,7 +58,7 @@ enum vmbus_connect_state {
40059 struct vmbus_connection {
40060 enum vmbus_connect_state conn_state;
40061
40062 - atomic_t next_gpadl_handle;
40063 + atomic_unchecked_t next_gpadl_handle;
40064
40065 /*
40066 * Represents channel interrupts. Each bit position represents a
40067 diff -urNp linux-2.6.39.3/drivers/staging/iio/ring_generic.h linux-2.6.39.3/drivers/staging/iio/ring_generic.h
40068 --- linux-2.6.39.3/drivers/staging/iio/ring_generic.h 2011-05-19 00:06:34.000000000 -0400
40069 +++ linux-2.6.39.3/drivers/staging/iio/ring_generic.h 2011-05-25 16:55:27.000000000 -0400
40070 @@ -134,7 +134,7 @@ struct iio_ring_buffer {
40071 struct iio_handler access_handler;
40072 struct iio_event_interface ev_int;
40073 struct iio_shared_ev_pointer shared_ev_pointer;
40074 - struct iio_ring_access_funcs access;
40075 + struct iio_ring_access_funcs access;
40076 int (*preenable)(struct iio_dev *);
40077 int (*postenable)(struct iio_dev *);
40078 int (*predisable)(struct iio_dev *);
40079 diff -urNp linux-2.6.39.3/drivers/staging/intel_sst/intelmid_ctrl.c linux-2.6.39.3/drivers/staging/intel_sst/intelmid_ctrl.c
40080 --- linux-2.6.39.3/drivers/staging/intel_sst/intelmid_ctrl.c 2011-05-19 00:06:34.000000000 -0400
40081 +++ linux-2.6.39.3/drivers/staging/intel_sst/intelmid_ctrl.c 2011-05-22 19:36:32.000000000 -0400
40082 @@ -494,7 +494,7 @@ static int snd_intelmad_device_set(struc
40083 struct snd_intelmad *intelmaddata;
40084 struct snd_pmic_ops *scard_ops;
40085 int ret_val = 0, vendor, status;
40086 - struct intel_sst_pcm_control *pcm_control;
40087 + const struct intel_sst_pcm_control *pcm_control;
40088
40089 pr_debug("snd_intelmad_device_set called\n");
40090
40091 diff -urNp linux-2.6.39.3/drivers/staging/intel_sst/intel_sst_drv_interface.c linux-2.6.39.3/drivers/staging/intel_sst/intel_sst_drv_interface.c
40092 --- linux-2.6.39.3/drivers/staging/intel_sst/intel_sst_drv_interface.c 2011-05-19 00:06:34.000000000 -0400
40093 +++ linux-2.6.39.3/drivers/staging/intel_sst/intel_sst_drv_interface.c 2011-05-22 19:36:32.000000000 -0400
40094 @@ -470,7 +470,7 @@ int sst_device_control(int cmd, void *ar
40095 }
40096
40097
40098 -struct intel_sst_pcm_control pcm_ops = {
40099 +const struct intel_sst_pcm_control pcm_ops = {
40100 .open = sst_open_pcm_stream,
40101 .device_control = sst_device_control,
40102 .close = sst_close_pcm_stream,
40103 diff -urNp linux-2.6.39.3/drivers/staging/line6/capture.c linux-2.6.39.3/drivers/staging/line6/capture.c
40104 --- linux-2.6.39.3/drivers/staging/line6/capture.c 2011-05-19 00:06:34.000000000 -0400
40105 +++ linux-2.6.39.3/drivers/staging/line6/capture.c 2011-05-22 19:36:32.000000000 -0400
40106 @@ -378,7 +378,7 @@ snd_line6_capture_pointer(struct snd_pcm
40107 }
40108
40109 /* capture operators */
40110 -struct snd_pcm_ops snd_line6_capture_ops = {
40111 +const struct snd_pcm_ops snd_line6_capture_ops = {
40112 .open = snd_line6_capture_open,
40113 .close = snd_line6_capture_close,
40114 .ioctl = snd_pcm_lib_ioctl,
40115 diff -urNp linux-2.6.39.3/drivers/staging/line6/capture.h linux-2.6.39.3/drivers/staging/line6/capture.h
40116 --- linux-2.6.39.3/drivers/staging/line6/capture.h 2011-05-19 00:06:34.000000000 -0400
40117 +++ linux-2.6.39.3/drivers/staging/line6/capture.h 2011-05-22 19:36:32.000000000 -0400
40118 @@ -17,7 +17,7 @@
40119 #include "driver.h"
40120 #include "pcm.h"
40121
40122 -extern struct snd_pcm_ops snd_line6_capture_ops;
40123 +extern const struct snd_pcm_ops snd_line6_capture_ops;
40124
40125 extern void line6_capture_copy(struct snd_line6_pcm *line6pcm, char *fbuf,
40126 int fsize);
40127 diff -urNp linux-2.6.39.3/drivers/staging/line6/midi.c linux-2.6.39.3/drivers/staging/line6/midi.c
40128 --- linux-2.6.39.3/drivers/staging/line6/midi.c 2011-05-19 00:06:34.000000000 -0400
40129 +++ linux-2.6.39.3/drivers/staging/line6/midi.c 2011-05-22 19:36:32.000000000 -0400
40130 @@ -239,14 +239,14 @@ static void line6_midi_input_trigger(str
40131 line6->line6midi->substream_receive = 0;
40132 }
40133
40134 -static struct snd_rawmidi_ops line6_midi_output_ops = {
40135 +static const struct snd_rawmidi_ops line6_midi_output_ops = {
40136 .open = line6_midi_output_open,
40137 .close = line6_midi_output_close,
40138 .trigger = line6_midi_output_trigger,
40139 .drain = line6_midi_output_drain,
40140 };
40141
40142 -static struct snd_rawmidi_ops line6_midi_input_ops = {
40143 +static const struct snd_rawmidi_ops line6_midi_input_ops = {
40144 .open = line6_midi_input_open,
40145 .close = line6_midi_input_close,
40146 .trigger = line6_midi_input_trigger,
40147 @@ -373,7 +373,7 @@ static int snd_line6_midi_free(struct sn
40148 */
40149 int line6_init_midi(struct usb_line6 *line6)
40150 {
40151 - static struct snd_device_ops midi_ops = {
40152 + static const struct snd_device_ops midi_ops = {
40153 .dev_free = snd_line6_midi_free,
40154 };
40155
40156 diff -urNp linux-2.6.39.3/drivers/staging/line6/pcm.c linux-2.6.39.3/drivers/staging/line6/pcm.c
40157 --- linux-2.6.39.3/drivers/staging/line6/pcm.c 2011-05-19 00:06:34.000000000 -0400
40158 +++ linux-2.6.39.3/drivers/staging/line6/pcm.c 2011-05-22 19:36:32.000000000 -0400
40159 @@ -384,7 +384,7 @@ void line6_pcm_disconnect(struct snd_lin
40160 int line6_init_pcm(struct usb_line6 *line6,
40161 struct line6_pcm_properties *properties)
40162 {
40163 - static struct snd_device_ops pcm_ops = {
40164 + static const struct snd_device_ops pcm_ops = {
40165 .dev_free = snd_line6_pcm_free,
40166 };
40167
40168 diff -urNp linux-2.6.39.3/drivers/staging/line6/playback.c linux-2.6.39.3/drivers/staging/line6/playback.c
40169 --- linux-2.6.39.3/drivers/staging/line6/playback.c 2011-05-19 00:06:34.000000000 -0400
40170 +++ linux-2.6.39.3/drivers/staging/line6/playback.c 2011-05-22 19:36:32.000000000 -0400
40171 @@ -536,7 +536,7 @@ snd_line6_playback_pointer(struct snd_pc
40172 }
40173
40174 /* playback operators */
40175 -struct snd_pcm_ops snd_line6_playback_ops = {
40176 +const struct snd_pcm_ops snd_line6_playback_ops = {
40177 .open = snd_line6_playback_open,
40178 .close = snd_line6_playback_close,
40179 .ioctl = snd_pcm_lib_ioctl,
40180 diff -urNp linux-2.6.39.3/drivers/staging/line6/playback.h linux-2.6.39.3/drivers/staging/line6/playback.h
40181 --- linux-2.6.39.3/drivers/staging/line6/playback.h 2011-05-19 00:06:34.000000000 -0400
40182 +++ linux-2.6.39.3/drivers/staging/line6/playback.h 2011-05-22 19:36:32.000000000 -0400
40183 @@ -27,7 +27,7 @@
40184 */
40185 #define USE_CLEAR_BUFFER_WORKAROUND 1
40186
40187 -extern struct snd_pcm_ops snd_line6_playback_ops;
40188 +extern const struct snd_pcm_ops snd_line6_playback_ops;
40189
40190 extern int line6_create_audio_out_urbs(struct snd_line6_pcm *line6pcm);
40191 extern int line6_submit_audio_out_all_urbs(struct snd_line6_pcm *line6pcm);
40192 diff -urNp linux-2.6.39.3/drivers/staging/msm/staging-devices.c linux-2.6.39.3/drivers/staging/msm/staging-devices.c
40193 --- linux-2.6.39.3/drivers/staging/msm/staging-devices.c 2011-05-19 00:06:34.000000000 -0400
40194 +++ linux-2.6.39.3/drivers/staging/msm/staging-devices.c 2011-05-22 19:36:32.000000000 -0400
40195 @@ -211,7 +211,7 @@ static int msm_fb_lcdc_gpio_config(int o
40196 }
40197
40198
40199 -static struct lcdc_platform_data lcdc_pdata = {
40200 +static const struct lcdc_platform_data lcdc_pdata = {
40201 .lcdc_gpio_config = msm_fb_lcdc_gpio_config,
40202 };
40203
40204 diff -urNp linux-2.6.39.3/drivers/staging/octeon/ethernet.c linux-2.6.39.3/drivers/staging/octeon/ethernet.c
40205 --- linux-2.6.39.3/drivers/staging/octeon/ethernet.c 2011-05-19 00:06:34.000000000 -0400
40206 +++ linux-2.6.39.3/drivers/staging/octeon/ethernet.c 2011-05-22 19:36:32.000000000 -0400
40207 @@ -258,11 +258,11 @@ static struct net_device_stats *cvm_oct_
40208 * since the RX tasklet also increments it.
40209 */
40210 #ifdef CONFIG_64BIT
40211 - atomic64_add(rx_status.dropped_packets,
40212 - (atomic64_t *)&priv->stats.rx_dropped);
40213 + atomic64_add_unchecked(rx_status.dropped_packets,
40214 + (atomic64_unchecked_t *)&priv->stats.rx_dropped);
40215 #else
40216 - atomic_add(rx_status.dropped_packets,
40217 - (atomic_t *)&priv->stats.rx_dropped);
40218 + atomic_add_unchecked(rx_status.dropped_packets,
40219 + (atomic_unchecked_t *)&priv->stats.rx_dropped);
40220 #endif
40221 }
40222
40223 diff -urNp linux-2.6.39.3/drivers/staging/octeon/ethernet-rx.c linux-2.6.39.3/drivers/staging/octeon/ethernet-rx.c
40224 --- linux-2.6.39.3/drivers/staging/octeon/ethernet-rx.c 2011-05-19 00:06:34.000000000 -0400
40225 +++ linux-2.6.39.3/drivers/staging/octeon/ethernet-rx.c 2011-05-22 19:36:32.000000000 -0400
40226 @@ -417,11 +417,11 @@ static int cvm_oct_napi_poll(struct napi
40227 /* Increment RX stats for virtual ports */
40228 if (work->ipprt >= CVMX_PIP_NUM_INPUT_PORTS) {
40229 #ifdef CONFIG_64BIT
40230 - atomic64_add(1, (atomic64_t *)&priv->stats.rx_packets);
40231 - atomic64_add(skb->len, (atomic64_t *)&priv->stats.rx_bytes);
40232 + atomic64_add_unchecked(1, (atomic64_unchecked_t *)&priv->stats.rx_packets);
40233 + atomic64_add_unchecked(skb->len, (atomic64_unchecked_t *)&priv->stats.rx_bytes);
40234 #else
40235 - atomic_add(1, (atomic_t *)&priv->stats.rx_packets);
40236 - atomic_add(skb->len, (atomic_t *)&priv->stats.rx_bytes);
40237 + atomic_add_unchecked(1, (atomic_unchecked_t *)&priv->stats.rx_packets);
40238 + atomic_add_unchecked(skb->len, (atomic_unchecked_t *)&priv->stats.rx_bytes);
40239 #endif
40240 }
40241 netif_receive_skb(skb);
40242 @@ -433,9 +433,9 @@ static int cvm_oct_napi_poll(struct napi
40243 dev->name);
40244 */
40245 #ifdef CONFIG_64BIT
40246 - atomic64_add(1, (atomic64_t *)&priv->stats.rx_dropped);
40247 + atomic64_unchecked_add(1, (atomic64_unchecked_t *)&priv->stats.rx_dropped);
40248 #else
40249 - atomic_add(1, (atomic_t *)&priv->stats.rx_dropped);
40250 + atomic_add_unchecked(1, (atomic_unchecked_t *)&priv->stats.rx_dropped);
40251 #endif
40252 dev_kfree_skb_irq(skb);
40253 }
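Review bot: The `CONFIG_64BIT` branch of this hunk calls `atomic64_unchecked_add(...)`, while every other converted call in this file and in ethernet.c is spelled `atomic64_add_unchecked(...)`. Unless a helper with the transposed name is defined elsewhere in the patch (not visible here), 64-bit builds of this driver will fail to compile. The line should read `atomic64_add_unchecked(1, (atomic64_unchecked_t *)&priv->stats.rx_dropped);`. `cvm_oct_napi_poll` starts and ends outside the hunk.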
40254 diff -urNp linux-2.6.39.3/drivers/staging/olpc_dcon/olpc_dcon.c linux-2.6.39.3/drivers/staging/olpc_dcon/olpc_dcon.c
40255 --- linux-2.6.39.3/drivers/staging/olpc_dcon/olpc_dcon.c 2011-05-19 00:06:34.000000000 -0400
40256 +++ linux-2.6.39.3/drivers/staging/olpc_dcon/olpc_dcon.c 2011-05-22 19:36:32.000000000 -0400
40257 @@ -43,7 +43,7 @@ module_param(noinit, int, 0444);
40258 static int useaa = 1;
40259 module_param(useaa, int, 0444);
40260
40261 -static struct dcon_platform_data *pdata;
40262 +static const struct dcon_platform_data *pdata;
40263
40264 /* I2C structures */
40265
40266 diff -urNp linux-2.6.39.3/drivers/staging/olpc_dcon/olpc_dcon.h linux-2.6.39.3/drivers/staging/olpc_dcon/olpc_dcon.h
40267 --- linux-2.6.39.3/drivers/staging/olpc_dcon/olpc_dcon.h 2011-05-19 00:06:34.000000000 -0400
40268 +++ linux-2.6.39.3/drivers/staging/olpc_dcon/olpc_dcon.h 2011-05-22 19:36:32.000000000 -0400
40269 @@ -92,11 +92,11 @@ struct dcon_platform_data {
40270 extern irqreturn_t dcon_interrupt(int irq, void *id);
40271
40272 #ifdef CONFIG_FB_OLPC_DCON_1
40273 -extern struct dcon_platform_data dcon_pdata_xo_1;
40274 +extern const struct dcon_platform_data dcon_pdata_xo_1;
40275 #endif
40276
40277 #ifdef CONFIG_FB_OLPC_DCON_1_5
40278 -extern struct dcon_platform_data dcon_pdata_xo_1_5;
40279 +extern const struct dcon_platform_data dcon_pdata_xo_1_5;
40280 #endif
40281
40282 #endif
40283 diff -urNp linux-2.6.39.3/drivers/staging/olpc_dcon/olpc_dcon_xo_1_5.c linux-2.6.39.3/drivers/staging/olpc_dcon/olpc_dcon_xo_1_5.c
40284 --- linux-2.6.39.3/drivers/staging/olpc_dcon/olpc_dcon_xo_1_5.c 2011-05-19 00:06:34.000000000 -0400
40285 +++ linux-2.6.39.3/drivers/staging/olpc_dcon/olpc_dcon_xo_1_5.c 2011-05-22 19:36:32.000000000 -0400
40286 @@ -185,7 +185,7 @@ static u8 dcon_read_status_xo_1_5(void)
40287 return status;
40288 }
40289
40290 -struct dcon_platform_data dcon_pdata_xo_1_5 = {
40291 +const struct dcon_platform_data dcon_pdata_xo_1_5 = {
40292 .init = dcon_init_xo_1_5,
40293 .bus_stabilize_wiggle = dcon_wiggle_xo_1_5,
40294 .set_dconload = dcon_set_dconload_xo_1_5,
40295 diff -urNp linux-2.6.39.3/drivers/staging/olpc_dcon/olpc_dcon_xo_1.c linux-2.6.39.3/drivers/staging/olpc_dcon/olpc_dcon_xo_1.c
40296 --- linux-2.6.39.3/drivers/staging/olpc_dcon/olpc_dcon_xo_1.c 2011-05-19 00:06:34.000000000 -0400
40297 +++ linux-2.6.39.3/drivers/staging/olpc_dcon/olpc_dcon_xo_1.c 2011-05-22 19:36:32.000000000 -0400
40298 @@ -196,7 +196,7 @@ static u8 dcon_read_status_xo_1(void)
40299 return status;
40300 }
40301
40302 -struct dcon_platform_data dcon_pdata_xo_1 = {
40303 +const struct dcon_platform_data dcon_pdata_xo_1 = {
40304 .init = dcon_init_xo_1,
40305 .bus_stabilize_wiggle = dcon_wiggle_xo_1,
40306 .set_dconload = dcon_set_dconload_1,
40307 diff -urNp linux-2.6.39.3/drivers/staging/phison/phison.c linux-2.6.39.3/drivers/staging/phison/phison.c
40308 --- linux-2.6.39.3/drivers/staging/phison/phison.c 2011-05-19 00:06:34.000000000 -0400
40309 +++ linux-2.6.39.3/drivers/staging/phison/phison.c 2011-05-22 19:36:32.000000000 -0400
40310 @@ -43,7 +43,7 @@ static struct scsi_host_template phison_
40311 ATA_BMDMA_SHT(DRV_NAME),
40312 };
40313
40314 -static struct ata_port_operations phison_ops = {
40315 +static const struct ata_port_operations phison_ops = {
40316 .inherits = &ata_bmdma_port_ops,
40317 .prereset = phison_pre_reset,
40318 };
40319 diff -urNp linux-2.6.39.3/drivers/staging/pohmelfs/inode.c linux-2.6.39.3/drivers/staging/pohmelfs/inode.c
40320 --- linux-2.6.39.3/drivers/staging/pohmelfs/inode.c 2011-05-19 00:06:34.000000000 -0400
40321 +++ linux-2.6.39.3/drivers/staging/pohmelfs/inode.c 2011-05-22 19:36:32.000000000 -0400
40322 @@ -1855,7 +1855,7 @@ static int pohmelfs_fill_super(struct su
40323 mutex_init(&psb->mcache_lock);
40324 psb->mcache_root = RB_ROOT;
40325 psb->mcache_timeout = msecs_to_jiffies(5000);
40326 - atomic_long_set(&psb->mcache_gen, 0);
40327 + atomic_long_set_unchecked(&psb->mcache_gen, 0);
40328
40329 psb->trans_max_pages = 100;
40330
40331 @@ -1870,7 +1870,7 @@ static int pohmelfs_fill_super(struct su
40332 INIT_LIST_HEAD(&psb->crypto_ready_list);
40333 INIT_LIST_HEAD(&psb->crypto_active_list);
40334
40335 - atomic_set(&psb->trans_gen, 1);
40336 + atomic_set_unchecked(&psb->trans_gen, 1);
40337 atomic_long_set(&psb->total_inodes, 0);
40338
40339 mutex_init(&psb->state_lock);
40340 diff -urNp linux-2.6.39.3/drivers/staging/pohmelfs/mcache.c linux-2.6.39.3/drivers/staging/pohmelfs/mcache.c
40341 --- linux-2.6.39.3/drivers/staging/pohmelfs/mcache.c 2011-05-19 00:06:34.000000000 -0400
40342 +++ linux-2.6.39.3/drivers/staging/pohmelfs/mcache.c 2011-05-22 19:36:32.000000000 -0400
40343 @@ -121,7 +121,7 @@ struct pohmelfs_mcache *pohmelfs_mcache_
40344 m->data = data;
40345 m->start = start;
40346 m->size = size;
40347 - m->gen = atomic_long_inc_return(&psb->mcache_gen);
40348 + m->gen = atomic_long_inc_return_unchecked(&psb->mcache_gen);
40349
40350 mutex_lock(&psb->mcache_lock);
40351 err = pohmelfs_mcache_insert(psb, m);
40352 diff -urNp linux-2.6.39.3/drivers/staging/pohmelfs/netfs.h linux-2.6.39.3/drivers/staging/pohmelfs/netfs.h
40353 --- linux-2.6.39.3/drivers/staging/pohmelfs/netfs.h 2011-05-19 00:06:34.000000000 -0400
40354 +++ linux-2.6.39.3/drivers/staging/pohmelfs/netfs.h 2011-05-22 19:36:32.000000000 -0400
40355 @@ -571,14 +571,14 @@ struct pohmelfs_config;
40356 struct pohmelfs_sb {
40357 struct rb_root mcache_root;
40358 struct mutex mcache_lock;
40359 - atomic_long_t mcache_gen;
40360 + atomic_long_unchecked_t mcache_gen;
40361 unsigned long mcache_timeout;
40362
40363 unsigned int idx;
40364
40365 unsigned int trans_retries;
40366
40367 - atomic_t trans_gen;
40368 + atomic_unchecked_t trans_gen;
40369
40370 unsigned int crypto_attached_size;
40371 unsigned int crypto_align_size;
40372 diff -urNp linux-2.6.39.3/drivers/staging/pohmelfs/trans.c linux-2.6.39.3/drivers/staging/pohmelfs/trans.c
40373 --- linux-2.6.39.3/drivers/staging/pohmelfs/trans.c 2011-05-19 00:06:34.000000000 -0400
40374 +++ linux-2.6.39.3/drivers/staging/pohmelfs/trans.c 2011-05-22 19:36:32.000000000 -0400
40375 @@ -492,7 +492,7 @@ int netfs_trans_finish(struct netfs_tran
40376 int err;
40377 struct netfs_cmd *cmd = t->iovec.iov_base;
40378
40379 - t->gen = atomic_inc_return(&psb->trans_gen);
40380 + t->gen = atomic_inc_return_unchecked(&psb->trans_gen);
40381
40382 cmd->size = t->iovec.iov_len - sizeof(struct netfs_cmd) +
40383 t->attached_size + t->attached_pages * sizeof(struct netfs_cmd);
40384 diff -urNp linux-2.6.39.3/drivers/staging/rtl8192u/ieee80211/proc.c linux-2.6.39.3/drivers/staging/rtl8192u/ieee80211/proc.c
40385 --- linux-2.6.39.3/drivers/staging/rtl8192u/ieee80211/proc.c 2011-05-19 00:06:34.000000000 -0400
40386 +++ linux-2.6.39.3/drivers/staging/rtl8192u/ieee80211/proc.c 2011-05-22 19:36:32.000000000 -0400
40387 @@ -87,7 +87,7 @@ static int c_show(struct seq_file *m, vo
40388 return 0;
40389 }
40390
40391 -static struct seq_operations crypto_seq_ops = {
40392 +static const struct seq_operations crypto_seq_ops = {
40393 .start = c_start,
40394 .next = c_next,
40395 .stop = c_stop,
40396 @@ -99,7 +99,7 @@ static int crypto_info_open(struct inode
40397 return seq_open(file, &crypto_seq_ops);
40398 }
40399
40400 -static struct file_operations proc_crypto_ops = {
40401 +static const struct file_operations proc_crypto_ops = {
40402 .open = crypto_info_open,
40403 .read = seq_read,
40404 .llseek = seq_lseek,
40405 diff -urNp linux-2.6.39.3/drivers/staging/rtl8712/rtl871x_io.h linux-2.6.39.3/drivers/staging/rtl8712/rtl871x_io.h
40406 --- linux-2.6.39.3/drivers/staging/rtl8712/rtl871x_io.h 2011-05-19 00:06:34.000000000 -0400
40407 +++ linux-2.6.39.3/drivers/staging/rtl8712/rtl871x_io.h 2011-05-22 19:36:32.000000000 -0400
40408 @@ -107,7 +107,7 @@ struct intf_hdl {
40409 void (*intf_hdl_unload)(u8 *priv);
40410 void (*intf_hdl_open)(u8 *priv);
40411 void (*intf_hdl_close)(u8 *priv);
40412 - struct _io_ops io_ops;
40413 + const struct _io_ops io_ops;
40414 };
40415
40416 struct reg_protocol_rd {
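Review bot: Declaring the embedded member as `const struct _io_ops io_ops;` means it can only be set through an initializer, and a `struct intf_hdl` can no longer be assigned as a whole. If the driver fills the I/O callbacks field by field after allocating the handle (that code is not in this hunk), those stores either stop compiling or need a cast that defeats the qualifier. One alternative is to keep a pointer, `const struct _io_ops *io_ops;`, to a table that is itself `const`, so the callbacks are read-only without constraining how the handle is built.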
40417 diff -urNp linux-2.6.39.3/drivers/staging/solo6x10/g723.c linux-2.6.39.3/drivers/staging/solo6x10/g723.c
40418 --- linux-2.6.39.3/drivers/staging/solo6x10/g723.c 2011-05-19 00:06:34.000000000 -0400
40419 +++ linux-2.6.39.3/drivers/staging/solo6x10/g723.c 2011-05-22 19:36:32.000000000 -0400
40420 @@ -237,7 +237,7 @@ static int snd_solo_pcm_copy(struct snd_
40421 return 0;
40422 }
40423
40424 -static struct snd_pcm_ops snd_solo_pcm_ops = {
40425 +static const struct snd_pcm_ops snd_solo_pcm_ops = {
40426 .open = snd_solo_pcm_open,
40427 .close = snd_solo_pcm_close,
40428 .ioctl = snd_pcm_lib_ioctl,
40429 @@ -334,7 +334,7 @@ static int solo_snd_pcm_init(struct solo
40430
40431 int solo_g723_init(struct solo_dev *solo_dev)
40432 {
40433 - static struct snd_device_ops ops = { NULL };
40434 + static const struct snd_device_ops ops = { NULL };
40435 struct snd_card *card;
40436 struct snd_kcontrol_new kctl;
40437 char name[32];
40438 diff -urNp linux-2.6.39.3/drivers/staging/spectra/ffsport.c linux-2.6.39.3/drivers/staging/spectra/ffsport.c
40439 --- linux-2.6.39.3/drivers/staging/spectra/ffsport.c 2011-05-19 00:06:34.000000000 -0400
40440 +++ linux-2.6.39.3/drivers/staging/spectra/ffsport.c 2011-05-22 19:36:32.000000000 -0400
40441 @@ -604,7 +604,7 @@ int GLOB_SBD_unlocked_ioctl(struct block
40442 return ret;
40443 }
40444
40445 -static struct block_device_operations GLOB_SBD_ops = {
40446 +static const struct block_device_operations GLOB_SBD_ops = {
40447 .owner = THIS_MODULE,
40448 .open = GLOB_SBD_open,
40449 .release = GLOB_SBD_release,
40450 diff -urNp linux-2.6.39.3/drivers/staging/tm6000/tm6000-alsa.c linux-2.6.39.3/drivers/staging/tm6000/tm6000-alsa.c
40451 --- linux-2.6.39.3/drivers/staging/tm6000/tm6000-alsa.c 2011-05-19 00:06:34.000000000 -0400
40452 +++ linux-2.6.39.3/drivers/staging/tm6000/tm6000-alsa.c 2011-05-22 19:36:32.000000000 -0400
40453 @@ -380,7 +380,7 @@ static snd_pcm_uframes_t snd_tm6000_poin
40454 /*
40455 * operators
40456 */
40457 -static struct snd_pcm_ops snd_tm6000_pcm_ops = {
40458 +static const struct snd_pcm_ops snd_tm6000_pcm_ops = {
40459 .open = snd_tm6000_pcm_open,
40460 .close = snd_tm6000_close,
40461 .ioctl = snd_pcm_lib_ioctl,
40462 diff -urNp linux-2.6.39.3/drivers/staging/tty/istallion.c linux-2.6.39.3/drivers/staging/tty/istallion.c
40463 --- linux-2.6.39.3/drivers/staging/tty/istallion.c 2011-05-19 00:06:34.000000000 -0400
40464 +++ linux-2.6.39.3/drivers/staging/tty/istallion.c 2011-05-22 20:49:07.000000000 -0400
40465 @@ -186,7 +186,6 @@ static struct ktermios stli_deftermios
40466 * re-used for each stats call.
40467 */
40468 static comstats_t stli_comstats;
40469 -static combrd_t stli_brdstats;
40470 static struct asystats stli_cdkstats;
40471
40472 /*****************************************************************************/
40473 @@ -4003,6 +4002,7 @@ out:
40474
40475 static int stli_getbrdstats(combrd_t __user *bp)
40476 {
40477 + combrd_t stli_brdstats;
40478 struct stlibrd *brdp;
40479 unsigned int i;
40480
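Review bot: The new on-stack `combrd_t stli_brdstats;` starts with indeterminate contents, unlike the zero-initialised file-scope static that the previous hunk removes. If the rest of stli_getbrdstats (outside the hunk) copies the structure back to `bp`, any field or padding byte not written beforehand would disclose kernel stack memory to the caller. Confirm that the body overwrites the whole object before the copy-out, or add `memset(&stli_brdstats, 0, sizeof(stli_brdstats));` after the declarations. The comment kept in the previous hunk, "re-used for each stats call", no longer describes this buffer.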
40481 @@ -4226,6 +4226,8 @@ static int stli_getportstruct(struct stl
40482 struct stliport stli_dummyport;
40483 struct stliport *portp;
40484
40485 + pax_track_stack();
40486 +
40487 if (copy_from_user(&stli_dummyport, arg, sizeof(struct stliport)))
40488 return -EFAULT;
40489 portp = stli_getport(stli_dummyport.brdnr, stli_dummyport.panelnr,
40490 @@ -4248,6 +4250,8 @@ static int stli_getbrdstruct(struct stli
40491 struct stlibrd stli_dummybrd;
40492 struct stlibrd *brdp;
40493
40494 + pax_track_stack();
40495 +
40496 if (copy_from_user(&stli_dummybrd, arg, sizeof(struct stlibrd)))
40497 return -EFAULT;
40498 if (stli_dummybrd.brdnr >= STL_MAXBRDS)
40499 diff -urNp linux-2.6.39.3/drivers/staging/tty/stallion.c linux-2.6.39.3/drivers/staging/tty/stallion.c
40500 --- linux-2.6.39.3/drivers/staging/tty/stallion.c 2011-05-19 00:06:34.000000000 -0400
40501 +++ linux-2.6.39.3/drivers/staging/tty/stallion.c 2011-05-22 19:36:32.000000000 -0400
40502 @@ -2406,6 +2406,8 @@ static int stl_getportstruct(struct stlp
40503 struct stlport stl_dummyport;
40504 struct stlport *portp;
40505
40506 + pax_track_stack();
40507 +
40508 if (copy_from_user(&stl_dummyport, arg, sizeof(struct stlport)))
40509 return -EFAULT;
40510 portp = stl_getport(stl_dummyport.brdnr, stl_dummyport.panelnr,
40511 diff -urNp linux-2.6.39.3/drivers/staging/usbip/vhci.h linux-2.6.39.3/drivers/staging/usbip/vhci.h
40512 --- linux-2.6.39.3/drivers/staging/usbip/vhci.h 2011-05-19 00:06:34.000000000 -0400
40513 +++ linux-2.6.39.3/drivers/staging/usbip/vhci.h 2011-05-22 19:36:32.000000000 -0400
40514 @@ -92,7 +92,7 @@ struct vhci_hcd {
40515 unsigned resuming:1;
40516 unsigned long re_timeout;
40517
40518 - atomic_t seqnum;
40519 + atomic_unchecked_t seqnum;
40520
40521 /*
40522 * NOTE:
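Review bot: The field `seqnum` is switched to `atomic_unchecked_t`, which opts it out of overflow detection, but nothing next to the declaration says why wrapping is harmless here. The vhci_hcd.c hunks in this patch show the value compared with `0xffff` only to log "seqnum max" and then carrying on, so it appears to be a request identifier rather than a reference count. A one-line comment above the field, for example `/* request sequence id, may wrap; not a reference count */`, would let the next reviewer confirm the exemption without re-deriving it.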
40523 diff -urNp linux-2.6.39.3/drivers/staging/usbip/vhci_hcd.c linux-2.6.39.3/drivers/staging/usbip/vhci_hcd.c
40524 --- linux-2.6.39.3/drivers/staging/usbip/vhci_hcd.c 2011-05-19 00:06:34.000000000 -0400
40525 +++ linux-2.6.39.3/drivers/staging/usbip/vhci_hcd.c 2011-05-22 19:36:32.000000000 -0400
40526 @@ -536,7 +536,7 @@ static void vhci_tx_urb(struct urb *urb)
40527 return;
40528 }
40529
40530 - priv->seqnum = atomic_inc_return(&the_controller->seqnum);
40531 + priv->seqnum = atomic_inc_return_unchecked(&the_controller->seqnum);
40532 if (priv->seqnum == 0xffff)
40533 usbip_uinfo("seqnum max\n");
40534
40535 @@ -795,7 +795,7 @@ static int vhci_urb_dequeue(struct usb_h
40536 return -ENOMEM;
40537 }
40538
40539 - unlink->seqnum = atomic_inc_return(&the_controller->seqnum);
40540 + unlink->seqnum = atomic_inc_return_unchecked(&the_controller->seqnum);
40541 if (unlink->seqnum == 0xffff)
40542 usbip_uinfo("seqnum max\n");
40543
40544 @@ -992,7 +992,7 @@ static int vhci_start(struct usb_hcd *hc
40545 vdev->rhport = rhport;
40546 }
40547
40548 - atomic_set(&vhci->seqnum, 0);
40549 + atomic_set_unchecked(&vhci->seqnum, 0);
40550 spin_lock_init(&vhci->lock);
40551
40552
40553 diff -urNp linux-2.6.39.3/drivers/staging/usbip/vhci_rx.c linux-2.6.39.3/drivers/staging/usbip/vhci_rx.c
40554 --- linux-2.6.39.3/drivers/staging/usbip/vhci_rx.c 2011-05-19 00:06:34.000000000 -0400
40555 +++ linux-2.6.39.3/drivers/staging/usbip/vhci_rx.c 2011-05-22 19:36:32.000000000 -0400
40556 @@ -81,7 +81,7 @@ static void vhci_recv_ret_submit(struct
40557 usbip_uerr("cannot find a urb of seqnum %u\n",
40558 pdu->base.seqnum);
40559 usbip_uinfo("max seqnum %d\n",
40560 - atomic_read(&the_controller->seqnum));
40561 + atomic_read_unchecked(&the_controller->seqnum));
40562 usbip_event_add(ud, VDEV_EVENT_ERROR_TCP);
40563 return;
40564 }
40565 diff -urNp linux-2.6.39.3/drivers/staging/vme/devices/vme_user.c linux-2.6.39.3/drivers/staging/vme/devices/vme_user.c
40566 --- linux-2.6.39.3/drivers/staging/vme/devices/vme_user.c 2011-05-19 00:06:34.000000000 -0400
40567 +++ linux-2.6.39.3/drivers/staging/vme/devices/vme_user.c 2011-05-22 19:36:32.000000000 -0400
40568 @@ -138,7 +138,7 @@ static long vme_user_unlocked_ioctl(stru
40569 static int __devinit vme_user_probe(struct device *, int, int);
40570 static int __devexit vme_user_remove(struct device *, int, int);
40571
40572 -static struct file_operations vme_user_fops = {
40573 +static const struct file_operations vme_user_fops = {
40574 .open = vme_user_open,
40575 .release = vme_user_release,
40576 .read = vme_user_read,
40577 diff -urNp linux-2.6.39.3/drivers/staging/westbridge/astoria/block/cyasblkdev_block.c linux-2.6.39.3/drivers/staging/westbridge/astoria/block/cyasblkdev_block.c
40578 --- linux-2.6.39.3/drivers/staging/westbridge/astoria/block/cyasblkdev_block.c 2011-05-19 00:06:34.000000000 -0400
40579 +++ linux-2.6.39.3/drivers/staging/westbridge/astoria/block/cyasblkdev_block.c 2011-05-22 19:36:32.000000000 -0400
40580 @@ -426,7 +426,7 @@ int cyasblkdev_revalidate_disk(struct ge
40581
40582
40583 /*standard block device driver interface */
40584 -static struct block_device_operations cyasblkdev_bdops = {
40585 +static const struct block_device_operations cyasblkdev_bdops = {
40586 .open = cyasblkdev_blk_open,
40587 .release = cyasblkdev_blk_release,
40588 .ioctl = cyasblkdev_blk_ioctl,
40589 diff -urNp linux-2.6.39.3/drivers/staging/wlags49_h2/wl_netdev.c linux-2.6.39.3/drivers/staging/wlags49_h2/wl_netdev.c
40590 --- linux-2.6.39.3/drivers/staging/wlags49_h2/wl_netdev.c 2011-05-19 00:06:34.000000000 -0400
40591 +++ linux-2.6.39.3/drivers/staging/wlags49_h2/wl_netdev.c 2011-05-22 19:36:32.000000000 -0400
40592 @@ -474,7 +474,7 @@ static void wl_get_drvinfo(struct net_de
40593 }
40594 } // wl_get_drvinfo
40595
40596 -static struct ethtool_ops wl_ethtool_ops = {
40597 +static const struct ethtool_ops wl_ethtool_ops = {
40598 .get_drvinfo = wl_get_drvinfo,
40599 .get_link = ethtool_op_get_link,
40600 };
40601 diff -urNp linux-2.6.39.3/drivers/staging/wlan-ng/hfa384x_usb.c linux-2.6.39.3/drivers/staging/wlan-ng/hfa384x_usb.c
40602 --- linux-2.6.39.3/drivers/staging/wlan-ng/hfa384x_usb.c 2011-05-19 00:06:34.000000000 -0400
40603 +++ linux-2.6.39.3/drivers/staging/wlan-ng/hfa384x_usb.c 2011-05-22 19:36:32.000000000 -0400
40604 @@ -671,7 +671,7 @@ struct usbctlx_cmd_completor {
40605 hfa384x_cmdresult_t *result;
40606 };
40607
40608 -static inline int usbctlx_cmd_completor_fn(struct usbctlx_completor *head)
40609 +static inline int usbctlx_cmd_completor_fn(const struct usbctlx_completor *head)
40610 {
40611 struct usbctlx_cmd_completor *complete;
40612
40613 @@ -705,7 +705,7 @@ struct usbctlx_rrid_completor {
40614 unsigned int riddatalen;
40615 };
40616
40617 -static int usbctlx_rrid_completor_fn(struct usbctlx_completor *head)
40618 +static int usbctlx_rrid_completor_fn(const struct usbctlx_completor *head)
40619 {
40620 struct usbctlx_rrid_completor *complete;
40621 hfa384x_rridresult_t rridresult;
40622 @@ -768,7 +768,7 @@ struct usbctlx_rmem_completor {
40623 };
40624 typedef struct usbctlx_rmem_completor usbctlx_rmem_completor_t;
40625
40626 -static int usbctlx_rmem_completor_fn(struct usbctlx_completor *head)
40627 +static int usbctlx_rmem_completor_fn(const struct usbctlx_completor *head)
40628 {
40629 usbctlx_rmem_completor_t *complete = (usbctlx_rmem_completor_t *) head;
40630
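Review bot: In usbctlx_rmem_completor_fn the `const` just added to `head` is dropped again on the first line of the body, where `head` is cast to a plain `usbctlx_rmem_completor_t *`. The cast silences the compiler, so the new qualifier gives no protection inside this function; the two completor functions in the earlier hunks of this file take the same parameter and may do the same outside the visible lines. If the body only reads through `complete`, declare it `const usbctlx_rmem_completor_t *complete = (const usbctlx_rmem_completor_t *)head;`. The function body continues outside the hunk.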
40631 diff -urNp linux-2.6.39.3/drivers/staging/zcache/tmem.c linux-2.6.39.3/drivers/staging/zcache/tmem.c
40632 --- linux-2.6.39.3/drivers/staging/zcache/tmem.c 2011-05-19 00:06:34.000000000 -0400
40633 +++ linux-2.6.39.3/drivers/staging/zcache/tmem.c 2011-05-22 19:36:32.000000000 -0400
40634 @@ -39,7 +39,7 @@
40635 * A tmem host implementation must use this function to register callbacks
40636 * for memory allocation.
40637 */
40638 -static struct tmem_hostops tmem_hostops;
40639 +static const struct tmem_hostops tmem_hostops;
40640
40641 static void tmem_objnode_tree_init(void);
40642
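Review bot: `tmem_hostops` becomes `static const` with no initializer, yet the comment directly above says hosts register their callbacks through a function, and the next hunk does the same to `tmem_pamops` just above `tmem_register_pamops()`. If those register functions copy `*m` into the file-scope object (their bodies are outside both hunks), the copy is an assignment to a const object and will not compile. A form that keeps the callback table read-only is a pointer, `static const struct tmem_hostops *tmem_hostops;`, set once at registration, with the call sites switched to `->`.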
40643 @@ -53,7 +53,7 @@ void tmem_register_hostops(struct tmem_h
40644 * A tmem host implementation must use this function to register
40645 * callbacks for a page-accessible memory (PAM) implementation
40646 */
40647 -static struct tmem_pamops tmem_pamops;
40648 +static const struct tmem_pamops tmem_pamops;
40649
40650 void tmem_register_pamops(struct tmem_pamops *m)
40651 {
40652 diff -urNp linux-2.6.39.3/drivers/staging/zcache/zcache.c linux-2.6.39.3/drivers/staging/zcache/zcache.c
40653 --- linux-2.6.39.3/drivers/staging/zcache/zcache.c 2011-05-19 00:06:34.000000000 -0400
40654 +++ linux-2.6.39.3/drivers/staging/zcache/zcache.c 2011-05-22 19:36:32.000000000 -0400
40655 @@ -882,7 +882,7 @@ static void zcache_obj_free(struct tmem_
40656 kmem_cache_free(zcache_obj_cache, obj);
40657 }
40658
40659 -static struct tmem_hostops zcache_hostops = {
40660 +static const struct tmem_hostops zcache_hostops = {
40661 .obj_alloc = zcache_obj_alloc,
40662 .obj_free = zcache_obj_free,
40663 .objnode_alloc = zcache_objnode_alloc,
40664 @@ -987,7 +987,7 @@ static void zcache_pampd_free(void *pamp
40665 }
40666 }
40667
40668 -static struct tmem_pamops zcache_pamops = {
40669 +static const struct tmem_pamops zcache_pamops = {
40670 .create = zcache_pampd_create,
40671 .get_data = zcache_pampd_get_data,
40672 .free = zcache_pampd_free,
40673 diff -urNp linux-2.6.39.3/drivers/target/target_core_alua.c linux-2.6.39.3/drivers/target/target_core_alua.c
40674 --- linux-2.6.39.3/drivers/target/target_core_alua.c 2011-05-19 00:06:34.000000000 -0400
40675 +++ linux-2.6.39.3/drivers/target/target_core_alua.c 2011-05-22 19:36:32.000000000 -0400
40676 @@ -675,6 +675,8 @@ static int core_alua_update_tpg_primary_
40677 char path[ALUA_METADATA_PATH_LEN];
40678 int len;
40679
40680 + pax_track_stack();
40681 +
40682 memset(path, 0, ALUA_METADATA_PATH_LEN);
40683
40684 len = snprintf(md_buf, tg_pt_gp->tg_pt_gp_md_buf_len,
40685 @@ -938,6 +940,8 @@ static int core_alua_update_tpg_secondar
40686 char path[ALUA_METADATA_PATH_LEN], wwn[ALUA_SECONDARY_METADATA_WWN_LEN];
40687 int len;
40688
40689 + pax_track_stack();
40690 +
40691 memset(path, 0, ALUA_METADATA_PATH_LEN);
40692 memset(wwn, 0, ALUA_SECONDARY_METADATA_WWN_LEN);
40693
40694 diff -urNp linux-2.6.39.3/drivers/target/target_core_cdb.c linux-2.6.39.3/drivers/target/target_core_cdb.c
40695 --- linux-2.6.39.3/drivers/target/target_core_cdb.c 2011-05-19 00:06:34.000000000 -0400
40696 +++ linux-2.6.39.3/drivers/target/target_core_cdb.c 2011-05-22 19:36:32.000000000 -0400
40697 @@ -838,6 +838,8 @@ target_emulate_modesense(struct se_cmd *
40698 int length = 0;
40699 unsigned char buf[SE_MODE_PAGE_BUF];
40700
40701 + pax_track_stack();
40702 +
40703 memset(buf, 0, SE_MODE_PAGE_BUF);
40704
40705 switch (cdb[2] & 0x3f) {
40706 diff -urNp linux-2.6.39.3/drivers/target/target_core_configfs.c linux-2.6.39.3/drivers/target/target_core_configfs.c
40707 --- linux-2.6.39.3/drivers/target/target_core_configfs.c 2011-05-19 00:06:34.000000000 -0400
40708 +++ linux-2.6.39.3/drivers/target/target_core_configfs.c 2011-05-22 19:36:32.000000000 -0400
40709 @@ -1280,6 +1280,8 @@ static ssize_t target_core_dev_pr_show_a
40710 ssize_t len = 0;
40711 int reg_count = 0, prf_isid;
40712
40713 + pax_track_stack();
40714 +
40715 if (!(su_dev->se_dev_ptr))
40716 return -ENODEV;
40717
40718 @@ -2682,7 +2684,7 @@ static void target_core_alua_drop_tg_pt_
40719 config_item_put(item);
40720 }
40721
40722 -static struct configfs_group_operations target_core_alua_tg_pt_gps_group_ops = {
40723 +static const struct configfs_group_operations target_core_alua_tg_pt_gps_group_ops = {
40724 .make_group = &target_core_alua_create_tg_pt_gp,
40725 .drop_item = &target_core_alua_drop_tg_pt_gp,
40726 };
40727 @@ -2726,7 +2728,7 @@ static void target_core_stat_rmdir(
40728 return;
40729 }
40730
40731 -static struct configfs_group_operations target_core_stat_group_ops = {
40732 +static const struct configfs_group_operations target_core_stat_group_ops = {
40733 .make_group = &target_core_stat_mkdir,
40734 .drop_item = &target_core_stat_rmdir,
40735 };
40736 @@ -2939,7 +2941,7 @@ static void target_core_drop_subdev(
40737 mutex_unlock(&hba->hba_access_mutex);
40738 }
40739
40740 -static struct configfs_group_operations target_core_hba_group_ops = {
40741 +static const struct configfs_group_operations target_core_hba_group_ops = {
40742 .make_group = target_core_make_subdev,
40743 .drop_item = target_core_drop_subdev,
40744 };
40745 @@ -3117,7 +3119,7 @@ static void target_core_call_delhbafromt
40746 config_item_put(item);
40747 }
40748
40749 -static struct configfs_group_operations target_core_group_ops = {
40750 +static const struct configfs_group_operations target_core_group_ops = {
40751 .make_group = target_core_call_addhbatotarget,
40752 .drop_item = target_core_call_delhbafromtarget,
40753 };
40754 diff -urNp linux-2.6.39.3/drivers/target/target_core_fabric_configfs.c linux-2.6.39.3/drivers/target/target_core_fabric_configfs.c
40755 --- linux-2.6.39.3/drivers/target/target_core_fabric_configfs.c 2011-05-19 00:06:34.000000000 -0400
40756 +++ linux-2.6.39.3/drivers/target/target_core_fabric_configfs.c 2011-05-22 19:36:32.000000000 -0400
40757 @@ -1174,7 +1174,7 @@ static void target_fabric_drop_wwn(
40758 config_item_put(item);
40759 }
40760
40761 -static struct configfs_group_operations target_fabric_wwn_group_ops = {
40762 +static const struct configfs_group_operations target_fabric_wwn_group_ops = {
40763 .make_group = target_fabric_make_wwn,
40764 .drop_item = target_fabric_drop_wwn,
40765 };
40766 diff -urNp linux-2.6.39.3/drivers/target/target_core_pr.c linux-2.6.39.3/drivers/target/target_core_pr.c
40767 --- linux-2.6.39.3/drivers/target/target_core_pr.c 2011-05-19 00:06:34.000000000 -0400
40768 +++ linux-2.6.39.3/drivers/target/target_core_pr.c 2011-05-22 19:36:32.000000000 -0400
40769 @@ -918,6 +918,8 @@ static int __core_scsi3_check_aptpl_regi
40770 unsigned char t_port[PR_APTPL_MAX_TPORT_LEN];
40771 u16 tpgt;
40772
40773 + pax_track_stack();
40774 +
40775 memset(i_port, 0, PR_APTPL_MAX_IPORT_LEN);
40776 memset(t_port, 0, PR_APTPL_MAX_TPORT_LEN);
40777 /*
40778 @@ -1861,6 +1863,8 @@ static int __core_scsi3_update_aptpl_buf
40779 ssize_t len = 0;
40780 int reg_count = 0;
40781
40782 + pax_track_stack();
40783 +
40784 memset(buf, 0, pr_aptpl_buf_len);
40785 /*
40786 * Called to clear metadata once APTPL has been deactivated.
40787 @@ -1983,6 +1987,8 @@ static int __core_scsi3_write_aptpl_to_f
40788 char path[512];
40789 int ret;
40790
40791 + pax_track_stack();
40792 +
40793 memset(iov, 0, sizeof(struct iovec));
40794 memset(path, 0, 512);
40795
40796 diff -urNp linux-2.6.39.3/drivers/target/target_core_tmr.c linux-2.6.39.3/drivers/target/target_core_tmr.c
40797 --- linux-2.6.39.3/drivers/target/target_core_tmr.c 2011-06-03 00:04:14.000000000 -0400
40798 +++ linux-2.6.39.3/drivers/target/target_core_tmr.c 2011-06-03 00:32:07.000000000 -0400
40799 @@ -263,7 +263,7 @@ int core_tmr_lun_reset(
40800 CMD_TFO(cmd)->get_task_tag(cmd), cmd->pr_res_key,
40801 T_TASK(cmd)->t_task_cdbs,
40802 atomic_read(&T_TASK(cmd)->t_task_cdbs_left),
40803 - atomic_read(&T_TASK(cmd)->t_task_cdbs_sent),
40804 + atomic_read_unchecked(&T_TASK(cmd)->t_task_cdbs_sent),
40805 atomic_read(&T_TASK(cmd)->t_transport_active),
40806 atomic_read(&T_TASK(cmd)->t_transport_stop),
40807 atomic_read(&T_TASK(cmd)->t_transport_sent));
40808 @@ -305,7 +305,7 @@ int core_tmr_lun_reset(
40809 DEBUG_LR("LUN_RESET: got t_transport_active = 1 for"
40810 " task: %p, t_fe_count: %d dev: %p\n", task,
40811 fe_count, dev);
40812 - atomic_set(&T_TASK(cmd)->t_transport_aborted, 1);
40813 + atomic_set_unchecked(&T_TASK(cmd)->t_transport_aborted, 1);
40814 spin_unlock_irqrestore(&T_TASK(cmd)->t_state_lock,
40815 flags);
40816 core_tmr_handle_tas_abort(tmr_nacl, cmd, tas, fe_count);
40817 @@ -315,7 +315,7 @@ int core_tmr_lun_reset(
40818 }
40819 DEBUG_LR("LUN_RESET: Got t_transport_active = 0 for task: %p,"
40820 " t_fe_count: %d dev: %p\n", task, fe_count, dev);
40821 - atomic_set(&T_TASK(cmd)->t_transport_aborted, 1);
40822 + atomic_set_unchecked(&T_TASK(cmd)->t_transport_aborted, 1);
40823 spin_unlock_irqrestore(&T_TASK(cmd)->t_state_lock, flags);
40824 core_tmr_handle_tas_abort(tmr_nacl, cmd, tas, fe_count);
40825
40826 diff -urNp linux-2.6.39.3/drivers/target/target_core_transport.c linux-2.6.39.3/drivers/target/target_core_transport.c
40827 --- linux-2.6.39.3/drivers/target/target_core_transport.c 2011-06-03 00:04:14.000000000 -0400
40828 +++ linux-2.6.39.3/drivers/target/target_core_transport.c 2011-06-03 00:32:07.000000000 -0400
40829 @@ -1681,7 +1681,7 @@ struct se_device *transport_add_device_t
40830
40831 dev->queue_depth = dev_limits->queue_depth;
40832 atomic_set(&dev->depth_left, dev->queue_depth);
40833 - atomic_set(&dev->dev_ordered_id, 0);
40834 + atomic_set_unchecked(&dev->dev_ordered_id, 0);
40835
40836 se_dev_set_default_attribs(dev, dev_limits);
40837
40838 @@ -1882,7 +1882,7 @@ static int transport_check_alloc_task_at
40839 * Used to determine when ORDERED commands should go from
40840 * Dormant to Active status.
40841 */
40842 - cmd->se_ordered_id = atomic_inc_return(&SE_DEV(cmd)->dev_ordered_id);
40843 + cmd->se_ordered_id = atomic_inc_return_unchecked(&SE_DEV(cmd)->dev_ordered_id);
40844 smp_mb__after_atomic_inc();
40845 DEBUG_STA("Allocated se_ordered_id: %u for Task Attr: 0x%02x on %s\n",
40846 cmd->se_ordered_id, cmd->sam_task_attr,
40847 @@ -2169,7 +2169,7 @@ static void transport_generic_request_fa
40848 " t_transport_active: %d t_transport_stop: %d"
40849 " t_transport_sent: %d\n", T_TASK(cmd)->t_task_cdbs,
40850 atomic_read(&T_TASK(cmd)->t_task_cdbs_left),
40851 - atomic_read(&T_TASK(cmd)->t_task_cdbs_sent),
40852 + atomic_read_unchecked(&T_TASK(cmd)->t_task_cdbs_sent),
40853 atomic_read(&T_TASK(cmd)->t_task_cdbs_ex_left),
40854 atomic_read(&T_TASK(cmd)->t_transport_active),
40855 atomic_read(&T_TASK(cmd)->t_transport_stop),
40856 @@ -2673,9 +2673,9 @@ check_depth:
40857 spin_lock_irqsave(&T_TASK(cmd)->t_state_lock, flags);
40858 atomic_set(&task->task_active, 1);
40859 atomic_set(&task->task_sent, 1);
40860 - atomic_inc(&T_TASK(cmd)->t_task_cdbs_sent);
40861 + atomic_inc_unchecked(&T_TASK(cmd)->t_task_cdbs_sent);
40862
40863 - if (atomic_read(&T_TASK(cmd)->t_task_cdbs_sent) ==
40864 + if (atomic_read_unchecked(&T_TASK(cmd)->t_task_cdbs_sent) ==
40865 T_TASK(cmd)->t_task_cdbs)
40866 atomic_set(&cmd->transport_sent, 1);
40867
40868 @@ -5568,7 +5568,7 @@ static void transport_generic_wait_for_t
40869 atomic_set(&T_TASK(cmd)->transport_lun_stop, 0);
40870 }
40871 if (!atomic_read(&T_TASK(cmd)->t_transport_active) ||
40872 - atomic_read(&T_TASK(cmd)->t_transport_aborted))
40873 + atomic_read_unchecked(&T_TASK(cmd)->t_transport_aborted))
40874 goto remove;
40875
40876 atomic_set(&T_TASK(cmd)->t_transport_stop, 1);
40877 @@ -5797,7 +5797,7 @@ int transport_check_aborted_status(struc
40878 {
40879 int ret = 0;
40880
40881 - if (atomic_read(&T_TASK(cmd)->t_transport_aborted) != 0) {
40882 + if (atomic_read_unchecked(&T_TASK(cmd)->t_transport_aborted) != 0) {
40883 if (!(send_status) ||
40884 (cmd->se_cmd_flags & SCF_SENT_DELAYED_TAS))
40885 return 1;
40886 @@ -5825,7 +5825,7 @@ void transport_send_task_abort(struct se
40887 */
40888 if (cmd->data_direction == DMA_TO_DEVICE) {
40889 if (CMD_TFO(cmd)->write_pending_status(cmd) != 0) {
40890 - atomic_inc(&T_TASK(cmd)->t_transport_aborted);
40891 + atomic_inc_unchecked(&T_TASK(cmd)->t_transport_aborted);
40892 smp_mb__after_atomic_inc();
40893 cmd->scsi_status = SAM_STAT_TASK_ABORTED;
40894 transport_new_cmd_failure(cmd);
40895 @@ -5949,7 +5949,7 @@ static void transport_processing_shutdow
40896 CMD_TFO(cmd)->get_task_tag(cmd),
40897 T_TASK(cmd)->t_task_cdbs,
40898 atomic_read(&T_TASK(cmd)->t_task_cdbs_left),
40899 - atomic_read(&T_TASK(cmd)->t_task_cdbs_sent),
40900 + atomic_read_unchecked(&T_TASK(cmd)->t_task_cdbs_sent),
40901 atomic_read(&T_TASK(cmd)->t_transport_active),
40902 atomic_read(&T_TASK(cmd)->t_transport_stop),
40903 atomic_read(&T_TASK(cmd)->t_transport_sent));
40904 diff -urNp linux-2.6.39.3/drivers/telephony/ixj.c linux-2.6.39.3/drivers/telephony/ixj.c
40905 --- linux-2.6.39.3/drivers/telephony/ixj.c 2011-05-19 00:06:34.000000000 -0400
40906 +++ linux-2.6.39.3/drivers/telephony/ixj.c 2011-05-22 19:36:32.000000000 -0400
40907 @@ -4976,6 +4976,8 @@ static int ixj_daa_cid_read(IXJ *j)
40908 bool mContinue;
40909 char *pIn, *pOut;
40910
40911 + pax_track_stack();
40912 +
40913 if (!SCI_Prepare(j))
40914 return 0;
40915
40916 diff -urNp linux-2.6.39.3/drivers/tty/hvc/hvc_console.h linux-2.6.39.3/drivers/tty/hvc/hvc_console.h
40917 --- linux-2.6.39.3/drivers/tty/hvc/hvc_console.h 2011-05-19 00:06:34.000000000 -0400
40918 +++ linux-2.6.39.3/drivers/tty/hvc/hvc_console.h 2011-05-22 19:36:32.000000000 -0400
40919 @@ -82,6 +82,7 @@ extern int hvc_instantiate(uint32_t vter
40920 /* register a vterm for hvc tty operation (module_init or hotplug add) */
40921 extern struct hvc_struct * hvc_alloc(uint32_t vtermno, int data,
40922 const struct hv_ops *ops, int outbuf_size);
40923 +
40924 /* remove a vterm from hvc tty operation (module_exit or hotplug remove) */
40925 extern int hvc_remove(struct hvc_struct *hp);
40926
40927 diff -urNp linux-2.6.39.3/drivers/tty/hvc/hvc_iucv.c linux-2.6.39.3/drivers/tty/hvc/hvc_iucv.c
40928 --- linux-2.6.39.3/drivers/tty/hvc/hvc_iucv.c 2011-05-19 00:06:34.000000000 -0400
40929 +++ linux-2.6.39.3/drivers/tty/hvc/hvc_iucv.c 2011-05-22 19:36:32.000000000 -0400
40930 @@ -1203,7 +1203,7 @@ static int param_get_vmidfilter(char *bu
40931
40932 #define param_check_vmidfilter(name, p) __param_check(name, p, void)
40933
40934 -static struct kernel_param_ops param_ops_vmidfilter = {
40935 +static const struct kernel_param_ops param_ops_vmidfilter = {
40936 .set = param_set_vmidfilter,
40937 .get = param_get_vmidfilter,
40938 };
40939 diff -urNp linux-2.6.39.3/drivers/tty/hvc/hvcs.c linux-2.6.39.3/drivers/tty/hvc/hvcs.c
40940 --- linux-2.6.39.3/drivers/tty/hvc/hvcs.c 2011-05-19 00:06:34.000000000 -0400
40941 +++ linux-2.6.39.3/drivers/tty/hvc/hvcs.c 2011-05-22 19:36:32.000000000 -0400
40942 @@ -83,6 +83,7 @@
40943 #include <asm/hvcserver.h>
40944 #include <asm/uaccess.h>
40945 #include <asm/vio.h>
40946 +#include <asm/local.h>
40947
40948 /*
40949 * 1.3.0 -> 1.3.1 In hvcs_open memset(..,0x00,..) instead of memset(..,0x3F,00).
40950 @@ -270,7 +271,7 @@ struct hvcs_struct {
40951 unsigned int index;
40952
40953 struct tty_struct *tty;
40954 - int open_count;
40955 + local_t open_count;
40956
40957 /*
40958 * Used to tell the driver kernel_thread what operations need to take
40959 @@ -422,7 +423,7 @@ static ssize_t hvcs_vterm_state_store(st
40960
40961 spin_lock_irqsave(&hvcsd->lock, flags);
40962
40963 - if (hvcsd->open_count > 0) {
40964 + if (local_read(&hvcsd->open_count) > 0) {
40965 spin_unlock_irqrestore(&hvcsd->lock, flags);
40966 printk(KERN_INFO "HVCS: vterm state unchanged. "
40967 "The hvcs device node is still in use.\n");
40968 @@ -1145,7 +1146,7 @@ static int hvcs_open(struct tty_struct *
40969 if ((retval = hvcs_partner_connect(hvcsd)))
40970 goto error_release;
40971
40972 - hvcsd->open_count = 1;
40973 + local_set(&hvcsd->open_count, 1);
40974 hvcsd->tty = tty;
40975 tty->driver_data = hvcsd;
40976
40977 @@ -1179,7 +1180,7 @@ fast_open:
40978
40979 spin_lock_irqsave(&hvcsd->lock, flags);
40980 kref_get(&hvcsd->kref);
40981 - hvcsd->open_count++;
40982 + local_inc(&hvcsd->open_count);
40983 hvcsd->todo_mask |= HVCS_SCHED_READ;
40984 spin_unlock_irqrestore(&hvcsd->lock, flags);
40985
40986 @@ -1223,7 +1224,7 @@ static void hvcs_close(struct tty_struct
40987 hvcsd = tty->driver_data;
40988
40989 spin_lock_irqsave(&hvcsd->lock, flags);
40990 - if (--hvcsd->open_count == 0) {
40991 + if (local_dec_and_test(&hvcsd->open_count)) {
40992
40993 vio_disable_interrupts(hvcsd->vdev);
40994
40995 @@ -1249,10 +1250,10 @@ static void hvcs_close(struct tty_struct
40996 free_irq(irq, hvcsd);
40997 kref_put(&hvcsd->kref, destroy_hvcs_struct);
40998 return;
40999 - } else if (hvcsd->open_count < 0) {
41000 + } else if (local_read(&hvcsd->open_count) < 0) {
41001 printk(KERN_ERR "HVCS: vty-server@%X open_count: %d"
41002 " is missmanaged.\n",
41003 - hvcsd->vdev->unit_address, hvcsd->open_count);
41004 + hvcsd->vdev->unit_address, local_read(&hvcsd->open_count));
41005 }
41006
41007 spin_unlock_irqrestore(&hvcsd->lock, flags);
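Review bot: The `printk` in this hunk still formats the counter with `%d`, but `local_read()` returns a `long`, so the argument no longer matches the conversion on 64-bit builds; the format should read `open_count: %ld`. The same widening affects the `hvcs_hangup` hunk that follows, where `temp_open_count = local_read(&hvcsd->open_count);` assigns into a variable declared outside the hunk. That variable is presumably an `int`, so it should be widened to `long` or the narrowing made explicit with a cast. Both functions start and end outside the visible hunks.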
41008 @@ -1268,7 +1269,7 @@ static void hvcs_hangup(struct tty_struc
41009
41010 spin_lock_irqsave(&hvcsd->lock, flags);
41011 /* Preserve this so that we know how many kref refs to put */
41012 - temp_open_count = hvcsd->open_count;
41013 + temp_open_count = local_read(&hvcsd->open_count);
41014
41015 /*
41016 * Don't kref put inside the spinlock because the destruction
41017 @@ -1283,7 +1284,7 @@ static void hvcs_hangup(struct tty_struc
41018 hvcsd->tty->driver_data = NULL;
41019 hvcsd->tty = NULL;
41020
41021 - hvcsd->open_count = 0;
41022 + local_set(&hvcsd->open_count, 0);
41023
41024 /* This will drop any buffered data on the floor which is OK in a hangup
41025 * scenario. */
41026 @@ -1354,7 +1355,7 @@ static int hvcs_write(struct tty_struct
41027 * the middle of a write operation? This is a crummy place to do this
41028 * but we want to keep it all in the spinlock.
41029 */
41030 - if (hvcsd->open_count <= 0) {
41031 + if (local_read(&hvcsd->open_count) <= 0) {
41032 spin_unlock_irqrestore(&hvcsd->lock, flags);
41033 return -ENODEV;
41034 }
41035 @@ -1428,7 +1429,7 @@ static int hvcs_write_room(struct tty_st
41036 {
41037 struct hvcs_struct *hvcsd = tty->driver_data;
41038
41039 - if (!hvcsd || hvcsd->open_count <= 0)
41040 + if (!hvcsd || local_read(&hvcsd->open_count) <= 0)
41041 return 0;
41042
41043 return HVCS_BUFF_LEN - hvcsd->chars_in_buffer;
41044 diff -urNp linux-2.6.39.3/drivers/tty/hvc/hvc_xen.c linux-2.6.39.3/drivers/tty/hvc/hvc_xen.c
41045 --- linux-2.6.39.3/drivers/tty/hvc/hvc_xen.c 2011-05-19 00:06:34.000000000 -0400
41046 +++ linux-2.6.39.3/drivers/tty/hvc/hvc_xen.c 2011-05-22 19:36:32.000000000 -0400
41047 @@ -123,7 +123,7 @@ static int domU_read_console(uint32_t vt
41048 return recv;
41049 }
41050
41051 -static struct hv_ops domU_hvc_ops = {
41052 +static const struct hv_ops domU_hvc_ops = {
41053 .get_chars = domU_read_console,
41054 .put_chars = domU_write_console,
41055 .notifier_add = notifier_add_irq,
41056 @@ -149,7 +149,7 @@ static int dom0_write_console(uint32_t v
41057 return len;
41058 }
41059
41060 -static struct hv_ops dom0_hvc_ops = {
41061 +static const struct hv_ops dom0_hvc_ops = {
41062 .get_chars = dom0_read_console,
41063 .put_chars = dom0_write_console,
41064 .notifier_add = notifier_add_irq,
41065 @@ -160,7 +160,7 @@ static struct hv_ops dom0_hvc_ops = {
41066 static int __init xen_hvc_init(void)
41067 {
41068 struct hvc_struct *hp;
41069 - struct hv_ops *ops;
41070 + const struct hv_ops *ops;
41071
41072 if (!xen_pv_domain())
41073 return -ENODEV;
41074 @@ -205,7 +205,7 @@ static void __exit xen_hvc_fini(void)
41075
41076 static int xen_cons_init(void)
41077 {
41078 - struct hv_ops *ops;
41079 + const struct hv_ops *ops;
41080
41081 if (!xen_pv_domain())
41082 return 0;
41083 diff -urNp linux-2.6.39.3/drivers/tty/ipwireless/tty.c linux-2.6.39.3/drivers/tty/ipwireless/tty.c
41084 --- linux-2.6.39.3/drivers/tty/ipwireless/tty.c 2011-05-19 00:06:34.000000000 -0400
41085 +++ linux-2.6.39.3/drivers/tty/ipwireless/tty.c 2011-05-22 19:36:32.000000000 -0400
41086 @@ -29,6 +29,7 @@
41087 #include <linux/tty_driver.h>
41088 #include <linux/tty_flip.h>
41089 #include <linux/uaccess.h>
41090 +#include <asm/local.h>
41091
41092 #include "tty.h"
41093 #include "network.h"
41094 @@ -51,7 +52,7 @@ struct ipw_tty {
41095 int tty_type;
41096 struct ipw_network *network;
41097 struct tty_struct *linux_tty;
41098 - int open_count;
41099 + local_t open_count;
41100 unsigned int control_lines;
41101 struct mutex ipw_tty_mutex;
41102 int tx_bytes_queued;
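Review bot: `open_count` in `struct ipw_tty` becomes a `local_t` with no comment saying what serializes it, and the local_t API only guarantees atomicity with respect to the owning CPU, so the counter still depends on `ipw_tty_mutex` for correctness. The `ipw_open` and `ipw_hangup` hunks show the mutex in their context lines, while the hunks in `ipw_write_room`, `ipw_chars_in_buffer`, `ipw_tiocmget`, `ipw_tiocmset` and `ipw_ioctl` read the counter with no lock visible (unchanged from before the patch). I would document the rule on the field, e.g. `local_t open_count; /* guarded by ipw_tty_mutex; local_t alone is not SMP-safe */`, so the type change is not mistaken for added synchronization.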
41103 @@ -127,10 +128,10 @@ static int ipw_open(struct tty_struct *l
41104 mutex_unlock(&tty->ipw_tty_mutex);
41105 return -ENODEV;
41106 }
41107 - if (tty->open_count == 0)
41108 + if (local_read(&tty->open_count) == 0)
41109 tty->tx_bytes_queued = 0;
41110
41111 - tty->open_count++;
41112 + local_inc(&tty->open_count);
41113
41114 tty->linux_tty = linux_tty;
41115 linux_tty->driver_data = tty;
41116 @@ -146,9 +147,7 @@ static int ipw_open(struct tty_struct *l
41117
41118 static void do_ipw_close(struct ipw_tty *tty)
41119 {
41120 - tty->open_count--;
41121 -
41122 - if (tty->open_count == 0) {
41123 + if (local_dec_return(&tty->open_count) == 0) {
41124 struct tty_struct *linux_tty = tty->linux_tty;
41125
41126 if (linux_tty != NULL) {
41127 @@ -169,7 +168,7 @@ static void ipw_hangup(struct tty_struct
41128 return;
41129
41130 mutex_lock(&tty->ipw_tty_mutex);
41131 - if (tty->open_count == 0) {
41132 + if (local_read(&tty->open_count) == 0) {
41133 mutex_unlock(&tty->ipw_tty_mutex);
41134 return;
41135 }
41136 @@ -198,7 +197,7 @@ void ipwireless_tty_received(struct ipw_
41137 return;
41138 }
41139
41140 - if (!tty->open_count) {
41141 + if (!local_read(&tty->open_count)) {
41142 mutex_unlock(&tty->ipw_tty_mutex);
41143 return;
41144 }
41145 @@ -240,7 +239,7 @@ static int ipw_write(struct tty_struct *
41146 return -ENODEV;
41147
41148 mutex_lock(&tty->ipw_tty_mutex);
41149 - if (!tty->open_count) {
41150 + if (!local_read(&tty->open_count)) {
41151 mutex_unlock(&tty->ipw_tty_mutex);
41152 return -EINVAL;
41153 }
41154 @@ -280,7 +279,7 @@ static int ipw_write_room(struct tty_str
41155 if (!tty)
41156 return -ENODEV;
41157
41158 - if (!tty->open_count)
41159 + if (!local_read(&tty->open_count))
41160 return -EINVAL;
41161
41162 room = IPWIRELESS_TX_QUEUE_SIZE - tty->tx_bytes_queued;
41163 @@ -322,7 +321,7 @@ static int ipw_chars_in_buffer(struct tt
41164 if (!tty)
41165 return 0;
41166
41167 - if (!tty->open_count)
41168 + if (!local_read(&tty->open_count))
41169 return 0;
41170
41171 return tty->tx_bytes_queued;
41172 @@ -403,7 +402,7 @@ static int ipw_tiocmget(struct tty_struc
41173 if (!tty)
41174 return -ENODEV;
41175
41176 - if (!tty->open_count)
41177 + if (!local_read(&tty->open_count))
41178 return -EINVAL;
41179
41180 return get_control_lines(tty);
41181 @@ -419,7 +418,7 @@ ipw_tiocmset(struct tty_struct *linux_tt
41182 if (!tty)
41183 return -ENODEV;
41184
41185 - if (!tty->open_count)
41186 + if (!local_read(&tty->open_count))
41187 return -EINVAL;
41188
41189 return set_control_lines(tty, set, clear);
41190 @@ -433,7 +432,7 @@ static int ipw_ioctl(struct tty_struct *
41191 if (!tty)
41192 return -ENODEV;
41193
41194 - if (!tty->open_count)
41195 + if (!local_read(&tty->open_count))
41196 return -EINVAL;
41197
41198 /* FIXME: Exactly how is the tty object locked here .. */
41199 @@ -582,7 +581,7 @@ void ipwireless_tty_free(struct ipw_tty
41200 against a parallel ioctl etc */
41201 mutex_lock(&ttyj->ipw_tty_mutex);
41202 }
41203 - while (ttyj->open_count)
41204 + while (local_read(&ttyj->open_count))
41205 do_ipw_close(ttyj);
41206 ipwireless_disassociate_network_ttys(network,
41207 ttyj->channel_idx);
41208 diff -urNp linux-2.6.39.3/drivers/tty/mxser.c linux-2.6.39.3/drivers/tty/mxser.c
41209 --- linux-2.6.39.3/drivers/tty/mxser.c 2011-05-19 00:06:34.000000000 -0400
41210 +++ linux-2.6.39.3/drivers/tty/mxser.c 2011-05-22 19:36:32.000000000 -0400
41211 @@ -2340,7 +2340,7 @@ static const struct tty_operations mxser
41212 .get_icount = mxser_get_icount,
41213 };
41214
41215 -struct tty_port_operations mxser_port_ops = {
41216 +const struct tty_port_operations mxser_port_ops = {
41217 .carrier_raised = mxser_carrier_raised,
41218 .dtr_rts = mxser_dtr_rts,
41219 .activate = mxser_activate,
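Review bot: `mxser_port_ops` gains `const` but keeps external linkage, so the table stays visible to every other translation unit. If nothing outside mxser.c references it (not visible from this hunk), `static const struct tty_port_operations mxser_port_ops = {` would be tighter. The same applies to `sport_uart_ops` in bfin_sport_uart.c, `serial_hsu_pops` in mfd.c and `serial_m3110_ops` in mrst_max3110.c. Where a header does declare one of these, its `extern` declaration has to gain the `const` as well, otherwise the declarations conflict.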
41220 diff -urNp linux-2.6.39.3/drivers/tty/n_gsm.c linux-2.6.39.3/drivers/tty/n_gsm.c
41221 --- linux-2.6.39.3/drivers/tty/n_gsm.c 2011-05-19 00:06:34.000000000 -0400
41222 +++ linux-2.6.39.3/drivers/tty/n_gsm.c 2011-05-22 19:36:32.000000000 -0400
41223 @@ -1588,7 +1588,7 @@ static struct gsm_dlci *gsm_dlci_alloc(s
41224 return NULL;
41225 spin_lock_init(&dlci->lock);
41226 dlci->fifo = &dlci->_fifo;
41227 - if (kfifo_alloc(&dlci->_fifo, 4096, GFP_KERNEL) < 0) {
41228 + if (kfifo_alloc(&dlci->_fifo, 4096, GFP_KERNEL)) {
41229 kfree(dlci);
41230 return NULL;
41231 }
41232 diff -urNp linux-2.6.39.3/drivers/tty/n_tty.c linux-2.6.39.3/drivers/tty/n_tty.c
41233 --- linux-2.6.39.3/drivers/tty/n_tty.c 2011-05-19 00:06:34.000000000 -0400
41234 +++ linux-2.6.39.3/drivers/tty/n_tty.c 2011-05-22 19:36:32.000000000 -0400
41235 @@ -2122,6 +2122,7 @@ void n_tty_inherit_ops(struct tty_ldisc_
41236 {
41237 *ops = tty_ldisc_N_TTY;
41238 ops->owner = NULL;
41239 - ops->refcount = ops->flags = 0;
41240 + atomic_set(&ops->refcount, 0);
41241 + ops->flags = 0;
41242 }
41243 EXPORT_SYMBOL_GPL(n_tty_inherit_ops);
41244 diff -urNp linux-2.6.39.3/drivers/tty/pty.c linux-2.6.39.3/drivers/tty/pty.c
41245 --- linux-2.6.39.3/drivers/tty/pty.c 2011-05-19 00:06:34.000000000 -0400
41246 +++ linux-2.6.39.3/drivers/tty/pty.c 2011-05-22 19:36:32.000000000 -0400
41247 @@ -699,7 +699,18 @@ out:
41248 return retval;
41249 }
41250
41251 -static struct file_operations ptmx_fops;
41252 +static const struct file_operations ptmx_fops = {
41253 + .llseek = no_llseek,
41254 + .read = tty_read,
41255 + .write = tty_write,
41256 + .poll = tty_poll,
41257 + .unlocked_ioctl = tty_ioctl,
41258 + .compat_ioctl = tty_compat_ioctl,
41259 + .open = ptmx_open,
41260 + .release = tty_release,
41261 + .fasync = tty_fasync,
41262 +};
41263 +
41264
41265 static void __init unix98_pty_init(void)
41266 {
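Review bot: The new `ptmx_fops` initializer hard-codes the handler list that `tty_default_fops()` used to copy at init time (see the lines removed in the next hunk), so a later change to the default tty file operations will no longer reach /dev/ptmx. A comment above the table would make that dependency explicit, e.g. `/* keep in sync with the default tty fops; only .open differs (ptmx_open) */`. The initializer also names `tty_read`, `tty_write`, `tty_poll` and the other tty handlers directly, which requires them to be declared for pty.c; that part is not visible in this hunk.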
41267 @@ -752,10 +763,6 @@ static void __init unix98_pty_init(void)
41268
41269 register_sysctl_table(pty_root_table);
41270
41271 - /* Now create the /dev/ptmx special device */
41272 - tty_default_fops(&ptmx_fops);
41273 - ptmx_fops.open = ptmx_open;
41274 -
41275 cdev_init(&ptmx_cdev, &ptmx_fops);
41276 if (cdev_add(&ptmx_cdev, MKDEV(TTYAUX_MAJOR, 2), 1) ||
41277 register_chrdev_region(MKDEV(TTYAUX_MAJOR, 2), 1, "/dev/ptmx") < 0)
41278 diff -urNp linux-2.6.39.3/drivers/tty/rocket.c linux-2.6.39.3/drivers/tty/rocket.c
41279 --- linux-2.6.39.3/drivers/tty/rocket.c 2011-05-19 00:06:34.000000000 -0400
41280 +++ linux-2.6.39.3/drivers/tty/rocket.c 2011-05-22 19:36:32.000000000 -0400
41281 @@ -1277,6 +1277,8 @@ static int get_ports(struct r_port *info
41282 struct rocket_ports tmp;
41283 int board;
41284
41285 + pax_track_stack();
41286 +
41287 if (!retports)
41288 return -EFAULT;
41289 memset(&tmp, 0, sizeof (tmp));
41290 diff -urNp linux-2.6.39.3/drivers/tty/serial/21285.c linux-2.6.39.3/drivers/tty/serial/21285.c
41291 --- linux-2.6.39.3/drivers/tty/serial/21285.c 2011-05-19 00:06:34.000000000 -0400
41292 +++ linux-2.6.39.3/drivers/tty/serial/21285.c 2011-05-22 19:36:32.000000000 -0400
41293 @@ -340,7 +340,7 @@ static int serial21285_verify_port(struc
41294 return ret;
41295 }
41296
41297 -static struct uart_ops serial21285_ops = {
41298 +static const struct uart_ops serial21285_ops = {
41299 .tx_empty = serial21285_tx_empty,
41300 .get_mctrl = serial21285_get_mctrl,
41301 .set_mctrl = serial21285_set_mctrl,
41302 diff -urNp linux-2.6.39.3/drivers/tty/serial/8250.c linux-2.6.39.3/drivers/tty/serial/8250.c
41303 --- linux-2.6.39.3/drivers/tty/serial/8250.c 2011-05-19 00:06:34.000000000 -0400
41304 +++ linux-2.6.39.3/drivers/tty/serial/8250.c 2011-05-22 19:36:32.000000000 -0400
41305 @@ -2708,7 +2708,7 @@ serial8250_type(struct uart_port *port)
41306 return uart_config[type].name;
41307 }
41308
41309 -static struct uart_ops serial8250_pops = {
41310 +static const struct uart_ops serial8250_pops = {
41311 .tx_empty = serial8250_tx_empty,
41312 .set_mctrl = serial8250_set_mctrl,
41313 .get_mctrl = serial8250_get_mctrl,
41314 diff -urNp linux-2.6.39.3/drivers/tty/serial/altera_jtaguart.c linux-2.6.39.3/drivers/tty/serial/altera_jtaguart.c
41315 --- linux-2.6.39.3/drivers/tty/serial/altera_jtaguart.c 2011-05-19 00:06:34.000000000 -0400
41316 +++ linux-2.6.39.3/drivers/tty/serial/altera_jtaguart.c 2011-05-22 19:36:32.000000000 -0400
41317 @@ -281,7 +281,7 @@ static int altera_jtaguart_verify_port(s
41318 /*
41319 * Define the basic serial functions we support.
41320 */
41321 -static struct uart_ops altera_jtaguart_ops = {
41322 +static const struct uart_ops altera_jtaguart_ops = {
41323 .tx_empty = altera_jtaguart_tx_empty,
41324 .get_mctrl = altera_jtaguart_get_mctrl,
41325 .set_mctrl = altera_jtaguart_set_mctrl,
41326 diff -urNp linux-2.6.39.3/drivers/tty/serial/altera_uart.c linux-2.6.39.3/drivers/tty/serial/altera_uart.c
41327 --- linux-2.6.39.3/drivers/tty/serial/altera_uart.c 2011-05-19 00:06:34.000000000 -0400
41328 +++ linux-2.6.39.3/drivers/tty/serial/altera_uart.c 2011-05-22 19:36:32.000000000 -0400
41329 @@ -380,7 +380,7 @@ static int altera_uart_verify_port(struc
41330 /*
41331 * Define the basic serial functions we support.
41332 */
41333 -static struct uart_ops altera_uart_ops = {
41334 +static const struct uart_ops altera_uart_ops = {
41335 .tx_empty = altera_uart_tx_empty,
41336 .get_mctrl = altera_uart_get_mctrl,
41337 .set_mctrl = altera_uart_set_mctrl,
41338 diff -urNp linux-2.6.39.3/drivers/tty/serial/amba-pl010.c linux-2.6.39.3/drivers/tty/serial/amba-pl010.c
41339 --- linux-2.6.39.3/drivers/tty/serial/amba-pl010.c 2011-05-19 00:06:34.000000000 -0400
41340 +++ linux-2.6.39.3/drivers/tty/serial/amba-pl010.c 2011-05-22 19:36:32.000000000 -0400
41341 @@ -529,7 +529,7 @@ static int pl010_verify_port(struct uart
41342 return ret;
41343 }
41344
41345 -static struct uart_ops amba_pl010_pops = {
41346 +static const struct uart_ops amba_pl010_pops = {
41347 .tx_empty = pl010_tx_empty,
41348 .set_mctrl = pl010_set_mctrl,
41349 .get_mctrl = pl010_get_mctrl,
41350 diff -urNp linux-2.6.39.3/drivers/tty/serial/amba-pl011.c linux-2.6.39.3/drivers/tty/serial/amba-pl011.c
41351 --- linux-2.6.39.3/drivers/tty/serial/amba-pl011.c 2011-05-19 00:06:34.000000000 -0400
41352 +++ linux-2.6.39.3/drivers/tty/serial/amba-pl011.c 2011-05-22 19:36:32.000000000 -0400
41353 @@ -1581,7 +1581,7 @@ static int pl010_verify_port(struct uart
41354 return ret;
41355 }
41356
41357 -static struct uart_ops amba_pl011_pops = {
41358 +static const struct uart_ops amba_pl011_pops = {
41359 .tx_empty = pl01x_tx_empty,
41360 .set_mctrl = pl011_set_mctrl,
41361 .get_mctrl = pl01x_get_mctrl,
41362 diff -urNp linux-2.6.39.3/drivers/tty/serial/apbuart.c linux-2.6.39.3/drivers/tty/serial/apbuart.c
41363 --- linux-2.6.39.3/drivers/tty/serial/apbuart.c 2011-05-19 00:06:34.000000000 -0400
41364 +++ linux-2.6.39.3/drivers/tty/serial/apbuart.c 2011-05-22 19:36:32.000000000 -0400
41365 @@ -328,7 +328,7 @@ static int apbuart_verify_port(struct ua
41366 return ret;
41367 }
41368
41369 -static struct uart_ops grlib_apbuart_ops = {
41370 +static const struct uart_ops grlib_apbuart_ops = {
41371 .tx_empty = apbuart_tx_empty,
41372 .set_mctrl = apbuart_set_mctrl,
41373 .get_mctrl = apbuart_get_mctrl,
41374 diff -urNp linux-2.6.39.3/drivers/tty/serial/atmel_serial.c linux-2.6.39.3/drivers/tty/serial/atmel_serial.c
41375 --- linux-2.6.39.3/drivers/tty/serial/atmel_serial.c 2011-05-19 00:06:34.000000000 -0400
41376 +++ linux-2.6.39.3/drivers/tty/serial/atmel_serial.c 2011-05-22 19:36:32.000000000 -0400
41377 @@ -1382,7 +1382,7 @@ atmel_ioctl(struct uart_port *port, unsi
41378
41379
41380
41381 -static struct uart_ops atmel_pops = {
41382 +static const struct uart_ops atmel_pops = {
41383 .tx_empty = atmel_tx_empty,
41384 .set_mctrl = atmel_set_mctrl,
41385 .get_mctrl = atmel_get_mctrl,
41386 diff -urNp linux-2.6.39.3/drivers/tty/serial/bcm63xx_uart.c linux-2.6.39.3/drivers/tty/serial/bcm63xx_uart.c
41387 --- linux-2.6.39.3/drivers/tty/serial/bcm63xx_uart.c 2011-05-19 00:06:34.000000000 -0400
41388 +++ linux-2.6.39.3/drivers/tty/serial/bcm63xx_uart.c 2011-05-22 19:36:32.000000000 -0400
41389 @@ -636,7 +636,7 @@ static int bcm_uart_verify_port(struct u
41390 }
41391
41392 /* serial core callbacks */
41393 -static struct uart_ops bcm_uart_ops = {
41394 +static const struct uart_ops bcm_uart_ops = {
41395 .tx_empty = bcm_uart_tx_empty,
41396 .get_mctrl = bcm_uart_get_mctrl,
41397 .set_mctrl = bcm_uart_set_mctrl,
41398 diff -urNp linux-2.6.39.3/drivers/tty/serial/bfin_5xx.c linux-2.6.39.3/drivers/tty/serial/bfin_5xx.c
41399 --- linux-2.6.39.3/drivers/tty/serial/bfin_5xx.c 2011-05-19 00:06:34.000000000 -0400
41400 +++ linux-2.6.39.3/drivers/tty/serial/bfin_5xx.c 2011-05-22 19:36:32.000000000 -0400
41401 @@ -1036,7 +1036,7 @@ static int bfin_kgdboc_port_startup(stru
41402 }
41403 #endif
41404
41405 -static struct uart_ops bfin_serial_pops = {
41406 +static const struct uart_ops bfin_serial_pops = {
41407 .tx_empty = bfin_serial_tx_empty,
41408 .set_mctrl = bfin_serial_set_mctrl,
41409 .get_mctrl = bfin_serial_get_mctrl,
41410 diff -urNp linux-2.6.39.3/drivers/tty/serial/bfin_sport_uart.c linux-2.6.39.3/drivers/tty/serial/bfin_sport_uart.c
41411 --- linux-2.6.39.3/drivers/tty/serial/bfin_sport_uart.c 2011-05-19 00:06:34.000000000 -0400
41412 +++ linux-2.6.39.3/drivers/tty/serial/bfin_sport_uart.c 2011-05-22 19:36:32.000000000 -0400
41413 @@ -571,7 +571,7 @@ static void sport_set_termios(struct uar
41414 spin_unlock_irqrestore(&up->port.lock, flags);
41415 }
41416
41417 -struct uart_ops sport_uart_ops = {
41418 +const struct uart_ops sport_uart_ops = {
41419 .tx_empty = sport_tx_empty,
41420 .set_mctrl = sport_set_mctrl,
41421 .get_mctrl = sport_get_mctrl,
41422 diff -urNp linux-2.6.39.3/drivers/tty/serial/clps711x.c linux-2.6.39.3/drivers/tty/serial/clps711x.c
41423 --- linux-2.6.39.3/drivers/tty/serial/clps711x.c 2011-05-19 00:06:34.000000000 -0400
41424 +++ linux-2.6.39.3/drivers/tty/serial/clps711x.c 2011-05-22 19:36:32.000000000 -0400
41425 @@ -380,7 +380,7 @@ static int clps711xuart_request_port(str
41426 return 0;
41427 }
41428
41429 -static struct uart_ops clps711x_pops = {
41430 +static const struct uart_ops clps711x_pops = {
41431 .tx_empty = clps711xuart_tx_empty,
41432 .set_mctrl = clps711xuart_set_mctrl_null,
41433 .get_mctrl = clps711xuart_get_mctrl,
41434 diff -urNp linux-2.6.39.3/drivers/tty/serial/cpm_uart/cpm_uart_core.c linux-2.6.39.3/drivers/tty/serial/cpm_uart/cpm_uart_core.c
41435 --- linux-2.6.39.3/drivers/tty/serial/cpm_uart/cpm_uart_core.c 2011-05-19 00:06:34.000000000 -0400
41436 +++ linux-2.6.39.3/drivers/tty/serial/cpm_uart/cpm_uart_core.c 2011-05-22 19:36:32.000000000 -0400
41437 @@ -1099,7 +1099,7 @@ static void cpm_put_poll_char(struct uar
41438 }
41439 #endif /* CONFIG_CONSOLE_POLL */
41440
41441 -static struct uart_ops cpm_uart_pops = {
41442 +static const struct uart_ops cpm_uart_pops = {
41443 .tx_empty = cpm_uart_tx_empty,
41444 .set_mctrl = cpm_uart_set_mctrl,
41445 .get_mctrl = cpm_uart_get_mctrl,
41446 diff -urNp linux-2.6.39.3/drivers/tty/serial/dz.c linux-2.6.39.3/drivers/tty/serial/dz.c
41447 --- linux-2.6.39.3/drivers/tty/serial/dz.c 2011-05-19 00:06:34.000000000 -0400
41448 +++ linux-2.6.39.3/drivers/tty/serial/dz.c 2011-05-22 19:36:32.000000000 -0400
41449 @@ -746,7 +746,7 @@ static int dz_verify_port(struct uart_po
41450 return ret;
41451 }
41452
41453 -static struct uart_ops dz_ops = {
41454 +static const struct uart_ops dz_ops = {
41455 .tx_empty = dz_tx_empty,
41456 .get_mctrl = dz_get_mctrl,
41457 .set_mctrl = dz_set_mctrl,
41458 diff -urNp linux-2.6.39.3/drivers/tty/serial/imx.c linux-2.6.39.3/drivers/tty/serial/imx.c
41459 --- linux-2.6.39.3/drivers/tty/serial/imx.c 2011-05-19 00:06:34.000000000 -0400
41460 +++ linux-2.6.39.3/drivers/tty/serial/imx.c 2011-05-22 19:36:32.000000000 -0400
41461 @@ -1018,7 +1018,7 @@ imx_verify_port(struct uart_port *port,
41462 return ret;
41463 }
41464
41465 -static struct uart_ops imx_pops = {
41466 +static const struct uart_ops imx_pops = {
41467 .tx_empty = imx_tx_empty,
41468 .set_mctrl = imx_set_mctrl,
41469 .get_mctrl = imx_get_mctrl,
41470 diff -urNp linux-2.6.39.3/drivers/tty/serial/ioc3_serial.c linux-2.6.39.3/drivers/tty/serial/ioc3_serial.c
41471 --- linux-2.6.39.3/drivers/tty/serial/ioc3_serial.c 2011-05-19 00:06:34.000000000 -0400
41472 +++ linux-2.6.39.3/drivers/tty/serial/ioc3_serial.c 2011-05-22 19:36:32.000000000 -0400
41473 @@ -1874,7 +1874,7 @@ static int ic3_request_port(struct uart_
41474 }
41475
41476 /* Associate the uart functions above - given to serial core */
41477 -static struct uart_ops ioc3_ops = {
41478 +static const struct uart_ops ioc3_ops = {
41479 .tx_empty = ic3_tx_empty,
41480 .set_mctrl = ic3_set_mctrl,
41481 .get_mctrl = ic3_get_mctrl,
41482 diff -urNp linux-2.6.39.3/drivers/tty/serial/ioc4_serial.c linux-2.6.39.3/drivers/tty/serial/ioc4_serial.c
41483 --- linux-2.6.39.3/drivers/tty/serial/ioc4_serial.c 2011-05-19 00:06:34.000000000 -0400
41484 +++ linux-2.6.39.3/drivers/tty/serial/ioc4_serial.c 2011-05-22 19:36:32.000000000 -0400
41485 @@ -2593,7 +2593,7 @@ static int ic4_request_port(struct uart_
41486
41487 /* Associate the uart functions above - given to serial core */
41488
41489 -static struct uart_ops ioc4_ops = {
41490 +static const struct uart_ops ioc4_ops = {
41491 .tx_empty = ic4_tx_empty,
41492 .set_mctrl = ic4_set_mctrl,
41493 .get_mctrl = ic4_get_mctrl,
41494 diff -urNp linux-2.6.39.3/drivers/tty/serial/ip22zilog.c linux-2.6.39.3/drivers/tty/serial/ip22zilog.c
41495 --- linux-2.6.39.3/drivers/tty/serial/ip22zilog.c 2011-05-19 00:06:34.000000000 -0400
41496 +++ linux-2.6.39.3/drivers/tty/serial/ip22zilog.c 2011-05-22 19:36:32.000000000 -0400
41497 @@ -928,7 +928,7 @@ static int ip22zilog_verify_port(struct
41498 return -EINVAL;
41499 }
41500
41501 -static struct uart_ops ip22zilog_pops = {
41502 +static const struct uart_ops ip22zilog_pops = {
41503 .tx_empty = ip22zilog_tx_empty,
41504 .set_mctrl = ip22zilog_set_mctrl,
41505 .get_mctrl = ip22zilog_get_mctrl,
41506 diff -urNp linux-2.6.39.3/drivers/tty/serial/kgdboc.c linux-2.6.39.3/drivers/tty/serial/kgdboc.c
41507 --- linux-2.6.39.3/drivers/tty/serial/kgdboc.c 2011-05-19 00:06:34.000000000 -0400
41508 +++ linux-2.6.39.3/drivers/tty/serial/kgdboc.c 2011-05-22 19:36:32.000000000 -0400
41509 @@ -22,7 +22,7 @@
41510
41511 #define MAX_CONFIG_LEN 40
41512
41513 -static struct kgdb_io kgdboc_io_ops;
41514 +static struct kgdb_io kgdboc_io_ops; /* cannot be const, see configure_kgdboc() */
41515
41516 /* -1 = init not run yet, 0 = unconfigured, 1 = configured. */
41517 static int configured = -1;
41518 @@ -293,7 +293,7 @@ static void kgdboc_post_exp_handler(void
41519 kgdboc_restore_input();
41520 }
41521
41522 -static struct kgdb_io kgdboc_io_ops = {
41523 +static struct kgdb_io kgdboc_io_ops = { /* cannot be const, see configure_kgdboc() */
41524 .name = "kgdboc",
41525 .read_char = kgdboc_get_char,
41526 .write_char = kgdboc_put_char,
41527 diff -urNp linux-2.6.39.3/drivers/tty/serial/m32r_sio.c linux-2.6.39.3/drivers/tty/serial/m32r_sio.c
41528 --- linux-2.6.39.3/drivers/tty/serial/m32r_sio.c 2011-05-19 00:06:34.000000000 -0400
41529 +++ linux-2.6.39.3/drivers/tty/serial/m32r_sio.c 2011-05-22 19:36:32.000000000 -0400
41530 @@ -939,7 +939,7 @@ m32r_sio_type(struct uart_port *port)
41531 return uart_config[type].name;
41532 }
41533
41534 -static struct uart_ops m32r_sio_pops = {
41535 +static const struct uart_ops m32r_sio_pops = {
41536 .tx_empty = m32r_sio_tx_empty,
41537 .set_mctrl = m32r_sio_set_mctrl,
41538 .get_mctrl = m32r_sio_get_mctrl,
41539 diff -urNp linux-2.6.39.3/drivers/tty/serial/max3100.c linux-2.6.39.3/drivers/tty/serial/max3100.c
41540 --- linux-2.6.39.3/drivers/tty/serial/max3100.c 2011-05-19 00:06:34.000000000 -0400
41541 +++ linux-2.6.39.3/drivers/tty/serial/max3100.c 2011-05-22 19:36:32.000000000 -0400
41542 @@ -710,7 +710,7 @@ static void max3100_break_ctl(struct uar
41543 dev_dbg(&s->spi->dev, "%s\n", __func__);
41544 }
41545
41546 -static struct uart_ops max3100_ops = {
41547 +static const struct uart_ops max3100_ops = {
41548 .tx_empty = max3100_tx_empty,
41549 .set_mctrl = max3100_set_mctrl,
41550 .get_mctrl = max3100_get_mctrl,
41551 diff -urNp linux-2.6.39.3/drivers/tty/serial/max3107.c linux-2.6.39.3/drivers/tty/serial/max3107.c
41552 --- linux-2.6.39.3/drivers/tty/serial/max3107.c 2011-05-19 00:06:34.000000000 -0400
41553 +++ linux-2.6.39.3/drivers/tty/serial/max3107.c 2011-05-22 19:36:32.000000000 -0400
41554 @@ -910,7 +910,7 @@ static void max3107_break_ctl(struct uar
41555
41556
41557 /* Port functions */
41558 -static struct uart_ops max3107_ops = {
41559 +static const struct uart_ops max3107_ops = {
41560 .tx_empty = max3107_tx_empty,
41561 .set_mctrl = max3107_set_mctrl,
41562 .get_mctrl = max3107_get_mctrl,
41563 diff -urNp linux-2.6.39.3/drivers/tty/serial/mfd.c linux-2.6.39.3/drivers/tty/serial/mfd.c
41564 --- linux-2.6.39.3/drivers/tty/serial/mfd.c 2011-05-19 00:06:34.000000000 -0400
41565 +++ linux-2.6.39.3/drivers/tty/serial/mfd.c 2011-05-22 19:36:32.000000000 -0400
41566 @@ -1178,7 +1178,7 @@ static struct console serial_hsu_console
41567 };
41568 #endif
41569
41570 -struct uart_ops serial_hsu_pops = {
41571 +const struct uart_ops serial_hsu_pops = {
41572 .tx_empty = serial_hsu_tx_empty,
41573 .set_mctrl = serial_hsu_set_mctrl,
41574 .get_mctrl = serial_hsu_get_mctrl,
41575 diff -urNp linux-2.6.39.3/drivers/tty/serial/mpc52xx_uart.c linux-2.6.39.3/drivers/tty/serial/mpc52xx_uart.c
41576 --- linux-2.6.39.3/drivers/tty/serial/mpc52xx_uart.c 2011-05-19 00:06:34.000000000 -0400
41577 +++ linux-2.6.39.3/drivers/tty/serial/mpc52xx_uart.c 2011-05-22 19:36:32.000000000 -0400
41578 @@ -283,7 +283,7 @@ static irqreturn_t mpc52xx_psc_handle_ir
41579 return mpc5xxx_uart_process_int(port);
41580 }
41581
41582 -static struct psc_ops mpc52xx_psc_ops = {
41583 +static const struct psc_ops mpc52xx_psc_ops = {
41584 .fifo_init = mpc52xx_psc_fifo_init,
41585 .raw_rx_rdy = mpc52xx_psc_raw_rx_rdy,
41586 .raw_tx_rdy = mpc52xx_psc_raw_tx_rdy,
41587 @@ -304,7 +304,7 @@ static struct psc_ops mpc52xx_psc_ops =
41588 .handle_irq = mpc52xx_psc_handle_irq,
41589 };
41590
41591 -static struct psc_ops mpc5200b_psc_ops = {
41592 +static const struct psc_ops mpc5200b_psc_ops = {
41593 .fifo_init = mpc52xx_psc_fifo_init,
41594 .raw_rx_rdy = mpc52xx_psc_raw_rx_rdy,
41595 .raw_tx_rdy = mpc52xx_psc_raw_tx_rdy,
41596 @@ -571,7 +571,7 @@ static void mpc512x_psc_get_irq(struct u
41597 port->irq = psc_fifoc_irq;
41598 }
41599
41600 -static struct psc_ops mpc512x_psc_ops = {
41601 +static const struct psc_ops mpc512x_psc_ops = {
41602 .fifo_init = mpc512x_psc_fifo_init,
41603 .raw_rx_rdy = mpc512x_psc_raw_rx_rdy,
41604 .raw_tx_rdy = mpc512x_psc_raw_tx_rdy,
41605 @@ -596,7 +596,7 @@ static struct psc_ops mpc512x_psc_ops =
41606 };
41607 #endif
41608
41609 -static struct psc_ops *psc_ops;
41610 +static const struct psc_ops *psc_ops;
41611
41612 /* ======================================================================== */
41613 /* UART operations */
41614 @@ -905,7 +905,7 @@ mpc52xx_uart_verify_port(struct uart_por
41615 }
41616
41617
41618 -static struct uart_ops mpc52xx_uart_ops = {
41619 +static const struct uart_ops mpc52xx_uart_ops = {
41620 .tx_empty = mpc52xx_uart_tx_empty,
41621 .set_mctrl = mpc52xx_uart_set_mctrl,
41622 .get_mctrl = mpc52xx_uart_get_mctrl,
41623 diff -urNp linux-2.6.39.3/drivers/tty/serial/mpsc.c linux-2.6.39.3/drivers/tty/serial/mpsc.c
41624 --- linux-2.6.39.3/drivers/tty/serial/mpsc.c 2011-05-19 00:06:34.000000000 -0400
41625 +++ linux-2.6.39.3/drivers/tty/serial/mpsc.c 2011-05-22 19:36:32.000000000 -0400
41626 @@ -1663,7 +1663,7 @@ static void mpsc_put_poll_char(struct ua
41627 }
41628 #endif
41629
41630 -static struct uart_ops mpsc_pops = {
41631 +static const struct uart_ops mpsc_pops = {
41632 .tx_empty = mpsc_tx_empty,
41633 .set_mctrl = mpsc_set_mctrl,
41634 .get_mctrl = mpsc_get_mctrl,
41635 diff -urNp linux-2.6.39.3/drivers/tty/serial/mrst_max3110.c linux-2.6.39.3/drivers/tty/serial/mrst_max3110.c
41636 --- linux-2.6.39.3/drivers/tty/serial/mrst_max3110.c 2011-05-19 00:06:34.000000000 -0400
41637 +++ linux-2.6.39.3/drivers/tty/serial/mrst_max3110.c 2011-05-22 19:36:32.000000000 -0400
41638 @@ -393,6 +393,8 @@ static void max3110_con_receive(struct u
41639 int loop = 1, num, total = 0;
41640 u8 recv_buf[512], *pbuf;
41641
41642 + pax_track_stack();
41643 +
41644 pbuf = recv_buf;
41645 do {
41646 num = max3110_read_multi(max, pbuf);
41647 @@ -726,7 +728,7 @@ static void serial_m3110_enable_ms(struc
41648 {
41649 }
41650
41651 -struct uart_ops serial_m3110_ops = {
41652 +const struct uart_ops serial_m3110_ops = {
41653 .tx_empty = serial_m3110_tx_empty,
41654 .set_mctrl = serial_m3110_set_mctrl,
41655 .get_mctrl = serial_m3110_get_mctrl,
41656 diff -urNp linux-2.6.39.3/drivers/tty/serial/msm_serial.c linux-2.6.39.3/drivers/tty/serial/msm_serial.c
41657 --- linux-2.6.39.3/drivers/tty/serial/msm_serial.c 2011-05-19 00:06:34.000000000 -0400
41658 +++ linux-2.6.39.3/drivers/tty/serial/msm_serial.c 2011-05-22 19:36:32.000000000 -0400
41659 @@ -702,7 +702,7 @@ static void msm_power(struct uart_port *
41660 }
41661 }
41662
41663 -static struct uart_ops msm_uart_pops = {
41664 +static const struct uart_ops msm_uart_pops = {
41665 .tx_empty = msm_tx_empty,
41666 .set_mctrl = msm_set_mctrl,
41667 .get_mctrl = msm_get_mctrl,
41668 diff -urNp linux-2.6.39.3/drivers/tty/serial/msm_serial_hs.c linux-2.6.39.3/drivers/tty/serial/msm_serial_hs.c
41669 --- linux-2.6.39.3/drivers/tty/serial/msm_serial_hs.c 2011-05-19 00:06:34.000000000 -0400
41670 +++ linux-2.6.39.3/drivers/tty/serial/msm_serial_hs.c 2011-05-22 19:36:32.000000000 -0400
41671 @@ -360,7 +360,7 @@ struct msm_hs_port {
41672 static struct msm_hs_port q_uart_port[UARTDM_NR];
41673 static struct platform_driver msm_serial_hs_platform_driver;
41674 static struct uart_driver msm_hs_driver;
41675 -static struct uart_ops msm_hs_ops;
41676 +static const struct uart_ops msm_hs_ops;
41677 static struct workqueue_struct *msm_hs_workqueue;
41678
41679 #define UARTDM_TO_MSM(uart_port) \
41680 @@ -1856,7 +1856,7 @@ static struct uart_driver msm_hs_driver
41681 .cons = 0,
41682 };
41683
41684 -static struct uart_ops msm_hs_ops = {
41685 +static const struct uart_ops msm_hs_ops = {
41686 .tx_empty = msm_hs_tx_empty,
41687 .set_mctrl = msm_hs_set_mctrl_locked,
41688 .get_mctrl = msm_hs_get_mctrl_locked,
41689 diff -urNp linux-2.6.39.3/drivers/tty/serial/mux.c linux-2.6.39.3/drivers/tty/serial/mux.c
41690 --- linux-2.6.39.3/drivers/tty/serial/mux.c 2011-05-19 00:06:34.000000000 -0400
41691 +++ linux-2.6.39.3/drivers/tty/serial/mux.c 2011-05-22 19:36:32.000000000 -0400
41692 @@ -442,7 +442,7 @@ static struct console mux_console = {
41693 #define MUX_CONSOLE NULL
41694 #endif
41695
41696 -static struct uart_ops mux_pops = {
41697 +static const struct uart_ops mux_pops = {
41698 .tx_empty = mux_tx_empty,
41699 .set_mctrl = mux_set_mctrl,
41700 .get_mctrl = mux_get_mctrl,
41701 diff -urNp linux-2.6.39.3/drivers/tty/serial/mxs-auart.c linux-2.6.39.3/drivers/tty/serial/mxs-auart.c
41702 --- linux-2.6.39.3/drivers/tty/serial/mxs-auart.c 2011-05-19 00:06:34.000000000 -0400
41703 +++ linux-2.6.39.3/drivers/tty/serial/mxs-auart.c 2011-05-22 19:36:32.000000000 -0400
41704 @@ -499,7 +499,7 @@ static void mxs_auart_enable_ms(struct u
41705 /* just empty */
41706 }
41707
41708 -static struct uart_ops mxs_auart_ops = {
41709 +static const struct uart_ops mxs_auart_ops = {
41710 .tx_empty = mxs_auart_tx_empty,
41711 .start_tx = mxs_auart_start_tx,
41712 .stop_tx = mxs_auart_stop_tx,
41713 diff -urNp linux-2.6.39.3/drivers/tty/serial/netx-serial.c linux-2.6.39.3/drivers/tty/serial/netx-serial.c
41714 --- linux-2.6.39.3/drivers/tty/serial/netx-serial.c 2011-05-19 00:06:34.000000000 -0400
41715 +++ linux-2.6.39.3/drivers/tty/serial/netx-serial.c 2011-05-22 19:36:32.000000000 -0400
41716 @@ -464,7 +464,7 @@ netx_verify_port(struct uart_port *port,
41717 return ret;
41718 }
41719
41720 -static struct uart_ops netx_pops = {
41721 +static const struct uart_ops netx_pops = {
41722 .tx_empty = netx_tx_empty,
41723 .set_mctrl = netx_set_mctrl,
41724 .get_mctrl = netx_get_mctrl,
41725 diff -urNp linux-2.6.39.3/drivers/tty/serial/nwpserial.c linux-2.6.39.3/drivers/tty/serial/nwpserial.c
41726 --- linux-2.6.39.3/drivers/tty/serial/nwpserial.c 2011-05-19 00:06:34.000000000 -0400
41727 +++ linux-2.6.39.3/drivers/tty/serial/nwpserial.c 2011-05-22 19:36:32.000000000 -0400
41728 @@ -303,7 +303,7 @@ static unsigned int nwpserial_tx_empty(s
41729 return ret & UART_LSR_TEMT ? TIOCSER_TEMT : 0;
41730 }
41731
41732 -static struct uart_ops nwpserial_pops = {
41733 +static const struct uart_ops nwpserial_pops = {
41734 .tx_empty = nwpserial_tx_empty,
41735 .set_mctrl = nwpserial_set_mctrl,
41736 .get_mctrl = nwpserial_get_mctrl,
41737 diff -urNp linux-2.6.39.3/drivers/tty/serial/omap-serial.c linux-2.6.39.3/drivers/tty/serial/omap-serial.c
41738 --- linux-2.6.39.3/drivers/tty/serial/omap-serial.c 2011-05-19 00:06:34.000000000 -0400
41739 +++ linux-2.6.39.3/drivers/tty/serial/omap-serial.c 2011-05-22 19:36:32.000000000 -0400
41740 @@ -1029,7 +1029,7 @@ static inline void serial_omap_add_conso
41741
41742 #endif
41743
41744 -static struct uart_ops serial_omap_pops = {
41745 +static const struct uart_ops serial_omap_pops = {
41746 .tx_empty = serial_omap_tx_empty,
41747 .set_mctrl = serial_omap_set_mctrl,
41748 .get_mctrl = serial_omap_get_mctrl,
41749 diff -urNp linux-2.6.39.3/drivers/tty/serial/pch_uart.c linux-2.6.39.3/drivers/tty/serial/pch_uart.c
41750 --- linux-2.6.39.3/drivers/tty/serial/pch_uart.c 2011-07-09 09:18:51.000000000 -0400
41751 +++ linux-2.6.39.3/drivers/tty/serial/pch_uart.c 2011-07-09 09:19:18.000000000 -0400
41752 @@ -1351,7 +1351,7 @@ static int pch_uart_verify_port(struct u
41753 return 0;
41754 }
41755
41756 -static struct uart_ops pch_uart_ops = {
41757 +static const struct uart_ops pch_uart_ops = {
41758 .tx_empty = pch_uart_tx_empty,
41759 .set_mctrl = pch_uart_set_mctrl,
41760 .get_mctrl = pch_uart_get_mctrl,
41761 diff -urNp linux-2.6.39.3/drivers/tty/serial/pmac_zilog.c linux-2.6.39.3/drivers/tty/serial/pmac_zilog.c
41762 --- linux-2.6.39.3/drivers/tty/serial/pmac_zilog.c 2011-05-19 00:06:34.000000000 -0400
41763 +++ linux-2.6.39.3/drivers/tty/serial/pmac_zilog.c 2011-05-22 19:36:32.000000000 -0400
41764 @@ -1427,7 +1427,7 @@ static void pmz_poll_put_char(struct uar
41765
41766 #endif /* CONFIG_CONSOLE_POLL */
41767
41768 -static struct uart_ops pmz_pops = {
41769 +static const struct uart_ops pmz_pops = {
41770 .tx_empty = pmz_tx_empty,
41771 .set_mctrl = pmz_set_mctrl,
41772 .get_mctrl = pmz_get_mctrl,
41773 diff -urNp linux-2.6.39.3/drivers/tty/serial/pnx8xxx_uart.c linux-2.6.39.3/drivers/tty/serial/pnx8xxx_uart.c
41774 --- linux-2.6.39.3/drivers/tty/serial/pnx8xxx_uart.c 2011-05-19 00:06:34.000000000 -0400
41775 +++ linux-2.6.39.3/drivers/tty/serial/pnx8xxx_uart.c 2011-05-22 19:36:32.000000000 -0400
41776 @@ -614,7 +614,7 @@ pnx8xxx_verify_port(struct uart_port *po
41777 return ret;
41778 }
41779
41780 -static struct uart_ops pnx8xxx_pops = {
41781 +static const struct uart_ops pnx8xxx_pops = {
41782 .tx_empty = pnx8xxx_tx_empty,
41783 .set_mctrl = pnx8xxx_set_mctrl,
41784 .get_mctrl = pnx8xxx_get_mctrl,
41785 diff -urNp linux-2.6.39.3/drivers/tty/serial/pxa.c linux-2.6.39.3/drivers/tty/serial/pxa.c
41786 --- linux-2.6.39.3/drivers/tty/serial/pxa.c 2011-05-19 00:06:34.000000000 -0400
41787 +++ linux-2.6.39.3/drivers/tty/serial/pxa.c 2011-05-22 19:36:32.000000000 -0400
41788 @@ -706,7 +706,7 @@ static struct console serial_pxa_console
41789 #define PXA_CONSOLE NULL
41790 #endif
41791
41792 -struct uart_ops serial_pxa_pops = {
41793 +const struct uart_ops serial_pxa_pops = {
41794 .tx_empty = serial_pxa_tx_empty,
41795 .set_mctrl = serial_pxa_set_mctrl,
41796 .get_mctrl = serial_pxa_get_mctrl,
41797 diff -urNp linux-2.6.39.3/drivers/tty/serial/sa1100.c linux-2.6.39.3/drivers/tty/serial/sa1100.c
41798 --- linux-2.6.39.3/drivers/tty/serial/sa1100.c 2011-05-19 00:06:34.000000000 -0400
41799 +++ linux-2.6.39.3/drivers/tty/serial/sa1100.c 2011-05-22 19:36:32.000000000 -0400
41800 @@ -577,7 +577,7 @@ sa1100_verify_port(struct uart_port *por
41801 return ret;
41802 }
41803
41804 -static struct uart_ops sa1100_pops = {
41805 +static const struct uart_ops sa1100_pops = {
41806 .tx_empty = sa1100_tx_empty,
41807 .set_mctrl = sa1100_set_mctrl,
41808 .get_mctrl = sa1100_get_mctrl,
41809 diff -urNp linux-2.6.39.3/drivers/tty/serial/samsung.c linux-2.6.39.3/drivers/tty/serial/samsung.c
41810 --- linux-2.6.39.3/drivers/tty/serial/samsung.c 2011-05-19 00:06:34.000000000 -0400
41811 +++ linux-2.6.39.3/drivers/tty/serial/samsung.c 2011-05-22 19:36:32.000000000 -0400
41812 @@ -860,7 +860,7 @@ static struct console s3c24xx_serial_con
41813 #define S3C24XX_SERIAL_CONSOLE NULL
41814 #endif
41815
41816 -static struct uart_ops s3c24xx_serial_ops = {
41817 +static const struct uart_ops s3c24xx_serial_ops = {
41818 .pm = s3c24xx_serial_pm,
41819 .tx_empty = s3c24xx_serial_tx_empty,
41820 .get_mctrl = s3c24xx_serial_get_mctrl,
41821 diff -urNp linux-2.6.39.3/drivers/tty/serial/sc26xx.c linux-2.6.39.3/drivers/tty/serial/sc26xx.c
41822 --- linux-2.6.39.3/drivers/tty/serial/sc26xx.c 2011-05-19 00:06:34.000000000 -0400
41823 +++ linux-2.6.39.3/drivers/tty/serial/sc26xx.c 2011-05-22 19:36:32.000000000 -0400
41824 @@ -515,7 +515,7 @@ static int sc26xx_verify_port(struct uar
41825 return -EINVAL;
41826 }
41827
41828 -static struct uart_ops sc26xx_ops = {
41829 +static const struct uart_ops sc26xx_ops = {
41830 .tx_empty = sc26xx_tx_empty,
41831 .set_mctrl = sc26xx_set_mctrl,
41832 .get_mctrl = sc26xx_get_mctrl,
41833 diff -urNp linux-2.6.39.3/drivers/tty/serial/serial_ks8695.c linux-2.6.39.3/drivers/tty/serial/serial_ks8695.c
41834 --- linux-2.6.39.3/drivers/tty/serial/serial_ks8695.c 2011-05-19 00:06:34.000000000 -0400
41835 +++ linux-2.6.39.3/drivers/tty/serial/serial_ks8695.c 2011-05-22 19:36:32.000000000 -0400
41836 @@ -528,7 +528,7 @@ static int ks8695uart_verify_port(struct
41837 return ret;
41838 }
41839
41840 -static struct uart_ops ks8695uart_pops = {
41841 +static const struct uart_ops ks8695uart_pops = {
41842 .tx_empty = ks8695uart_tx_empty,
41843 .set_mctrl = ks8695uart_set_mctrl,
41844 .get_mctrl = ks8695uart_get_mctrl,
41845 diff -urNp linux-2.6.39.3/drivers/tty/serial/serial_txx9.c linux-2.6.39.3/drivers/tty/serial/serial_txx9.c
41846 --- linux-2.6.39.3/drivers/tty/serial/serial_txx9.c 2011-05-19 00:06:34.000000000 -0400
41847 +++ linux-2.6.39.3/drivers/tty/serial/serial_txx9.c 2011-05-22 19:36:32.000000000 -0400
41848 @@ -857,7 +857,7 @@ serial_txx9_type(struct uart_port *port)
41849 return "txx9";
41850 }
41851
41852 -static struct uart_ops serial_txx9_pops = {
41853 +static const struct uart_ops serial_txx9_pops = {
41854 .tx_empty = serial_txx9_tx_empty,
41855 .set_mctrl = serial_txx9_set_mctrl,
41856 .get_mctrl = serial_txx9_get_mctrl,
41857 diff -urNp linux-2.6.39.3/drivers/tty/serial/sn_console.c linux-2.6.39.3/drivers/tty/serial/sn_console.c
41858 --- linux-2.6.39.3/drivers/tty/serial/sn_console.c 2011-05-19 00:06:34.000000000 -0400
41859 +++ linux-2.6.39.3/drivers/tty/serial/sn_console.c 2011-05-22 19:36:32.000000000 -0400
41860 @@ -388,7 +388,7 @@ static void snp_config_port(struct uart_
41861
41862 /* Associate the uart functions above - given to serial core */
41863
41864 -static struct uart_ops sn_console_ops = {
41865 +static const struct uart_ops sn_console_ops = {
41866 .tx_empty = snp_tx_empty,
41867 .set_mctrl = snp_set_mctrl,
41868 .get_mctrl = snp_get_mctrl,
41869 diff -urNp linux-2.6.39.3/drivers/tty/serial/sunhv.c linux-2.6.39.3/drivers/tty/serial/sunhv.c
41870 --- linux-2.6.39.3/drivers/tty/serial/sunhv.c 2011-05-19 00:06:34.000000000 -0400
41871 +++ linux-2.6.39.3/drivers/tty/serial/sunhv.c 2011-05-22 19:36:32.000000000 -0400
41872 @@ -168,12 +168,12 @@ struct sunhv_ops {
41873 int (*receive_chars)(struct uart_port *port, struct tty_struct *tty);
41874 };
41875
41876 -static struct sunhv_ops bychar_ops = {
41877 +static const struct sunhv_ops bychar_ops = {
41878 .transmit_chars = transmit_chars_putchar,
41879 .receive_chars = receive_chars_getchar,
41880 };
41881
41882 -static struct sunhv_ops bywrite_ops = {
41883 +static const struct sunhv_ops bywrite_ops = {
41884 .transmit_chars = transmit_chars_write,
41885 .receive_chars = receive_chars_read,
41886 };
41887 @@ -370,7 +370,7 @@ static int sunhv_verify_port(struct uart
41888 return -EINVAL;
41889 }
41890
41891 -static struct uart_ops sunhv_pops = {
41892 +static const struct uart_ops sunhv_pops = {
41893 .tx_empty = sunhv_tx_empty,
41894 .set_mctrl = sunhv_set_mctrl,
41895 .get_mctrl = sunhv_get_mctrl,
41896 diff -urNp linux-2.6.39.3/drivers/tty/serial/sunsab.c linux-2.6.39.3/drivers/tty/serial/sunsab.c
41897 --- linux-2.6.39.3/drivers/tty/serial/sunsab.c 2011-05-19 00:06:34.000000000 -0400
41898 +++ linux-2.6.39.3/drivers/tty/serial/sunsab.c 2011-05-22 19:36:32.000000000 -0400
41899 @@ -804,7 +804,7 @@ static int sunsab_verify_port(struct uar
41900 return -EINVAL;
41901 }
41902
41903 -static struct uart_ops sunsab_pops = {
41904 +static const struct uart_ops sunsab_pops = {
41905 .tx_empty = sunsab_tx_empty,
41906 .set_mctrl = sunsab_set_mctrl,
41907 .get_mctrl = sunsab_get_mctrl,
41908 diff -urNp linux-2.6.39.3/drivers/tty/serial/sunsu.c linux-2.6.39.3/drivers/tty/serial/sunsu.c
41909 --- linux-2.6.39.3/drivers/tty/serial/sunsu.c 2011-05-19 00:06:34.000000000 -0400
41910 +++ linux-2.6.39.3/drivers/tty/serial/sunsu.c 2011-05-22 19:36:32.000000000 -0400
41911 @@ -946,7 +946,7 @@ sunsu_type(struct uart_port *port)
41912 return uart_config[type].name;
41913 }
41914
41915 -static struct uart_ops sunsu_pops = {
41916 +static const struct uart_ops sunsu_pops = {
41917 .tx_empty = sunsu_tx_empty,
41918 .set_mctrl = sunsu_set_mctrl,
41919 .get_mctrl = sunsu_get_mctrl,
41920 diff -urNp linux-2.6.39.3/drivers/tty/serial/sunzilog.c linux-2.6.39.3/drivers/tty/serial/sunzilog.c
41921 --- linux-2.6.39.3/drivers/tty/serial/sunzilog.c 2011-05-19 00:06:34.000000000 -0400
41922 +++ linux-2.6.39.3/drivers/tty/serial/sunzilog.c 2011-05-22 19:36:32.000000000 -0400
41923 @@ -1042,7 +1042,7 @@ static void sunzilog_put_poll_char(struc
41924 }
41925 #endif /* CONFIG_CONSOLE_POLL */
41926
41927 -static struct uart_ops sunzilog_pops = {
41928 +static const struct uart_ops sunzilog_pops = {
41929 .tx_empty = sunzilog_tx_empty,
41930 .set_mctrl = sunzilog_set_mctrl,
41931 .get_mctrl = sunzilog_get_mctrl,
41932 diff -urNp linux-2.6.39.3/drivers/tty/serial/timbuart.c linux-2.6.39.3/drivers/tty/serial/timbuart.c
41933 --- linux-2.6.39.3/drivers/tty/serial/timbuart.c 2011-05-19 00:06:34.000000000 -0400
41934 +++ linux-2.6.39.3/drivers/tty/serial/timbuart.c 2011-05-22 19:36:32.000000000 -0400
41935 @@ -394,7 +394,7 @@ static int timbuart_verify_port(struct u
41936 return -EINVAL;
41937 }
41938
41939 -static struct uart_ops timbuart_ops = {
41940 +static const struct uart_ops timbuart_ops = {
41941 .tx_empty = timbuart_tx_empty,
41942 .set_mctrl = timbuart_set_mctrl,
41943 .get_mctrl = timbuart_get_mctrl,
41944 diff -urNp linux-2.6.39.3/drivers/tty/serial/uartlite.c linux-2.6.39.3/drivers/tty/serial/uartlite.c
41945 --- linux-2.6.39.3/drivers/tty/serial/uartlite.c 2011-05-19 00:06:34.000000000 -0400
41946 +++ linux-2.6.39.3/drivers/tty/serial/uartlite.c 2011-05-22 19:36:32.000000000 -0400
41947 @@ -331,7 +331,7 @@ static void ulite_put_poll_char(struct u
41948 }
41949 #endif
41950
41951 -static struct uart_ops ulite_ops = {
41952 +static const struct uart_ops ulite_ops = {
41953 .tx_empty = ulite_tx_empty,
41954 .set_mctrl = ulite_set_mctrl,
41955 .get_mctrl = ulite_get_mctrl,
41956 diff -urNp linux-2.6.39.3/drivers/tty/serial/ucc_uart.c linux-2.6.39.3/drivers/tty/serial/ucc_uart.c
41957 --- linux-2.6.39.3/drivers/tty/serial/ucc_uart.c 2011-05-19 00:06:34.000000000 -0400
41958 +++ linux-2.6.39.3/drivers/tty/serial/ucc_uart.c 2011-05-22 19:36:32.000000000 -0400
41959 @@ -1088,7 +1088,7 @@ static int qe_uart_verify_port(struct ua
41960 *
41961 * Details on these functions can be found in Documentation/serial/driver
41962 */
41963 -static struct uart_ops qe_uart_pops = {
41964 +static const struct uart_ops qe_uart_pops = {
41965 .tx_empty = qe_uart_tx_empty,
41966 .set_mctrl = qe_uart_set_mctrl,
41967 .get_mctrl = qe_uart_get_mctrl,
41968 diff -urNp linux-2.6.39.3/drivers/tty/serial/vr41xx_siu.c linux-2.6.39.3/drivers/tty/serial/vr41xx_siu.c
41969 --- linux-2.6.39.3/drivers/tty/serial/vr41xx_siu.c 2011-05-19 00:06:34.000000000 -0400
41970 +++ linux-2.6.39.3/drivers/tty/serial/vr41xx_siu.c 2011-05-22 19:36:32.000000000 -0400
41971 @@ -683,7 +683,7 @@ static int siu_verify_port(struct uart_p
41972 return 0;
41973 }
41974
41975 -static struct uart_ops siu_uart_ops = {
41976 +static const struct uart_ops siu_uart_ops = {
41977 .tx_empty = siu_tx_empty,
41978 .set_mctrl = siu_set_mctrl,
41979 .get_mctrl = siu_get_mctrl,
41980 diff -urNp linux-2.6.39.3/drivers/tty/serial/vt8500_serial.c linux-2.6.39.3/drivers/tty/serial/vt8500_serial.c
41981 --- linux-2.6.39.3/drivers/tty/serial/vt8500_serial.c 2011-05-19 00:06:34.000000000 -0400
41982 +++ linux-2.6.39.3/drivers/tty/serial/vt8500_serial.c 2011-05-22 19:36:32.000000000 -0400
41983 @@ -519,7 +519,7 @@ static struct console vt8500_console = {
41984 #define VT8500_CONSOLE NULL
41985 #endif
41986
41987 -static struct uart_ops vt8500_uart_pops = {
41988 +static const struct uart_ops vt8500_uart_pops = {
41989 .tx_empty = vt8500_tx_empty,
41990 .set_mctrl = vt8500_set_mctrl,
41991 .get_mctrl = vt8500_get_mctrl,
41992 diff -urNp linux-2.6.39.3/drivers/tty/serial/zs.c linux-2.6.39.3/drivers/tty/serial/zs.c
41993 --- linux-2.6.39.3/drivers/tty/serial/zs.c 2011-05-19 00:06:34.000000000 -0400
41994 +++ linux-2.6.39.3/drivers/tty/serial/zs.c 2011-05-22 19:36:32.000000000 -0400
41995 @@ -1044,7 +1044,7 @@ static int zs_verify_port(struct uart_po
41996 }
41997
41998
41999 -static struct uart_ops zs_ops = {
42000 +static const struct uart_ops zs_ops = {
42001 .tx_empty = zs_tx_empty,
42002 .set_mctrl = zs_set_mctrl,
42003 .get_mctrl = zs_get_mctrl,
42004 diff -urNp linux-2.6.39.3/drivers/tty/tty_io.c linux-2.6.39.3/drivers/tty/tty_io.c
42005 --- linux-2.6.39.3/drivers/tty/tty_io.c 2011-05-19 00:06:34.000000000 -0400
42006 +++ linux-2.6.39.3/drivers/tty/tty_io.c 2011-05-22 19:36:32.000000000 -0400
42007 @@ -139,21 +139,11 @@ EXPORT_SYMBOL(tty_mutex);
42008 /* Spinlock to protect the tty->tty_files list */
42009 DEFINE_SPINLOCK(tty_files_lock);
42010
42011 -static ssize_t tty_read(struct file *, char __user *, size_t, loff_t *);
42012 -static ssize_t tty_write(struct file *, const char __user *, size_t, loff_t *);
42013 ssize_t redirected_tty_write(struct file *, const char __user *,
42014 size_t, loff_t *);
42015 -static unsigned int tty_poll(struct file *, poll_table *);
42016 static int tty_open(struct inode *, struct file *);
42017 long tty_ioctl(struct file *file, unsigned int cmd, unsigned long arg);
42018 -#ifdef CONFIG_COMPAT
42019 -static long tty_compat_ioctl(struct file *file, unsigned int cmd,
42020 - unsigned long arg);
42021 -#else
42022 -#define tty_compat_ioctl NULL
42023 -#endif
42024 static int __tty_fasync(int fd, struct file *filp, int on);
42025 -static int tty_fasync(int fd, struct file *filp, int on);
42026 static void release_tty(struct tty_struct *tty, int idx);
42027 static void __proc_set_tty(struct task_struct *tsk, struct tty_struct *tty);
42028 static void proc_set_tty(struct task_struct *tsk, struct tty_struct *tty);
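Review bot: The forward declarations of tty_read, tty_write, tty_poll, tty_fasync and tty_compat_ioctl are removed here together with the `#define tty_compat_ioctl NULL` fallback, so this file now depends on prototypes and a !CONFIG_COMPAT fallback supplied elsewhere, presumably by a header changed in another part of the patch. That is not visible from this hunk and should be confirmed, because the definitions sit later in the file and any file_operations table naming tty_compat_ioctl would stop building without CONFIG_COMPAT. The later hunks in this file make these functions non-static and add `EXPORT_SYMBOL(...)` for each of them, plus tty_release and tty_ioctl, which opens the core tty entry points to every module. A short comment beside each export naming the intended in-tree user, e.g. `/* exported for <consumer>'s const file_operations */`, would keep that surface reviewable.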
42029 @@ -937,7 +927,7 @@ EXPORT_SYMBOL(start_tty);
42030 * read calls may be outstanding in parallel.
42031 */
42032
42033 -static ssize_t tty_read(struct file *file, char __user *buf, size_t count,
42034 +ssize_t tty_read(struct file *file, char __user *buf, size_t count,
42035 loff_t *ppos)
42036 {
42037 int i;
42038 @@ -963,6 +953,8 @@ static ssize_t tty_read(struct file *fil
42039 return i;
42040 }
42041
42042 +EXPORT_SYMBOL(tty_read);
42043 +
42044 void tty_write_unlock(struct tty_struct *tty)
42045 {
42046 mutex_unlock(&tty->atomic_write_lock);
42047 @@ -1112,7 +1104,7 @@ void tty_write_message(struct tty_struct
42048 * write method will not be invoked in parallel for each device.
42049 */
42050
42051 -static ssize_t tty_write(struct file *file, const char __user *buf,
42052 +ssize_t tty_write(struct file *file, const char __user *buf,
42053 size_t count, loff_t *ppos)
42054 {
42055 struct inode *inode = file->f_path.dentry->d_inode;
42056 @@ -1138,6 +1130,8 @@ static ssize_t tty_write(struct file *fi
42057 return ret;
42058 }
42059
42060 +EXPORT_SYMBOL(tty_write);
42061 +
42062 ssize_t redirected_tty_write(struct file *file, const char __user *buf,
42063 size_t count, loff_t *ppos)
42064 {
42065 @@ -1777,6 +1771,8 @@ int tty_release(struct inode *inode, str
42066 return 0;
42067 }
42068
42069 +EXPORT_SYMBOL(tty_release);
42070 +
42071 /**
42072 * tty_open - open a tty device
42073 * @inode: inode of device file
42074 @@ -1968,7 +1964,7 @@ got_driver:
42075 * may be re-entered freely by other callers.
42076 */
42077
42078 -static unsigned int tty_poll(struct file *filp, poll_table *wait)
42079 +unsigned int tty_poll(struct file *filp, poll_table *wait)
42080 {
42081 struct tty_struct *tty = file_tty(filp);
42082 struct tty_ldisc *ld;
42083 @@ -1984,6 +1980,8 @@ static unsigned int tty_poll(struct file
42084 return ret;
42085 }
42086
42087 +EXPORT_SYMBOL(tty_poll);
42088 +
42089 static int __tty_fasync(int fd, struct file *filp, int on)
42090 {
42091 struct tty_struct *tty = file_tty(filp);
42092 @@ -2025,7 +2023,7 @@ out:
42093 return retval;
42094 }
42095
42096 -static int tty_fasync(int fd, struct file *filp, int on)
42097 +int tty_fasync(int fd, struct file *filp, int on)
42098 {
42099 int retval;
42100 tty_lock();
42101 @@ -2034,6 +2032,8 @@ static int tty_fasync(int fd, struct fil
42102 return retval;
42103 }
42104
42105 +EXPORT_SYMBOL(tty_fasync);
42106 +
42107 /**
42108 * tiocsti - fake input character
42109 * @tty: tty to fake input into
42110 @@ -2695,8 +2695,10 @@ long tty_ioctl(struct file *file, unsign
42111 return retval;
42112 }
42113
42114 +EXPORT_SYMBOL(tty_ioctl);
42115 +
42116 #ifdef CONFIG_COMPAT
42117 -static long tty_compat_ioctl(struct file *file, unsigned int cmd,
42118 +long tty_compat_ioctl(struct file *file, unsigned int cmd,
42119 unsigned long arg)
42120 {
42121 struct inode *inode = file->f_dentry->d_inode;
42122 @@ -2720,6 +2722,9 @@ static long tty_compat_ioctl(struct file
42123
42124 return retval;
42125 }
42126 +
42127 +EXPORT_SYMBOL(tty_compat_ioctl);
42128 +
42129 #endif
42130
42131 /*
42132 @@ -3198,11 +3203,6 @@ struct tty_struct *get_current_tty(void)
42133 }
42134 EXPORT_SYMBOL_GPL(get_current_tty);
42135
42136 -void tty_default_fops(struct file_operations *fops)
42137 -{
42138 - *fops = tty_fops;
42139 -}
42140 -
42141 /*
42142 * Initialize the console device. This is called *early*, so
42143 * we can't necessarily depend on lots of kernel help here.
42144 diff -urNp linux-2.6.39.3/drivers/tty/tty_ldisc.c linux-2.6.39.3/drivers/tty/tty_ldisc.c
42145 --- linux-2.6.39.3/drivers/tty/tty_ldisc.c 2011-07-09 09:18:51.000000000 -0400
42146 +++ linux-2.6.39.3/drivers/tty/tty_ldisc.c 2011-07-09 09:19:18.000000000 -0400
42147 @@ -74,7 +74,7 @@ static void put_ldisc(struct tty_ldisc *
42148 if (atomic_dec_and_lock(&ld->users, &tty_ldisc_lock)) {
42149 struct tty_ldisc_ops *ldo = ld->ops;
42150
42151 - ldo->refcount--;
42152 + atomic_dec(&ldo->refcount);
42153 module_put(ldo->owner);
42154 spin_unlock_irqrestore(&tty_ldisc_lock, flags);
42155
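Review bot: The `atomic_dec(&ldo->refcount)` here, like `atomic_dec(&ldops->refcount)` in the put_ldops hunk, has no guard against the count going below zero, while tty_unregister_ldisc now treats any non-zero `atomic_read()` as busy, so an unbalanced put would leave the line discipline returning -EBUSY for good. Every access shown in these hunks already runs under tty_ldisc_lock, so the conversion does not look like a concurrency fix; if the intent is to bring this counter under reference-count overflow checking, a one-line comment should say so. The decrement could also report imbalance, e.g. `WARN_ON(atomic_dec_return(&ldo->refcount) < 0);`. The field's type change lives in a header outside this hunk, and put_ldisc's body continues past it.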
42156 @@ -109,7 +109,7 @@ int tty_register_ldisc(int disc, struct
42157 spin_lock_irqsave(&tty_ldisc_lock, flags);
42158 tty_ldiscs[disc] = new_ldisc;
42159 new_ldisc->num = disc;
42160 - new_ldisc->refcount = 0;
42161 + atomic_set(&new_ldisc->refcount, 0);
42162 spin_unlock_irqrestore(&tty_ldisc_lock, flags);
42163
42164 return ret;
42165 @@ -137,7 +137,7 @@ int tty_unregister_ldisc(int disc)
42166 return -EINVAL;
42167
42168 spin_lock_irqsave(&tty_ldisc_lock, flags);
42169 - if (tty_ldiscs[disc]->refcount)
42170 + if (atomic_read(&tty_ldiscs[disc]->refcount))
42171 ret = -EBUSY;
42172 else
42173 tty_ldiscs[disc] = NULL;
42174 @@ -158,7 +158,7 @@ static struct tty_ldisc_ops *get_ldops(i
42175 if (ldops) {
42176 ret = ERR_PTR(-EAGAIN);
42177 if (try_module_get(ldops->owner)) {
42178 - ldops->refcount++;
42179 + atomic_inc(&ldops->refcount);
42180 ret = ldops;
42181 }
42182 }
42183 @@ -171,7 +171,7 @@ static void put_ldops(struct tty_ldisc_o
42184 unsigned long flags;
42185
42186 spin_lock_irqsave(&tty_ldisc_lock, flags);
42187 - ldops->refcount--;
42188 + atomic_dec(&ldops->refcount);
42189 module_put(ldops->owner);
42190 spin_unlock_irqrestore(&tty_ldisc_lock, flags);
42191 }
42192 diff -urNp linux-2.6.39.3/drivers/tty/vt/keyboard.c linux-2.6.39.3/drivers/tty/vt/keyboard.c
42193 --- linux-2.6.39.3/drivers/tty/vt/keyboard.c 2011-05-19 00:06:34.000000000 -0400
42194 +++ linux-2.6.39.3/drivers/tty/vt/keyboard.c 2011-05-22 20:32:43.000000000 -0400
42195 @@ -658,6 +658,16 @@ static void k_spec(struct vc_data *vc, u
42196 kbd->kbdmode == VC_OFF) &&
42197 value != KVAL(K_SAK))
42198 return; /* SAK is allowed even in raw mode */
42199 +
42200 +#if defined(CONFIG_GRKERNSEC_PROC) || defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
42201 + {
42202 + void *func = fn_handler[value];
42203 + if (func == fn_show_state || func == fn_show_ptregs ||
42204 + func == fn_show_mem)
42205 + return;
42206 + }
42207 +#endif
42208 +
42209 fn_handler[value](vc);
42210 }
42211
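Review bot: The added block drops three handlers silently, with no comment giving the reason, and it stores the handler in a `void *` and compares that with function names, which relies on a compiler extension for function-pointer conversions. A comment such as `/* keep the console keyboard from dumping task state, registers or memory info when /proc restrictions are enabled */` would record the intent (inferred here from the config symbols and handler names). Declaring the local as `fn_handler_fn *func = fn_handler[value];` keeps the comparison typed. The index into fn_handler presumably relies on a range check on `value` earlier in k_spec, which starts outside this hunk.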
42212 diff -urNp linux-2.6.39.3/drivers/tty/vt/vt.c linux-2.6.39.3/drivers/tty/vt/vt.c
42213 --- linux-2.6.39.3/drivers/tty/vt/vt.c 2011-05-19 00:06:34.000000000 -0400
42214 +++ linux-2.6.39.3/drivers/tty/vt/vt.c 2011-05-22 19:36:32.000000000 -0400
42215 @@ -261,7 +261,7 @@ EXPORT_SYMBOL_GPL(unregister_vt_notifier
42216
42217 static void notify_write(struct vc_data *vc, unsigned int unicode)
42218 {
42219 - struct vt_notifier_param param = { .vc = vc, unicode = unicode };
42220 + struct vt_notifier_param param = { .vc = vc, .c = unicode };
42221 atomic_notifier_call_chain(&vt_notifier_list, VT_WRITE, &param);
42222 }
42223
42224 diff -urNp linux-2.6.39.3/drivers/tty/vt/vt_ioctl.c linux-2.6.39.3/drivers/tty/vt/vt_ioctl.c
42225 --- linux-2.6.39.3/drivers/tty/vt/vt_ioctl.c 2011-05-19 00:06:34.000000000 -0400
42226 +++ linux-2.6.39.3/drivers/tty/vt/vt_ioctl.c 2011-05-22 19:41:37.000000000 -0400
42227 @@ -209,9 +209,6 @@ do_kdsk_ioctl(int cmd, struct kbentry __
42228 if (copy_from_user(&tmp, user_kbe, sizeof(struct kbentry)))
42229 return -EFAULT;
42230
42231 - if (!capable(CAP_SYS_TTY_CONFIG))
42232 - perm = 0;
42233 -
42234 switch (cmd) {
42235 case KDGKBENT:
42236 key_map = key_maps[s];
42237 @@ -223,6 +220,9 @@ do_kdsk_ioctl(int cmd, struct kbentry __
42238 val = (i ? K_HOLE : K_NOSUCHMAP);
42239 return put_user(val, &user_kbe->kb_value);
42240 case KDSKBENT:
42241 + if (!capable(CAP_SYS_TTY_CONFIG))
42242 + perm = 0;
42243 +
42244 if (!perm)
42245 return -EPERM;
42246 if (!i && v == K_NOSUCHMAP) {
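Review bot: The relocated check still overwrites `perm` and then tests it on the next statement; folding it into the existing test as `if (!perm || !capable(CAP_SYS_TTY_CONFIG))` is shorter and also skips the capable() call when `perm` is already 0. The same applies to the KDSKBSENT case in the do_kdgkb_ioctl hunk. Neither hunk says why the check moved, so a comment such as `/* only the set command needs CAP_SYS_TTY_CONFIG; reads must not trigger a capability check */` would help the next reader. Both functions start and end outside these hunks, so a later use of `perm` inside the case cannot be ruled out from here and should be checked before folding.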
42247 @@ -324,9 +324,6 @@ do_kdgkb_ioctl(int cmd, struct kbsentry
42248 int i, j, k;
42249 int ret;
42250
42251 - if (!capable(CAP_SYS_TTY_CONFIG))
42252 - perm = 0;
42253 -
42254 kbs = kmalloc(sizeof(*kbs), GFP_KERNEL);
42255 if (!kbs) {
42256 ret = -ENOMEM;
42257 @@ -360,6 +357,9 @@ do_kdgkb_ioctl(int cmd, struct kbsentry
42258 kfree(kbs);
42259 return ((p && *p) ? -EOVERFLOW : 0);
42260 case KDSKBSENT:
42261 + if (!capable(CAP_SYS_TTY_CONFIG))
42262 + perm = 0;
42263 +
42264 if (!perm) {
42265 ret = -EPERM;
42266 goto reterr;
42267 diff -urNp linux-2.6.39.3/drivers/uio/uio.c linux-2.6.39.3/drivers/uio/uio.c
42268 --- linux-2.6.39.3/drivers/uio/uio.c 2011-05-19 00:06:34.000000000 -0400
42269 +++ linux-2.6.39.3/drivers/uio/uio.c 2011-05-22 19:36:32.000000000 -0400
42270 @@ -25,6 +25,7 @@
42271 #include <linux/kobject.h>
42272 #include <linux/cdev.h>
42273 #include <linux/uio_driver.h>
42274 +#include <asm/local.h>
42275
42276 #define UIO_MAX_DEVICES (1U << MINORBITS)
42277
42278 @@ -32,10 +33,10 @@ struct uio_device {
42279 struct module *owner;
42280 struct device *dev;
42281 int minor;
42282 - atomic_t event;
42283 + atomic_unchecked_t event;
42284 struct fasync_struct *async_queue;
42285 wait_queue_head_t wait;
42286 - int vma_count;
42287 + local_t vma_count;
42288 struct uio_info *info;
42289 struct kobject *map_dir;
42290 struct kobject *portio_dir;
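Review bot: `vma_count` becomes a `local_t`, whose operations are atomic only with respect to the CPU that runs them, yet the field sits in a per-device structure and is updated from uio_vma_open and uio_vma_close (the later hunk with `local_inc`/`local_dec`), which may execute on different CPUs. If a safe shared counter is the goal, `atomic_t vma_count;` with `atomic_inc`/`atomic_dec` is the better fit; if the goal is to keep it out of overflow checking, a comment should state that. The switch of `event` to `atomic_unchecked_t` looks right for a counter that is only compared for inequality and may wrap. A comment on the field, e.g. `/* event sequence number, wraparound is harmless */`, would record why it is exempt.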
42291 @@ -242,7 +243,7 @@ static ssize_t show_event(struct device
42292 struct device_attribute *attr, char *buf)
42293 {
42294 struct uio_device *idev = dev_get_drvdata(dev);
42295 - return sprintf(buf, "%u\n", (unsigned int)atomic_read(&idev->event));
42296 + return sprintf(buf, "%u\n", (unsigned int)atomic_read_unchecked(&idev->event));
42297 }
42298
42299 static struct device_attribute uio_class_attributes[] = {
42300 @@ -402,7 +403,7 @@ void uio_event_notify(struct uio_info *i
42301 {
42302 struct uio_device *idev = info->uio_dev;
42303
42304 - atomic_inc(&idev->event);
42305 + atomic_inc_unchecked(&idev->event);
42306 wake_up_interruptible(&idev->wait);
42307 kill_fasync(&idev->async_queue, SIGIO, POLL_IN);
42308 }
42309 @@ -455,7 +456,7 @@ static int uio_open(struct inode *inode,
42310 }
42311
42312 listener->dev = idev;
42313 - listener->event_count = atomic_read(&idev->event);
42314 + listener->event_count = atomic_read_unchecked(&idev->event);
42315 filep->private_data = listener;
42316
42317 if (idev->info->open) {
42318 @@ -506,7 +507,7 @@ static unsigned int uio_poll(struct file
42319 return -EIO;
42320
42321 poll_wait(filep, &idev->wait, wait);
42322 - if (listener->event_count != atomic_read(&idev->event))
42323 + if (listener->event_count != atomic_read_unchecked(&idev->event))
42324 return POLLIN | POLLRDNORM;
42325 return 0;
42326 }
42327 @@ -531,7 +532,7 @@ static ssize_t uio_read(struct file *fil
42328 do {
42329 set_current_state(TASK_INTERRUPTIBLE);
42330
42331 - event_count = atomic_read(&idev->event);
42332 + event_count = atomic_read_unchecked(&idev->event);
42333 if (event_count != listener->event_count) {
42334 if (copy_to_user(buf, &event_count, count))
42335 retval = -EFAULT;
42336 @@ -602,13 +603,13 @@ static int uio_find_mem_index(struct vm_
42337 static void uio_vma_open(struct vm_area_struct *vma)
42338 {
42339 struct uio_device *idev = vma->vm_private_data;
42340 - idev->vma_count++;
42341 + local_inc(&idev->vma_count);
42342 }
42343
42344 static void uio_vma_close(struct vm_area_struct *vma)
42345 {
42346 struct uio_device *idev = vma->vm_private_data;
42347 - idev->vma_count--;
42348 + local_dec(&idev->vma_count);
42349 }
42350
42351 static int uio_vma_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
42352 @@ -819,7 +820,7 @@ int __uio_register_device(struct module
42353 idev->owner = owner;
42354 idev->info = info;
42355 init_waitqueue_head(&idev->wait);
42356 - atomic_set(&idev->event, 0);
42357 + atomic_set_unchecked(&idev->event, 0);
42358
42359 ret = uio_get_minor(idev);
42360 if (ret)
42361 diff -urNp linux-2.6.39.3/drivers/usb/atm/cxacru.c linux-2.6.39.3/drivers/usb/atm/cxacru.c
42362 --- linux-2.6.39.3/drivers/usb/atm/cxacru.c 2011-05-19 00:06:34.000000000 -0400
42363 +++ linux-2.6.39.3/drivers/usb/atm/cxacru.c 2011-05-22 19:36:32.000000000 -0400
42364 @@ -473,7 +473,7 @@ static ssize_t cxacru_sysfs_store_adsl_c
42365 ret = sscanf(buf + pos, "%x=%x%n", &index, &value, &tmp);
42366 if (ret < 2)
42367 return -EINVAL;
42368 - if (index < 0 || index > 0x7f)
42369 + if (index > 0x7f)
42370 return -EINVAL;
42371 pos += tmp;
42372
42373 diff -urNp linux-2.6.39.3/drivers/usb/atm/usbatm.c linux-2.6.39.3/drivers/usb/atm/usbatm.c
42374 --- linux-2.6.39.3/drivers/usb/atm/usbatm.c 2011-05-19 00:06:34.000000000 -0400
42375 +++ linux-2.6.39.3/drivers/usb/atm/usbatm.c 2011-05-22 19:36:32.000000000 -0400
42376 @@ -332,7 +332,7 @@ static void usbatm_extract_one_cell(stru
42377 if (printk_ratelimit())
42378 atm_warn(instance, "%s: OAM not supported (vpi %d, vci %d)!\n",
42379 __func__, vpi, vci);
42380 - atomic_inc(&vcc->stats->rx_err);
42381 + atomic_inc_unchecked(&vcc->stats->rx_err);
42382 return;
42383 }
42384
42385 @@ -360,7 +360,7 @@ static void usbatm_extract_one_cell(stru
42386 if (length > ATM_MAX_AAL5_PDU) {
42387 atm_rldbg(instance, "%s: bogus length %u (vcc: 0x%p)!\n",
42388 __func__, length, vcc);
42389 - atomic_inc(&vcc->stats->rx_err);
42390 + atomic_inc_unchecked(&vcc->stats->rx_err);
42391 goto out;
42392 }
42393
42394 @@ -369,14 +369,14 @@ static void usbatm_extract_one_cell(stru
42395 if (sarb->len < pdu_length) {
42396 atm_rldbg(instance, "%s: bogus pdu_length %u (sarb->len: %u, vcc: 0x%p)!\n",
42397 __func__, pdu_length, sarb->len, vcc);
42398 - atomic_inc(&vcc->stats->rx_err);
42399 + atomic_inc_unchecked(&vcc->stats->rx_err);
42400 goto out;
42401 }
42402
42403 if (crc32_be(~0, skb_tail_pointer(sarb) - pdu_length, pdu_length) != 0xc704dd7b) {
42404 atm_rldbg(instance, "%s: packet failed crc check (vcc: 0x%p)!\n",
42405 __func__, vcc);
42406 - atomic_inc(&vcc->stats->rx_err);
42407 + atomic_inc_unchecked(&vcc->stats->rx_err);
42408 goto out;
42409 }
42410
42411 @@ -386,7 +386,7 @@ static void usbatm_extract_one_cell(stru
42412 if (printk_ratelimit())
42413 atm_err(instance, "%s: no memory for skb (length: %u)!\n",
42414 __func__, length);
42415 - atomic_inc(&vcc->stats->rx_drop);
42416 + atomic_inc_unchecked(&vcc->stats->rx_drop);
42417 goto out;
42418 }
42419
42420 @@ -411,7 +411,7 @@ static void usbatm_extract_one_cell(stru
42421
42422 vcc->push(vcc, skb);
42423
42424 - atomic_inc(&vcc->stats->rx);
42425 + atomic_inc_unchecked(&vcc->stats->rx);
42426 out:
42427 skb_trim(sarb, 0);
42428 }
42429 @@ -614,7 +614,7 @@ static void usbatm_tx_process(unsigned l
42430 struct atm_vcc *vcc = UDSL_SKB(skb)->atm.vcc;
42431
42432 usbatm_pop(vcc, skb);
42433 - atomic_inc(&vcc->stats->tx);
42434 + atomic_inc_unchecked(&vcc->stats->tx);
42435
42436 skb = skb_dequeue(&instance->sndqueue);
42437 }
42438 @@ -773,11 +773,11 @@ static int usbatm_atm_proc_read(struct a
42439 if (!left--)
42440 return sprintf(page,
42441 "AAL5: tx %d ( %d err ), rx %d ( %d err, %d drop )\n",
42442 - atomic_read(&atm_dev->stats.aal5.tx),
42443 - atomic_read(&atm_dev->stats.aal5.tx_err),
42444 - atomic_read(&atm_dev->stats.aal5.rx),
42445 - atomic_read(&atm_dev->stats.aal5.rx_err),
42446 - atomic_read(&atm_dev->stats.aal5.rx_drop));
42447 + atomic_read_unchecked(&atm_dev->stats.aal5.tx),
42448 + atomic_read_unchecked(&atm_dev->stats.aal5.tx_err),
42449 + atomic_read_unchecked(&atm_dev->stats.aal5.rx),
42450 + atomic_read_unchecked(&atm_dev->stats.aal5.rx_err),
42451 + atomic_read_unchecked(&atm_dev->stats.aal5.rx_drop));
42452
42453 if (!left--) {
42454 if (instance->disconnected)
42455 diff -urNp linux-2.6.39.3/drivers/usb/core/devices.c linux-2.6.39.3/drivers/usb/core/devices.c
42456 --- linux-2.6.39.3/drivers/usb/core/devices.c 2011-05-19 00:06:34.000000000 -0400
42457 +++ linux-2.6.39.3/drivers/usb/core/devices.c 2011-05-22 19:36:32.000000000 -0400
42458 @@ -126,7 +126,7 @@ static const char *format_endpt =
42459 * time it gets called.
42460 */
42461 static struct device_connect_event {
42462 - atomic_t count;
42463 + atomic_unchecked_t count;
42464 wait_queue_head_t wait;
42465 } device_event = {
42466 .count = ATOMIC_INIT(1),
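Review bot: Nothing at the declaration says why `count` may be an `atomic_unchecked_t`. From the other hunks in this file the counter is only advanced by `atomic_add_unchecked(2, ...)` and compared for inequality with `file->f_version` in usb_device_poll(), so a wrap looks harmless, but that reasoning belongs next to the type that opts out of overflow checking. Suggested comment on the field: `/* event sequence number, not a refcount; wraparound is harmless */`.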
42467 @@ -164,7 +164,7 @@ static const struct class_info clas_info
42468
42469 void usbfs_conn_disc_event(void)
42470 {
42471 - atomic_add(2, &device_event.count);
42472 + atomic_add_unchecked(2, &device_event.count);
42473 wake_up(&device_event.wait);
42474 }
42475
42476 @@ -648,7 +648,7 @@ static unsigned int usb_device_poll(stru
42477
42478 poll_wait(file, &device_event.wait, wait);
42479
42480 - event_count = atomic_read(&device_event.count);
42481 + event_count = atomic_read_unchecked(&device_event.count);
42482 if (file->f_version != event_count) {
42483 file->f_version = event_count;
42484 return POLLIN | POLLRDNORM;
42485 diff -urNp linux-2.6.39.3/drivers/usb/core/hcd.c linux-2.6.39.3/drivers/usb/core/hcd.c
42486 --- linux-2.6.39.3/drivers/usb/core/hcd.c 2011-06-03 00:04:14.000000000 -0400
42487 +++ linux-2.6.39.3/drivers/usb/core/hcd.c 2011-06-03 00:32:07.000000000 -0400
42488 @@ -2574,7 +2574,7 @@ EXPORT_SYMBOL_GPL(usb_hcd_platform_shutd
42489
42490 #if defined(CONFIG_USB_MON) || defined(CONFIG_USB_MON_MODULE)
42491
42492 -struct usb_mon_operations *mon_ops;
42493 +const struct usb_mon_operations *mon_ops;
42494
42495 /*
42496 * The registration is unlocked.
42497 @@ -2584,7 +2584,7 @@ struct usb_mon_operations *mon_ops;
42498 * symbols from usbcore, usbcore gets referenced and cannot be unloaded first.
42499 */
42500
42501 -int usb_mon_register (struct usb_mon_operations *ops)
42502 +int usb_mon_register (const struct usb_mon_operations *ops)
42503 {
42504
42505 if (mon_ops)
42506 diff -urNp linux-2.6.39.3/drivers/usb/core/message.c linux-2.6.39.3/drivers/usb/core/message.c
42507 --- linux-2.6.39.3/drivers/usb/core/message.c 2011-07-09 09:18:51.000000000 -0400
42508 +++ linux-2.6.39.3/drivers/usb/core/message.c 2011-07-09 09:19:18.000000000 -0400
42509 @@ -869,8 +869,8 @@ char *usb_cache_string(struct usb_device
42510 buf = kmalloc(MAX_USB_STRING_SIZE, GFP_NOIO);
42511 if (buf) {
42512 len = usb_string(udev, index, buf, MAX_USB_STRING_SIZE);
42513 - if (len > 0) {
42514 - smallbuf = kmalloc(++len, GFP_NOIO);
42515 + if (len++ > 0) {
42516 + smallbuf = kmalloc(len, GFP_NOIO);
42517 if (!smallbuf)
42518 return buf;
42519 memcpy(smallbuf, buf, len);
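Review bot: The increment folded into the condition, `if (len++ > 0)`, now modifies `len` on the failure path as well, so a zero or negative return from usb_string() is left off by one for any code after the `if`. The allocation size and the memcpy() length are unchanged, so a plainer form keeps the value readable: `if (len > 0) {`, then `len++;`, then `smallbuf = kmalloc(len, GFP_NOIO);`. usb_cache_string() continues outside the hunk, so whether `len` is read again later cannot be checked from here.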
42520 diff -urNp linux-2.6.39.3/drivers/usb/early/ehci-dbgp.c linux-2.6.39.3/drivers/usb/early/ehci-dbgp.c
42521 --- linux-2.6.39.3/drivers/usb/early/ehci-dbgp.c 2011-05-19 00:06:34.000000000 -0400
42522 +++ linux-2.6.39.3/drivers/usb/early/ehci-dbgp.c 2011-05-22 19:36:32.000000000 -0400
42523 @@ -96,7 +96,7 @@ static inline u32 dbgp_len_update(u32 x,
42524 }
42525
42526 #ifdef CONFIG_KGDB
42527 -static struct kgdb_io kgdbdbgp_io_ops;
42528 +static struct kgdb_io kgdbdbgp_io_ops; /* cannot be const, see kgdbdbgp_parse_config */
42529 #define dbgp_kgdb_mode (dbg_io_ops == &kgdbdbgp_io_ops)
42530 #else
42531 #define dbgp_kgdb_mode (0)
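Review bot: The new comment on `kgdbdbgp_io_ops` names a function but not the reason the table must stay writable. It is also spelled two ways, `see kgdbdbgp_parse_config` here and `see kgdbdbgp_parse_config()` on the definition in the hunk at line 1026. Since this is one of the few function-pointer tables in the patch left writable, the comment should say what is written to it at run time. That is not visible in either hunk, so something like `/* cannot be const: <field> is assigned in kgdbdbgp_parse_config() */` with the field filled in, used identically in both places.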
42532 @@ -1026,7 +1026,7 @@ static void kgdbdbgp_write_char(u8 chr)
42533 early_dbgp_write(NULL, &chr, 1);
42534 }
42535
42536 -static struct kgdb_io kgdbdbgp_io_ops = {
42537 +static struct kgdb_io kgdbdbgp_io_ops = { /* cannot be const, see kgdbdbgp_parse_config() */
42538 .name = "kgdbdbgp",
42539 .read_char = kgdbdbgp_read_char,
42540 .write_char = kgdbdbgp_write_char,
42541 diff -urNp linux-2.6.39.3/drivers/usb/gadget/fsl_qe_udc.c linux-2.6.39.3/drivers/usb/gadget/fsl_qe_udc.c
42542 --- linux-2.6.39.3/drivers/usb/gadget/fsl_qe_udc.c 2011-05-19 00:06:34.000000000 -0400
42543 +++ linux-2.6.39.3/drivers/usb/gadget/fsl_qe_udc.c 2011-05-22 19:36:32.000000000 -0400
42544 @@ -1859,7 +1859,7 @@ out:
42545 return status;
42546 }
42547
42548 -static struct usb_ep_ops qe_ep_ops = {
42549 +static const struct usb_ep_ops qe_ep_ops = {
42550 .enable = qe_ep_enable,
42551 .disable = qe_ep_disable,
42552
42553 @@ -1928,7 +1928,7 @@ static int qe_pullup(struct usb_gadget *
42554 }
42555
42556 /* defined in usb_gadget.h */
42557 -static struct usb_gadget_ops qe_gadget_ops = {
42558 +static const struct usb_gadget_ops qe_gadget_ops = {
42559 .get_frame = qe_get_frame,
42560 .wakeup = qe_wakeup,
42561 /* .set_selfpowered = qe_set_selfpowered,*/ /* always selfpowered */
42562 diff -urNp linux-2.6.39.3/drivers/usb/gadget/fsl_udc_core.c linux-2.6.39.3/drivers/usb/gadget/fsl_udc_core.c
42563 --- linux-2.6.39.3/drivers/usb/gadget/fsl_udc_core.c 2011-05-19 00:06:34.000000000 -0400
42564 +++ linux-2.6.39.3/drivers/usb/gadget/fsl_udc_core.c 2011-05-22 19:36:32.000000000 -0400
42565 @@ -1003,7 +1003,7 @@ static void fsl_ep_fifo_flush(struct usb
42566 } while (fsl_readl(&dr_regs->endptstatus) & bits);
42567 }
42568
42569 -static struct usb_ep_ops fsl_ep_ops = {
42570 +static const struct usb_ep_ops fsl_ep_ops = {
42571 .enable = fsl_ep_enable,
42572 .disable = fsl_ep_disable,
42573
42574 @@ -1114,7 +1114,7 @@ static int fsl_pullup(struct usb_gadget
42575 }
42576
42577 /* defined in gadget.h */
42578 -static struct usb_gadget_ops fsl_gadget_ops = {
42579 +static const struct usb_gadget_ops fsl_gadget_ops = {
42580 .get_frame = fsl_get_frame,
42581 .wakeup = fsl_wakeup,
42582 /* .set_selfpowered = fsl_set_selfpowered, */ /* Always selfpowered */
42583 diff -urNp linux-2.6.39.3/drivers/usb/gadget/fusb300_udc.c linux-2.6.39.3/drivers/usb/gadget/fusb300_udc.c
42584 --- linux-2.6.39.3/drivers/usb/gadget/fusb300_udc.c 2011-05-19 00:06:34.000000000 -0400
42585 +++ linux-2.6.39.3/drivers/usb/gadget/fusb300_udc.c 2011-05-22 19:36:32.000000000 -0400
42586 @@ -527,7 +527,7 @@ static void fusb300_fifo_flush(struct us
42587 {
42588 }
42589
42590 -static struct usb_ep_ops fusb300_ep_ops = {
42591 +static const struct usb_ep_ops fusb300_ep_ops = {
42592 .enable = fusb300_enable,
42593 .disable = fusb300_disable,
42594
42595 @@ -1570,7 +1570,7 @@ static int fusb300_udc_pullup(struct usb
42596 return 0;
42597 }
42598
42599 -static struct usb_gadget_ops fusb300_gadget_ops = {
42600 +static const struct usb_gadget_ops fusb300_gadget_ops = {
42601 .pullup = fusb300_udc_pullup,
42602 };
42603
42604 diff -urNp linux-2.6.39.3/drivers/usb/gadget/goku_udc.c linux-2.6.39.3/drivers/usb/gadget/goku_udc.c
42605 --- linux-2.6.39.3/drivers/usb/gadget/goku_udc.c 2011-05-19 00:06:34.000000000 -0400
42606 +++ linux-2.6.39.3/drivers/usb/gadget/goku_udc.c 2011-05-22 19:36:32.000000000 -0400
42607 @@ -973,7 +973,7 @@ static void goku_fifo_flush(struct usb_e
42608 command(regs, COMMAND_FIFO_CLEAR, ep->num);
42609 }
42610
42611 -static struct usb_ep_ops goku_ep_ops = {
42612 +static const struct usb_ep_ops goku_ep_ops = {
42613 .enable = goku_ep_enable,
42614 .disable = goku_ep_disable,
42615
42616 diff -urNp linux-2.6.39.3/drivers/usb/gadget/imx_udc.c linux-2.6.39.3/drivers/usb/gadget/imx_udc.c
42617 --- linux-2.6.39.3/drivers/usb/gadget/imx_udc.c 2011-05-19 00:06:34.000000000 -0400
42618 +++ linux-2.6.39.3/drivers/usb/gadget/imx_udc.c 2011-05-22 19:36:32.000000000 -0400
42619 @@ -937,7 +937,7 @@ static void imx_ep_fifo_flush(struct usb
42620 local_irq_restore(flags);
42621 }
42622
42623 -static struct usb_ep_ops imx_ep_ops = {
42624 +static const struct usb_ep_ops imx_ep_ops = {
42625 .enable = imx_ep_enable,
42626 .disable = imx_ep_disable,
42627
42628 diff -urNp linux-2.6.39.3/drivers/usb/gadget/m66592-udc.c linux-2.6.39.3/drivers/usb/gadget/m66592-udc.c
42629 --- linux-2.6.39.3/drivers/usb/gadget/m66592-udc.c 2011-05-19 00:06:34.000000000 -0400
42630 +++ linux-2.6.39.3/drivers/usb/gadget/m66592-udc.c 2011-05-22 19:36:32.000000000 -0400
42631 @@ -1437,7 +1437,7 @@ static void m66592_fifo_flush(struct usb
42632 spin_unlock_irqrestore(&ep->m66592->lock, flags);
42633 }
42634
42635 -static struct usb_ep_ops m66592_ep_ops = {
42636 +static const struct usb_ep_ops m66592_ep_ops = {
42637 .enable = m66592_enable,
42638 .disable = m66592_disable,
42639
42640 @@ -1542,7 +1542,7 @@ static int m66592_get_frame(struct usb_g
42641 return m66592_read(m66592, M66592_FRMNUM) & 0x03FF;
42642 }
42643
42644 -static struct usb_gadget_ops m66592_gadget_ops = {
42645 +static const struct usb_gadget_ops m66592_gadget_ops = {
42646 .get_frame = m66592_get_frame,
42647 };
42648
42649 diff -urNp linux-2.6.39.3/drivers/usb/gadget/mv_udc_core.c linux-2.6.39.3/drivers/usb/gadget/mv_udc_core.c
42650 --- linux-2.6.39.3/drivers/usb/gadget/mv_udc_core.c 2011-05-19 00:06:34.000000000 -0400
42651 +++ linux-2.6.39.3/drivers/usb/gadget/mv_udc_core.c 2011-05-22 19:36:32.000000000 -0400
42652 @@ -972,7 +972,7 @@ static int mv_ep_set_wedge(struct usb_ep
42653 return mv_ep_set_halt_wedge(_ep, 1, 1);
42654 }
42655
42656 -static struct usb_ep_ops mv_ep_ops = {
42657 +static const struct usb_ep_ops mv_ep_ops = {
42658 .enable = mv_ep_enable,
42659 .disable = mv_ep_disable,
42660
42661 diff -urNp linux-2.6.39.3/drivers/usb/gadget/omap_udc.c linux-2.6.39.3/drivers/usb/gadget/omap_udc.c
42662 --- linux-2.6.39.3/drivers/usb/gadget/omap_udc.c 2011-05-19 00:06:34.000000000 -0400
42663 +++ linux-2.6.39.3/drivers/usb/gadget/omap_udc.c 2011-05-22 19:36:32.000000000 -0400
42664 @@ -1177,7 +1177,7 @@ done:
42665 return status;
42666 }
42667
42668 -static struct usb_ep_ops omap_ep_ops = {
42669 +static const struct usb_ep_ops omap_ep_ops = {
42670 .enable = omap_ep_enable,
42671 .disable = omap_ep_disable,
42672
42673 @@ -1374,7 +1374,7 @@ static int omap_pullup(struct usb_gadget
42674 return 0;
42675 }
42676
42677 -static struct usb_gadget_ops omap_gadget_ops = {
42678 +static const struct usb_gadget_ops omap_gadget_ops = {
42679 .get_frame = omap_get_frame,
42680 .wakeup = omap_wakeup,
42681 .set_selfpowered = omap_set_selfpowered,
42682 diff -urNp linux-2.6.39.3/drivers/usb/gadget/pxa25x_udc.c linux-2.6.39.3/drivers/usb/gadget/pxa25x_udc.c
42683 --- linux-2.6.39.3/drivers/usb/gadget/pxa25x_udc.c 2011-05-19 00:06:34.000000000 -0400
42684 +++ linux-2.6.39.3/drivers/usb/gadget/pxa25x_udc.c 2011-05-22 19:36:32.000000000 -0400
42685 @@ -896,7 +896,7 @@ static void pxa25x_ep_fifo_flush(struct
42686 }
42687
42688
42689 -static struct usb_ep_ops pxa25x_ep_ops = {
42690 +static const struct usb_ep_ops pxa25x_ep_ops = {
42691 .enable = pxa25x_ep_enable,
42692 .disable = pxa25x_ep_disable,
42693
42694 diff -urNp linux-2.6.39.3/drivers/usb/gadget/pxa27x_udc.c linux-2.6.39.3/drivers/usb/gadget/pxa27x_udc.c
42695 --- linux-2.6.39.3/drivers/usb/gadget/pxa27x_udc.c 2011-05-19 00:06:34.000000000 -0400
42696 +++ linux-2.6.39.3/drivers/usb/gadget/pxa27x_udc.c 2011-05-22 19:36:32.000000000 -0400
42697 @@ -1491,7 +1491,7 @@ static int pxa_ep_disable(struct usb_ep
42698 return 0;
42699 }
42700
42701 -static struct usb_ep_ops pxa_ep_ops = {
42702 +static const struct usb_ep_ops pxa_ep_ops = {
42703 .enable = pxa_ep_enable,
42704 .disable = pxa_ep_disable,
42705
42706 diff -urNp linux-2.6.39.3/drivers/usb/gadget/r8a66597-udc.c linux-2.6.39.3/drivers/usb/gadget/r8a66597-udc.c
42707 --- linux-2.6.39.3/drivers/usb/gadget/r8a66597-udc.c 2011-05-19 00:06:34.000000000 -0400
42708 +++ linux-2.6.39.3/drivers/usb/gadget/r8a66597-udc.c 2011-05-22 19:36:32.000000000 -0400
42709 @@ -1392,7 +1392,7 @@ static void r8a66597_fifo_flush(struct u
42710 spin_unlock_irqrestore(&ep->r8a66597->lock, flags);
42711 }
42712
42713 -static struct usb_ep_ops r8a66597_ep_ops = {
42714 +static const struct usb_ep_ops r8a66597_ep_ops = {
42715 .enable = r8a66597_enable,
42716 .disable = r8a66597_disable,
42717
42718 @@ -1497,7 +1497,7 @@ static int r8a66597_get_frame(struct usb
42719 return r8a66597_read(r8a66597, FRMNUM) & 0x03FF;
42720 }
42721
42722 -static struct usb_gadget_ops r8a66597_gadget_ops = {
42723 +static const struct usb_gadget_ops r8a66597_gadget_ops = {
42724 .get_frame = r8a66597_get_frame,
42725 };
42726
42727 diff -urNp linux-2.6.39.3/drivers/usb/gadget/s3c-hsotg.c linux-2.6.39.3/drivers/usb/gadget/s3c-hsotg.c
42728 --- linux-2.6.39.3/drivers/usb/gadget/s3c-hsotg.c 2011-05-19 00:06:34.000000000 -0400
42729 +++ linux-2.6.39.3/drivers/usb/gadget/s3c-hsotg.c 2011-05-22 19:36:32.000000000 -0400
42730 @@ -2461,7 +2461,7 @@ static int s3c_hsotg_ep_sethalt(struct u
42731 return 0;
42732 }
42733
42734 -static struct usb_ep_ops s3c_hsotg_ep_ops = {
42735 +static const struct usb_ep_ops s3c_hsotg_ep_ops = {
42736 .enable = s3c_hsotg_ep_enable,
42737 .disable = s3c_hsotg_ep_disable,
42738 .alloc_request = s3c_hsotg_ep_alloc_request,
42739 @@ -2725,7 +2725,7 @@ static int s3c_hsotg_gadget_getframe(str
42740 return s3c_hsotg_read_frameno(to_hsotg(gadget));
42741 }
42742
42743 -static struct usb_gadget_ops s3c_hsotg_gadget_ops = {
42744 +static const struct usb_gadget_ops s3c_hsotg_gadget_ops = {
42745 .get_frame = s3c_hsotg_gadget_getframe,
42746 };
42747
42748 diff -urNp linux-2.6.39.3/drivers/usb/gadget/uvc_queue.c linux-2.6.39.3/drivers/usb/gadget/uvc_queue.c
42749 --- linux-2.6.39.3/drivers/usb/gadget/uvc_queue.c 2011-05-19 00:06:34.000000000 -0400
42750 +++ linux-2.6.39.3/drivers/usb/gadget/uvc_queue.c 2011-05-22 19:36:32.000000000 -0400
42751 @@ -400,7 +400,7 @@ static void uvc_vm_close(struct vm_area_
42752 buffer->vma_use_count--;
42753 }
42754
42755 -static struct vm_operations_struct uvc_vm_ops = {
42756 +static const struct vm_operations_struct uvc_vm_ops = {
42757 .open = uvc_vm_open,
42758 .close = uvc_vm_close,
42759 };
42760 diff -urNp linux-2.6.39.3/drivers/usb/host/ehci-fsl.c linux-2.6.39.3/drivers/usb/host/ehci-fsl.c
42761 --- linux-2.6.39.3/drivers/usb/host/ehci-fsl.c 2011-05-19 00:06:34.000000000 -0400
42762 +++ linux-2.6.39.3/drivers/usb/host/ehci-fsl.c 2011-05-22 19:36:32.000000000 -0400
42763 @@ -380,7 +380,7 @@ static int ehci_fsl_drv_restore(struct d
42764 return 0;
42765 }
42766
42767 -static struct dev_pm_ops ehci_fsl_pm_ops = {
42768 +static const struct dev_pm_ops ehci_fsl_pm_ops = {
42769 .suspend = ehci_fsl_drv_suspend,
42770 .resume = ehci_fsl_drv_resume,
42771 .restore = ehci_fsl_drv_restore,
42772 diff -urNp linux-2.6.39.3/drivers/usb/host/xhci-mem.c linux-2.6.39.3/drivers/usb/host/xhci-mem.c
42773 --- linux-2.6.39.3/drivers/usb/host/xhci-mem.c 2011-06-25 12:55:23.000000000 -0400
42774 +++ linux-2.6.39.3/drivers/usb/host/xhci-mem.c 2011-06-25 13:00:26.000000000 -0400
42775 @@ -1680,6 +1680,8 @@ static int xhci_check_trb_in_td_math(str
42776 unsigned int num_tests;
42777 int i, ret;
42778
42779 + pax_track_stack();
42780 +
42781 num_tests = ARRAY_SIZE(simple_test_vector);
42782 for (i = 0; i < num_tests; i++) {
42783 ret = xhci_test_trb_in_td(xhci,
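Review bot: The added `pax_track_stack();` call has no comment saying why this function needs it, and the same is true of the calls added to fb_set_var() and do_fb_ioctl() in drivers/video/fbmem.c. Presumably each is there because the function has a large stack frame (here the test-vector tables, whose declarations start outside the hunk), but that criterion is not visible at the call site. A one-line comment such as `/* large stack frame: record stack depth for PAX_MEMORY_STACKLEAK */` would tell a later maintainer whether the call must survive a refactor.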
42784 diff -urNp linux-2.6.39.3/drivers/usb/mon/mon_main.c linux-2.6.39.3/drivers/usb/mon/mon_main.c
42785 --- linux-2.6.39.3/drivers/usb/mon/mon_main.c 2011-05-19 00:06:34.000000000 -0400
42786 +++ linux-2.6.39.3/drivers/usb/mon/mon_main.c 2011-05-22 19:36:32.000000000 -0400
42787 @@ -238,7 +238,7 @@ static struct notifier_block mon_nb = {
42788 /*
42789 * Ops
42790 */
42791 -static struct usb_mon_operations mon_ops_0 = {
42792 +static const struct usb_mon_operations mon_ops_0 = {
42793 .urb_submit = mon_submit,
42794 .urb_submit_error = mon_submit_error,
42795 .urb_complete = mon_complete,
42796 diff -urNp linux-2.6.39.3/drivers/usb/musb/cppi_dma.h linux-2.6.39.3/drivers/usb/musb/cppi_dma.h
42797 --- linux-2.6.39.3/drivers/usb/musb/cppi_dma.h 2011-05-19 00:06:34.000000000 -0400
42798 +++ linux-2.6.39.3/drivers/usb/musb/cppi_dma.h 2011-05-22 19:36:32.000000000 -0400
42799 @@ -113,7 +113,7 @@ struct cppi_channel {
42800
42801 /* CPPI DMA controller object */
42802 struct cppi {
42803 - struct dma_controller controller;
42804 + const struct dma_controller controller;
42805 struct musb *musb;
42806 void __iomem *mregs; /* Mentor regs */
42807 void __iomem *tibase; /* TI/CPPI regs */
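Review bot: The `const` on the embedded member `controller` gives no read-only placement, because it qualifies a field inside `struct cppi` rather than a statically initialised object. If `struct cppi` is allocated at run time (its allocation is outside this hunk), the function pointers in it stay in writable memory. It also means the member's fields can no longer be assigned after allocation without a cast, so whatever code fills in the controller callbacks has to change in step. A comment on the member, for example `/* const: set once at creation, never reassigned */`, should state what the qualifier is meant to guarantee here.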
42808 diff -urNp linux-2.6.39.3/drivers/usb/otg/msm_otg.c linux-2.6.39.3/drivers/usb/otg/msm_otg.c
42809 --- linux-2.6.39.3/drivers/usb/otg/msm_otg.c 2011-05-19 00:06:34.000000000 -0400
42810 +++ linux-2.6.39.3/drivers/usb/otg/msm_otg.c 2011-05-22 19:36:32.000000000 -0400
42811 @@ -95,7 +95,7 @@ static int ulpi_write(struct otg_transce
42812 return 0;
42813 }
42814
42815 -static struct otg_io_access_ops msm_otg_io_ops = {
42816 +static const struct otg_io_access_ops msm_otg_io_ops = {
42817 .read = ulpi_read,
42818 .write = ulpi_write,
42819 };
42820 diff -urNp linux-2.6.39.3/drivers/usb/otg/ulpi_viewport.c linux-2.6.39.3/drivers/usb/otg/ulpi_viewport.c
42821 --- linux-2.6.39.3/drivers/usb/otg/ulpi_viewport.c 2011-05-19 00:06:34.000000000 -0400
42822 +++ linux-2.6.39.3/drivers/usb/otg/ulpi_viewport.c 2011-05-22 19:36:32.000000000 -0400
42823 @@ -74,7 +74,7 @@ static int ulpi_viewport_write(struct ot
42824 return ulpi_viewport_wait(view, ULPI_VIEW_RUN);
42825 }
42826
42827 -struct otg_io_access_ops ulpi_viewport_access_ops = {
42828 +const struct otg_io_access_ops ulpi_viewport_access_ops = {
42829 .read = ulpi_viewport_read,
42830 .write = ulpi_viewport_write,
42831 };
42832 diff -urNp linux-2.6.39.3/drivers/usb/serial/ftdi_sio.c linux-2.6.39.3/drivers/usb/serial/ftdi_sio.c
42833 --- linux-2.6.39.3/drivers/usb/serial/ftdi_sio.c 2011-07-09 09:18:51.000000000 -0400
42834 +++ linux-2.6.39.3/drivers/usb/serial/ftdi_sio.c 2011-07-09 09:19:18.000000000 -0400
42835 @@ -104,27 +104,27 @@ static int ftdi_stmclite_probe(struct
42836 static void ftdi_USB_UIRT_setup(struct ftdi_private *priv);
42837 static void ftdi_HE_TIRA1_setup(struct ftdi_private *priv);
42838
42839 -static struct ftdi_sio_quirk ftdi_jtag_quirk = {
42840 +static const struct ftdi_sio_quirk ftdi_jtag_quirk = {
42841 .probe = ftdi_jtag_probe,
42842 };
42843
42844 -static struct ftdi_sio_quirk ftdi_mtxorb_hack_quirk = {
42845 +static const struct ftdi_sio_quirk ftdi_mtxorb_hack_quirk = {
42846 .probe = ftdi_mtxorb_hack_setup,
42847 };
42848
42849 -static struct ftdi_sio_quirk ftdi_NDI_device_quirk = {
42850 +static const struct ftdi_sio_quirk ftdi_NDI_device_quirk = {
42851 .probe = ftdi_NDI_device_setup,
42852 };
42853
42854 -static struct ftdi_sio_quirk ftdi_USB_UIRT_quirk = {
42855 +static const struct ftdi_sio_quirk ftdi_USB_UIRT_quirk = {
42856 .port_probe = ftdi_USB_UIRT_setup,
42857 };
42858
42859 -static struct ftdi_sio_quirk ftdi_HE_TIRA1_quirk = {
42860 +static const struct ftdi_sio_quirk ftdi_HE_TIRA1_quirk = {
42861 .port_probe = ftdi_HE_TIRA1_setup,
42862 };
42863
42864 -static struct ftdi_sio_quirk ftdi_stmclite_quirk = {
42865 +static const struct ftdi_sio_quirk ftdi_stmclite_quirk = {
42866 .probe = ftdi_stmclite_probe,
42867 };
42868
42869 diff -urNp linux-2.6.39.3/drivers/usb/wusbcore/wa-hc.h linux-2.6.39.3/drivers/usb/wusbcore/wa-hc.h
42870 --- linux-2.6.39.3/drivers/usb/wusbcore/wa-hc.h 2011-05-19 00:06:34.000000000 -0400
42871 +++ linux-2.6.39.3/drivers/usb/wusbcore/wa-hc.h 2011-05-22 19:36:32.000000000 -0400
42872 @@ -192,7 +192,7 @@ struct wahc {
42873 struct list_head xfer_delayed_list;
42874 spinlock_t xfer_list_lock;
42875 struct work_struct xfer_work;
42876 - atomic_t xfer_id_count;
42877 + atomic_unchecked_t xfer_id_count;
42878 };
42879
42880
42881 @@ -246,7 +246,7 @@ static inline void wa_init(struct wahc *
42882 INIT_LIST_HEAD(&wa->xfer_delayed_list);
42883 spin_lock_init(&wa->xfer_list_lock);
42884 INIT_WORK(&wa->xfer_work, wa_urb_enqueue_run);
42885 - atomic_set(&wa->xfer_id_count, 1);
42886 + atomic_set_unchecked(&wa->xfer_id_count, 1);
42887 }
42888
42889 /**
42890 diff -urNp linux-2.6.39.3/drivers/usb/wusbcore/wa-xfer.c linux-2.6.39.3/drivers/usb/wusbcore/wa-xfer.c
42891 --- linux-2.6.39.3/drivers/usb/wusbcore/wa-xfer.c 2011-05-19 00:06:34.000000000 -0400
42892 +++ linux-2.6.39.3/drivers/usb/wusbcore/wa-xfer.c 2011-05-22 19:36:32.000000000 -0400
42893 @@ -294,7 +294,7 @@ out:
42894 */
42895 static void wa_xfer_id_init(struct wa_xfer *xfer)
42896 {
42897 - xfer->id = atomic_add_return(1, &xfer->wa->xfer_id_count);
42898 + xfer->id = atomic_add_return_unchecked(1, &xfer->wa->xfer_id_count);
42899 }
42900
42901 /*
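Review bot: With the unchecked variant the id source in wa_xfer_id_init() wraps silently, so `xfer->id` will eventually be 0 and then repeat values handed out earlier. The field `xfer_id_count` in wa-hc.h carries no comment saying that it is an id generator rather than a reference count. Whether the consumer of `xfer->id` tolerates 0, or a duplicate of an id still in flight, cannot be seen from this hunk. If it does, a field comment such as `/* transfer id generator; wraps by design, not a refcount */` is enough; if it does not, the reserved value needs to be skipped explicitly here.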
42902 diff -urNp linux-2.6.39.3/drivers/vhost/vhost.c linux-2.6.39.3/drivers/vhost/vhost.c
42903 --- linux-2.6.39.3/drivers/vhost/vhost.c 2011-05-19 00:06:34.000000000 -0400
42904 +++ linux-2.6.39.3/drivers/vhost/vhost.c 2011-05-22 19:36:32.000000000 -0400
42905 @@ -580,7 +580,7 @@ static int init_used(struct vhost_virtqu
42906 return get_user(vq->last_used_idx, &used->idx);
42907 }
42908
42909 -static long vhost_set_vring(struct vhost_dev *d, int ioctl, void __user *argp)
42910 +static long vhost_set_vring(struct vhost_dev *d, unsigned int ioctl, void __user *argp)
42911 {
42912 struct file *eventfp, *filep = NULL,
42913 *pollstart = NULL, *pollstop = NULL;
42914 diff -urNp linux-2.6.39.3/drivers/video/backlight/corgi_lcd.c linux-2.6.39.3/drivers/video/backlight/corgi_lcd.c
42915 --- linux-2.6.39.3/drivers/video/backlight/corgi_lcd.c 2011-05-19 00:06:34.000000000 -0400
42916 +++ linux-2.6.39.3/drivers/video/backlight/corgi_lcd.c 2011-05-22 19:36:32.000000000 -0400
42917 @@ -383,7 +383,7 @@ static int corgi_lcd_get_power(struct lc
42918 return lcd->power;
42919 }
42920
42921 -static struct lcd_ops corgi_lcd_ops = {
42922 +static const struct lcd_ops corgi_lcd_ops = {
42923 .get_power = corgi_lcd_get_power,
42924 .set_power = corgi_lcd_set_power,
42925 .set_mode = corgi_lcd_set_mode,
42926 diff -urNp linux-2.6.39.3/drivers/video/backlight/cr_bllcd.c linux-2.6.39.3/drivers/video/backlight/cr_bllcd.c
42927 --- linux-2.6.39.3/drivers/video/backlight/cr_bllcd.c 2011-05-19 00:06:34.000000000 -0400
42928 +++ linux-2.6.39.3/drivers/video/backlight/cr_bllcd.c 2011-05-22 19:36:32.000000000 -0400
42929 @@ -165,7 +165,7 @@ static int cr_lcd_set_power(struct lcd_d
42930 return 0;
42931 }
42932
42933 -static struct lcd_ops cr_lcd_ops = {
42934 +static const struct lcd_ops cr_lcd_ops = {
42935 .set_power = cr_lcd_set_power,
42936 };
42937
42938 diff -urNp linux-2.6.39.3/drivers/video/backlight/ili9320.c linux-2.6.39.3/drivers/video/backlight/ili9320.c
42939 --- linux-2.6.39.3/drivers/video/backlight/ili9320.c 2011-05-19 00:06:34.000000000 -0400
42940 +++ linux-2.6.39.3/drivers/video/backlight/ili9320.c 2011-05-22 19:36:32.000000000 -0400
42941 @@ -166,7 +166,7 @@ static int ili9320_get_power(struct lcd_
42942 return lcd->power;
42943 }
42944
42945 -static struct lcd_ops ili9320_ops = {
42946 +static const struct lcd_ops ili9320_ops = {
42947 .get_power = ili9320_get_power,
42948 .set_power = ili9320_set_power,
42949 };
42950 diff -urNp linux-2.6.39.3/drivers/video/backlight/jornada720_lcd.c linux-2.6.39.3/drivers/video/backlight/jornada720_lcd.c
42951 --- linux-2.6.39.3/drivers/video/backlight/jornada720_lcd.c 2011-05-19 00:06:34.000000000 -0400
42952 +++ linux-2.6.39.3/drivers/video/backlight/jornada720_lcd.c 2011-05-22 19:36:32.000000000 -0400
42953 @@ -87,7 +87,7 @@ static int jornada_lcd_set_power(struct
42954 return 0;
42955 }
42956
42957 -static struct lcd_ops jornada_lcd_props = {
42958 +static const struct lcd_ops jornada_lcd_props = {
42959 .get_contrast = jornada_lcd_get_contrast,
42960 .set_contrast = jornada_lcd_set_contrast,
42961 .get_power = jornada_lcd_get_power,
42962 diff -urNp linux-2.6.39.3/drivers/video/backlight/l4f00242t03.c linux-2.6.39.3/drivers/video/backlight/l4f00242t03.c
42963 --- linux-2.6.39.3/drivers/video/backlight/l4f00242t03.c 2011-05-19 00:06:34.000000000 -0400
42964 +++ linux-2.6.39.3/drivers/video/backlight/l4f00242t03.c 2011-05-22 19:36:32.000000000 -0400
42965 @@ -149,7 +149,7 @@ static int l4f00242t03_lcd_power_set(str
42966 return 0;
42967 }
42968
42969 -static struct lcd_ops l4f_ops = {
42970 +static const struct lcd_ops l4f_ops = {
42971 .set_power = l4f00242t03_lcd_power_set,
42972 .get_power = l4f00242t03_lcd_power_get,
42973 };
42974 diff -urNp linux-2.6.39.3/drivers/video/backlight/lcd.c linux-2.6.39.3/drivers/video/backlight/lcd.c
42975 --- linux-2.6.39.3/drivers/video/backlight/lcd.c 2011-05-19 00:06:34.000000000 -0400
42976 +++ linux-2.6.39.3/drivers/video/backlight/lcd.c 2011-05-22 19:36:32.000000000 -0400
42977 @@ -192,7 +192,7 @@ static struct device_attribute lcd_devic
42978 * or a pointer to the newly allocated device.
42979 */
42980 struct lcd_device *lcd_device_register(const char *name, struct device *parent,
42981 - void *devdata, struct lcd_ops *ops)
42982 + void *devdata, const struct lcd_ops *ops)
42983 {
42984 struct lcd_device *new_ld;
42985 int rc;
42986 diff -urNp linux-2.6.39.3/drivers/video/backlight/ld9040.c linux-2.6.39.3/drivers/video/backlight/ld9040.c
42987 --- linux-2.6.39.3/drivers/video/backlight/ld9040.c 2011-05-19 00:06:34.000000000 -0400
42988 +++ linux-2.6.39.3/drivers/video/backlight/ld9040.c 2011-05-22 19:36:32.000000000 -0400
42989 @@ -651,7 +651,7 @@ static int ld9040_set_brightness(struct
42990 return ret;
42991 }
42992
42993 -static struct lcd_ops ld9040_lcd_ops = {
42994 +static const struct lcd_ops ld9040_lcd_ops = {
42995 .set_power = ld9040_set_power,
42996 .get_power = ld9040_get_power,
42997 };
42998 diff -urNp linux-2.6.39.3/drivers/video/backlight/lms283gf05.c linux-2.6.39.3/drivers/video/backlight/lms283gf05.c
42999 --- linux-2.6.39.3/drivers/video/backlight/lms283gf05.c 2011-05-19 00:06:34.000000000 -0400
43000 +++ linux-2.6.39.3/drivers/video/backlight/lms283gf05.c 2011-05-22 19:36:32.000000000 -0400
43001 @@ -144,7 +144,7 @@ static int lms283gf05_power_set(struct l
43002 return 0;
43003 }
43004
43005 -static struct lcd_ops lms_ops = {
43006 +static const struct lcd_ops lms_ops = {
43007 .set_power = lms283gf05_power_set,
43008 .get_power = NULL,
43009 };
43010 diff -urNp linux-2.6.39.3/drivers/video/backlight/ltv350qv.c linux-2.6.39.3/drivers/video/backlight/ltv350qv.c
43011 --- linux-2.6.39.3/drivers/video/backlight/ltv350qv.c 2011-05-19 00:06:34.000000000 -0400
43012 +++ linux-2.6.39.3/drivers/video/backlight/ltv350qv.c 2011-05-22 19:36:32.000000000 -0400
43013 @@ -221,7 +221,7 @@ static int ltv350qv_get_power(struct lcd
43014 return lcd->power;
43015 }
43016
43017 -static struct lcd_ops ltv_ops = {
43018 +static const struct lcd_ops ltv_ops = {
43019 .get_power = ltv350qv_get_power,
43020 .set_power = ltv350qv_set_power,
43021 };
43022 diff -urNp linux-2.6.39.3/drivers/video/backlight/platform_lcd.c linux-2.6.39.3/drivers/video/backlight/platform_lcd.c
43023 --- linux-2.6.39.3/drivers/video/backlight/platform_lcd.c 2011-05-19 00:06:34.000000000 -0400
43024 +++ linux-2.6.39.3/drivers/video/backlight/platform_lcd.c 2011-05-22 19:36:32.000000000 -0400
43025 @@ -66,7 +66,7 @@ static int platform_lcd_match(struct lcd
43026 return plcd->us->parent == info->device;
43027 }
43028
43029 -static struct lcd_ops platform_lcd_ops = {
43030 +static const struct lcd_ops platform_lcd_ops = {
43031 .get_power = platform_lcd_get_power,
43032 .set_power = platform_lcd_set_power,
43033 .check_fb = platform_lcd_match,
43034 diff -urNp linux-2.6.39.3/drivers/video/backlight/s6e63m0.c linux-2.6.39.3/drivers/video/backlight/s6e63m0.c
43035 --- linux-2.6.39.3/drivers/video/backlight/s6e63m0.c 2011-05-19 00:06:34.000000000 -0400
43036 +++ linux-2.6.39.3/drivers/video/backlight/s6e63m0.c 2011-05-22 19:36:32.000000000 -0400
43037 @@ -644,7 +644,7 @@ static int s6e63m0_set_brightness(struct
43038 return ret;
43039 }
43040
43041 -static struct lcd_ops s6e63m0_lcd_ops = {
43042 +static const struct lcd_ops s6e63m0_lcd_ops = {
43043 .set_power = s6e63m0_set_power,
43044 .get_power = s6e63m0_get_power,
43045 };
43046 diff -urNp linux-2.6.39.3/drivers/video/backlight/tdo24m.c linux-2.6.39.3/drivers/video/backlight/tdo24m.c
43047 --- linux-2.6.39.3/drivers/video/backlight/tdo24m.c 2011-05-19 00:06:34.000000000 -0400
43048 +++ linux-2.6.39.3/drivers/video/backlight/tdo24m.c 2011-05-22 19:36:32.000000000 -0400
43049 @@ -322,7 +322,7 @@ static int tdo24m_set_mode(struct lcd_de
43050 return lcd->adj_mode(lcd, mode);
43051 }
43052
43053 -static struct lcd_ops tdo24m_ops = {
43054 +static const struct lcd_ops tdo24m_ops = {
43055 .get_power = tdo24m_get_power,
43056 .set_power = tdo24m_set_power,
43057 .set_mode = tdo24m_set_mode,
43058 diff -urNp linux-2.6.39.3/drivers/video/backlight/tosa_lcd.c linux-2.6.39.3/drivers/video/backlight/tosa_lcd.c
43059 --- linux-2.6.39.3/drivers/video/backlight/tosa_lcd.c 2011-05-19 00:06:34.000000000 -0400
43060 +++ linux-2.6.39.3/drivers/video/backlight/tosa_lcd.c 2011-05-22 19:36:32.000000000 -0400
43061 @@ -163,7 +163,7 @@ static int tosa_lcd_set_mode(struct lcd_
43062 return 0;
43063 }
43064
43065 -static struct lcd_ops tosa_lcd_ops = {
43066 +static const struct lcd_ops tosa_lcd_ops = {
43067 .set_power = tosa_lcd_set_power,
43068 .get_power = tosa_lcd_get_power,
43069 .set_mode = tosa_lcd_set_mode,
43070 diff -urNp linux-2.6.39.3/drivers/video/bf537-lq035.c linux-2.6.39.3/drivers/video/bf537-lq035.c
43071 --- linux-2.6.39.3/drivers/video/bf537-lq035.c 2011-05-19 00:06:34.000000000 -0400
43072 +++ linux-2.6.39.3/drivers/video/bf537-lq035.c 2011-05-22 19:36:32.000000000 -0400
43073 @@ -682,7 +682,7 @@ static int bfin_lcd_check_fb(struct lcd_
43074 return 0;
43075 }
43076
43077 -static struct lcd_ops bfin_lcd_ops = {
43078 +static const struct lcd_ops bfin_lcd_ops = {
43079 .get_power = bfin_lcd_get_power,
43080 .set_power = bfin_lcd_set_power,
43081 .get_contrast = bfin_lcd_get_contrast,
43082 diff -urNp linux-2.6.39.3/drivers/video/bf54x-lq043fb.c linux-2.6.39.3/drivers/video/bf54x-lq043fb.c
43083 --- linux-2.6.39.3/drivers/video/bf54x-lq043fb.c 2011-05-19 00:06:34.000000000 -0400
43084 +++ linux-2.6.39.3/drivers/video/bf54x-lq043fb.c 2011-05-22 19:36:32.000000000 -0400
43085 @@ -467,7 +467,7 @@ static int bfin_lcd_check_fb(struct lcd_
43086 return 0;
43087 }
43088
43089 -static struct lcd_ops bfin_lcd_ops = {
43090 +static const struct lcd_ops bfin_lcd_ops = {
43091 .get_power = bfin_lcd_get_power,
43092 .set_power = bfin_lcd_set_power,
43093 .get_contrast = bfin_lcd_get_contrast,
43094 diff -urNp linux-2.6.39.3/drivers/video/bfin-t350mcqb-fb.c linux-2.6.39.3/drivers/video/bfin-t350mcqb-fb.c
43095 --- linux-2.6.39.3/drivers/video/bfin-t350mcqb-fb.c 2011-05-19 00:06:34.000000000 -0400
43096 +++ linux-2.6.39.3/drivers/video/bfin-t350mcqb-fb.c 2011-05-22 19:36:32.000000000 -0400
43097 @@ -387,7 +387,7 @@ static int bfin_lcd_check_fb(struct lcd_
43098 return 0;
43099 }
43100
43101 -static struct lcd_ops bfin_lcd_ops = {
43102 +static const struct lcd_ops bfin_lcd_ops = {
43103 .get_power = bfin_lcd_get_power,
43104 .set_power = bfin_lcd_set_power,
43105 .get_contrast = bfin_lcd_get_contrast,
43106 diff -urNp linux-2.6.39.3/drivers/video/fbcmap.c linux-2.6.39.3/drivers/video/fbcmap.c
43107 --- linux-2.6.39.3/drivers/video/fbcmap.c 2011-05-19 00:06:34.000000000 -0400
43108 +++ linux-2.6.39.3/drivers/video/fbcmap.c 2011-05-22 19:36:32.000000000 -0400
43109 @@ -285,8 +285,7 @@ int fb_set_user_cmap(struct fb_cmap_user
43110 rc = -ENODEV;
43111 goto out;
43112 }
43113 - if (cmap->start < 0 || (!info->fbops->fb_setcolreg &&
43114 - !info->fbops->fb_setcmap)) {
43115 + if (!info->fbops->fb_setcolreg && !info->fbops->fb_setcmap) {
43116 rc = -EINVAL;
43117 goto out1;
43118 }
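Review bot: In fb_set_user_cmap the removed `cmap->start < 0` test leaves no trace of why a negative start cannot occur, and the same applies to the `con2fb.framebuffer < 0` test dropped in the do_fb_ioctl hunk of fbmem.c further down. Both removals are only correct while the fields are unsigned, which these hunks do not show. I would record that next to the remaining checks, e.g. `/* cmap->start is unsigned, so only the ops pointers need checking here */` and `/* framebuffer is unsigned: the FB_MAX bound alone keeps the registered_fb[] index in range */`. Both function bodies continue outside their hunks.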
43119 diff -urNp linux-2.6.39.3/drivers/video/fbmem.c linux-2.6.39.3/drivers/video/fbmem.c
43120 --- linux-2.6.39.3/drivers/video/fbmem.c 2011-05-19 00:06:34.000000000 -0400
43121 +++ linux-2.6.39.3/drivers/video/fbmem.c 2011-05-22 19:36:32.000000000 -0400
43122 @@ -428,7 +428,7 @@ static void fb_do_show_logo(struct fb_in
43123 image->dx += image->width + 8;
43124 }
43125 } else if (rotate == FB_ROTATE_UD) {
43126 - for (x = 0; x < num && image->dx >= 0; x++) {
43127 + for (x = 0; x < num && (__s32)image->dx >= 0; x++) {
43128 info->fbops->fb_imageblit(info, image);
43129 image->dx -= image->width + 8;
43130 }
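Review bot: The `(__s32)image->dx >= 0` loop condition in the FB_ROTATE_UD branch depends on `image->dx -= image->width + 8` wrapping below zero and the cast reading the result as negative, and nothing in the code says so; the FB_ROTATE_CCW hunk below does the same with `image->dy`. The cast suggests dx and dy are unsigned (their declaration is not in the hunk), in which case a start value above INT_MAX would also end the loop before the first blit. A comment such as `/* dx is unsigned: the cast turns wrap-around below zero into the loop exit */` above each loop would make the intent reviewable. fb_do_show_logo starts and ends outside both hunks.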
43131 @@ -440,7 +440,7 @@ static void fb_do_show_logo(struct fb_in
43132 image->dy += image->height + 8;
43133 }
43134 } else if (rotate == FB_ROTATE_CCW) {
43135 - for (x = 0; x < num && image->dy >= 0; x++) {
43136 + for (x = 0; x < num && (__s32)image->dy >= 0; x++) {
43137 info->fbops->fb_imageblit(info, image);
43138 image->dy -= image->height + 8;
43139 }
43140 @@ -939,6 +939,8 @@ fb_set_var(struct fb_info *info, struct
43141 int flags = info->flags;
43142 int ret = 0;
43143
43144 + pax_track_stack();
43145 +
43146 if (var->activate & FB_ACTIVATE_INV_MODE) {
43147 struct fb_videomode mode1, mode2;
43148
43149 @@ -1064,6 +1066,8 @@ static long do_fb_ioctl(struct fb_info *
43150 void __user *argp = (void __user *)arg;
43151 long ret = 0;
43152
43153 + pax_track_stack();
43154 +
43155 switch (cmd) {
43156 case FBIOGET_VSCREENINFO:
43157 if (!lock_fb_info(info))
43158 @@ -1143,7 +1147,7 @@ static long do_fb_ioctl(struct fb_info *
43159 return -EFAULT;
43160 if (con2fb.console < 1 || con2fb.console > MAX_NR_CONSOLES)
43161 return -EINVAL;
43162 - if (con2fb.framebuffer < 0 || con2fb.framebuffer >= FB_MAX)
43163 + if (con2fb.framebuffer >= FB_MAX)
43164 return -EINVAL;
43165 if (!registered_fb[con2fb.framebuffer])
43166 request_module("fb%d", con2fb.framebuffer);
43167 diff -urNp linux-2.6.39.3/drivers/video/geode/display_gx1.c linux-2.6.39.3/drivers/video/geode/display_gx1.c
43168 --- linux-2.6.39.3/drivers/video/geode/display_gx1.c 2011-05-19 00:06:34.000000000 -0400
43169 +++ linux-2.6.39.3/drivers/video/geode/display_gx1.c 2011-05-22 19:36:32.000000000 -0400
43170 @@ -208,7 +208,7 @@ static void gx1_set_hw_palette_reg(struc
43171 writel(val, par->dc_regs + DC_PAL_DATA);
43172 }
43173
43174 -struct geode_dc_ops gx1_dc_ops = {
43175 +const struct geode_dc_ops gx1_dc_ops = {
43176 .set_mode = gx1_set_mode,
43177 .set_palette_reg = gx1_set_hw_palette_reg,
43178 };
43179 diff -urNp linux-2.6.39.3/drivers/video/geode/display_gx1.h linux-2.6.39.3/drivers/video/geode/display_gx1.h
43180 --- linux-2.6.39.3/drivers/video/geode/display_gx1.h 2011-05-19 00:06:34.000000000 -0400
43181 +++ linux-2.6.39.3/drivers/video/geode/display_gx1.h 2011-05-22 19:36:32.000000000 -0400
43182 @@ -18,7 +18,7 @@
43183 unsigned gx1_gx_base(void);
43184 int gx1_frame_buffer_size(void);
43185
43186 -extern struct geode_dc_ops gx1_dc_ops;
43187 +extern const struct geode_dc_ops gx1_dc_ops;
43188
43189 /* GX1 configuration I/O registers */
43190
43191 diff -urNp linux-2.6.39.3/drivers/video/geode/geodefb.h linux-2.6.39.3/drivers/video/geode/geodefb.h
43192 --- linux-2.6.39.3/drivers/video/geode/geodefb.h 2011-05-19 00:06:34.000000000 -0400
43193 +++ linux-2.6.39.3/drivers/video/geode/geodefb.h 2011-05-22 19:36:32.000000000 -0400
43194 @@ -31,8 +31,8 @@ struct geodefb_par {
43195 int panel_y;
43196 void __iomem *dc_regs;
43197 void __iomem *vid_regs;
43198 - struct geode_dc_ops *dc_ops;
43199 - struct geode_vid_ops *vid_ops;
43200 + const struct geode_dc_ops *dc_ops;
43201 + const struct geode_vid_ops *vid_ops;
43202 };
43203
43204 #endif /* !__GEODEFB_H__ */
43205 diff -urNp linux-2.6.39.3/drivers/video/geode/video_cs5530.c linux-2.6.39.3/drivers/video/geode/video_cs5530.c
43206 --- linux-2.6.39.3/drivers/video/geode/video_cs5530.c 2011-05-19 00:06:34.000000000 -0400
43207 +++ linux-2.6.39.3/drivers/video/geode/video_cs5530.c 2011-05-22 19:36:32.000000000 -0400
43208 @@ -186,7 +186,7 @@ static int cs5530_blank_display(struct f
43209 return 0;
43210 }
43211
43212 -struct geode_vid_ops cs5530_vid_ops = {
43213 +const struct geode_vid_ops cs5530_vid_ops = {
43214 .set_dclk = cs5530_set_dclk_frequency,
43215 .configure_display = cs5530_configure_display,
43216 .blank_display = cs5530_blank_display,
43217 diff -urNp linux-2.6.39.3/drivers/video/geode/video_cs5530.h linux-2.6.39.3/drivers/video/geode/video_cs5530.h
43218 --- linux-2.6.39.3/drivers/video/geode/video_cs5530.h 2011-05-19 00:06:34.000000000 -0400
43219 +++ linux-2.6.39.3/drivers/video/geode/video_cs5530.h 2011-05-22 19:36:32.000000000 -0400
43220 @@ -15,7 +15,7 @@
43221 #ifndef __VIDEO_CS5530_H__
43222 #define __VIDEO_CS5530_H__
43223
43224 -extern struct geode_vid_ops cs5530_vid_ops;
43225 +extern const struct geode_vid_ops cs5530_vid_ops;
43226
43227 /* CS5530 Video device registers */
43228
43229 diff -urNp linux-2.6.39.3/drivers/video/i810/i810_accel.c linux-2.6.39.3/drivers/video/i810/i810_accel.c
43230 --- linux-2.6.39.3/drivers/video/i810/i810_accel.c 2011-05-19 00:06:34.000000000 -0400
43231 +++ linux-2.6.39.3/drivers/video/i810/i810_accel.c 2011-05-22 19:36:32.000000000 -0400
43232 @@ -73,6 +73,7 @@ static inline int wait_for_space(struct
43233 }
43234 }
43235 printk("ringbuffer lockup!!!\n");
43236 + printk("head:%u tail:%u iring.size:%u space:%u\n", head, tail, par->iring.size, space);
43237 i810_report_error(mmio);
43238 par->dev_flags |= LOCKUP;
43239 info->pixmap.scan_align = 1;
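Review bot: The added `printk("head:%u tail:%u ...")` in wait_for_space carries no log level, so the diagnostic is emitted at the default level and can be filtered out on the systems where the lockup matters. I would write it as `printk(KERN_ERR "head:%u tail:%u iring.size:%u space:%u\n", head, tail, par->iring.size, space);`. The declarations of head, tail and space are outside the hunk, so `%u` should be checked against their types.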
43240 diff -urNp linux-2.6.39.3/drivers/video/matrox/matroxfb_base.c linux-2.6.39.3/drivers/video/matrox/matroxfb_base.c
43241 --- linux-2.6.39.3/drivers/video/matrox/matroxfb_base.c 2011-05-19 00:06:34.000000000 -0400
43242 +++ linux-2.6.39.3/drivers/video/matrox/matroxfb_base.c 2011-05-22 19:36:32.000000000 -0400
43243 @@ -1232,7 +1232,7 @@ static struct fb_ops matroxfb_ops = {
43244 #define RSText 0x7
43245 #define RSText8 0x8
43246 /* 9-F */
43247 -static struct { struct fb_bitfield red, green, blue, transp; int bits_per_pixel; } colors[] = {
43248 +static const struct { struct fb_bitfield red, green, blue, transp; int bits_per_pixel; } colors[] = {
43249 { { 0, 8, 0}, { 0, 8, 0}, { 0, 8, 0}, { 0, 0, 0}, 8 },
43250 { { 10, 5, 0}, { 5, 5, 0}, { 0, 5, 0}, { 15, 1, 0}, 16 },
43251 { { 11, 5, 0}, { 5, 6, 0}, { 0, 5, 0}, { 0, 0, 0}, 16 },
43252 diff -urNp linux-2.6.39.3/drivers/video/omap/lcd_ams_delta.c linux-2.6.39.3/drivers/video/omap/lcd_ams_delta.c
43253 --- linux-2.6.39.3/drivers/video/omap/lcd_ams_delta.c 2011-05-19 00:06:34.000000000 -0400
43254 +++ linux-2.6.39.3/drivers/video/omap/lcd_ams_delta.c 2011-05-22 19:36:32.000000000 -0400
43255 @@ -87,7 +87,7 @@ static int ams_delta_lcd_get_contrast(st
43256 return ams_delta_lcd & AMS_DELTA_MAX_CONTRAST;
43257 }
43258
43259 -static struct lcd_ops ams_delta_lcd_ops = {
43260 +static const struct lcd_ops ams_delta_lcd_ops = {
43261 .get_power = ams_delta_lcd_get_power,
43262 .set_power = ams_delta_lcd_set_power,
43263 .get_contrast = ams_delta_lcd_get_contrast,
43264 diff -urNp linux-2.6.39.3/drivers/video/pxa3xx-gcu.c linux-2.6.39.3/drivers/video/pxa3xx-gcu.c
43265 --- linux-2.6.39.3/drivers/video/pxa3xx-gcu.c 2011-05-19 00:06:34.000000000 -0400
43266 +++ linux-2.6.39.3/drivers/video/pxa3xx-gcu.c 2011-05-22 19:36:32.000000000 -0400
43267 @@ -103,7 +103,7 @@ struct pxa3xx_gcu_priv {
43268 dma_addr_t shared_phys;
43269 struct resource *resource_mem;
43270 struct miscdevice misc_dev;
43271 - struct file_operations misc_fops;
43272 + const struct file_operations misc_fops;
43273 wait_queue_head_t wait_idle;
43274 wait_queue_head_t wait_free;
43275 spinlock_t spinlock;
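Review bot: Marking the embedded `misc_fops` member `const` in struct pxa3xx_gcu_priv does not make it read-only, because a member takes the storage of the enclosing object and this looks like a per-device structure allocated at run time (the allocation is not in the hunk). If the driver fills the member field by field at probe time, those assignments would also stop compiling. A file-scope `static const struct file_operations` referenced through `misc_dev.fops` would give the table real read-only placement. The struct definition continues outside the hunk.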
43276 diff -urNp linux-2.6.39.3/drivers/video/sh_mobile_lcdcfb.c linux-2.6.39.3/drivers/video/sh_mobile_lcdcfb.c
43277 --- linux-2.6.39.3/drivers/video/sh_mobile_lcdcfb.c 2011-05-19 00:06:34.000000000 -0400
43278 +++ linux-2.6.39.3/drivers/video/sh_mobile_lcdcfb.c 2011-05-22 19:36:32.000000000 -0400
43279 @@ -245,7 +245,7 @@ static unsigned long lcdc_sys_read_data(
43280 return lcdc_read(ch->lcdc, _LDDRDR) & 0x3ffff;
43281 }
43282
43283 -struct sh_mobile_lcdc_sys_bus_ops sh_mobile_lcdc_sys_bus_ops = {
43284 +const struct sh_mobile_lcdc_sys_bus_ops sh_mobile_lcdc_sys_bus_ops = {
43285 lcdc_sys_write_index,
43286 lcdc_sys_write_data,
43287 lcdc_sys_read_data,
43288 diff -urNp linux-2.6.39.3/drivers/video/udlfb.c linux-2.6.39.3/drivers/video/udlfb.c
43289 --- linux-2.6.39.3/drivers/video/udlfb.c 2011-05-19 00:06:34.000000000 -0400
43290 +++ linux-2.6.39.3/drivers/video/udlfb.c 2011-05-22 19:36:32.000000000 -0400
43291 @@ -584,11 +584,11 @@ int dlfb_handle_damage(struct dlfb_data
43292 dlfb_urb_completion(urb);
43293
43294 error:
43295 - atomic_add(bytes_sent, &dev->bytes_sent);
43296 - atomic_add(bytes_identical, &dev->bytes_identical);
43297 - atomic_add(width*height*2, &dev->bytes_rendered);
43298 + atomic_add_unchecked(bytes_sent, &dev->bytes_sent);
43299 + atomic_add_unchecked(bytes_identical, &dev->bytes_identical);
43300 + atomic_add_unchecked(width*height*2, &dev->bytes_rendered);
43301 end_cycles = get_cycles();
43302 - atomic_add(((unsigned int) ((end_cycles - start_cycles)
43303 + atomic_add_unchecked(((unsigned int) ((end_cycles - start_cycles)
43304 >> 10)), /* Kcycles */
43305 &dev->cpu_kcycles_used);
43306
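Review bot: The switch to `atomic_add_unchecked()` at the `error:` label of dlfb_handle_damage carries no comment saying why these four counters are exempt from overflow detection, and the same holds for the dlfb_dpy_deferred_io, metrics_*_show and metrics_reset_store hunks below. They appear to be statistics that are only printed through the metrics attributes, so wrap-around would be harmless, but that is the property a reviewer has to confirm for every `_unchecked` conversion. A single comment at the field declarations, e.g. `/* statistics only, may wrap: not reference counts */`, would record it. The declarations are outside these hunks and must use the matching unchecked atomic type.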
43307 @@ -709,11 +709,11 @@ static void dlfb_dpy_deferred_io(struct
43308 dlfb_urb_completion(urb);
43309
43310 error:
43311 - atomic_add(bytes_sent, &dev->bytes_sent);
43312 - atomic_add(bytes_identical, &dev->bytes_identical);
43313 - atomic_add(bytes_rendered, &dev->bytes_rendered);
43314 + atomic_add_unchecked(bytes_sent, &dev->bytes_sent);
43315 + atomic_add_unchecked(bytes_identical, &dev->bytes_identical);
43316 + atomic_add_unchecked(bytes_rendered, &dev->bytes_rendered);
43317 end_cycles = get_cycles();
43318 - atomic_add(((unsigned int) ((end_cycles - start_cycles)
43319 + atomic_add_unchecked(((unsigned int) ((end_cycles - start_cycles)
43320 >> 10)), /* Kcycles */
43321 &dev->cpu_kcycles_used);
43322 }
43323 @@ -1301,7 +1301,7 @@ static ssize_t metrics_bytes_rendered_sh
43324 struct fb_info *fb_info = dev_get_drvdata(fbdev);
43325 struct dlfb_data *dev = fb_info->par;
43326 return snprintf(buf, PAGE_SIZE, "%u\n",
43327 - atomic_read(&dev->bytes_rendered));
43328 + atomic_read_unchecked(&dev->bytes_rendered));
43329 }
43330
43331 static ssize_t metrics_bytes_identical_show(struct device *fbdev,
43332 @@ -1309,7 +1309,7 @@ static ssize_t metrics_bytes_identical_s
43333 struct fb_info *fb_info = dev_get_drvdata(fbdev);
43334 struct dlfb_data *dev = fb_info->par;
43335 return snprintf(buf, PAGE_SIZE, "%u\n",
43336 - atomic_read(&dev->bytes_identical));
43337 + atomic_read_unchecked(&dev->bytes_identical));
43338 }
43339
43340 static ssize_t metrics_bytes_sent_show(struct device *fbdev,
43341 @@ -1317,7 +1317,7 @@ static ssize_t metrics_bytes_sent_show(s
43342 struct fb_info *fb_info = dev_get_drvdata(fbdev);
43343 struct dlfb_data *dev = fb_info->par;
43344 return snprintf(buf, PAGE_SIZE, "%u\n",
43345 - atomic_read(&dev->bytes_sent));
43346 + atomic_read_unchecked(&dev->bytes_sent));
43347 }
43348
43349 static ssize_t metrics_cpu_kcycles_used_show(struct device *fbdev,
43350 @@ -1325,7 +1325,7 @@ static ssize_t metrics_cpu_kcycles_used_
43351 struct fb_info *fb_info = dev_get_drvdata(fbdev);
43352 struct dlfb_data *dev = fb_info->par;
43353 return snprintf(buf, PAGE_SIZE, "%u\n",
43354 - atomic_read(&dev->cpu_kcycles_used));
43355 + atomic_read_unchecked(&dev->cpu_kcycles_used));
43356 }
43357
43358 static ssize_t edid_show(
43359 @@ -1382,10 +1382,10 @@ static ssize_t metrics_reset_store(struc
43360 struct fb_info *fb_info = dev_get_drvdata(fbdev);
43361 struct dlfb_data *dev = fb_info->par;
43362
43363 - atomic_set(&dev->bytes_rendered, 0);
43364 - atomic_set(&dev->bytes_identical, 0);
43365 - atomic_set(&dev->bytes_sent, 0);
43366 - atomic_set(&dev->cpu_kcycles_used, 0);
43367 + atomic_set_unchecked(&dev->bytes_rendered, 0);
43368 + atomic_set_unchecked(&dev->bytes_identical, 0);
43369 + atomic_set_unchecked(&dev->bytes_sent, 0);
43370 + atomic_set_unchecked(&dev->cpu_kcycles_used, 0);
43371
43372 return count;
43373 }
43374 diff -urNp linux-2.6.39.3/drivers/video/uvesafb.c linux-2.6.39.3/drivers/video/uvesafb.c
43375 --- linux-2.6.39.3/drivers/video/uvesafb.c 2011-05-19 00:06:34.000000000 -0400
43376 +++ linux-2.6.39.3/drivers/video/uvesafb.c 2011-05-22 19:36:32.000000000 -0400
43377 @@ -19,6 +19,7 @@
43378 #include <linux/io.h>
43379 #include <linux/mutex.h>
43380 #include <linux/slab.h>
43381 +#include <linux/moduleloader.h>
43382 #include <video/edid.h>
43383 #include <video/uvesafb.h>
43384 #ifdef CONFIG_X86
43385 @@ -121,7 +122,7 @@ static int uvesafb_helper_start(void)
43386 NULL,
43387 };
43388
43389 - return call_usermodehelper(v86d_path, argv, envp, 1);
43390 + return call_usermodehelper(v86d_path, argv, envp, UMH_WAIT_PROC);
43391 }
43392
43393 /*
43394 @@ -569,10 +570,32 @@ static int __devinit uvesafb_vbe_getpmi(
43395 if ((task->t.regs.eax & 0xffff) != 0x4f || task->t.regs.es < 0xc000) {
43396 par->pmi_setpal = par->ypan = 0;
43397 } else {
43398 +
43399 +#ifdef CONFIG_PAX_KERNEXEC
43400 +#ifdef CONFIG_MODULES
43401 + par->pmi_code = module_alloc_exec((u16)task->t.regs.ecx);
43402 +#endif
43403 + if (!par->pmi_code) {
43404 + par->pmi_setpal = par->ypan = 0;
43405 + return 0;
43406 + }
43407 +#endif
43408 +
43409 par->pmi_base = (u16 *)phys_to_virt(((u32)task->t.regs.es << 4)
43410 + task->t.regs.edi);
43411 +
43412 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
43413 + pax_open_kernel();
43414 + memcpy(par->pmi_code, par->pmi_base, (u16)task->t.regs.ecx);
43415 + pax_close_kernel();
43416 +
43417 + par->pmi_start = ktva_ktla(par->pmi_code + par->pmi_base[1]);
43418 + par->pmi_pal = ktva_ktla(par->pmi_code + par->pmi_base[2]);
43419 +#else
43420 par->pmi_start = (u8 *)par->pmi_base + par->pmi_base[1];
43421 par->pmi_pal = (u8 *)par->pmi_base + par->pmi_base[2];
43422 +#endif
43423 +
43424 printk(KERN_INFO "uvesafb: protected mode interface info at "
43425 "%04x:%04x\n",
43426 (u16)task->t.regs.es, (u16)task->t.regs.edi);
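Review bot: The KERNEXEC branch of uvesafb_vbe_getpmi copies `(u16)task->t.regs.ecx` bytes into `par->pmi_code` and then builds `par->pmi_start` and `par->pmi_pal` from `par->pmi_base[1]` and `par->pmi_base[2]` without comparing those firmware-supplied offsets with the copied length. An offset at or beyond that length gives an entry point outside the executable buffer, and a length below six bytes means the two offsets were never part of the copy. I would disable the interface before the pointers are set: `if ((u16)task->t.regs.ecx < 6 || par->pmi_base[1] >= (u16)task->t.regs.ecx || par->pmi_base[2] >= (u16)task->t.regs.ecx) { par->pmi_setpal = par->ypan = 0; return 0; }`. The vesafb_probe hunk in vesafb.c below has the same gap with `screen_info.vesapm_size`. The function starts and ends outside the hunk.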
43427 @@ -1821,6 +1844,11 @@ out:
43428 if (par->vbe_modes)
43429 kfree(par->vbe_modes);
43430
43431 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
43432 + if (par->pmi_code)
43433 + module_free_exec(NULL, par->pmi_code);
43434 +#endif
43435 +
43436 framebuffer_release(info);
43437 return err;
43438 }
43439 @@ -1847,6 +1875,12 @@ static int uvesafb_remove(struct platfor
43440 kfree(par->vbe_state_orig);
43441 if (par->vbe_state_saved)
43442 kfree(par->vbe_state_saved);
43443 +
43444 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
43445 + if (par->pmi_code)
43446 + module_free_exec(NULL, par->pmi_code);
43447 +#endif
43448 +
43449 }
43450
43451 framebuffer_release(info);
43452 @@ -2013,7 +2047,7 @@ static int param_set_scroll(const char *
43453
43454 return 0;
43455 }
43456 -static struct kernel_param_ops param_ops_scroll = {
43457 +static const struct kernel_param_ops param_ops_scroll = {
43458 .set = param_set_scroll,
43459 };
43460 #define param_check_scroll(name, p) __param_check(name, p, void)
43461 diff -urNp linux-2.6.39.3/drivers/video/vesafb.c linux-2.6.39.3/drivers/video/vesafb.c
43462 --- linux-2.6.39.3/drivers/video/vesafb.c 2011-05-19 00:06:34.000000000 -0400
43463 +++ linux-2.6.39.3/drivers/video/vesafb.c 2011-05-22 19:36:32.000000000 -0400
43464 @@ -9,6 +9,7 @@
43465 */
43466
43467 #include <linux/module.h>
43468 +#include <linux/moduleloader.h>
43469 #include <linux/kernel.h>
43470 #include <linux/errno.h>
43471 #include <linux/string.h>
43472 @@ -52,8 +53,8 @@ static int vram_remap __initdata; /*
43473 static int vram_total __initdata; /* Set total amount of memory */
43474 static int pmi_setpal __read_mostly = 1; /* pmi for palette changes ??? */
43475 static int ypan __read_mostly; /* 0..nothing, 1..ypan, 2..ywrap */
43476 -static void (*pmi_start)(void) __read_mostly;
43477 -static void (*pmi_pal) (void) __read_mostly;
43478 +static void (*pmi_start)(void) __read_only;
43479 +static void (*pmi_pal) (void) __read_only;
43480 static int depth __read_mostly;
43481 static int vga_compat __read_mostly;
43482 /* --------------------------------------------------------------------- */
43483 @@ -232,6 +233,7 @@ static int __init vesafb_probe(struct pl
43484 unsigned int size_vmode;
43485 unsigned int size_remap;
43486 unsigned int size_total;
43487 + void *pmi_code = NULL;
43488
43489 if (screen_info.orig_video_isVGA != VIDEO_TYPE_VLFB)
43490 return -ENODEV;
43491 @@ -274,10 +276,6 @@ static int __init vesafb_probe(struct pl
43492 size_remap = size_total;
43493 vesafb_fix.smem_len = size_remap;
43494
43495 -#ifndef __i386__
43496 - screen_info.vesapm_seg = 0;
43497 -#endif
43498 -
43499 if (!request_mem_region(vesafb_fix.smem_start, size_total, "vesafb")) {
43500 printk(KERN_WARNING
43501 "vesafb: cannot reserve video memory at 0x%lx\n",
43502 @@ -306,9 +304,21 @@ static int __init vesafb_probe(struct pl
43503 printk(KERN_INFO "vesafb: mode is %dx%dx%d, linelength=%d, pages=%d\n",
43504 vesafb_defined.xres, vesafb_defined.yres, vesafb_defined.bits_per_pixel, vesafb_fix.line_length, screen_info.pages);
43505
43506 +#ifdef __i386__
43507 +
43508 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
43509 + pmi_code = module_alloc_exec(screen_info.vesapm_size);
43510 + if (!pmi_code)
43511 +#elif !defined(CONFIG_PAX_KERNEXEC)
43512 + if (0)
43513 +#endif
43514 +
43515 +#endif
43516 + screen_info.vesapm_seg = 0;
43517 +
43518 if (screen_info.vesapm_seg) {
43519 - printk(KERN_INFO "vesafb: protected mode interface info at %04x:%04x\n",
43520 - screen_info.vesapm_seg,screen_info.vesapm_off);
43521 + printk(KERN_INFO "vesafb: protected mode interface info at %04x:%04x %04x bytes\n",
43522 + screen_info.vesapm_seg,screen_info.vesapm_off,screen_info.vesapm_size);
43523 }
43524
43525 if (screen_info.vesapm_seg < 0xc000)
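Review bot: In vesafb_probe the `screen_info.vesapm_seg = 0;` statement gets its controlling `if` from whichever preprocessor branch is active, so whether it is conditional cannot be read from the statement itself. With KERNEXEC enabled and CONFIG_MODULES disabled, or on non-i386, it runs unconditionally. That may be intended, but a later edit between the `#endif` lines and the assignment would silently change which statement the `if` governs. I would give each configuration a complete statement, as in the excerpt below, which keeps the same four outcomes. vesafb_probe begins and ends outside the hunk.

```c
#if defined(__i386__) && defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
	pmi_code = module_alloc_exec(screen_info.vesapm_size);
	if (!pmi_code)
		screen_info.vesapm_seg = 0;
#elif !defined(__i386__) || defined(CONFIG_PAX_KERNEXEC)
	/* no executable copy is possible here: leave the PMI unused */
	screen_info.vesapm_seg = 0;
#endif

	/* … unchanged: vesapm_seg printk and the 0xc000 check … */
```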
43526 @@ -316,9 +326,25 @@ static int __init vesafb_probe(struct pl
43527
43528 if (ypan || pmi_setpal) {
43529 unsigned short *pmi_base;
43530 - pmi_base = (unsigned short*)phys_to_virt(((unsigned long)screen_info.vesapm_seg << 4) + screen_info.vesapm_off);
43531 - pmi_start = (void*)((char*)pmi_base + pmi_base[1]);
43532 - pmi_pal = (void*)((char*)pmi_base + pmi_base[2]);
43533 +
43534 + pmi_base = (unsigned short*)phys_to_virt(((unsigned long)screen_info.vesapm_seg << 4) + screen_info.vesapm_off);
43535 +
43536 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
43537 + pax_open_kernel();
43538 + memcpy(pmi_code, pmi_base, screen_info.vesapm_size);
43539 +#else
43540 + pmi_code = pmi_base;
43541 +#endif
43542 +
43543 + pmi_start = (void*)((char*)pmi_code + pmi_base[1]);
43544 + pmi_pal = (void*)((char*)pmi_code + pmi_base[2]);
43545 +
43546 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
43547 + pmi_start = ktva_ktla(pmi_start);
43548 + pmi_pal = ktva_ktla(pmi_pal);
43549 + pax_close_kernel();
43550 +#endif
43551 +
43552 printk(KERN_INFO "vesafb: pmi: set display start = %p, set palette = %p\n",pmi_start,pmi_pal);
43553 if (pmi_base[3]) {
43554 printk(KERN_INFO "vesafb: pmi: ports = ");
43555 @@ -487,6 +513,11 @@ static int __init vesafb_probe(struct pl
43556 info->node, info->fix.id);
43557 return 0;
43558 err:
43559 +
43560 +#if defined(__i386__) && defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
43561 + module_free_exec(NULL, pmi_code);
43562 +#endif
43563 +
43564 if (info->screen_base)
43565 iounmap(info->screen_base);
43566 framebuffer_release(info);
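Review bot: At the `err:` label `module_free_exec(NULL, pmi_code)` is called without the `if (pmi_code)` guard that the two uvesafb.c hunks above use, although `pmi_code` starts as NULL and stays NULL when the allocation fails. Whether module_free_exec accepts NULL is not visible on this page, so I would match the other call sites: `if (pmi_code) module_free_exec(NULL, pmi_code);`. It is also worth checking the path where the buffer was allocated but `ypan` and `pmi_setpal` end up cleared, since nothing in the visible hunks releases it there.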
43567 diff -urNp linux-2.6.39.3/drivers/virtio/virtio_balloon.c linux-2.6.39.3/drivers/virtio/virtio_balloon.c
43568 --- linux-2.6.39.3/drivers/virtio/virtio_balloon.c 2011-05-19 00:06:34.000000000 -0400
43569 +++ linux-2.6.39.3/drivers/virtio/virtio_balloon.c 2011-05-22 19:36:32.000000000 -0400
43570 @@ -176,6 +176,8 @@ static void update_balloon_stats(struct
43571 struct sysinfo i;
43572 int idx = 0;
43573
43574 + pax_track_stack();
43575 +
43576 all_vm_events(events);
43577 si_meminfo(&i);
43578
43579 diff -urNp linux-2.6.39.3/drivers/xen/gntalloc.c linux-2.6.39.3/drivers/xen/gntalloc.c
43580 --- linux-2.6.39.3/drivers/xen/gntalloc.c 2011-05-19 00:06:34.000000000 -0400
43581 +++ linux-2.6.39.3/drivers/xen/gntalloc.c 2011-05-22 19:36:32.000000000 -0400
43582 @@ -440,7 +440,7 @@ static void gntalloc_vma_close(struct vm
43583 spin_unlock(&gref_lock);
43584 }
43585
43586 -static struct vm_operations_struct gntalloc_vmops = {
43587 +static const struct vm_operations_struct gntalloc_vmops = {
43588 .close = gntalloc_vma_close,
43589 };
43590
43591 diff -urNp linux-2.6.39.3/drivers/xen/gntdev.c linux-2.6.39.3/drivers/xen/gntdev.c
43592 --- linux-2.6.39.3/drivers/xen/gntdev.c 2011-05-19 00:06:34.000000000 -0400
43593 +++ linux-2.6.39.3/drivers/xen/gntdev.c 2011-05-22 19:36:32.000000000 -0400
43594 @@ -340,7 +340,7 @@ static void gntdev_vma_close(struct vm_a
43595 gntdev_put_map(map);
43596 }
43597
43598 -static struct vm_operations_struct gntdev_vmops = {
43599 +static const struct vm_operations_struct gntdev_vmops = {
43600 .close = gntdev_vma_close,
43601 };
43602
43603 @@ -404,7 +404,7 @@ static void mn_release(struct mmu_notifi
43604 spin_unlock(&priv->lock);
43605 }
43606
43607 -struct mmu_notifier_ops gntdev_mmu_ops = {
43608 +const struct mmu_notifier_ops gntdev_mmu_ops = {
43609 .release = mn_release,
43610 .invalidate_page = mn_invl_page,
43611 .invalidate_range_start = mn_invl_range_start,
43612 diff -urNp linux-2.6.39.3/drivers/xen/xenfs/privcmd.c linux-2.6.39.3/drivers/xen/xenfs/privcmd.c
43613 --- linux-2.6.39.3/drivers/xen/xenfs/privcmd.c 2011-05-19 00:06:34.000000000 -0400
43614 +++ linux-2.6.39.3/drivers/xen/xenfs/privcmd.c 2011-05-22 19:36:32.000000000 -0400
43615 @@ -268,7 +268,7 @@ static int mmap_return_errors(void *data
43616 return put_user(*mfnp, st->user++);
43617 }
43618
43619 -static struct vm_operations_struct privcmd_vm_ops;
43620 +static const struct vm_operations_struct privcmd_vm_ops;
43621
43622 static long privcmd_ioctl_mmap_batch(void __user *udata)
43623 {
43624 @@ -369,7 +369,7 @@ static int privcmd_fault(struct vm_area_
43625 return VM_FAULT_SIGBUS;
43626 }
43627
43628 -static struct vm_operations_struct privcmd_vm_ops = {
43629 +static const struct vm_operations_struct privcmd_vm_ops = {
43630 .fault = privcmd_fault
43631 };
43632
43633 diff -urNp linux-2.6.39.3/fs/9p/vfs_inode.c linux-2.6.39.3/fs/9p/vfs_inode.c
43634 --- linux-2.6.39.3/fs/9p/vfs_inode.c 2011-05-19 00:06:34.000000000 -0400
43635 +++ linux-2.6.39.3/fs/9p/vfs_inode.c 2011-05-22 19:36:32.000000000 -0400
43636 @@ -1210,7 +1210,7 @@ static void *v9fs_vfs_follow_link(struct
43637 void
43638 v9fs_vfs_put_link(struct dentry *dentry, struct nameidata *nd, void *p)
43639 {
43640 - char *s = nd_get_link(nd);
43641 + const char *s = nd_get_link(nd);
43642
43643 P9_DPRINTK(P9_DEBUG_VFS, " %s %s\n", dentry->d_name.name,
43644 IS_ERR(s) ? "<error>" : s);
43645 diff -urNp linux-2.6.39.3/fs/aio.c linux-2.6.39.3/fs/aio.c
43646 --- linux-2.6.39.3/fs/aio.c 2011-05-19 00:06:34.000000000 -0400
43647 +++ linux-2.6.39.3/fs/aio.c 2011-06-03 01:00:34.000000000 -0400
43648 @@ -119,7 +119,7 @@ static int aio_setup_ring(struct kioctx
43649 size += sizeof(struct io_event) * nr_events;
43650 nr_pages = (size + PAGE_SIZE-1) >> PAGE_SHIFT;
43651
43652 - if (nr_pages < 0)
43653 + if (nr_pages <= 0)
43654 return -EINVAL;
43655
43656 nr_events = (PAGE_SIZE * nr_pages - sizeof(struct aio_ring)) / sizeof(struct io_event);
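Review bot: The new `nr_pages <= 0` test in aio_setup_ring has no comment tying it to the line it protects: with `nr_pages == 0`, `PAGE_SIZE * nr_pages - sizeof(struct aio_ring)` on the next line wraps and `nr_events` becomes very large. A comment such as `/* zero pages would make the nr_events computation below wrap */` keeps the check from being relaxed again. The sign test does not cover a wrap in the earlier `size += sizeof(struct io_event) * nr_events`; whether the caller bounds nr_events is outside the hunk.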
43657 @@ -1088,6 +1088,8 @@ static int read_events(struct kioctx *ct
43658 struct aio_timeout to;
43659 int retry = 0;
43660
43661 + pax_track_stack();
43662 +
43663 /* needed to zero any padding within an entry (there shouldn't be
43664 * any, but C is fun!
43665 */
43666 @@ -1381,22 +1383,27 @@ static ssize_t aio_fsync(struct kiocb *i
43667 static ssize_t aio_setup_vectored_rw(int type, struct kiocb *kiocb, bool compat)
43668 {
43669 ssize_t ret;
43670 + struct iovec iovstack;
43671
43672 #ifdef CONFIG_COMPAT
43673 if (compat)
43674 ret = compat_rw_copy_check_uvector(type,
43675 (struct compat_iovec __user *)kiocb->ki_buf,
43676 - kiocb->ki_nbytes, 1, &kiocb->ki_inline_vec,
43677 + kiocb->ki_nbytes, 1, &iovstack,
43678 &kiocb->ki_iovec);
43679 else
43680 #endif
43681 ret = rw_copy_check_uvector(type,
43682 (struct iovec __user *)kiocb->ki_buf,
43683 - kiocb->ki_nbytes, 1, &kiocb->ki_inline_vec,
43684 + kiocb->ki_nbytes, 1, &iovstack,
43685 &kiocb->ki_iovec);
43686 if (ret < 0)
43687 goto out;
43688
43689 + if (kiocb->ki_iovec == &iovstack) {
43690 + kiocb->ki_inline_vec = iovstack;
43691 + kiocb->ki_iovec = &kiocb->ki_inline_vec;
43692 + }
43693 kiocb->ki_nr_segs = kiocb->ki_nbytes;
43694 kiocb->ki_cur_seg = 0;
43695 /* ki_nbytes/left now reflect bytes instead of segs */
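Review bot: In aio_setup_vectored_rw the fix-up that redirects `kiocb->ki_iovec` from the local `iovstack` to `ki_inline_vec` sits after `if (ret < 0) goto out;`, so the error path skips it. If rw_copy_check_uvector or its compat variant stores the fast-path pointer before returning an error (their bodies are not on this page), `ki_iovec` is left pointing at a dead stack slot that later cleanup may compare with `&kiocb->ki_inline_vec`. I would reset it before the jump: `if (ret < 0) { if (kiocb->ki_iovec == &iovstack) kiocb->ki_iovec = &kiocb->ki_inline_vec; goto out; }`. The `out:` label and the end of the function are outside the hunk.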
43696 diff -urNp linux-2.6.39.3/fs/attr.c linux-2.6.39.3/fs/attr.c
43697 --- linux-2.6.39.3/fs/attr.c 2011-05-19 00:06:34.000000000 -0400
43698 +++ linux-2.6.39.3/fs/attr.c 2011-05-22 19:41:37.000000000 -0400
43699 @@ -98,6 +98,7 @@ int inode_newsize_ok(const struct inode
43700 unsigned long limit;
43701
43702 limit = rlimit(RLIMIT_FSIZE);
43703 + gr_learn_resource(current, RLIMIT_FSIZE, (unsigned long)offset, 1);
43704 if (limit != RLIM_INFINITY && offset > limit)
43705 goto out_sig;
43706 if (offset > inode->i_sb->s_maxbytes)
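Review bot: The `(unsigned long)offset` cast in the added gr_learn_resource call in inode_newsize_ok can truncate the value on 32-bit builds if `offset` is a 64-bit file offset, so the learned RLIMIT_FSIZE figure would be smaller than the size the `offset > limit` test right below it compares. The parameter's type and the prototype of gr_learn_resource are outside the hunk, so this needs confirming. If the truncation is accepted, a comment such as `/* learning records only the low word on 32-bit */` would say so; otherwise the value could be clamped to `ULONG_MAX` when it does not fit.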
43707 diff -urNp linux-2.6.39.3/fs/befs/linuxvfs.c linux-2.6.39.3/fs/befs/linuxvfs.c
43708 --- linux-2.6.39.3/fs/befs/linuxvfs.c 2011-05-19 00:06:34.000000000 -0400
43709 +++ linux-2.6.39.3/fs/befs/linuxvfs.c 2011-05-22 19:36:32.000000000 -0400
43710 @@ -498,7 +498,7 @@ static void befs_put_link(struct dentry
43711 {
43712 befs_inode_info *befs_ino = BEFS_I(dentry->d_inode);
43713 if (befs_ino->i_flags & BEFS_LONG_SYMLINK) {
43714 - char *link = nd_get_link(nd);
43715 + const char *link = nd_get_link(nd);
43716 if (!IS_ERR(link))
43717 kfree(link);
43718 }
43719 diff -urNp linux-2.6.39.3/fs/binfmt_aout.c linux-2.6.39.3/fs/binfmt_aout.c
43720 --- linux-2.6.39.3/fs/binfmt_aout.c 2011-05-19 00:06:34.000000000 -0400
43721 +++ linux-2.6.39.3/fs/binfmt_aout.c 2011-05-22 19:41:37.000000000 -0400
43722 @@ -16,6 +16,7 @@
43723 #include <linux/string.h>
43724 #include <linux/fs.h>
43725 #include <linux/file.h>
43726 +#include <linux/security.h>
43727 #include <linux/stat.h>
43728 #include <linux/fcntl.h>
43729 #include <linux/ptrace.h>
43730 @@ -86,6 +87,8 @@ static int aout_core_dump(struct coredum
43731 #endif
43732 # define START_STACK(u) ((void __user *)u.start_stack)
43733
43734 + memset(&dump, 0, sizeof(dump));
43735 +
43736 fs = get_fs();
43737 set_fs(KERNEL_DS);
43738 has_dumped = 1;
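Review bot: The added `memset(&dump, 0, sizeof(dump));` in aout_core_dump has no comment explaining that it clears padding and any fields left unset before the structure is used, presumably before it is written to the core file. Without one, a later cleanup could take it for a redundant initialisation and remove it. I would add `/* zero padding and unset fields so no stale stack bytes reach the core file */` above it. The declaration of `dump` and the code that writes it are outside the hunk.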
43739 @@ -97,10 +100,12 @@ static int aout_core_dump(struct coredum
43740
43741 /* If the size of the dump file exceeds the rlimit, then see what would happen
43742 if we wrote the stack, but not the data area. */
43743 + gr_learn_resource(current, RLIMIT_CORE, (dump.u_dsize + dump.u_ssize+1) * PAGE_SIZE, 1);
43744 if ((dump.u_dsize + dump.u_ssize+1) * PAGE_SIZE > cprm->limit)
43745 dump.u_dsize = 0;
43746
43747 /* Make sure we have enough room to write the stack and data areas. */
43748 + gr_learn_resource(current, RLIMIT_CORE, (dump.u_ssize + 1) * PAGE_SIZE, 1);
43749 if ((dump.u_ssize + 1) * PAGE_SIZE > cprm->limit)
43750 dump.u_ssize = 0;
43751
43752 @@ -234,6 +239,8 @@ static int load_aout_binary(struct linux
43753 rlim = rlimit(RLIMIT_DATA);
43754 if (rlim >= RLIM_INFINITY)
43755 rlim = ~0;
43756 +
43757 + gr_learn_resource(current, RLIMIT_DATA, ex.a_data + ex.a_bss, 1);
43758 if (ex.a_data + ex.a_bss > rlim)
43759 return -ENOMEM;
43760
43761 @@ -262,6 +269,27 @@ static int load_aout_binary(struct linux
43762 install_exec_creds(bprm);
43763 current->flags &= ~PF_FORKNOEXEC;
43764
43765 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
43766 + current->mm->pax_flags = 0UL;
43767 +#endif
43768 +
43769 +#ifdef CONFIG_PAX_PAGEEXEC
43770 + if (!(N_FLAGS(ex) & F_PAX_PAGEEXEC)) {
43771 + current->mm->pax_flags |= MF_PAX_PAGEEXEC;
43772 +
43773 +#ifdef CONFIG_PAX_EMUTRAMP
43774 + if (N_FLAGS(ex) & F_PAX_EMUTRAMP)
43775 + current->mm->pax_flags |= MF_PAX_EMUTRAMP;
43776 +#endif
43777 +
43778 +#ifdef CONFIG_PAX_MPROTECT
43779 + if (!(N_FLAGS(ex) & F_PAX_MPROTECT))
43780 + current->mm->pax_flags |= MF_PAX_MPROTECT;
43781 +#endif
43782 +
43783 + }
43784 +#endif
43785 +
43786 if (N_MAGIC(ex) == OMAGIC) {
43787 unsigned long text_addr, map_size;
43788 loff_t pos;
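Review bot: The PaX flag block added to load_aout_binary mixes two polarities without saying so: MF_PAX_PAGEEXEC and MF_PAX_MPROTECT are set when the header bit is absent, while MF_PAX_EMUTRAMP is set when its bit is present. A comment such as `/* F_PAX_PAGEEXEC and F_PAX_MPROTECT are opt-out bits, F_PAX_EMUTRAMP is opt-in */` above the block would prevent a well-meant correction of the negations. The block also leaves `pax_flags` at zero when CONFIG_PAX_PAGEEXEC is off, so a.out binaries get none of these flags in that configuration; if that is intended it deserves a line as well. The function continues outside the hunk.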
43789 @@ -334,7 +362,7 @@ static int load_aout_binary(struct linux
43790
43791 down_write(&current->mm->mmap_sem);
43792 error = do_mmap(bprm->file, N_DATADDR(ex), ex.a_data,
43793 - PROT_READ | PROT_WRITE | PROT_EXEC,
43794 + PROT_READ | PROT_WRITE,
43795 MAP_FIXED | MAP_PRIVATE | MAP_DENYWRITE | MAP_EXECUTABLE,
43796 fd_offset + ex.a_text);
43797 up_write(&current->mm->mmap_sem);
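Review bot: Dropping `PROT_EXEC` from the data-segment `do_mmap()` in load_aout_binary is not tied, within this hunk, to any CONFIG_PAX_* option or to the per-binary flags set earlier in the function, so as shown it applies to every a.out binary in every configuration. If that is the intent, a comment such as `/* data is never mapped executable, independent of the PaX flags */` would make the compatibility decision explicit. The surrounding branch and the rest of the function are outside the hunk, so any enclosing conditional would need checking there.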
43798 diff -urNp linux-2.6.39.3/fs/binfmt_elf.c linux-2.6.39.3/fs/binfmt_elf.c
43799 --- linux-2.6.39.3/fs/binfmt_elf.c 2011-05-19 00:06:34.000000000 -0400
43800 +++ linux-2.6.39.3/fs/binfmt_elf.c 2011-05-22 19:41:37.000000000 -0400
43801 @@ -51,6 +51,10 @@ static int elf_core_dump(struct coredump
43802 #define elf_core_dump NULL
43803 #endif
43804
43805 +#ifdef CONFIG_PAX_MPROTECT
43806 +static void elf_handle_mprotect(struct vm_area_struct *vma, unsigned long newflags);
43807 +#endif
43808 +
43809 #if ELF_EXEC_PAGESIZE > PAGE_SIZE
43810 #define ELF_MIN_ALIGN ELF_EXEC_PAGESIZE
43811 #else
43812 @@ -70,6 +74,11 @@ static struct linux_binfmt elf_format =
43813 .load_binary = load_elf_binary,
43814 .load_shlib = load_elf_library,
43815 .core_dump = elf_core_dump,
43816 +
43817 +#ifdef CONFIG_PAX_MPROTECT
43818 + .handle_mprotect= elf_handle_mprotect,
43819 +#endif
43820 +
43821 .min_coredump = ELF_EXEC_PAGESIZE,
43822 };
43823
43824 @@ -77,6 +86,8 @@ static struct linux_binfmt elf_format =
43825
43826 static int set_brk(unsigned long start, unsigned long end)
43827 {
43828 + unsigned long e = end;
43829 +
43830 start = ELF_PAGEALIGN(start);
43831 end = ELF_PAGEALIGN(end);
43832 if (end > start) {
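Review bot: The new local `e` in set_brk keeps the caller's `end` from before `ELF_PAGEALIGN()`, and the next hunk stores it in `start_brk` and `brk` instead of the aligned value; neither the name nor a comment says that the break is now deliberately unaligned. I would rename it and state the reason, e.g. `unsigned long unaligned_end = end; /* brk keeps the exact end, only the mapping is page aligned */`. Code elsewhere that assumes a page-aligned `mm->brk` is not visible on this page and should be checked.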
43833 @@ -87,7 +98,7 @@ static int set_brk(unsigned long start,
43834 if (BAD_ADDR(addr))
43835 return addr;
43836 }
43837 - current->mm->start_brk = current->mm->brk = end;
43838 + current->mm->start_brk = current->mm->brk = e;
43839 return 0;
43840 }
43841
43842 @@ -148,12 +159,15 @@ create_elf_tables(struct linux_binprm *b
43843 elf_addr_t __user *u_rand_bytes;
43844 const char *k_platform = ELF_PLATFORM;
43845 const char *k_base_platform = ELF_BASE_PLATFORM;
43846 - unsigned char k_rand_bytes[16];
43847 + u32 k_rand_bytes[4];
43848 int items;
43849 elf_addr_t *elf_info;
43850 int ei_index = 0;
43851 const struct cred *cred = current_cred();
43852 struct vm_area_struct *vma;
43853 + unsigned long saved_auxv[AT_VECTOR_SIZE];
43854 +
43855 + pax_track_stack();
43856
43857 /*
43858 * In some cases (e.g. Hyper-Threading), we want to avoid L1
43859 @@ -195,8 +209,12 @@ create_elf_tables(struct linux_binprm *b
43860 * Generate 16 random bytes for userspace PRNG seeding.
43861 */
43862 get_random_bytes(k_rand_bytes, sizeof(k_rand_bytes));
43863 - u_rand_bytes = (elf_addr_t __user *)
43864 - STACK_ALLOC(p, sizeof(k_rand_bytes));
43865 + srandom32(k_rand_bytes[0] ^ random32());
43866 + srandom32(k_rand_bytes[1] ^ random32());
43867 + srandom32(k_rand_bytes[2] ^ random32());
43868 + srandom32(k_rand_bytes[3] ^ random32());
43869 + p = STACK_ROUND(p, sizeof(k_rand_bytes));
43870 + u_rand_bytes = (elf_addr_t __user *) p;
43871 if (__copy_to_user(u_rand_bytes, k_rand_bytes, sizeof(k_rand_bytes)))
43872 return -EFAULT;
43873
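Review bot: The four added `srandom32(k_rand_bytes[n] ^ random32())` calls in create_elf_tables seed the kernel's random32 state from the same 16 bytes that `__copy_to_user()` hands to the new process a few lines later, so one of the two inputs to each seed is disclosed to userspace. The comment above the block still describes the buffer as userspace seeding material only. I would draw the kernel seed separately, `u32 seed; get_random_bytes(&seed, sizeof(seed)); srandom32(seed);`, and leave `k_rand_bytes` for the copy. The function starts and ends outside the hunk.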
43874 @@ -308,9 +326,11 @@ create_elf_tables(struct linux_binprm *b
43875 return -EFAULT;
43876 current->mm->env_end = p;
43877
43878 + memcpy(saved_auxv, elf_info, ei_index * sizeof(elf_addr_t));
43879 +
43880 /* Put the elf_info on the stack in the right place. */
43881 sp = (elf_addr_t __user *)envp + 1;
43882 - if (copy_to_user(sp, elf_info, ei_index * sizeof(elf_addr_t)))
43883 + if (copy_to_user(sp, saved_auxv, ei_index * sizeof(elf_addr_t)))
43884 return -EFAULT;
43885 return 0;
43886 }
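Review bot: The new `memcpy(saved_auxv, elf_info, ei_index * sizeof(elf_addr_t))` writes into the on-stack `unsigned long saved_auxv[AT_VECTOR_SIZE]` declared in the earlier create_elf_tables hunk, and nothing visible bounds `ei_index` against that array. The length is computed in `elf_addr_t` units while the buffer is sized in `unsigned long`, so the two only agree if `elf_addr_t` is never wider than `unsigned long`. I would put `BUG_ON(ei_index * sizeof(elf_addr_t) > sizeof(saved_auxv));` before the memcpy, plus a one-line comment saying why the vector is bounced through a stack copy before `copy_to_user`. The function body starts outside this hunk, so an existing bound on `ei_index` may simply be out of view.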
43887 @@ -381,10 +401,10 @@ static unsigned long load_elf_interp(str
43888 {
43889 struct elf_phdr *elf_phdata;
43890 struct elf_phdr *eppnt;
43891 - unsigned long load_addr = 0;
43892 + unsigned long load_addr = 0, pax_task_size = TASK_SIZE;
43893 int load_addr_set = 0;
43894 unsigned long last_bss = 0, elf_bss = 0;
43895 - unsigned long error = ~0UL;
43896 + unsigned long error = -EINVAL;
43897 unsigned long total_size;
43898 int retval, i, size;
43899
43900 @@ -430,6 +450,11 @@ static unsigned long load_elf_interp(str
43901 goto out_close;
43902 }
43903
43904 +#ifdef CONFIG_PAX_SEGMEXEC
43905 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
43906 + pax_task_size = SEGMEXEC_TASK_SIZE;
43907 +#endif
43908 +
43909 eppnt = elf_phdata;
43910 for (i = 0; i < interp_elf_ex->e_phnum; i++, eppnt++) {
43911 if (eppnt->p_type == PT_LOAD) {
43912 @@ -473,8 +498,8 @@ static unsigned long load_elf_interp(str
43913 k = load_addr + eppnt->p_vaddr;
43914 if (BAD_ADDR(k) ||
43915 eppnt->p_filesz > eppnt->p_memsz ||
43916 - eppnt->p_memsz > TASK_SIZE ||
43917 - TASK_SIZE - eppnt->p_memsz < k) {
43918 + eppnt->p_memsz > pax_task_size ||
43919 + pax_task_size - eppnt->p_memsz < k) {
43920 error = -ENOMEM;
43921 goto out_close;
43922 }
43923 @@ -528,6 +553,193 @@ out:
43924 return error;
43925 }
43926
43927 +#if (defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)) && defined(CONFIG_PAX_SOFTMODE)
43928 +static unsigned long pax_parse_softmode(const struct elf_phdr * const elf_phdata)
43929 +{
43930 + unsigned long pax_flags = 0UL;
43931 +
43932 +#ifdef CONFIG_PAX_PAGEEXEC
43933 + if (elf_phdata->p_flags & PF_PAGEEXEC)
43934 + pax_flags |= MF_PAX_PAGEEXEC;
43935 +#endif
43936 +
43937 +#ifdef CONFIG_PAX_SEGMEXEC
43938 + if (elf_phdata->p_flags & PF_SEGMEXEC)
43939 + pax_flags |= MF_PAX_SEGMEXEC;
43940 +#endif
43941 +
43942 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
43943 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
43944 + if ((__supported_pte_mask & _PAGE_NX))
43945 + pax_flags &= ~MF_PAX_SEGMEXEC;
43946 + else
43947 + pax_flags &= ~MF_PAX_PAGEEXEC;
43948 + }
43949 +#endif
43950 +
43951 +#ifdef CONFIG_PAX_EMUTRAMP
43952 + if (elf_phdata->p_flags & PF_EMUTRAMP)
43953 + pax_flags |= MF_PAX_EMUTRAMP;
43954 +#endif
43955 +
43956 +#ifdef CONFIG_PAX_MPROTECT
43957 + if (elf_phdata->p_flags & PF_MPROTECT)
43958 + pax_flags |= MF_PAX_MPROTECT;
43959 +#endif
43960 +
43961 +#if defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)
43962 + if (randomize_va_space && (elf_phdata->p_flags & PF_RANDMMAP))
43963 + pax_flags |= MF_PAX_RANDMMAP;
43964 +#endif
43965 +
43966 + return pax_flags;
43967 +}
43968 +#endif
43969 +
43970 +#ifdef CONFIG_PAX_PT_PAX_FLAGS
43971 +static unsigned long pax_parse_hardmode(const struct elf_phdr * const elf_phdata)
43972 +{
43973 + unsigned long pax_flags = 0UL;
43974 +
43975 +#ifdef CONFIG_PAX_PAGEEXEC
43976 + if (!(elf_phdata->p_flags & PF_NOPAGEEXEC))
43977 + pax_flags |= MF_PAX_PAGEEXEC;
43978 +#endif
43979 +
43980 +#ifdef CONFIG_PAX_SEGMEXEC
43981 + if (!(elf_phdata->p_flags & PF_NOSEGMEXEC))
43982 + pax_flags |= MF_PAX_SEGMEXEC;
43983 +#endif
43984 +
43985 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
43986 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
43987 + if ((__supported_pte_mask & _PAGE_NX))
43988 + pax_flags &= ~MF_PAX_SEGMEXEC;
43989 + else
43990 + pax_flags &= ~MF_PAX_PAGEEXEC;
43991 + }
43992 +#endif
43993 +
43994 +#ifdef CONFIG_PAX_EMUTRAMP
43995 + if (!(elf_phdata->p_flags & PF_NOEMUTRAMP))
43996 + pax_flags |= MF_PAX_EMUTRAMP;
43997 +#endif
43998 +
43999 +#ifdef CONFIG_PAX_MPROTECT
44000 + if (!(elf_phdata->p_flags & PF_NOMPROTECT))
44001 + pax_flags |= MF_PAX_MPROTECT;
44002 +#endif
44003 +
44004 +#if defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)
44005 + if (randomize_va_space && !(elf_phdata->p_flags & PF_NORANDMMAP))
44006 + pax_flags |= MF_PAX_RANDMMAP;
44007 +#endif
44008 +
44009 + return pax_flags;
44010 +}
44011 +#endif
44012 +
44013 +#ifdef CONFIG_PAX_EI_PAX
44014 +static unsigned long pax_parse_ei_pax(const struct elfhdr * const elf_ex)
44015 +{
44016 + unsigned long pax_flags = 0UL;
44017 +
44018 +#ifdef CONFIG_PAX_PAGEEXEC
44019 + if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_PAGEEXEC))
44020 + pax_flags |= MF_PAX_PAGEEXEC;
44021 +#endif
44022 +
44023 +#ifdef CONFIG_PAX_SEGMEXEC
44024 + if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_SEGMEXEC))
44025 + pax_flags |= MF_PAX_SEGMEXEC;
44026 +#endif
44027 +
44028 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
44029 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
44030 + if ((__supported_pte_mask & _PAGE_NX))
44031 + pax_flags &= ~MF_PAX_SEGMEXEC;
44032 + else
44033 + pax_flags &= ~MF_PAX_PAGEEXEC;
44034 + }
44035 +#endif
44036 +
44037 +#ifdef CONFIG_PAX_EMUTRAMP
44038 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && (elf_ex->e_ident[EI_PAX] & EF_PAX_EMUTRAMP))
44039 + pax_flags |= MF_PAX_EMUTRAMP;
44040 +#endif
44041 +
44042 +#ifdef CONFIG_PAX_MPROTECT
44043 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && !(elf_ex->e_ident[EI_PAX] & EF_PAX_MPROTECT))
44044 + pax_flags |= MF_PAX_MPROTECT;
44045 +#endif
44046 +
44047 +#ifdef CONFIG_PAX_ASLR
44048 + if (randomize_va_space && !(elf_ex->e_ident[EI_PAX] & EF_PAX_RANDMMAP))
44049 + pax_flags |= MF_PAX_RANDMMAP;
44050 +#endif
44051 +
44052 + return pax_flags;
44053 +}
44054 +#endif
44055 +
44056 +#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)
44057 +static long pax_parse_elf_flags(const struct elfhdr * const elf_ex, const struct elf_phdr * const elf_phdata)
44058 +{
44059 + unsigned long pax_flags = 0UL;
44060 +
44061 +#ifdef CONFIG_PAX_PT_PAX_FLAGS
44062 + unsigned long i;
44063 + int found_flags = 0;
44064 +#endif
44065 +
44066 +#ifdef CONFIG_PAX_EI_PAX
44067 + pax_flags = pax_parse_ei_pax(elf_ex);
44068 +#endif
44069 +
44070 +#ifdef CONFIG_PAX_PT_PAX_FLAGS
44071 + for (i = 0UL; i < elf_ex->e_phnum; i++)
44072 + if (elf_phdata[i].p_type == PT_PAX_FLAGS) {
44073 + if (((elf_phdata[i].p_flags & PF_PAGEEXEC) && (elf_phdata[i].p_flags & PF_NOPAGEEXEC)) ||
44074 + ((elf_phdata[i].p_flags & PF_SEGMEXEC) && (elf_phdata[i].p_flags & PF_NOSEGMEXEC)) ||
44075 + ((elf_phdata[i].p_flags & PF_EMUTRAMP) && (elf_phdata[i].p_flags & PF_NOEMUTRAMP)) ||
44076 + ((elf_phdata[i].p_flags & PF_MPROTECT) && (elf_phdata[i].p_flags & PF_NOMPROTECT)) ||
44077 + ((elf_phdata[i].p_flags & PF_RANDMMAP) && (elf_phdata[i].p_flags & PF_NORANDMMAP)))
44078 + return -EINVAL;
44079 +
44080 +#ifdef CONFIG_PAX_SOFTMODE
44081 + if (pax_softmode)
44082 + pax_flags = pax_parse_softmode(&elf_phdata[i]);
44083 + else
44084 +#endif
44085 +
44086 + pax_flags = pax_parse_hardmode(&elf_phdata[i]);
44087 + found_flags = 1;
44088 + break;
44089 + }
44090 +#endif
44091 +
44092 +#if !defined(CONFIG_PAX_EI_PAX) && defined(CONFIG_PAX_PT_PAX_FLAGS)
44093 + if (found_flags == 0) {
44094 + struct elf_phdr phdr;
44095 + memset(&phdr, 0, sizeof(phdr));
44096 + phdr.p_flags = PF_NOEMUTRAMP;
44097 +#ifdef CONFIG_PAX_SOFTMODE
44098 + if (pax_softmode)
44099 + pax_flags = pax_parse_softmode(&phdr);
44100 + else
44101 +#endif
44102 + pax_flags = pax_parse_hardmode(&phdr);
44103 + }
44104 +#endif
44105 +
44106 + if (0 > pax_check_flags(&pax_flags))
44107 + return -EINVAL;
44108 +
44109 + current->mm->pax_flags = pax_flags;
44110 + return 0;
44111 +}
44112 +#endif
44113 +
44114 /*
44115 * These are the functions used to load ELF style executables and shared
44116 * libraries. There is no binary dependent code anywhere else.
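Review bot: In pax_parse_elf_flags the softmode/hardmode choice is written twice as `if (pax_softmode) … else`, with the `else` inside `#ifdef CONFIG_PAX_SOFTMODE` and the statement it governs after the `#endif` (once with a blank line in between), the first time inside an unbraced `for`/`if`. What the `else` binds to therefore depends on the preprocessor, and a line later added after the `#endif` would silently become the else-branch and change which PaX flags a binary receives. A small helper that holds the `#ifdef` once keeps the behaviour and turns both call sites into a plain assignment. Each of the three parsers would also benefit from a one-line comment stating that softmode sets a flag only when the PF_* bit is present, while hardmode and the EI_PAX parser set it unless the opt-out bit is present.

```c
#ifdef CONFIG_PAX_PT_PAX_FLAGS
/* Parse one PT_PAX_FLAGS header with the softmode (opt-in) or hardmode (opt-out) rules. */
static unsigned long pax_parse_pt_flags(const struct elf_phdr * const phdr)
{
#ifdef CONFIG_PAX_SOFTMODE
	if (pax_softmode)
		return pax_parse_softmode(phdr);
#endif
	return pax_parse_hardmode(phdr);
}
#endif

/* … unchanged: pax_parse_elf_flags() up to the PF_* / PF_NO* conflict check … */
			pax_flags = pax_parse_pt_flags(&elf_phdata[i]);
			found_flags = 1;
			break;
/* … unchanged: fallback setup of the zeroed phdr with PF_NOEMUTRAMP … */
		pax_flags = pax_parse_pt_flags(&phdr);
```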
44117 @@ -544,6 +756,11 @@ static unsigned long randomize_stack_top
44118 {
44119 unsigned int random_variable = 0;
44120
44121 +#ifdef CONFIG_PAX_RANDUSTACK
44122 + if (randomize_va_space)
44123 + return stack_top - current->mm->delta_stack;
44124 +#endif
44125 +
44126 if ((current->flags & PF_RANDOMIZE) &&
44127 !(current->personality & ADDR_NO_RANDOMIZE)) {
44128 random_variable = get_random_int() & STACK_RND_MASK;
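Review bot: The early `return stack_top - current->mm->delta_stack;` under CONFIG_PAX_RANDUSTACK is taken whenever `randomize_va_space` is non-zero, so the `PF_RANDOMIZE` path below it is never reached on such kernels. The load_elf_binary hunk resets `delta_stack` to 0 and only fills it when `MF_PAX_RANDMMAP` is set, so a binary without that flag gets an unrandomized stack top here rather than the stock randomization. If that is the intended policy it deserves a comment, e.g. `/* PaX: delta_stack is 0 unless MF_PAX_RANDMMAP is set, which deliberately turns stack randomization off as well */`. The rest of randomize_stack_top, including any alignment of `stack_top`, lies outside the hunk.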
44129 @@ -562,7 +779,7 @@ static int load_elf_binary(struct linux_
44130 unsigned long load_addr = 0, load_bias = 0;
44131 int load_addr_set = 0;
44132 char * elf_interpreter = NULL;
44133 - unsigned long error;
44134 + unsigned long error = 0;
44135 struct elf_phdr *elf_ppnt, *elf_phdata;
44136 unsigned long elf_bss, elf_brk;
44137 int retval, i;
44138 @@ -572,11 +789,11 @@ static int load_elf_binary(struct linux_
44139 unsigned long start_code, end_code, start_data, end_data;
44140 unsigned long reloc_func_desc __maybe_unused = 0;
44141 int executable_stack = EXSTACK_DEFAULT;
44142 - unsigned long def_flags = 0;
44143 struct {
44144 struct elfhdr elf_ex;
44145 struct elfhdr interp_elf_ex;
44146 } *loc;
44147 + unsigned long pax_task_size = TASK_SIZE;
44148
44149 loc = kmalloc(sizeof(*loc), GFP_KERNEL);
44150 if (!loc) {
44151 @@ -714,11 +931,81 @@ static int load_elf_binary(struct linux_
44152
44153 /* OK, This is the point of no return */
44154 current->flags &= ~PF_FORKNOEXEC;
44155 - current->mm->def_flags = def_flags;
44156 +
44157 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
44158 + current->mm->pax_flags = 0UL;
44159 +#endif
44160 +
44161 +#ifdef CONFIG_PAX_DLRESOLVE
44162 + current->mm->call_dl_resolve = 0UL;
44163 +#endif
44164 +
44165 +#if defined(CONFIG_PPC32) && defined(CONFIG_PAX_EMUSIGRT)
44166 + current->mm->call_syscall = 0UL;
44167 +#endif
44168 +
44169 +#ifdef CONFIG_PAX_ASLR
44170 + current->mm->delta_mmap = 0UL;
44171 + current->mm->delta_stack = 0UL;
44172 +#endif
44173 +
44174 + current->mm->def_flags = 0;
44175 +
44176 +#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)
44177 + if (0 > pax_parse_elf_flags(&loc->elf_ex, elf_phdata)) {
44178 + send_sig(SIGKILL, current, 0);
44179 + goto out_free_dentry;
44180 + }
44181 +#endif
44182 +
44183 +#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
44184 + pax_set_initial_flags(bprm);
44185 +#elif defined(CONFIG_PAX_HOOK_ACL_FLAGS)
44186 + if (pax_set_initial_flags_func)
44187 + (pax_set_initial_flags_func)(bprm);
44188 +#endif
44189 +
44190 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
44191 + if ((current->mm->pax_flags & MF_PAX_PAGEEXEC) && !(__supported_pte_mask & _PAGE_NX)) {
44192 + current->mm->context.user_cs_limit = PAGE_SIZE;
44193 + current->mm->def_flags |= VM_PAGEEXEC;
44194 + }
44195 +#endif
44196 +
44197 +#ifdef CONFIG_PAX_SEGMEXEC
44198 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
44199 + current->mm->context.user_cs_base = SEGMEXEC_TASK_SIZE;
44200 + current->mm->context.user_cs_limit = TASK_SIZE-SEGMEXEC_TASK_SIZE;
44201 + pax_task_size = SEGMEXEC_TASK_SIZE;
44202 + current->mm->def_flags |= VM_NOHUGEPAGE;
44203 + }
44204 +#endif
44205 +
44206 +#if defined(CONFIG_ARCH_TRACK_EXEC_LIMIT) || defined(CONFIG_PAX_SEGMEXEC)
44207 + if (current->mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
44208 + set_user_cs(current->mm->context.user_cs_base, current->mm->context.user_cs_limit, get_cpu());
44209 + put_cpu();
44210 + }
44211 +#endif
44212
44213 /* Do this immediately, since STACK_TOP as used in setup_arg_pages
44214 may depend on the personality. */
44215 SET_PERSONALITY(loc->elf_ex);
44216 +
44217 +#ifdef CONFIG_PAX_ASLR
44218 + if (current->mm->pax_flags & MF_PAX_RANDMMAP) {
44219 + current->mm->delta_mmap = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN)-1)) << PAGE_SHIFT;
44220 + current->mm->delta_stack = (pax_get_random_long() & ((1UL << PAX_DELTA_STACK_LEN)-1)) << PAGE_SHIFT;
44221 + }
44222 +#endif
44223 +
44224 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
44225 + if (current->mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
44226 + executable_stack = EXSTACK_DISABLE_X;
44227 + current->personality &= ~READ_IMPLIES_EXEC;
44228 + } else
44229 +#endif
44230 +
44231 if (elf_read_implies_exec(loc->elf_ex, executable_stack))
44232 current->personality |= READ_IMPLIES_EXEC;
44233
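Review bot: The new failure path `if (0 > pax_parse_elf_flags(&loc->elf_ex, elf_phdata)) { send_sig(SIGKILL, current, 0); goto out_free_dentry; }` leaves without assigning `retval`, unlike the task-size check later in this file's diff, which sets `retval = -EINVAL;` right after its `send_sig(SIGKILL, …)`. Whatever `retval` holds at this point is set outside the hunk; if it is still the success value of an earlier call, load_elf_binary would report success for an image whose PaX markings were rejected. I would add `retval = -EINVAL;` before the `goto`. load_elf_binary starts and ends outside the hunk.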
44234 @@ -800,6 +1087,20 @@ static int load_elf_binary(struct linux_
44235 #else
44236 load_bias = ELF_PAGESTART(ELF_ET_DYN_BASE - vaddr);
44237 #endif
44238 +
44239 +#ifdef CONFIG_PAX_RANDMMAP
44240 + /* PaX: randomize base address at the default exe base if requested */
44241 + if ((current->mm->pax_flags & MF_PAX_RANDMMAP) && elf_interpreter) {
44242 +#ifdef CONFIG_SPARC64
44243 + load_bias = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN) - 1)) << (PAGE_SHIFT+1);
44244 +#else
44245 + load_bias = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN) - 1)) << PAGE_SHIFT;
44246 +#endif
44247 + load_bias = ELF_PAGESTART(PAX_ELF_ET_DYN_BASE - vaddr + load_bias);
44248 + elf_flags |= MAP_FIXED;
44249 + }
44250 +#endif
44251 +
44252 }
44253
44254 error = elf_map(bprm->file, load_bias + vaddr, elf_ppnt,
44255 @@ -832,9 +1133,9 @@ static int load_elf_binary(struct linux_
44256 * allowed task size. Note that p_filesz must always be
44257 * <= p_memsz so it is only necessary to check p_memsz.
44258 */
44259 - if (BAD_ADDR(k) || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
44260 - elf_ppnt->p_memsz > TASK_SIZE ||
44261 - TASK_SIZE - elf_ppnt->p_memsz < k) {
44262 + if (k >= pax_task_size || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
44263 + elf_ppnt->p_memsz > pax_task_size ||
44264 + pax_task_size - elf_ppnt->p_memsz < k) {
44265 /* set_brk can never work. Avoid overflows. */
44266 send_sig(SIGKILL, current, 0);
44267 retval = -EINVAL;
44268 @@ -862,6 +1163,11 @@ static int load_elf_binary(struct linux_
44269 start_data += load_bias;
44270 end_data += load_bias;
44271
44272 +#ifdef CONFIG_PAX_RANDMMAP
44273 + if (current->mm->pax_flags & MF_PAX_RANDMMAP)
44274 + elf_brk += PAGE_SIZE + ((pax_get_random_long() & ~PAGE_MASK) << 4);
44275 +#endif
44276 +
44277 /* Calling set_brk effectively mmaps the pages that we need
44278 * for the bss and break sections. We must do this before
44279 * mapping in the interpreter, to make sure it doesn't wind
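Review bot: `elf_brk += PAGE_SIZE + ((pax_get_random_long() & ~PAGE_MASK) << 4);` carries no comment, and the arithmetic is not obvious: it always skips one page and then adds a random multiple of 16 bytes that stays below `PAGE_SIZE << 4`. Nothing in the hunk re-checks the enlarged `elf_brk` against `pax_task_size`; presumably the `set_brk` call that follows rejects a bad address, but that is outside the hunk. I would add `/* PaX: random gap between bss and brk: one page plus a 16-byte-granular offset of less than 16 pages */` above the line.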
44280 @@ -873,9 +1179,11 @@ static int load_elf_binary(struct linux_
44281 goto out_free_dentry;
44282 }
44283 if (likely(elf_bss != elf_brk) && unlikely(padzero(elf_bss))) {
44284 - send_sig(SIGSEGV, current, 0);
44285 - retval = -EFAULT; /* Nobody gets to see this, but.. */
44286 - goto out_free_dentry;
44287 + /*
44288 + * This bss-zeroing can fail if the ELF
44289 + * file specifies odd protections. So
44290 + * we don't check the return value
44291 + */
44292 }
44293
44294 if (elf_interpreter) {
44295 @@ -1090,7 +1398,7 @@ out:
44296 * Decide what to dump of a segment, part, all or none.
44297 */
44298 static unsigned long vma_dump_size(struct vm_area_struct *vma,
44299 - unsigned long mm_flags)
44300 + unsigned long mm_flags, long signr)
44301 {
44302 #define FILTER(type) (mm_flags & (1UL << MMF_DUMP_##type))
44303
44304 @@ -1124,7 +1432,7 @@ static unsigned long vma_dump_size(struc
44305 if (vma->vm_file == NULL)
44306 return 0;
44307
44308 - if (FILTER(MAPPED_PRIVATE))
44309 + if (signr == SIGKILL || FILTER(MAPPED_PRIVATE))
44310 goto whole;
44311
44312 /*
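Review bot: `if (signr == SIGKILL || FILTER(MAPPED_PRIVATE))` makes a dump triggered by SIGKILL include file-backed private mappings in full regardless of the `MMF_DUMP_*` filter bits in `mm_flags`, and neither hunk that touches vma_dump_size says why. Core files written this way can hold more of the address space than the configured filter asked for, which matters to whoever stores or forwards them. A comment such as `/* dumps caused by SIGKILL ignore the MAPPED_PRIVATE filter so the whole image is kept for analysis */` would record the intent, to be confirmed by the author. The function body extends beyond both hunks.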
44313 @@ -1346,9 +1654,9 @@ static void fill_auxv_note(struct memelf
44314 {
44315 elf_addr_t *auxv = (elf_addr_t *) mm->saved_auxv;
44316 int i = 0;
44317 - do
44318 + do {
44319 i += 2;
44320 - while (auxv[i - 2] != AT_NULL);
44321 + } while (auxv[i - 2] != AT_NULL);
44322 fill_note(note, "CORE", NT_AUXV, i * sizeof(elf_addr_t), auxv);
44323 }
44324
44325 @@ -1854,14 +2162,14 @@ static void fill_extnum_info(struct elfh
44326 }
44327
44328 static size_t elf_core_vma_data_size(struct vm_area_struct *gate_vma,
44329 - unsigned long mm_flags)
44330 + struct coredump_params *cprm)
44331 {
44332 struct vm_area_struct *vma;
44333 size_t size = 0;
44334
44335 for (vma = first_vma(current, gate_vma); vma != NULL;
44336 vma = next_vma(vma, gate_vma))
44337 - size += vma_dump_size(vma, mm_flags);
44338 + size += vma_dump_size(vma, cprm->mm_flags, cprm->signr);
44339 return size;
44340 }
44341
44342 @@ -1955,7 +2263,7 @@ static int elf_core_dump(struct coredump
44343
44344 dataoff = offset = roundup(offset, ELF_EXEC_PAGESIZE);
44345
44346 - offset += elf_core_vma_data_size(gate_vma, cprm->mm_flags);
44347 + offset += elf_core_vma_data_size(gate_vma, cprm);
44348 offset += elf_core_extra_data_size();
44349 e_shoff = offset;
44350
44351 @@ -1969,10 +2277,12 @@ static int elf_core_dump(struct coredump
44352 offset = dataoff;
44353
44354 size += sizeof(*elf);
44355 + gr_learn_resource(current, RLIMIT_CORE, size, 1);
44356 if (size > cprm->limit || !dump_write(cprm->file, elf, sizeof(*elf)))
44357 goto end_coredump;
44358
44359 size += sizeof(*phdr4note);
44360 + gr_learn_resource(current, RLIMIT_CORE, size, 1);
44361 if (size > cprm->limit
44362 || !dump_write(cprm->file, phdr4note, sizeof(*phdr4note)))
44363 goto end_coredump;
44364 @@ -1986,7 +2296,7 @@ static int elf_core_dump(struct coredump
44365 phdr.p_offset = offset;
44366 phdr.p_vaddr = vma->vm_start;
44367 phdr.p_paddr = 0;
44368 - phdr.p_filesz = vma_dump_size(vma, cprm->mm_flags);
44369 + phdr.p_filesz = vma_dump_size(vma, cprm->mm_flags, cprm->signr);
44370 phdr.p_memsz = vma->vm_end - vma->vm_start;
44371 offset += phdr.p_filesz;
44372 phdr.p_flags = vma->vm_flags & VM_READ ? PF_R : 0;
44373 @@ -1997,6 +2307,7 @@ static int elf_core_dump(struct coredump
44374 phdr.p_align = ELF_EXEC_PAGESIZE;
44375
44376 size += sizeof(phdr);
44377 + gr_learn_resource(current, RLIMIT_CORE, size, 1);
44378 if (size > cprm->limit
44379 || !dump_write(cprm->file, &phdr, sizeof(phdr)))
44380 goto end_coredump;
44381 @@ -2021,7 +2332,7 @@ static int elf_core_dump(struct coredump
44382 unsigned long addr;
44383 unsigned long end;
44384
44385 - end = vma->vm_start + vma_dump_size(vma, cprm->mm_flags);
44386 + end = vma->vm_start + vma_dump_size(vma, cprm->mm_flags, cprm->signr);
44387
44388 for (addr = vma->vm_start; addr < end; addr += PAGE_SIZE) {
44389 struct page *page;
44390 @@ -2030,6 +2341,7 @@ static int elf_core_dump(struct coredump
44391 page = get_dump_page(addr);
44392 if (page) {
44393 void *kaddr = kmap(page);
44394 + gr_learn_resource(current, RLIMIT_CORE, size + PAGE_SIZE, 1);
44395 stop = ((size += PAGE_SIZE) > cprm->limit) ||
44396 !dump_write(cprm->file, kaddr,
44397 PAGE_SIZE);
44398 @@ -2047,6 +2359,7 @@ static int elf_core_dump(struct coredump
44399
44400 if (e_phnum == PN_XNUM) {
44401 size += sizeof(*shdr4extnum);
44402 + gr_learn_resource(current, RLIMIT_CORE, size, 1);
44403 if (size > cprm->limit
44404 || !dump_write(cprm->file, shdr4extnum,
44405 sizeof(*shdr4extnum)))
44406 @@ -2067,6 +2380,97 @@ out:
44407
44408 #endif /* CONFIG_ELF_CORE */
44409
44410 +#ifdef CONFIG_PAX_MPROTECT
44411 +/* PaX: non-PIC ELF libraries need relocations on their executable segments
44412 + * therefore we'll grant them VM_MAYWRITE once during their life. Similarly
44413 + * we'll remove VM_MAYWRITE for good on RELRO segments.
44414 + *
44415 + * The checks favour ld-linux.so behaviour which operates on a per ELF segment
44416 + * basis because we want to allow the common case and not the special ones.
44417 + */
44418 +static void elf_handle_mprotect(struct vm_area_struct *vma, unsigned long newflags)
44419 +{
44420 + struct elfhdr elf_h;
44421 + struct elf_phdr elf_p;
44422 + unsigned long i;
44423 + unsigned long oldflags;
44424 + bool is_textrel_rw, is_textrel_rx, is_relro;
44425 +
44426 + if (!(vma->vm_mm->pax_flags & MF_PAX_MPROTECT))
44427 + return;
44428 +
44429 + oldflags = vma->vm_flags & (VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_EXEC | VM_WRITE | VM_READ);
44430 + newflags &= VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_EXEC | VM_WRITE | VM_READ;
44431 +
44432 +#ifdef CONFIG_PAX_ELFRELOCS
44433 + /* possible TEXTREL */
44434 + is_textrel_rw = vma->vm_file && !vma->anon_vma && oldflags == (VM_MAYEXEC | VM_MAYREAD | VM_EXEC | VM_READ) && newflags == (VM_WRITE | VM_READ);
44435 + is_textrel_rx = vma->vm_file && vma->anon_vma && oldflags == (VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_WRITE | VM_READ) && newflags == (VM_EXEC | VM_READ);
44436 +#else
44437 + is_textrel_rw = false;
44438 + is_textrel_rx = false;
44439 +#endif
44440 +
44441 + /* possible RELRO */
44442 + is_relro = vma->vm_file && vma->anon_vma && oldflags == (VM_MAYWRITE | VM_MAYREAD | VM_READ) && newflags == (VM_MAYWRITE | VM_MAYREAD | VM_READ);
44443 +
44444 + if (!is_textrel_rw && !is_textrel_rx && !is_relro)
44445 + return;
44446 +
44447 + if (sizeof(elf_h) != kernel_read(vma->vm_file, 0UL, (char *)&elf_h, sizeof(elf_h)) ||
44448 + memcmp(elf_h.e_ident, ELFMAG, SELFMAG) ||
44449 +
44450 +#ifdef CONFIG_PAX_ETEXECRELOCS
44451 + ((is_textrel_rw || is_textrel_rx) && (elf_h.e_type != ET_DYN && elf_h.e_type != ET_EXEC)) ||
44452 +#else
44453 + ((is_textrel_rw || is_textrel_rx) && elf_h.e_type != ET_DYN) ||
44454 +#endif
44455 +
44456 + (is_relro && (elf_h.e_type != ET_DYN && elf_h.e_type != ET_EXEC)) ||
44457 + !elf_check_arch(&elf_h) ||
44458 + elf_h.e_phentsize != sizeof(struct elf_phdr) ||
44459 + elf_h.e_phnum > 65536UL / sizeof(struct elf_phdr))
44460 + return;
44461 +
44462 + for (i = 0UL; i < elf_h.e_phnum; i++) {
44463 + if (sizeof(elf_p) != kernel_read(vma->vm_file, elf_h.e_phoff + i*sizeof(elf_p), (char *)&elf_p, sizeof(elf_p)))
44464 + return;
44465 + switch (elf_p.p_type) {
44466 + case PT_DYNAMIC:
44467 + if (!is_textrel_rw && !is_textrel_rx)
44468 + continue;
44469 + i = 0UL;
44470 + while ((i+1) * sizeof(elf_dyn) <= elf_p.p_filesz) {
44471 + elf_dyn dyn;
44472 +
44473 + if (sizeof(dyn) != kernel_read(vma->vm_file, elf_p.p_offset + i*sizeof(dyn), (char *)&dyn, sizeof(dyn)))
44474 + return;
44475 + if (dyn.d_tag == DT_NULL)
44476 + return;
44477 + if (dyn.d_tag == DT_TEXTREL || (dyn.d_tag == DT_FLAGS && (dyn.d_un.d_val & DF_TEXTREL))) {
44478 + gr_log_textrel(vma);
44479 + if (is_textrel_rw)
44480 + vma->vm_flags |= VM_MAYWRITE;
44481 + else
44482 + /* PaX: disallow write access after relocs are done, hopefully noone else needs it... */
44483 + vma->vm_flags &= ~VM_MAYWRITE;
44484 + return;
44485 + }
44486 + i++;
44487 + }
44488 + return;
44489 +
44490 + case PT_GNU_RELRO:
44491 + if (!is_relro)
44492 + continue;
44493 + if ((elf_p.p_offset >> PAGE_SHIFT) == vma->vm_pgoff && ELF_PAGEALIGN(elf_p.p_memsz) == vma->vm_end - vma->vm_start)
44494 + vma->vm_flags &= ~VM_MAYWRITE;
44495 + return;
44496 + }
44497 + }
44498 +}
44499 +#endif
44500 +
44501 static int __init init_elf_binfmt(void)
44502 {
44503 return register_binfmt(&elf_format);
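Review bot: In elf_handle_mprotect the `PT_DYNAMIC` case resets and reuses the outer loop counter (`i = 0UL; while ((i+1) * sizeof(elf_dyn) <= elf_p.p_filesz)`), which is only safe because every path out of that case returns. The inner walk is also bounded solely by the file-supplied `p_filesz`, with one `kernel_read` per entry, whereas `e_phnum` gets an explicit cap a few lines earlier. I would walk the dynamic section with its own index and cap the entry count in the same spirit; the cap value below mirrors the `e_phnum` check and is for the author to choose. The `switch` would also read better with an explicit `default: break;`.

```c
		case PT_DYNAMIC: {
			unsigned long j, ndyn;

			if (!is_textrel_rw && !is_textrel_rx)
				continue;
			/* p_filesz comes from the file: bound the walk, refusing the exception when it is implausibly large */
			ndyn = elf_p.p_filesz / sizeof(elf_dyn);
			if (ndyn > 65536UL / sizeof(elf_dyn))
				return;
			for (j = 0UL; j < ndyn; j++) {
				elf_dyn dyn;

				if (sizeof(dyn) != kernel_read(vma->vm_file, elf_p.p_offset + j*sizeof(dyn), (char *)&dyn, sizeof(dyn)))
					return;
				/* … unchanged: DT_NULL and DT_TEXTREL / DF_TEXTREL handling … */
			}
			return;
		}
```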
44504 diff -urNp linux-2.6.39.3/fs/binfmt_flat.c linux-2.6.39.3/fs/binfmt_flat.c
44505 --- linux-2.6.39.3/fs/binfmt_flat.c 2011-05-19 00:06:34.000000000 -0400
44506 +++ linux-2.6.39.3/fs/binfmt_flat.c 2011-05-22 19:36:32.000000000 -0400
44507 @@ -567,7 +567,9 @@ static int load_flat_file(struct linux_b
44508 realdatastart = (unsigned long) -ENOMEM;
44509 printk("Unable to allocate RAM for process data, errno %d\n",
44510 (int)-realdatastart);
44511 + down_write(&current->mm->mmap_sem);
44512 do_munmap(current->mm, textpos, text_len);
44513 + up_write(&current->mm->mmap_sem);
44514 ret = realdatastart;
44515 goto err;
44516 }
44517 @@ -591,8 +593,10 @@ static int load_flat_file(struct linux_b
44518 }
44519 if (IS_ERR_VALUE(result)) {
44520 printk("Unable to read data+bss, errno %d\n", (int)-result);
44521 + down_write(&current->mm->mmap_sem);
44522 do_munmap(current->mm, textpos, text_len);
44523 do_munmap(current->mm, realdatastart, len);
44524 + up_write(&current->mm->mmap_sem);
44525 ret = result;
44526 goto err;
44527 }
44528 @@ -661,8 +665,10 @@ static int load_flat_file(struct linux_b
44529 }
44530 if (IS_ERR_VALUE(result)) {
44531 printk("Unable to read code+data+bss, errno %d\n",(int)-result);
44532 + down_write(&current->mm->mmap_sem);
44533 do_munmap(current->mm, textpos, text_len + data_len + extra +
44534 MAX_SHARED_LIBS * sizeof(unsigned long));
44535 + up_write(&current->mm->mmap_sem);
44536 ret = result;
44537 goto err;
44538 }
44539 diff -urNp linux-2.6.39.3/fs/bio.c linux-2.6.39.3/fs/bio.c
44540 --- linux-2.6.39.3/fs/bio.c 2011-05-19 00:06:34.000000000 -0400
44541 +++ linux-2.6.39.3/fs/bio.c 2011-05-22 19:36:32.000000000 -0400
44542 @@ -1233,7 +1233,7 @@ static void bio_copy_kern_endio(struct b
44543 const int read = bio_data_dir(bio) == READ;
44544 struct bio_map_data *bmd = bio->bi_private;
44545 int i;
44546 - char *p = bmd->sgvecs[0].iov_base;
44547 + char *p = (__force char *)bmd->sgvecs[0].iov_base;
44548
44549 __bio_for_each_segment(bvec, bio, i, 0) {
44550 char *addr = page_address(bvec->bv_page);
44551 diff -urNp linux-2.6.39.3/fs/block_dev.c linux-2.6.39.3/fs/block_dev.c
44552 --- linux-2.6.39.3/fs/block_dev.c 2011-07-09 09:18:51.000000000 -0400
44553 +++ linux-2.6.39.3/fs/block_dev.c 2011-07-09 09:19:18.000000000 -0400
44554 @@ -671,7 +671,7 @@ static bool bd_may_claim(struct block_de
44555 else if (bdev->bd_contains == bdev)
44556 return true; /* is a whole device which isn't held */
44557
44558 - else if (whole->bd_holder == bd_may_claim)
44559 + else if (whole->bd_holder == (void *)bd_may_claim)
44560 return true; /* is a partition of a device that is being partitioned */
44561 else if (whole->bd_holder != NULL)
44562 return false; /* is a partition of a held device */
44563 diff -urNp linux-2.6.39.3/fs/btrfs/compression.c linux-2.6.39.3/fs/btrfs/compression.c
44564 --- linux-2.6.39.3/fs/btrfs/compression.c 2011-05-19 00:06:34.000000000 -0400
44565 +++ linux-2.6.39.3/fs/btrfs/compression.c 2011-05-22 19:36:32.000000000 -0400
44566 @@ -719,7 +719,7 @@ static int comp_num_workspace[BTRFS_COMP
44567 static atomic_t comp_alloc_workspace[BTRFS_COMPRESS_TYPES];
44568 static wait_queue_head_t comp_workspace_wait[BTRFS_COMPRESS_TYPES];
44569
44570 -struct btrfs_compress_op *btrfs_compress_op[] = {
44571 +const struct btrfs_compress_op *btrfs_compress_op[] = {
44572 &btrfs_zlib_compress,
44573 &btrfs_lzo_compress,
44574 };
44575 diff -urNp linux-2.6.39.3/fs/btrfs/compression.h linux-2.6.39.3/fs/btrfs/compression.h
44576 --- linux-2.6.39.3/fs/btrfs/compression.h 2011-05-19 00:06:34.000000000 -0400
44577 +++ linux-2.6.39.3/fs/btrfs/compression.h 2011-05-22 19:36:32.000000000 -0400
44578 @@ -77,7 +77,7 @@ struct btrfs_compress_op {
44579 size_t srclen, size_t destlen);
44580 };
44581
44582 -extern struct btrfs_compress_op btrfs_zlib_compress;
44583 -extern struct btrfs_compress_op btrfs_lzo_compress;
44584 +extern const struct btrfs_compress_op btrfs_zlib_compress;
44585 +extern const struct btrfs_compress_op btrfs_lzo_compress;
44586
44587 #endif
44588 diff -urNp linux-2.6.39.3/fs/btrfs/ctree.c linux-2.6.39.3/fs/btrfs/ctree.c
44589 --- linux-2.6.39.3/fs/btrfs/ctree.c 2011-05-19 00:06:34.000000000 -0400
44590 +++ linux-2.6.39.3/fs/btrfs/ctree.c 2011-05-22 19:36:32.000000000 -0400
44591 @@ -461,9 +461,12 @@ static noinline int __btrfs_cow_block(st
44592 free_extent_buffer(buf);
44593 add_root_to_dirty_list(root);
44594 } else {
44595 - if (root->root_key.objectid == BTRFS_TREE_RELOC_OBJECTID)
44596 - parent_start = parent->start;
44597 - else
44598 + if (root->root_key.objectid == BTRFS_TREE_RELOC_OBJECTID) {
44599 + if (parent)
44600 + parent_start = parent->start;
44601 + else
44602 + parent_start = 0;
44603 + } else
44604 parent_start = 0;
44605
44606 WARN_ON(trans->transid != btrfs_header_generation(parent));
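Review bot: The added `if (parent)` guard implies that `parent` can be NULL on this branch, yet the context line right after it, `WARN_ON(trans->transid != btrfs_header_generation(parent));`, still passes `parent` unconditionally. If `btrfs_header_generation` reads through its argument (it is defined outside this diff), the NULL case the guard was added for is dereferenced one statement later. I would change that line to `WARN_ON(parent && trans->transid != btrfs_header_generation(parent));`, or drop the guard if `parent` cannot be NULL here. __btrfs_cow_block continues outside the hunk.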
44607 @@ -3647,7 +3650,6 @@ setup_items_for_insert(struct btrfs_tran
44608
44609 ret = 0;
44610 if (slot == 0) {
44611 - struct btrfs_disk_key disk_key;
44612 btrfs_cpu_key_to_disk(&disk_key, cpu_key);
44613 ret = fixup_low_keys(trans, root, path, &disk_key, 1);
44614 }
44615 diff -urNp linux-2.6.39.3/fs/btrfs/disk-io.c linux-2.6.39.3/fs/btrfs/disk-io.c
44616 --- linux-2.6.39.3/fs/btrfs/disk-io.c 2011-05-19 00:06:34.000000000 -0400
44617 +++ linux-2.6.39.3/fs/btrfs/disk-io.c 2011-05-22 19:36:32.000000000 -0400
44618 @@ -42,7 +42,7 @@
44619 #include "tree-log.h"
44620 #include "free-space-cache.h"
44621
44622 -static struct extent_io_ops btree_extent_io_ops;
44623 +static const struct extent_io_ops btree_extent_io_ops;
44624 static void end_workqueue_fn(struct btrfs_work *work);
44625 static void free_fs_root(struct btrfs_root *root);
44626 static void btrfs_check_super_valid(struct btrfs_fs_info *fs_info,
44627 @@ -3070,7 +3070,7 @@ static int btrfs_cleanup_transaction(str
44628 return 0;
44629 }
44630
44631 -static struct extent_io_ops btree_extent_io_ops = {
44632 +static const struct extent_io_ops btree_extent_io_ops = {
44633 .write_cache_pages_lock_hook = btree_lock_page_hook,
44634 .readpage_end_io_hook = btree_readpage_end_io_hook,
44635 .submit_bio_hook = btree_submit_bio_hook,
44636 diff -urNp linux-2.6.39.3/fs/btrfs/extent_io.h linux-2.6.39.3/fs/btrfs/extent_io.h
44637 --- linux-2.6.39.3/fs/btrfs/extent_io.h 2011-05-19 00:06:34.000000000 -0400
44638 +++ linux-2.6.39.3/fs/btrfs/extent_io.h 2011-05-22 19:36:32.000000000 -0400
44639 @@ -56,36 +56,36 @@ typedef int (extent_submit_bio_hook_t)(s
44640 struct bio *bio, int mirror_num,
44641 unsigned long bio_flags, u64 bio_offset);
44642 struct extent_io_ops {
44643 - int (*fill_delalloc)(struct inode *inode, struct page *locked_page,
44644 + int (* const fill_delalloc)(struct inode *inode, struct page *locked_page,
44645 u64 start, u64 end, int *page_started,
44646 unsigned long *nr_written);
44647 - int (*writepage_start_hook)(struct page *page, u64 start, u64 end);
44648 - int (*writepage_io_hook)(struct page *page, u64 start, u64 end);
44649 + int (* const writepage_start_hook)(struct page *page, u64 start, u64 end);
44650 + int (* const writepage_io_hook)(struct page *page, u64 start, u64 end);
44651 extent_submit_bio_hook_t *submit_bio_hook;
44652 - int (*merge_bio_hook)(struct page *page, unsigned long offset,
44653 + int (* const merge_bio_hook)(struct page *page, unsigned long offset,
44654 size_t size, struct bio *bio,
44655 unsigned long bio_flags);
44656 - int (*readpage_io_hook)(struct page *page, u64 start, u64 end);
44657 - int (*readpage_io_failed_hook)(struct bio *bio, struct page *page,
44658 + int (* const readpage_io_hook)(struct page *page, u64 start, u64 end);
44659 + int (* const readpage_io_failed_hook)(struct bio *bio, struct page *page,
44660 u64 start, u64 end,
44661 struct extent_state *state);
44662 - int (*writepage_io_failed_hook)(struct bio *bio, struct page *page,
44663 + int (* const writepage_io_failed_hook)(struct bio *bio, struct page *page,
44664 u64 start, u64 end,
44665 struct extent_state *state);
44666 - int (*readpage_end_io_hook)(struct page *page, u64 start, u64 end,
44667 + int (* const readpage_end_io_hook)(struct page *page, u64 start, u64 end,
44668 struct extent_state *state);
44669 - int (*writepage_end_io_hook)(struct page *page, u64 start, u64 end,
44670 + int (* const writepage_end_io_hook)(struct page *page, u64 start, u64 end,
44671 struct extent_state *state, int uptodate);
44672 - int (*set_bit_hook)(struct inode *inode, struct extent_state *state,
44673 + int (* const set_bit_hook)(struct inode *inode, struct extent_state *state,
44674 int *bits);
44675 - int (*clear_bit_hook)(struct inode *inode, struct extent_state *state,
44676 + int (* const clear_bit_hook)(struct inode *inode, struct extent_state *state,
44677 int *bits);
44678 - int (*merge_extent_hook)(struct inode *inode,
44679 + int (* const merge_extent_hook)(struct inode *inode,
44680 struct extent_state *new,
44681 struct extent_state *other);
44682 - int (*split_extent_hook)(struct inode *inode,
44683 + int (* const split_extent_hook)(struct inode *inode,
44684 struct extent_state *orig, u64 split);
44685 - int (*write_cache_pages_lock_hook)(struct page *page);
44686 + int (* const write_cache_pages_lock_hook)(struct page *page);
44687 };
44688
44689 struct extent_io_tree {
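Review bot: Every function pointer in `struct extent_io_ops` gains `* const` except `extent_submit_bio_hook_t *submit_bio_hook;`, which is left as a context line and so remains assignable through any non-const instance. The other hunks in this diff make the visible instances `const`, so the gap is small, but this member is the odd one out in a change whose apparent purpose is to make the ops table read-only. `extent_submit_bio_hook_t * const submit_bio_hook;` would bring it in line with its neighbours.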
44690 @@ -95,7 +95,7 @@ struct extent_io_tree {
44691 u64 dirty_bytes;
44692 spinlock_t lock;
44693 spinlock_t buffer_lock;
44694 - struct extent_io_ops *ops;
44695 + const struct extent_io_ops *ops;
44696 };
44697
44698 struct extent_state {
44699 diff -urNp linux-2.6.39.3/fs/btrfs/free-space-cache.c linux-2.6.39.3/fs/btrfs/free-space-cache.c
44700 --- linux-2.6.39.3/fs/btrfs/free-space-cache.c 2011-05-19 00:06:34.000000000 -0400
44701 +++ linux-2.6.39.3/fs/btrfs/free-space-cache.c 2011-05-22 19:36:32.000000000 -0400
44702 @@ -1910,8 +1910,6 @@ u64 btrfs_alloc_from_cluster(struct btrf
44703 while(1) {
44704 if (entry->bytes < bytes ||
44705 (!entry->bitmap && entry->offset < min_start)) {
44706 - struct rb_node *node;
44707 -
44708 node = rb_next(&entry->offset_index);
44709 if (!node)
44710 break;
44711 @@ -1925,7 +1923,6 @@ u64 btrfs_alloc_from_cluster(struct btrf
44712 cluster, entry, bytes,
44713 min_start);
44714 if (ret == 0) {
44715 - struct rb_node *node;
44716 node = rb_next(&entry->offset_index);
44717 if (!node)
44718 break;
44719 diff -urNp linux-2.6.39.3/fs/btrfs/inode.c linux-2.6.39.3/fs/btrfs/inode.c
44720 --- linux-2.6.39.3/fs/btrfs/inode.c 2011-05-19 00:06:34.000000000 -0400
44721 +++ linux-2.6.39.3/fs/btrfs/inode.c 2011-05-22 20:42:42.000000000 -0400
44722 @@ -65,7 +65,7 @@ static const struct inode_operations btr
44723 static const struct address_space_operations btrfs_aops;
44724 static const struct address_space_operations btrfs_symlink_aops;
44725 static const struct file_operations btrfs_dir_file_operations;
44726 -static struct extent_io_ops btrfs_extent_io_ops;
44727 +static const struct extent_io_ops btrfs_extent_io_ops;
44728
44729 static struct kmem_cache *btrfs_inode_cachep;
44730 struct kmem_cache *btrfs_trans_handle_cachep;
44731 @@ -6947,7 +6947,7 @@ fail:
44732 return -ENOMEM;
44733 }
44734
44735 -static int btrfs_getattr(struct vfsmount *mnt,
44736 +int btrfs_getattr(struct vfsmount *mnt,
44737 struct dentry *dentry, struct kstat *stat)
44738 {
44739 struct inode *inode = dentry->d_inode;
44740 @@ -6959,6 +6959,14 @@ static int btrfs_getattr(struct vfsmount
44741 return 0;
44742 }
44743
44744 +EXPORT_SYMBOL(btrfs_getattr);
44745 +
44746 +dev_t get_btrfs_dev_from_inode(struct inode *inode)
44747 +{
44748 + return BTRFS_I(inode)->root->anon_super.s_dev;
44749 +}
44750 +EXPORT_SYMBOL(get_btrfs_dev_from_inode);
44751 +
44752 /*
44753 * If a file is moved, it will inherit the cow and compression flags of the new
44754 * directory.
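Review bot: `get_btrfs_dev_from_inode()` is exported with no comment and no check that `inode` belongs to btrfs, although `BTRFS_I(inode)` reinterprets the inode as the btrfs-private structure and then follows `->root`. A caller in another module that passes an inode from a different filesystem would read unrelated memory, so the contract should be written at the definition, for example `/* inode must belong to a btrfs superblock; returns the anonymous device number of its root */`. Making `btrfs_getattr` non-static also calls for a prototype in a shared header, and none is visible in this hunk.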
44755 @@ -7488,7 +7496,7 @@ static const struct file_operations btrf
44756 .fsync = btrfs_sync_file,
44757 };
44758
44759 -static struct extent_io_ops btrfs_extent_io_ops = {
44760 +static const struct extent_io_ops btrfs_extent_io_ops = {
44761 .fill_delalloc = run_delalloc_range,
44762 .submit_bio_hook = btrfs_submit_bio_hook,
44763 .merge_bio_hook = btrfs_merge_bio_hook,
44764 diff -urNp linux-2.6.39.3/fs/btrfs/ioctl.c linux-2.6.39.3/fs/btrfs/ioctl.c
44765 --- linux-2.6.39.3/fs/btrfs/ioctl.c 2011-05-19 00:06:34.000000000 -0400
44766 +++ linux-2.6.39.3/fs/btrfs/ioctl.c 2011-05-22 19:41:37.000000000 -0400
44767 @@ -2361,9 +2361,12 @@ long btrfs_ioctl_space_info(struct btrfs
44768 for (i = 0; i < num_types; i++) {
44769 struct btrfs_space_info *tmp;
44770
44771 + /* Don't copy in more than we allocated */
44772 if (!slot_count)
44773 break;
44774
44775 + slot_count--;
44776 +
44777 info = NULL;
44778 rcu_read_lock();
44779 list_for_each_entry_rcu(tmp, &root->fs_info->space_info,
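Review bot: `slot_count` is now decremented once per pass of the outer `for (i = 0; i < num_types; i++)` loop, while the copy in the next hunk (@@ -2385) no longer decrements or tests it around `memcpy(dest, &space, sizeof(space)); dest++;`. If that copy sits in an inner loop that can emit more than one entry per type (the loop header is outside both hunks), `dest` can advance past the number of entries the new comment says were allocated. Keeping the accounting next to the write closes the gap: leave `slot_count--;` after `space_args.total_spaces++;` and keep `if (!slot_count) break;` in the inner block. The test at the top of the outer loop then stays a plain check with no decrement of its own.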
44780 @@ -2385,10 +2388,7 @@ long btrfs_ioctl_space_info(struct btrfs
44781 memcpy(dest, &space, sizeof(space));
44782 dest++;
44783 space_args.total_spaces++;
44784 - slot_count--;
44785 }
44786 - if (!slot_count)
44787 - break;
44788 }
44789 up_read(&info->groups_sem);
44790 }
44791 diff -urNp linux-2.6.39.3/fs/btrfs/lzo.c linux-2.6.39.3/fs/btrfs/lzo.c
44792 --- linux-2.6.39.3/fs/btrfs/lzo.c 2011-05-19 00:06:34.000000000 -0400
44793 +++ linux-2.6.39.3/fs/btrfs/lzo.c 2011-05-22 19:36:32.000000000 -0400
44794 @@ -418,7 +418,7 @@ out:
44795 return ret;
44796 }
44797
44798 -struct btrfs_compress_op btrfs_lzo_compress = {
44799 +const struct btrfs_compress_op btrfs_lzo_compress = {
44800 .alloc_workspace = lzo_alloc_workspace,
44801 .free_workspace = lzo_free_workspace,
44802 .compress_pages = lzo_compress_pages,
44803 diff -urNp linux-2.6.39.3/fs/btrfs/relocation.c linux-2.6.39.3/fs/btrfs/relocation.c
44804 --- linux-2.6.39.3/fs/btrfs/relocation.c 2011-05-19 00:06:34.000000000 -0400
44805 +++ linux-2.6.39.3/fs/btrfs/relocation.c 2011-05-22 19:36:32.000000000 -0400
44806 @@ -1239,7 +1239,7 @@ static int __update_reloc_root(struct bt
44807 }
44808 spin_unlock(&rc->reloc_root_tree.lock);
44809
44810 - BUG_ON((struct btrfs_root *)node->data != root);
44811 + BUG_ON(!node || (struct btrfs_root *)node->data != root);
44812
44813 if (!del) {
44814 spin_lock(&rc->reloc_root_tree.lock);
44815 diff -urNp linux-2.6.39.3/fs/btrfs/zlib.c linux-2.6.39.3/fs/btrfs/zlib.c
44816 --- linux-2.6.39.3/fs/btrfs/zlib.c 2011-05-19 00:06:34.000000000 -0400
44817 +++ linux-2.6.39.3/fs/btrfs/zlib.c 2011-05-22 19:36:32.000000000 -0400
44818 @@ -390,7 +390,7 @@ next:
44819 return ret;
44820 }
44821
44822 -struct btrfs_compress_op btrfs_zlib_compress = {
44823 +const struct btrfs_compress_op btrfs_zlib_compress = {
44824 .alloc_workspace = zlib_alloc_workspace,
44825 .free_workspace = zlib_free_workspace,
44826 .compress_pages = zlib_compress_pages,
44827 diff -urNp linux-2.6.39.3/fs/cachefiles/bind.c linux-2.6.39.3/fs/cachefiles/bind.c
44828 --- linux-2.6.39.3/fs/cachefiles/bind.c 2011-05-19 00:06:34.000000000 -0400
44829 +++ linux-2.6.39.3/fs/cachefiles/bind.c 2011-05-22 19:36:32.000000000 -0400
44830 @@ -39,13 +39,11 @@ int cachefiles_daemon_bind(struct cachef
44831 args);
44832
44833 /* start by checking things over */
44834 - ASSERT(cache->fstop_percent >= 0 &&
44835 - cache->fstop_percent < cache->fcull_percent &&
44836 + ASSERT(cache->fstop_percent < cache->fcull_percent &&
44837 cache->fcull_percent < cache->frun_percent &&
44838 cache->frun_percent < 100);
44839
44840 - ASSERT(cache->bstop_percent >= 0 &&
44841 - cache->bstop_percent < cache->bcull_percent &&
44842 + ASSERT(cache->bstop_percent < cache->bcull_percent &&
44843 cache->bcull_percent < cache->brun_percent &&
44844 cache->brun_percent < 100);
44845
44846 diff -urNp linux-2.6.39.3/fs/cachefiles/daemon.c linux-2.6.39.3/fs/cachefiles/daemon.c
44847 --- linux-2.6.39.3/fs/cachefiles/daemon.c 2011-05-19 00:06:34.000000000 -0400
44848 +++ linux-2.6.39.3/fs/cachefiles/daemon.c 2011-05-22 19:36:32.000000000 -0400
44849 @@ -196,7 +196,7 @@ static ssize_t cachefiles_daemon_read(st
44850 if (n > buflen)
44851 return -EMSGSIZE;
44852
44853 - if (copy_to_user(_buffer, buffer, n) != 0)
44854 + if (n > sizeof(buffer) || copy_to_user(_buffer, buffer, n) != 0)
44855 return -EFAULT;
44856
44857 return n;
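Review bot: The new `n > sizeof(buffer)` guard shares one branch with the `copy_to_user()` failure, so an oversized length is reported as `-EFAULT`, which normally means a bad user pointer. A separate test with its own comment keeps the two cases apart, e.g. `if (n > sizeof(buffer)) return -EMSGSIZE; /* never copy past buffer[] */` placed before the copy. How `n` is produced is outside the hunk, so whether the condition can occur at all should be confirmed there.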
44858 @@ -222,7 +222,7 @@ static ssize_t cachefiles_daemon_write(s
44859 if (test_bit(CACHEFILES_DEAD, &cache->flags))
44860 return -EIO;
44861
44862 - if (datalen < 0 || datalen > PAGE_SIZE - 1)
44863 + if (datalen > PAGE_SIZE - 1)
44864 return -EOPNOTSUPP;
44865
44866 /* drag the command string into the kernel so we can parse it */
44867 @@ -386,7 +386,7 @@ static int cachefiles_daemon_fstop(struc
44868 if (args[0] != '%' || args[1] != '\0')
44869 return -EINVAL;
44870
44871 - if (fstop < 0 || fstop >= cache->fcull_percent)
44872 + if (fstop >= cache->fcull_percent)
44873 return cachefiles_daemon_range_error(cache, args);
44874
44875 cache->fstop_percent = fstop;
44876 @@ -458,7 +458,7 @@ static int cachefiles_daemon_bstop(struc
44877 if (args[0] != '%' || args[1] != '\0')
44878 return -EINVAL;
44879
44880 - if (bstop < 0 || bstop >= cache->bcull_percent)
44881 + if (bstop >= cache->bcull_percent)
44882 return cachefiles_daemon_range_error(cache, args);
44883
44884 cache->bstop_percent = bstop;
44885 diff -urNp linux-2.6.39.3/fs/cachefiles/internal.h linux-2.6.39.3/fs/cachefiles/internal.h
44886 --- linux-2.6.39.3/fs/cachefiles/internal.h 2011-05-19 00:06:34.000000000 -0400
44887 +++ linux-2.6.39.3/fs/cachefiles/internal.h 2011-05-22 19:36:32.000000000 -0400
44888 @@ -57,7 +57,7 @@ struct cachefiles_cache {
44889 wait_queue_head_t daemon_pollwq; /* poll waitqueue for daemon */
44890 struct rb_root active_nodes; /* active nodes (can't be culled) */
44891 rwlock_t active_lock; /* lock for active_nodes */
44892 - atomic_t gravecounter; /* graveyard uniquifier */
44893 + atomic_unchecked_t gravecounter; /* graveyard uniquifier */
44894 unsigned frun_percent; /* when to stop culling (% files) */
44895 unsigned fcull_percent; /* when to start culling (% files) */
44896 unsigned fstop_percent; /* when to stop allocating (% files) */
44897 @@ -169,19 +169,19 @@ extern int cachefiles_check_in_use(struc
44898 * proc.c
44899 */
44900 #ifdef CONFIG_CACHEFILES_HISTOGRAM
44901 -extern atomic_t cachefiles_lookup_histogram[HZ];
44902 -extern atomic_t cachefiles_mkdir_histogram[HZ];
44903 -extern atomic_t cachefiles_create_histogram[HZ];
44904 +extern atomic_unchecked_t cachefiles_lookup_histogram[HZ];
44905 +extern atomic_unchecked_t cachefiles_mkdir_histogram[HZ];
44906 +extern atomic_unchecked_t cachefiles_create_histogram[HZ];
44907
44908 extern int __init cachefiles_proc_init(void);
44909 extern void cachefiles_proc_cleanup(void);
44910 static inline
44911 -void cachefiles_hist(atomic_t histogram[], unsigned long start_jif)
44912 +void cachefiles_hist(atomic_unchecked_t histogram[], unsigned long start_jif)
44913 {
44914 unsigned long jif = jiffies - start_jif;
44915 if (jif >= HZ)
44916 jif = HZ - 1;
44917 - atomic_inc(&histogram[jif]);
44918 + atomic_inc_unchecked(&histogram[jif]);
44919 }
44920
44921 #else
44922 diff -urNp linux-2.6.39.3/fs/cachefiles/namei.c linux-2.6.39.3/fs/cachefiles/namei.c
44923 --- linux-2.6.39.3/fs/cachefiles/namei.c 2011-05-19 00:06:34.000000000 -0400
44924 +++ linux-2.6.39.3/fs/cachefiles/namei.c 2011-05-22 19:36:32.000000000 -0400
44925 @@ -318,7 +318,7 @@ try_again:
44926 /* first step is to make up a grave dentry in the graveyard */
44927 sprintf(nbuffer, "%08x%08x",
44928 (uint32_t) get_seconds(),
44929 - (uint32_t) atomic_inc_return(&cache->gravecounter));
44930 + (uint32_t) atomic_inc_return_unchecked(&cache->gravecounter));
44931
44932 /* do the multiway lock magic */
44933 trap = lock_rename(cache->graveyard, dir);
44934 diff -urNp linux-2.6.39.3/fs/cachefiles/proc.c linux-2.6.39.3/fs/cachefiles/proc.c
44935 --- linux-2.6.39.3/fs/cachefiles/proc.c 2011-05-19 00:06:34.000000000 -0400
44936 +++ linux-2.6.39.3/fs/cachefiles/proc.c 2011-05-22 19:36:32.000000000 -0400
44937 @@ -14,9 +14,9 @@
44938 #include <linux/seq_file.h>
44939 #include "internal.h"
44940
44941 -atomic_t cachefiles_lookup_histogram[HZ];
44942 -atomic_t cachefiles_mkdir_histogram[HZ];
44943 -atomic_t cachefiles_create_histogram[HZ];
44944 +atomic_unchecked_t cachefiles_lookup_histogram[HZ];
44945 +atomic_unchecked_t cachefiles_mkdir_histogram[HZ];
44946 +atomic_unchecked_t cachefiles_create_histogram[HZ];
44947
44948 /*
44949 * display the latency histogram
44950 @@ -35,9 +35,9 @@ static int cachefiles_histogram_show(str
44951 return 0;
44952 default:
44953 index = (unsigned long) v - 3;
44954 - x = atomic_read(&cachefiles_lookup_histogram[index]);
44955 - y = atomic_read(&cachefiles_mkdir_histogram[index]);
44956 - z = atomic_read(&cachefiles_create_histogram[index]);
44957 + x = atomic_read_unchecked(&cachefiles_lookup_histogram[index]);
44958 + y = atomic_read_unchecked(&cachefiles_mkdir_histogram[index]);
44959 + z = atomic_read_unchecked(&cachefiles_create_histogram[index]);
44960 if (x == 0 && y == 0 && z == 0)
44961 return 0;
44962
44963 diff -urNp linux-2.6.39.3/fs/cachefiles/rdwr.c linux-2.6.39.3/fs/cachefiles/rdwr.c
44964 --- linux-2.6.39.3/fs/cachefiles/rdwr.c 2011-05-19 00:06:34.000000000 -0400
44965 +++ linux-2.6.39.3/fs/cachefiles/rdwr.c 2011-05-22 19:36:32.000000000 -0400
44966 @@ -945,7 +945,7 @@ int cachefiles_write_page(struct fscache
44967 old_fs = get_fs();
44968 set_fs(KERNEL_DS);
44969 ret = file->f_op->write(
44970 - file, (const void __user *) data, len, &pos);
44971 + file, (__force const void __user *) data, len, &pos);
44972 set_fs(old_fs);
44973 kunmap(page);
44974 if (ret != len)
44975 diff -urNp linux-2.6.39.3/fs/ceph/addr.c linux-2.6.39.3/fs/ceph/addr.c
44976 --- linux-2.6.39.3/fs/ceph/addr.c 2011-05-19 00:06:34.000000000 -0400
44977 +++ linux-2.6.39.3/fs/ceph/addr.c 2011-05-22 19:36:32.000000000 -0400
44978 @@ -1164,7 +1164,7 @@ out:
44979 return ret;
44980 }
44981
44982 -static struct vm_operations_struct ceph_vmops = {
44983 +static const struct vm_operations_struct ceph_vmops = {
44984 .fault = filemap_fault,
44985 .page_mkwrite = ceph_page_mkwrite,
44986 };
44987 diff -urNp linux-2.6.39.3/fs/ceph/dir.c linux-2.6.39.3/fs/ceph/dir.c
44988 --- linux-2.6.39.3/fs/ceph/dir.c 2011-05-19 00:06:34.000000000 -0400
44989 +++ linux-2.6.39.3/fs/ceph/dir.c 2011-05-22 19:36:32.000000000 -0400
44990 @@ -226,7 +226,7 @@ static int ceph_readdir(struct file *fil
44991 struct ceph_fs_client *fsc = ceph_inode_to_client(inode);
44992 struct ceph_mds_client *mdsc = fsc->mdsc;
44993 unsigned frag = fpos_frag(filp->f_pos);
44994 - int off = fpos_off(filp->f_pos);
44995 + unsigned int off = fpos_off(filp->f_pos);
44996 int err;
44997 u32 ftype;
44998 struct ceph_mds_reply_info_parsed *rinfo;
44999 @@ -360,7 +360,7 @@ more:
45000 rinfo = &fi->last_readdir->r_reply_info;
45001 dout("readdir frag %x num %d off %d chunkoff %d\n", frag,
45002 rinfo->dir_nr, off, fi->offset);
45003 - while (off - fi->offset >= 0 && off - fi->offset < rinfo->dir_nr) {
45004 + while (off >= fi->offset && off - fi->offset < rinfo->dir_nr) {
45005 u64 pos = ceph_make_fpos(frag, off);
45006 struct ceph_mds_reply_inode *in =
45007 rinfo->dir_in[off - fi->offset].in;
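Review bot: `off` becomes `unsigned int` in the previous hunk, but the `dout()` call at the top of this hunk still prints it with `%d`; the specifier should follow the type, `dout("readdir frag %x num %d off %u chunkoff %d\n", ...)`. The rewritten loop condition also compares `off - fi->offset` with `rinfo->dir_nr`, which the same format string prints as `%d`. If `dir_nr` is a signed int it is converted to unsigned for that comparison, so a negative count in the parsed reply would satisfy the bound instead of failing it. The declarations of `dir_nr` and `fi->offset` are outside the hunk, so this needs checking against the struct definitions.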
45008 diff -urNp linux-2.6.39.3/fs/cifs/cifs_debug.c linux-2.6.39.3/fs/cifs/cifs_debug.c
45009 --- linux-2.6.39.3/fs/cifs/cifs_debug.c 2011-05-19 00:06:34.000000000 -0400
45010 +++ linux-2.6.39.3/fs/cifs/cifs_debug.c 2011-05-22 19:36:32.000000000 -0400
45011 @@ -279,25 +279,25 @@ static ssize_t cifs_stats_proc_write(str
45012 tcon = list_entry(tmp3,
45013 struct cifsTconInfo,
45014 tcon_list);
45015 - atomic_set(&tcon->num_smbs_sent, 0);
45016 - atomic_set(&tcon->num_writes, 0);
45017 - atomic_set(&tcon->num_reads, 0);
45018 - atomic_set(&tcon->num_oplock_brks, 0);
45019 - atomic_set(&tcon->num_opens, 0);
45020 - atomic_set(&tcon->num_posixopens, 0);
45021 - atomic_set(&tcon->num_posixmkdirs, 0);
45022 - atomic_set(&tcon->num_closes, 0);
45023 - atomic_set(&tcon->num_deletes, 0);
45024 - atomic_set(&tcon->num_mkdirs, 0);
45025 - atomic_set(&tcon->num_rmdirs, 0);
45026 - atomic_set(&tcon->num_renames, 0);
45027 - atomic_set(&tcon->num_t2renames, 0);
45028 - atomic_set(&tcon->num_ffirst, 0);
45029 - atomic_set(&tcon->num_fnext, 0);
45030 - atomic_set(&tcon->num_fclose, 0);
45031 - atomic_set(&tcon->num_hardlinks, 0);
45032 - atomic_set(&tcon->num_symlinks, 0);
45033 - atomic_set(&tcon->num_locks, 0);
45034 + atomic_set_unchecked(&tcon->num_smbs_sent, 0);
45035 + atomic_set_unchecked(&tcon->num_writes, 0);
45036 + atomic_set_unchecked(&tcon->num_reads, 0);
45037 + atomic_set_unchecked(&tcon->num_oplock_brks, 0);
45038 + atomic_set_unchecked(&tcon->num_opens, 0);
45039 + atomic_set_unchecked(&tcon->num_posixopens, 0);
45040 + atomic_set_unchecked(&tcon->num_posixmkdirs, 0);
45041 + atomic_set_unchecked(&tcon->num_closes, 0);
45042 + atomic_set_unchecked(&tcon->num_deletes, 0);
45043 + atomic_set_unchecked(&tcon->num_mkdirs, 0);
45044 + atomic_set_unchecked(&tcon->num_rmdirs, 0);
45045 + atomic_set_unchecked(&tcon->num_renames, 0);
45046 + atomic_set_unchecked(&tcon->num_t2renames, 0);
45047 + atomic_set_unchecked(&tcon->num_ffirst, 0);
45048 + atomic_set_unchecked(&tcon->num_fnext, 0);
45049 + atomic_set_unchecked(&tcon->num_fclose, 0);
45050 + atomic_set_unchecked(&tcon->num_hardlinks, 0);
45051 + atomic_set_unchecked(&tcon->num_symlinks, 0);
45052 + atomic_set_unchecked(&tcon->num_locks, 0);
45053 }
45054 }
45055 }
45056 @@ -357,41 +357,41 @@ static int cifs_stats_proc_show(struct s
45057 if (tcon->need_reconnect)
45058 seq_puts(m, "\tDISCONNECTED ");
45059 seq_printf(m, "\nSMBs: %d Oplock Breaks: %d",
45060 - atomic_read(&tcon->num_smbs_sent),
45061 - atomic_read(&tcon->num_oplock_brks));
45062 + atomic_read_unchecked(&tcon->num_smbs_sent),
45063 + atomic_read_unchecked(&tcon->num_oplock_brks));
45064 seq_printf(m, "\nReads: %d Bytes: %lld",
45065 - atomic_read(&tcon->num_reads),
45066 + atomic_read_unchecked(&tcon->num_reads),
45067 (long long)(tcon->bytes_read));
45068 seq_printf(m, "\nWrites: %d Bytes: %lld",
45069 - atomic_read(&tcon->num_writes),
45070 + atomic_read_unchecked(&tcon->num_writes),
45071 (long long)(tcon->bytes_written));
45072 seq_printf(m, "\nFlushes: %d",
45073 - atomic_read(&tcon->num_flushes));
45074 + atomic_read_unchecked(&tcon->num_flushes));
45075 seq_printf(m, "\nLocks: %d HardLinks: %d "
45076 "Symlinks: %d",
45077 - atomic_read(&tcon->num_locks),
45078 - atomic_read(&tcon->num_hardlinks),
45079 - atomic_read(&tcon->num_symlinks));
45080 + atomic_read_unchecked(&tcon->num_locks),
45081 + atomic_read_unchecked(&tcon->num_hardlinks),
45082 + atomic_read_unchecked(&tcon->num_symlinks));
45083 seq_printf(m, "\nOpens: %d Closes: %d "
45084 "Deletes: %d",
45085 - atomic_read(&tcon->num_opens),
45086 - atomic_read(&tcon->num_closes),
45087 - atomic_read(&tcon->num_deletes));
45088 + atomic_read_unchecked(&tcon->num_opens),
45089 + atomic_read_unchecked(&tcon->num_closes),
45090 + atomic_read_unchecked(&tcon->num_deletes));
45091 seq_printf(m, "\nPosix Opens: %d "
45092 "Posix Mkdirs: %d",
45093 - atomic_read(&tcon->num_posixopens),
45094 - atomic_read(&tcon->num_posixmkdirs));
45095 + atomic_read_unchecked(&tcon->num_posixopens),
45096 + atomic_read_unchecked(&tcon->num_posixmkdirs));
45097 seq_printf(m, "\nMkdirs: %d Rmdirs: %d",
45098 - atomic_read(&tcon->num_mkdirs),
45099 - atomic_read(&tcon->num_rmdirs));
45100 + atomic_read_unchecked(&tcon->num_mkdirs),
45101 + atomic_read_unchecked(&tcon->num_rmdirs));
45102 seq_printf(m, "\nRenames: %d T2 Renames %d",
45103 - atomic_read(&tcon->num_renames),
45104 - atomic_read(&tcon->num_t2renames));
45105 + atomic_read_unchecked(&tcon->num_renames),
45106 + atomic_read_unchecked(&tcon->num_t2renames));
45107 seq_printf(m, "\nFindFirst: %d FNext %d "
45108 "FClose %d",
45109 - atomic_read(&tcon->num_ffirst),
45110 - atomic_read(&tcon->num_fnext),
45111 - atomic_read(&tcon->num_fclose));
45112 + atomic_read_unchecked(&tcon->num_ffirst),
45113 + atomic_read_unchecked(&tcon->num_fnext),
45114 + atomic_read_unchecked(&tcon->num_fclose));
45115 }
45116 }
45117 }
45118 diff -urNp linux-2.6.39.3/fs/cifs/cifsglob.h linux-2.6.39.3/fs/cifs/cifsglob.h
45119 --- linux-2.6.39.3/fs/cifs/cifsglob.h 2011-05-19 00:06:34.000000000 -0400
45120 +++ linux-2.6.39.3/fs/cifs/cifsglob.h 2011-05-22 19:36:32.000000000 -0400
45121 @@ -305,28 +305,28 @@ struct cifsTconInfo {
45122 __u16 Flags; /* optional support bits */
45123 enum statusEnum tidStatus;
45124 #ifdef CONFIG_CIFS_STATS
45125 - atomic_t num_smbs_sent;
45126 - atomic_t num_writes;
45127 - atomic_t num_reads;
45128 - atomic_t num_flushes;
45129 - atomic_t num_oplock_brks;
45130 - atomic_t num_opens;
45131 - atomic_t num_closes;
45132 - atomic_t num_deletes;
45133 - atomic_t num_mkdirs;
45134 - atomic_t num_posixopens;
45135 - atomic_t num_posixmkdirs;
45136 - atomic_t num_rmdirs;
45137 - atomic_t num_renames;
45138 - atomic_t num_t2renames;
45139 - atomic_t num_ffirst;
45140 - atomic_t num_fnext;
45141 - atomic_t num_fclose;
45142 - atomic_t num_hardlinks;
45143 - atomic_t num_symlinks;
45144 - atomic_t num_locks;
45145 - atomic_t num_acl_get;
45146 - atomic_t num_acl_set;
45147 + atomic_unchecked_t num_smbs_sent;
45148 + atomic_unchecked_t num_writes;
45149 + atomic_unchecked_t num_reads;
45150 + atomic_unchecked_t num_flushes;
45151 + atomic_unchecked_t num_oplock_brks;
45152 + atomic_unchecked_t num_opens;
45153 + atomic_unchecked_t num_closes;
45154 + atomic_unchecked_t num_deletes;
45155 + atomic_unchecked_t num_mkdirs;
45156 + atomic_unchecked_t num_posixopens;
45157 + atomic_unchecked_t num_posixmkdirs;
45158 + atomic_unchecked_t num_rmdirs;
45159 + atomic_unchecked_t num_renames;
45160 + atomic_unchecked_t num_t2renames;
45161 + atomic_unchecked_t num_ffirst;
45162 + atomic_unchecked_t num_fnext;
45163 + atomic_unchecked_t num_fclose;
45164 + atomic_unchecked_t num_hardlinks;
45165 + atomic_unchecked_t num_symlinks;
45166 + atomic_unchecked_t num_locks;
45167 + atomic_unchecked_t num_acl_get;
45168 + atomic_unchecked_t num_acl_set;
45169 #ifdef CONFIG_CIFS_STATS2
45170 unsigned long long time_writes;
45171 unsigned long long time_reads;
45172 @@ -509,7 +509,7 @@ static inline char CIFS_DIR_SEP(const st
45173 }
45174
45175 #ifdef CONFIG_CIFS_STATS
45176 -#define cifs_stats_inc atomic_inc
45177 +#define cifs_stats_inc atomic_inc_unchecked
45178
45179 static inline void cifs_stats_bytes_written(struct cifsTconInfo *tcon,
45180 unsigned int bytes)
45181 diff -urNp linux-2.6.39.3/fs/cifs/link.c linux-2.6.39.3/fs/cifs/link.c
45182 --- linux-2.6.39.3/fs/cifs/link.c 2011-05-19 00:06:34.000000000 -0400
45183 +++ linux-2.6.39.3/fs/cifs/link.c 2011-05-22 19:36:32.000000000 -0400
45184 @@ -577,7 +577,7 @@ symlink_exit:
45185
45186 void cifs_put_link(struct dentry *direntry, struct nameidata *nd, void *cookie)
45187 {
45188 - char *p = nd_get_link(nd);
45189 + const char *p = nd_get_link(nd);
45190 if (!IS_ERR(p))
45191 kfree(p);
45192 }
45193 diff -urNp linux-2.6.39.3/fs/coda/cache.c linux-2.6.39.3/fs/coda/cache.c
45194 --- linux-2.6.39.3/fs/coda/cache.c 2011-05-19 00:06:34.000000000 -0400
45195 +++ linux-2.6.39.3/fs/coda/cache.c 2011-05-22 19:36:32.000000000 -0400
45196 @@ -24,7 +24,7 @@
45197 #include "coda_linux.h"
45198 #include "coda_cache.h"
45199
45200 -static atomic_t permission_epoch = ATOMIC_INIT(0);
45201 +static atomic_unchecked_t permission_epoch = ATOMIC_INIT(0);
45202
45203 /* replace or extend an acl cache hit */
45204 void coda_cache_enter(struct inode *inode, int mask)
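Review bot: `permission_epoch` is what `coda_cache_check()` (hunk @@ -66) compares to decide whether a cached permission is still valid, and nothing here records why it is safe to move it to the unchecked atomic type. A comment at the declaration would help the next reader, e.g. `/* generation counter, not a reference count; a stale entry can only match again after the counter wraps all the way round */`. Whether that window is acceptable for a permission cache is a judgement the comment should state explicitly.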
45205 @@ -32,7 +32,7 @@ void coda_cache_enter(struct inode *inod
45206 struct coda_inode_info *cii = ITOC(inode);
45207
45208 spin_lock(&cii->c_lock);
45209 - cii->c_cached_epoch = atomic_read(&permission_epoch);
45210 + cii->c_cached_epoch = atomic_read_unchecked(&permission_epoch);
45211 if (cii->c_uid != current_fsuid()) {
45212 cii->c_uid = current_fsuid();
45213 cii->c_cached_perm = mask;
45214 @@ -46,14 +46,14 @@ void coda_cache_clear_inode(struct inode
45215 {
45216 struct coda_inode_info *cii = ITOC(inode);
45217 spin_lock(&cii->c_lock);
45218 - cii->c_cached_epoch = atomic_read(&permission_epoch) - 1;
45219 + cii->c_cached_epoch = atomic_read_unchecked(&permission_epoch) - 1;
45220 spin_unlock(&cii->c_lock);
45221 }
45222
45223 /* remove all acl caches */
45224 void coda_cache_clear_all(struct super_block *sb)
45225 {
45226 - atomic_inc(&permission_epoch);
45227 + atomic_inc_unchecked(&permission_epoch);
45228 }
45229
45230
45231 @@ -66,7 +66,7 @@ int coda_cache_check(struct inode *inode
45232 spin_lock(&cii->c_lock);
45233 hit = (mask & cii->c_cached_perm) == mask &&
45234 cii->c_uid == current_fsuid() &&
45235 - cii->c_cached_epoch == atomic_read(&permission_epoch);
45236 + cii->c_cached_epoch == atomic_read_unchecked(&permission_epoch);
45237 spin_unlock(&cii->c_lock);
45238
45239 return hit;
45240 diff -urNp linux-2.6.39.3/fs/compat_binfmt_elf.c linux-2.6.39.3/fs/compat_binfmt_elf.c
45241 --- linux-2.6.39.3/fs/compat_binfmt_elf.c 2011-05-19 00:06:34.000000000 -0400
45242 +++ linux-2.6.39.3/fs/compat_binfmt_elf.c 2011-05-22 19:36:32.000000000 -0400
45243 @@ -30,11 +30,13 @@
45244 #undef elf_phdr
45245 #undef elf_shdr
45246 #undef elf_note
45247 +#undef elf_dyn
45248 #undef elf_addr_t
45249 #define elfhdr elf32_hdr
45250 #define elf_phdr elf32_phdr
45251 #define elf_shdr elf32_shdr
45252 #define elf_note elf32_note
45253 +#define elf_dyn Elf32_Dyn
45254 #define elf_addr_t Elf32_Addr
45255
45256 /*
45257 diff -urNp linux-2.6.39.3/fs/compat.c linux-2.6.39.3/fs/compat.c
45258 --- linux-2.6.39.3/fs/compat.c 2011-05-19 00:06:34.000000000 -0400
45259 +++ linux-2.6.39.3/fs/compat.c 2011-05-22 19:41:37.000000000 -0400
45260 @@ -566,7 +566,7 @@ ssize_t compat_rw_copy_check_uvector(int
45261 goto out;
45262
45263 ret = -EINVAL;
45264 - if (nr_segs > UIO_MAXIOV || nr_segs < 0)
45265 + if (nr_segs > UIO_MAXIOV)
45266 goto out;
45267 if (nr_segs > fast_segs) {
45268 ret = -ENOMEM;
45269 @@ -848,6 +848,7 @@ struct compat_old_linux_dirent {
45270
45271 struct compat_readdir_callback {
45272 struct compat_old_linux_dirent __user *dirent;
45273 + struct file * file;
45274 int result;
45275 };
45276
45277 @@ -865,6 +866,10 @@ static int compat_fillonedir(void *__buf
45278 buf->result = -EOVERFLOW;
45279 return -EOVERFLOW;
45280 }
45281 +
45282 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
45283 + return 0;
45284 +
45285 buf->result++;
45286 dirent = buf->dirent;
45287 if (!access_ok(VERIFY_WRITE, dirent,
45288 @@ -897,6 +902,7 @@ asmlinkage long compat_sys_old_readdir(u
45289
45290 buf.result = 0;
45291 buf.dirent = dirent;
45292 + buf.file = file;
45293
45294 error = vfs_readdir(file, compat_fillonedir, &buf);
45295 if (buf.result)
45296 @@ -917,6 +923,7 @@ struct compat_linux_dirent {
45297 struct compat_getdents_callback {
45298 struct compat_linux_dirent __user *current_dir;
45299 struct compat_linux_dirent __user *previous;
45300 + struct file * file;
45301 int count;
45302 int error;
45303 };
45304 @@ -938,6 +945,10 @@ static int compat_filldir(void *__buf, c
45305 buf->error = -EOVERFLOW;
45306 return -EOVERFLOW;
45307 }
45308 +
45309 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
45310 + return 0;
45311 +
45312 dirent = buf->previous;
45313 if (dirent) {
45314 if (__put_user(offset, &dirent->d_off))
45315 @@ -985,6 +996,7 @@ asmlinkage long compat_sys_getdents(unsi
45316 buf.previous = NULL;
45317 buf.count = count;
45318 buf.error = 0;
45319 + buf.file = file;
45320
45321 error = vfs_readdir(file, compat_filldir, &buf);
45322 if (error >= 0)
45323 @@ -1006,6 +1018,7 @@ out:
45324 struct compat_getdents_callback64 {
45325 struct linux_dirent64 __user *current_dir;
45326 struct linux_dirent64 __user *previous;
45327 + struct file * file;
45328 int count;
45329 int error;
45330 };
45331 @@ -1022,6 +1035,10 @@ static int compat_filldir64(void * __buf
45332 buf->error = -EINVAL; /* only used if we fail.. */
45333 if (reclen > buf->count)
45334 return -EINVAL;
45335 +
45336 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
45337 + return 0;
45338 +
45339 dirent = buf->previous;
45340
45341 if (dirent) {
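Review bot: The new early `return 0` for a filtered entry comes after `buf->error = -EINVAL;`, so a call that skips an entry leaves the error field set. If the syscall wrapper falls back to `buf.error` when no entry was written (the code after `if (error >= 0)` in the @@ -1073 hunk is cut off), a read in which every remaining entry is filtered would return `-EINVAL` rather than 0. Placing the `gr_acl_handle_filldir()` test before `buf->error = -EINVAL;` avoids that. `compat_filldir` at @@ -938 may need the same ordering, but its assignment to `buf->error` is not visible in that hunk.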
45342 @@ -1073,6 +1090,7 @@ asmlinkage long compat_sys_getdents64(un
45343 buf.previous = NULL;
45344 buf.count = count;
45345 buf.error = 0;
45346 + buf.file = file;
45347
45348 error = vfs_readdir(file, compat_filldir64, &buf);
45349 if (error >= 0)
45350 @@ -1436,6 +1454,11 @@ int compat_do_execve(char * filename,
45351 compat_uptr_t __user *envp,
45352 struct pt_regs * regs)
45353 {
45354 +#ifdef CONFIG_GRKERNSEC
45355 + struct file *old_exec_file;
45356 + struct acl_subject_label *old_acl;
45357 + struct rlimit old_rlim[RLIM_NLIMITS];
45358 +#endif
45359 struct linux_binprm *bprm;
45360 struct file *file;
45361 struct files_struct *displaced;
45362 @@ -1472,6 +1495,19 @@ int compat_do_execve(char * filename,
45363 bprm->filename = filename;
45364 bprm->interp = filename;
45365
45366 + if (gr_process_user_ban()) {
45367 + retval = -EPERM;
45368 + goto out_file;
45369 + }
45370 +
45371 + gr_learn_resource(current, RLIMIT_NPROC, atomic_read(&current->cred->user->processes), 1);
45372 + retval = -EAGAIN;
45373 + if (gr_handle_nproc())
45374 + goto out_file;
45375 + retval = -EACCES;
45376 + if (!gr_acl_handle_execve(file->f_dentry, file->f_vfsmnt))
45377 + goto out_file;
45378 +
45379 retval = bprm_mm_init(bprm);
45380 if (retval)
45381 goto out_file;
45382 @@ -1501,9 +1537,40 @@ int compat_do_execve(char * filename,
45383 if (retval < 0)
45384 goto out;
45385
45386 + if (!gr_tpe_allow(file)) {
45387 + retval = -EACCES;
45388 + goto out;
45389 + }
45390 +
45391 + if (gr_check_crash_exec(file)) {
45392 + retval = -EACCES;
45393 + goto out;
45394 + }
45395 +
45396 + gr_log_chroot_exec(file->f_dentry, file->f_vfsmnt);
45397 +
45398 + gr_handle_exec_args_compat(bprm, argv);
45399 +
45400 +#ifdef CONFIG_GRKERNSEC
45401 + old_acl = current->acl;
45402 + memcpy(old_rlim, current->signal->rlim, sizeof(old_rlim));
45403 + old_exec_file = current->exec_file;
45404 + get_file(file);
45405 + current->exec_file = file;
45406 +#endif
45407 +
45408 + retval = gr_set_proc_label(file->f_dentry, file->f_vfsmnt,
45409 + bprm->unsafe & LSM_UNSAFE_SHARE);
45410 + if (retval < 0)
45411 + goto out_fail;
45412 +
45413 retval = search_binary_handler(bprm, regs);
45414 if (retval < 0)
45415 - goto out;
45416 + goto out_fail;
45417 +#ifdef CONFIG_GRKERNSEC
45418 + if (old_exec_file)
45419 + fput(old_exec_file);
45420 +#endif
45421
45422 /* execve succeeded */
45423 current->fs->in_exec = 0;
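Review bot: `memcpy(old_rlim, current->signal->rlim, sizeof(old_rlim));` snapshots the rlimit array with no lock visible in the hunk, and the `out_fail:` path in the next hunk (@@ -1514) writes the whole snapshot back. If `signal->rlim` is shared by the thread group, a limit changed by another thread between the two copies would be silently reverted, and either copy could observe a half-updated entry. Both copies should run under the lock that rlimit writers take, which appears to be the group leader's task lock in this kernel generation (to be confirmed against the setrlimit implementation): `task_lock(current->group_leader); memcpy(...); task_unlock(current->group_leader);`. `compat_do_execve` starts and ends outside this hunk.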
45424 @@ -1514,6 +1581,14 @@ int compat_do_execve(char * filename,
45425 put_files_struct(displaced);
45426 return retval;
45427
45428 +out_fail:
45429 +#ifdef CONFIG_GRKERNSEC
45430 + current->acl = old_acl;
45431 + memcpy(current->signal->rlim, old_rlim, sizeof(old_rlim));
45432 + fput(current->exec_file);
45433 + current->exec_file = old_exec_file;
45434 +#endif
45435 +
45436 out:
45437 if (bprm->mm) {
45438 acct_arg_size(bprm, 0);
45439 @@ -1681,6 +1756,8 @@ int compat_core_sys_select(int n, compat
45440 struct fdtable *fdt;
45441 long stack_fds[SELECT_STACK_ALLOC/sizeof(long)];
45442
45443 + pax_track_stack();
45444 +
45445 if (n < 0)
45446 goto out_nofds;
45447
45448 diff -urNp linux-2.6.39.3/fs/compat_ioctl.c linux-2.6.39.3/fs/compat_ioctl.c
45449 --- linux-2.6.39.3/fs/compat_ioctl.c 2011-05-19 00:06:34.000000000 -0400
45450 +++ linux-2.6.39.3/fs/compat_ioctl.c 2011-05-22 19:36:32.000000000 -0400
45451 @@ -208,6 +208,8 @@ static int do_video_set_spu_palette(unsi
45452
45453 err = get_user(palp, &up->palette);
45454 err |= get_user(length, &up->length);
45455 + if (err)
45456 + return -EFAULT;
45457
45458 up_native = compat_alloc_user_space(sizeof(struct video_spu_palette));
45459 err = put_user(compat_ptr(palp), &up_native->palette);
45460 @@ -1638,8 +1640,8 @@ asmlinkage long compat_sys_ioctl(unsigne
45461 static int __init init_sys32_ioctl_cmp(const void *p, const void *q)
45462 {
45463 unsigned int a, b;
45464 - a = *(unsigned int *)p;
45465 - b = *(unsigned int *)q;
45466 + a = *(const unsigned int *)p;
45467 + b = *(const unsigned int *)q;
45468 if (a > b)
45469 return 1;
45470 if (a < b)
45471 diff -urNp linux-2.6.39.3/fs/configfs/dir.c linux-2.6.39.3/fs/configfs/dir.c
45472 --- linux-2.6.39.3/fs/configfs/dir.c 2011-05-19 00:06:34.000000000 -0400
45473 +++ linux-2.6.39.3/fs/configfs/dir.c 2011-05-22 19:36:32.000000000 -0400
45474 @@ -1575,7 +1575,8 @@ static int configfs_readdir(struct file
45475 }
45476 for (p=q->next; p!= &parent_sd->s_children; p=p->next) {
45477 struct configfs_dirent *next;
45478 - const char * name;
45479 + const unsigned char * name;
45480 + char d_name[sizeof(next->s_dentry->d_iname)];
45481 int len;
45482 struct inode *inode = NULL;
45483
45484 @@ -1585,7 +1586,12 @@ static int configfs_readdir(struct file
45485 continue;
45486
45487 name = configfs_get_name(next);
45488 - len = strlen(name);
45489 + if (next->s_dentry && name == next->s_dentry->d_iname) {
45490 + len = next->s_dentry->d_name.len;
45491 + memcpy(d_name, name, len);
45492 + name = d_name;
45493 + } else
45494 + len = strlen(name);
45495
45496 /*
45497 * We'll have a dentry and an inode for
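Review bot: `len` is taken from `next->s_dentry->d_name.len` and used as the `memcpy()` size into `d_name[]` (declared in the previous hunk with `sizeof(next->s_dentry->d_iname)`) without being compared with the size of that array. The pointer test `name == next->s_dentry->d_iname` and the length read are two separate loads, so the bound holds only if nothing can change the dentry name in between. An explicit guard before the copy removes that dependency, e.g. `if (len > sizeof(d_name)) len = sizeof(d_name);`. `d_name` is also left without a terminating NUL, so any code after the hunk that treats `name` as a C string instead of using `len` would read past the copied bytes.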
45498 diff -urNp linux-2.6.39.3/fs/configfs/file.c linux-2.6.39.3/fs/configfs/file.c
45499 --- linux-2.6.39.3/fs/configfs/file.c 2011-05-19 00:06:34.000000000 -0400
45500 +++ linux-2.6.39.3/fs/configfs/file.c 2011-05-22 19:36:32.000000000 -0400
45501 @@ -215,7 +215,7 @@ static int check_perm(struct inode * ino
45502 struct config_item *item = configfs_get_config_item(file->f_path.dentry->d_parent);
45503 struct configfs_attribute * attr = to_attr(file->f_path.dentry);
45504 struct configfs_buffer * buffer;
45505 - struct configfs_item_operations * ops = NULL;
45506 + struct configfs_item_operations *ops = NULL;
45507 int error = 0;
45508
45509 if (!item || !attr)
45510 diff -urNp linux-2.6.39.3/fs/configfs/item.c linux-2.6.39.3/fs/configfs/item.c
45511 --- linux-2.6.39.3/fs/configfs/item.c 2011-05-19 00:06:34.000000000 -0400
45512 +++ linux-2.6.39.3/fs/configfs/item.c 2011-05-22 19:36:32.000000000 -0400
45513 @@ -123,7 +123,7 @@ void config_item_init_type_name(struct c
45514 EXPORT_SYMBOL(config_item_init_type_name);
45515
45516 void config_group_init_type_name(struct config_group *group, const char *name,
45517 - struct config_item_type *type)
45518 + struct config_item_type *type)
45519 {
45520 config_item_set_name(&group->cg_item, name);
45521 group->cg_item.ci_type = type;
45522 diff -urNp linux-2.6.39.3/fs/dcache.c linux-2.6.39.3/fs/dcache.c
45523 --- linux-2.6.39.3/fs/dcache.c 2011-05-19 00:06:34.000000000 -0400
45524 +++ linux-2.6.39.3/fs/dcache.c 2011-05-22 19:36:32.000000000 -0400
45525 @@ -3069,7 +3069,7 @@ void __init vfs_caches_init(unsigned lon
45526 mempages -= reserve;
45527
45528 names_cachep = kmem_cache_create("names_cache", PATH_MAX, 0,
45529 - SLAB_HWCACHE_ALIGN|SLAB_PANIC, NULL);
45530 + SLAB_HWCACHE_ALIGN|SLAB_PANIC|SLAB_USERCOPY, NULL);
45531
45532 dcache_init();
45533 inode_init();
45534 diff -urNp linux-2.6.39.3/fs/dlm/lockspace.c linux-2.6.39.3/fs/dlm/lockspace.c
45535 --- linux-2.6.39.3/fs/dlm/lockspace.c 2011-05-19 00:06:34.000000000 -0400
45536 +++ linux-2.6.39.3/fs/dlm/lockspace.c 2011-05-22 19:36:32.000000000 -0400
45537 @@ -200,7 +200,7 @@ static int dlm_uevent(struct kset *kset,
45538 return 0;
45539 }
45540
45541 -static struct kset_uevent_ops dlm_uevent_ops = {
45542 +static const struct kset_uevent_ops dlm_uevent_ops = {
45543 .uevent = dlm_uevent,
45544 };
45545
45546 diff -urNp linux-2.6.39.3/fs/ecryptfs/inode.c linux-2.6.39.3/fs/ecryptfs/inode.c
45547 --- linux-2.6.39.3/fs/ecryptfs/inode.c 2011-06-03 00:04:14.000000000 -0400
45548 +++ linux-2.6.39.3/fs/ecryptfs/inode.c 2011-06-03 00:32:07.000000000 -0400
45549 @@ -623,7 +623,7 @@ static int ecryptfs_readlink_lower(struc
45550 old_fs = get_fs();
45551 set_fs(get_ds());
45552 rc = lower_dentry->d_inode->i_op->readlink(lower_dentry,
45553 - (char __user *)lower_buf,
45554 + (__force char __user *)lower_buf,
45555 lower_bufsiz);
45556 set_fs(old_fs);
45557 if (rc < 0)
45558 @@ -669,7 +669,7 @@ static void *ecryptfs_follow_link(struct
45559 }
45560 old_fs = get_fs();
45561 set_fs(get_ds());
45562 - rc = dentry->d_inode->i_op->readlink(dentry, (char __user *)buf, len);
45563 + rc = dentry->d_inode->i_op->readlink(dentry, (__force char __user *)buf, len);
45564 set_fs(old_fs);
45565 if (rc < 0) {
45566 kfree(buf);
45567 @@ -684,7 +684,7 @@ out:
45568 static void
45569 ecryptfs_put_link(struct dentry *dentry, struct nameidata *nd, void *ptr)
45570 {
45571 - char *buf = nd_get_link(nd);
45572 + const char *buf = nd_get_link(nd);
45573 if (!IS_ERR(buf)) {
45574 /* Free the char* */
45575 kfree(buf);
45576 diff -urNp linux-2.6.39.3/fs/ecryptfs/miscdev.c linux-2.6.39.3/fs/ecryptfs/miscdev.c
45577 --- linux-2.6.39.3/fs/ecryptfs/miscdev.c 2011-05-19 00:06:34.000000000 -0400
45578 +++ linux-2.6.39.3/fs/ecryptfs/miscdev.c 2011-05-22 19:36:32.000000000 -0400
45579 @@ -328,7 +328,7 @@ check_list:
45580 goto out_unlock_msg_ctx;
45581 i = 5;
45582 if (msg_ctx->msg) {
45583 - if (copy_to_user(&buf[i], packet_length, packet_length_size))
45584 + if (packet_length_size > sizeof(packet_length) || copy_to_user(&buf[i], packet_length, packet_length_size))
45585 goto out_unlock_msg_ctx;
45586 i += packet_length_size;
45587 if (copy_to_user(&buf[i], msg_ctx->msg, msg_ctx->msg_size))
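Review bot: The added bound `packet_length_size > sizeof(packet_length)` shares one condition with `copy_to_user()`, so an oversized length and a faulting user buffer take the same `goto out_unlock_msg_ctx` and, as far as the hunk shows, the same return code. I would test the length on its own line where `packet_length_size` is produced (outside this hunk), with a comment such as `/* never copy more than packet_length holds */`. The next call, `copy_to_user(&buf[i], msg_ctx->msg, msg_ctx->msg_size)`, has no comparable bound in the visible lines. Whether `msg_size` was checked against the caller's buffer size earlier cannot be told from here.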
45588 diff -urNp linux-2.6.39.3/fs/exec.c linux-2.6.39.3/fs/exec.c
45589 --- linux-2.6.39.3/fs/exec.c 2011-06-25 12:55:23.000000000 -0400
45590 +++ linux-2.6.39.3/fs/exec.c 2011-07-06 20:00:13.000000000 -0400
45591 @@ -55,12 +55,24 @@
45592 #include <linux/fs_struct.h>
45593 #include <linux/pipe_fs_i.h>
45594 #include <linux/oom.h>
45595 +#include <linux/random.h>
45596 +#include <linux/seq_file.h>
45597 +
45598 +#ifdef CONFIG_PAX_REFCOUNT
45599 +#include <linux/kallsyms.h>
45600 +#include <linux/kdebug.h>
45601 +#endif
45602
45603 #include <asm/uaccess.h>
45604 #include <asm/mmu_context.h>
45605 #include <asm/tlb.h>
45606 #include "internal.h"
45607
45608 +#ifdef CONFIG_PAX_HOOK_ACL_FLAGS
45609 +void (*pax_set_initial_flags_func)(struct linux_binprm *bprm);
45610 +EXPORT_SYMBOL(pax_set_initial_flags_func);
45611 +#endif
45612 +
45613 int core_uses_pid;
45614 char core_pattern[CORENAME_MAX_SIZE] = "core";
45615 unsigned int core_pipe_limit;
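Review bot: `pax_set_initial_flags_func` is added as a writable global function pointer exported with `EXPORT_SYMBOL`, with no comment on who assigns it, when, or whether callers must test it for NULL before calling. An indirect call target that any module can overwrite deserves at least a contract comment above the declaration, e.g. `/* set by the ACL code to choose initial PaX flags at exec; NULL when no hook is registered */`. The role is inferred from `CONFIG_PAX_HOOK_ACL_FLAGS`, so the author should confirm it. If the pointer is only assigned once during initialisation, that should be stated too.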
45616 @@ -70,7 +82,7 @@ struct core_name {
45617 char *corename;
45618 int used, size;
45619 };
45620 -static atomic_t call_count = ATOMIC_INIT(1);
45621 +static atomic_unchecked_t call_count = ATOMIC_INIT(1);
45622
45623 /* The maximal length of core_pattern is also specified in sysctl.c */
45624
45625 @@ -116,7 +128,7 @@ SYSCALL_DEFINE1(uselib, const char __use
45626 char *tmp = getname(library);
45627 int error = PTR_ERR(tmp);
45628 static const struct open_flags uselib_flags = {
45629 - .open_flag = O_LARGEFILE | O_RDONLY | __FMODE_EXEC,
45630 + .open_flag = O_LARGEFILE | O_RDONLY | __FMODE_EXEC | FMODE_GREXEC,
45631 .acc_mode = MAY_READ | MAY_EXEC | MAY_OPEN,
45632 .intent = LOOKUP_OPEN
45633 };
45634 @@ -190,18 +202,10 @@ struct page *get_arg_page(struct linux_b
45635 int write)
45636 {
45637 struct page *page;
45638 - int ret;
45639
45640 -#ifdef CONFIG_STACK_GROWSUP
45641 - if (write) {
45642 - ret = expand_stack_downwards(bprm->vma, pos);
45643 - if (ret < 0)
45644 - return NULL;
45645 - }
45646 -#endif
45647 - ret = get_user_pages(current, bprm->mm, pos,
45648 - 1, write, 1, &page, NULL);
45649 - if (ret <= 0)
45650 + if (0 > expand_stack_downwards(bprm->vma, pos))
45651 + return NULL;
45652 + if (0 >= get_user_pages(current, bprm->mm, pos, 1, write, 1, &page, NULL))
45653 return NULL;
45654
45655 if (write) {
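Review bot: The rewritten checks use reversed comparisons (`0 > expand_stack_downwards(...)`, `0 >= get_user_pages(...)`), which the surrounding code does not; `if (expand_stack_downwards(bprm->vma, pos) < 0)` says the same thing in the file's own style. The hunk also drops both the `CONFIG_STACK_GROWSUP` guard and the `if (write)` test, so the expansion now runs on every architecture and on read lookups as well, and nothing records why. A comment above the call, e.g. `/* always extend the temporary stack vma to cover pos before pinning the page */`, would capture the intent. That wording is inferred, so the author should confirm it. `get_arg_page` continues past the end of the hunk.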
45656 @@ -276,6 +280,11 @@ static int __bprm_mm_init(struct linux_b
45657 vma->vm_end = STACK_TOP_MAX;
45658 vma->vm_start = vma->vm_end - PAGE_SIZE;
45659 vma->vm_flags = VM_STACK_FLAGS | VM_STACK_INCOMPLETE_SETUP;
45660 +
45661 +#ifdef CONFIG_PAX_SEGMEXEC
45662 + vma->vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
45663 +#endif
45664 +
45665 vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
45666 INIT_LIST_HEAD(&vma->anon_vma_chain);
45667
45668 @@ -290,6 +299,12 @@ static int __bprm_mm_init(struct linux_b
45669 mm->stack_vm = mm->total_vm = 1;
45670 up_write(&mm->mmap_sem);
45671 bprm->p = vma->vm_end - sizeof(void *);
45672 +
45673 +#ifdef CONFIG_PAX_RANDUSTACK
45674 + if (randomize_va_space)
45675 + bprm->p ^= (pax_get_random_long() & ~15) & ~PAGE_MASK;
45676 +#endif
45677 +
45678 return 0;
45679 err:
45680 up_write(&mm->mmap_sem);
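Review bot: The mask in `bprm->p ^= (pax_get_random_long() & ~15) & ~PAGE_MASK;` needs a comment, because it is not obvious which bits end up randomized. As written, only the in-page offset bits above the low four are flipped, so `bprm->p` stays inside the same page and keeps its low four bits. Something like `/* randomize bits 4..PAGE_SHIFT-1 of the initial stack pointer; it stays within the top stack page */` above the line would do. `~15` is an `int` constant that is sign-extended before the AND; `~15UL` states the intended width. `__bprm_mm_init` begins outside this hunk.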
45681 @@ -525,7 +540,7 @@ int copy_strings_kernel(int argc, const
45682 int r;
45683 mm_segment_t oldfs = get_fs();
45684 set_fs(KERNEL_DS);
45685 - r = copy_strings(argc, (const char __user *const __user *)argv, bprm);
45686 + r = copy_strings(argc, (__force const char __user *const __user *)argv, bprm);
45687 set_fs(oldfs);
45688 return r;
45689 }
45690 @@ -555,7 +570,8 @@ static int shift_arg_pages(struct vm_are
45691 unsigned long new_end = old_end - shift;
45692 struct mmu_gather *tlb;
45693
45694 - BUG_ON(new_start > new_end);
45695 + if (new_start >= new_end || new_start < mmap_min_addr)
45696 + return -ENOMEM;
45697
45698 /*
45699 * ensure there are no vmas between where we want to go
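Review bot: The new test `new_start >= new_end || new_start < mmap_min_addr` catches an underflowed `new_start` only when `new_end` did not wrap as well. If `shift` exceeded `old_end`, both values would wrap, `new_start < new_end` would still hold, and the function would continue. The `setup_arg_pages` hunks below appear to derive the shift as `vma->vm_end - stack_top`, which rules that out, but this function no longer says so now that it carries the check removed from its caller. A comment such as `/* caller guarantees shift <= old_end; a wrapped new_start then fails the >= test */` would record the dependency. Note also that `>=` rejects an empty range that the old `BUG_ON(new_start > new_end)` accepted. The declaration of `new_start` and the rest of `shift_arg_pages` lie outside the hunk.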
45700 @@ -564,6 +580,10 @@ static int shift_arg_pages(struct vm_are
45701 if (vma != find_vma(mm, new_start))
45702 return -EFAULT;
45703
45704 +#ifdef CONFIG_PAX_SEGMEXEC
45705 + BUG_ON(pax_find_mirror_vma(vma));
45706 +#endif
45707 +
45708 /*
45709 * cover the whole range: [new_start, old_end)
45710 */
45711 @@ -644,10 +664,6 @@ int setup_arg_pages(struct linux_binprm
45712 stack_top = arch_align_stack(stack_top);
45713 stack_top = PAGE_ALIGN(stack_top);
45714
45715 - if (unlikely(stack_top < mmap_min_addr) ||
45716 - unlikely(vma->vm_end - vma->vm_start >= stack_top - mmap_min_addr))
45717 - return -ENOMEM;
45718 -
45719 stack_shift = vma->vm_end - stack_top;
45720
45721 bprm->p -= stack_shift;
45722 @@ -659,8 +675,28 @@ int setup_arg_pages(struct linux_binprm
45723 bprm->exec -= stack_shift;
45724
45725 down_write(&mm->mmap_sem);
45726 +
45727 + /* Move stack pages down in memory. */
45728 + if (stack_shift) {
45729 + ret = shift_arg_pages(vma, stack_shift);
45730 + if (ret)
45731 + goto out_unlock;
45732 + }
45733 +
45734 vm_flags = VM_STACK_FLAGS;
45735
45736 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
45737 + if (mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
45738 + vm_flags &= ~VM_EXEC;
45739 +
45740 +#ifdef CONFIG_PAX_MPROTECT
45741 + if (mm->pax_flags & MF_PAX_MPROTECT)
45742 + vm_flags &= ~VM_MAYEXEC;
45743 +#endif
45744 +
45745 + }
45746 +#endif
45747 +
45748 /*
45749 * Adjust stack execute permissions; explicitly enable for
45750 * EXSTACK_ENABLE_X, disable for EXSTACK_DISABLE_X and leave alone
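Review bot: The PaX block clears `VM_EXEC` from `vm_flags` before the existing code which, per the comment directly below it, explicitly enables execute permission for `EXSTACK_ENABLE_X`. The clearing therefore holds only if `EXSTACK_ENABLE_X` is never passed for a task with `MF_PAX_PAGEEXEC` or `MF_PAX_SEGMEXEC` set. That dependency is not visible in this hunk. Either state it in a comment, for example `/* relies on the loader never requesting EXSTACK_ENABLE_X when these flags are set */` if that is indeed the case, or apply the PaX mask after the EXSTACK adjustment. The relocated `shift_arg_pages()` call also has no explanation of why it must now run before the flags are computed. `setup_arg_pages` begins and ends outside the hunk.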
45751 @@ -679,13 +715,6 @@ int setup_arg_pages(struct linux_binprm
45752 goto out_unlock;
45753 BUG_ON(prev != vma);
45754
45755 - /* Move stack pages down in memory. */
45756 - if (stack_shift) {
45757 - ret = shift_arg_pages(vma, stack_shift);
45758 - if (ret)
45759 - goto out_unlock;
45760 - }
45761 -
45762 /* mprotect_fixup is overkill to remove the temporary stack flags */
45763 vma->vm_flags &= ~VM_STACK_INCOMPLETE_SETUP;
45764
45765 @@ -725,7 +754,7 @@ struct file *open_exec(const char *name)
45766 struct file *file;
45767 int err;
45768 static const struct open_flags open_exec_flags = {
45769 - .open_flag = O_LARGEFILE | O_RDONLY | __FMODE_EXEC,
45770 + .open_flag = O_LARGEFILE | O_RDONLY | __FMODE_EXEC | FMODE_GREXEC,
45771 .acc_mode = MAY_EXEC | MAY_OPEN,
45772 .intent = LOOKUP_OPEN
45773 };
45774 @@ -766,7 +795,7 @@ int kernel_read(struct file *file, loff_
45775 old_fs = get_fs();
45776 set_fs(get_ds());
45777 /* The cast to a user pointer is valid due to the set_fs() */
45778 - result = vfs_read(file, (void __user *)addr, count, &pos);
45779 + result = vfs_read(file, (__force void __user *)addr, count, &pos);
45780 set_fs(old_fs);
45781 return result;
45782 }
45783 @@ -1189,7 +1218,7 @@ int check_unsafe_exec(struct linux_binpr
45784 }
45785 rcu_read_unlock();
45786
45787 - if (p->fs->users > n_fs) {
45788 + if (atomic_read(&p->fs->users) > n_fs) {
45789 bprm->unsafe |= LSM_UNSAFE_SHARE;
45790 } else {
45791 res = -EAGAIN;
45792 @@ -1381,6 +1410,11 @@ int do_execve(const char * filename,
45793 const char __user *const __user *envp,
45794 struct pt_regs * regs)
45795 {
45796 +#ifdef CONFIG_GRKERNSEC
45797 + struct file *old_exec_file;
45798 + struct acl_subject_label *old_acl;
45799 + struct rlimit old_rlim[RLIM_NLIMITS];
45800 +#endif
45801 struct linux_binprm *bprm;
45802 struct file *file;
45803 struct files_struct *displaced;
45804 @@ -1417,6 +1451,23 @@ int do_execve(const char * filename,
45805 bprm->filename = filename;
45806 bprm->interp = filename;
45807
45808 + if (gr_process_user_ban()) {
45809 + retval = -EPERM;
45810 + goto out_file;
45811 + }
45812 +
45813 + gr_learn_resource(current, RLIMIT_NPROC, atomic_read(&current->cred->user->processes), 1);
45814 +
45815 + if (gr_handle_nproc()) {
45816 + retval = -EAGAIN;
45817 + goto out_file;
45818 + }
45819 +
45820 + if (!gr_acl_handle_execve(file->f_dentry, file->f_vfsmnt)) {
45821 + retval = -EACCES;
45822 + goto out_file;
45823 + }
45824 +
45825 retval = bprm_mm_init(bprm);
45826 if (retval)
45827 goto out_file;
45828 @@ -1446,9 +1497,40 @@ int do_execve(const char * filename,
45829 if (retval < 0)
45830 goto out;
45831
45832 + if (!gr_tpe_allow(file)) {
45833 + retval = -EACCES;
45834 + goto out;
45835 + }
45836 +
45837 + if (gr_check_crash_exec(file)) {
45838 + retval = -EACCES;
45839 + goto out;
45840 + }
45841 +
45842 + gr_log_chroot_exec(file->f_dentry, file->f_vfsmnt);
45843 +
45844 + gr_handle_exec_args(bprm, argv);
45845 +
45846 +#ifdef CONFIG_GRKERNSEC
45847 + old_acl = current->acl;
45848 + memcpy(old_rlim, current->signal->rlim, sizeof(old_rlim));
45849 + old_exec_file = current->exec_file;
45850 + get_file(file);
45851 + current->exec_file = file;
45852 +#endif
45853 +
45854 + retval = gr_set_proc_label(file->f_dentry, file->f_vfsmnt,
45855 + bprm->unsafe & LSM_UNSAFE_SHARE);
45856 + if (retval < 0)
45857 + goto out_fail;
45858 +
45859 retval = search_binary_handler(bprm,regs);
45860 if (retval < 0)
45861 - goto out;
45862 + goto out_fail;
45863 +#ifdef CONFIG_GRKERNSEC
45864 + if (old_exec_file)
45865 + fput(old_exec_file);
45866 +#endif
45867
45868 /* execve succeeded */
45869 current->fs->in_exec = 0;
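Review bot: `current->signal->rlim` is saved here with a plain `memcpy()` and written back under `out_fail` in the next hunk, and no lock is taken in either place although the array belongs to the whole thread group. If another thread can change a limit between the save and a failed `search_binary_handler()`, the restore discards that change, and the unlocked copy can also observe a half-updated entry. At minimum both copies should run under `task_lock(current->group_leader)`, the lock the setrlimit path uses. Whether other threads can still run at this point is not visible from the hunk, so the author should confirm. The save block is compiled only under `CONFIG_GRKERNSEC` while `gr_set_proc_label()` and the jumps to `out_fail` are unconditional, which deserves a short comment at the label.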
45870 @@ -1459,6 +1541,14 @@ int do_execve(const char * filename,
45871 put_files_struct(displaced);
45872 return retval;
45873
45874 +out_fail:
45875 +#ifdef CONFIG_GRKERNSEC
45876 + current->acl = old_acl;
45877 + memcpy(current->signal->rlim, old_rlim, sizeof(old_rlim));
45878 + fput(current->exec_file);
45879 + current->exec_file = old_exec_file;
45880 +#endif
45881 +
45882 out:
45883 if (bprm->mm) {
45884 acct_arg_size(bprm, 0);
45885 @@ -1504,7 +1594,7 @@ static int expand_corename(struct core_n
45886 {
45887 char *old_corename = cn->corename;
45888
45889 - cn->size = CORENAME_MAX_SIZE * atomic_inc_return(&call_count);
45890 + cn->size = CORENAME_MAX_SIZE * atomic_inc_return_unchecked(&call_count);
45891 cn->corename = krealloc(old_corename, cn->size, GFP_KERNEL);
45892
45893 if (!cn->corename) {
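Review bot: Moving `call_count` to `atomic_inc_return_unchecked()` takes it out of overflow detection, which fits a counter that is not a reference count, but the value is multiplied by `CORENAME_MAX_SIZE` into the `int` field `cn->size` and passed to `krealloc()`. Nothing in the visible lines caps the counter or the product, and the same applies to the `atomic_read_unchecked()` use in `format_corename` in the next hunk. A comment at the declaration, e.g. `/* sizing hint only, not a refcount; growth is bounded by ... */`, with the bound filled in by the author, would justify the opt-out. `expand_corename` continues outside the hunk.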
45894 @@ -1557,7 +1647,7 @@ static int format_corename(struct core_n
45895 int pid_in_pattern = 0;
45896 int err = 0;
45897
45898 - cn->size = CORENAME_MAX_SIZE * atomic_read(&call_count);
45899 + cn->size = CORENAME_MAX_SIZE * atomic_read_unchecked(&call_count);
45900 cn->corename = kmalloc(cn->size, GFP_KERNEL);
45901 cn->used = 0;
45902
45903 @@ -1645,6 +1735,219 @@ out:
45904 return ispipe;
45905 }
45906
45907 +int pax_check_flags(unsigned long *flags)
45908 +{
45909 + int retval = 0;
45910 +
45911 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_SEGMEXEC)
45912 + if (*flags & MF_PAX_SEGMEXEC)
45913 + {
45914 + *flags &= ~MF_PAX_SEGMEXEC;
45915 + retval = -EINVAL;
45916 + }
45917 +#endif
45918 +
45919 + if ((*flags & MF_PAX_PAGEEXEC)
45920 +
45921 +#ifdef CONFIG_PAX_PAGEEXEC
45922 + && (*flags & MF_PAX_SEGMEXEC)
45923 +#endif
45924 +
45925 + )
45926 + {
45927 + *flags &= ~MF_PAX_PAGEEXEC;
45928 + retval = -EINVAL;
45929 + }
45930 +
45931 + if ((*flags & MF_PAX_MPROTECT)
45932 +
45933 +#ifdef CONFIG_PAX_MPROTECT
45934 + && !(*flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC))
45935 +#endif
45936 +
45937 + )
45938 + {
45939 + *flags &= ~MF_PAX_MPROTECT;
45940 + retval = -EINVAL;
45941 + }
45942 +
45943 + if ((*flags & MF_PAX_EMUTRAMP)
45944 +
45945 +#ifdef CONFIG_PAX_EMUTRAMP
45946 + && !(*flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC))
45947 +#endif
45948 +
45949 + )
45950 + {
45951 + *flags &= ~MF_PAX_EMUTRAMP;
45952 + retval = -EINVAL;
45953 + }
45954 +
45955 + return retval;
45956 +}
45957 +
45958 +EXPORT_SYMBOL(pax_check_flags);
45959 +
45960 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
45961 +void pax_report_fault(struct pt_regs *regs, void *pc, void *sp)
45962 +{
45963 + struct task_struct *tsk = current;
45964 + struct mm_struct *mm = current->mm;
45965 + char *buffer_exec = (char *)__get_free_page(GFP_KERNEL);
45966 + char *buffer_fault = (char *)__get_free_page(GFP_KERNEL);
45967 + char *path_exec = NULL;
45968 + char *path_fault = NULL;
45969 + unsigned long start = 0UL, end = 0UL, offset = 0UL;
45970 +
45971 + if (buffer_exec && buffer_fault) {
45972 + struct vm_area_struct *vma, *vma_exec = NULL, *vma_fault = NULL;
45973 +
45974 + down_read(&mm->mmap_sem);
45975 + vma = mm->mmap;
45976 + while (vma && (!vma_exec || !vma_fault)) {
45977 + if ((vma->vm_flags & VM_EXECUTABLE) && vma->vm_file)
45978 + vma_exec = vma;
45979 + if (vma->vm_start <= (unsigned long)pc && (unsigned long)pc < vma->vm_end)
45980 + vma_fault = vma;
45981 + vma = vma->vm_next;
45982 + }
45983 + if (vma_exec) {
45984 + path_exec = d_path(&vma_exec->vm_file->f_path, buffer_exec, PAGE_SIZE);
45985 + if (IS_ERR(path_exec))
45986 + path_exec = "<path too long>";
45987 + else {
45988 + path_exec = mangle_path(buffer_exec, path_exec, "\t\n\\");
45989 + if (path_exec) {
45990 + *path_exec = 0;
45991 + path_exec = buffer_exec;
45992 + } else
45993 + path_exec = "<path too long>";
45994 + }
45995 + }
45996 + if (vma_fault) {
45997 + start = vma_fault->vm_start;
45998 + end = vma_fault->vm_end;
45999 + offset = vma_fault->vm_pgoff << PAGE_SHIFT;
46000 + if (vma_fault->vm_file) {
46001 + path_fault = d_path(&vma_fault->vm_file->f_path, buffer_fault, PAGE_SIZE);
46002 + if (IS_ERR(path_fault))
46003 + path_fault = "<path too long>";
46004 + else {
46005 + path_fault = mangle_path(buffer_fault, path_fault, "\t\n\\");
46006 + if (path_fault) {
46007 + *path_fault = 0;
46008 + path_fault = buffer_fault;
46009 + } else
46010 + path_fault = "<path too long>";
46011 + }
46012 + } else
46013 + path_fault = "<anonymous mapping>";
46014 + }
46015 + up_read(&mm->mmap_sem);
46016 + }
46017 + if (tsk->signal->curr_ip)
46018 + printk(KERN_ERR "PAX: From %pI4: execution attempt in: %s, %08lx-%08lx %08lx\n", &tsk->signal->curr_ip, path_fault, start, end, offset);
46019 + else
46020 + printk(KERN_ERR "PAX: execution attempt in: %s, %08lx-%08lx %08lx\n", path_fault, start, end, offset);
46021 + printk(KERN_ERR "PAX: terminating task: %s(%s):%d, uid/euid: %u/%u, "
46022 + "PC: %p, SP: %p\n", path_exec, tsk->comm, task_pid_nr(tsk),
46023 + task_uid(tsk), task_euid(tsk), pc, sp);
46024 + free_page((unsigned long)buffer_exec);
46025 + free_page((unsigned long)buffer_fault);
46026 + pax_report_insns(pc, sp);
46027 + do_coredump(SIGKILL, SIGKILL, regs);
46028 +}
46029 +#endif
46030 +
46031 +#ifdef CONFIG_PAX_REFCOUNT
46032 +void pax_report_refcount_overflow(struct pt_regs *regs)
46033 +{
46034 + if (current->signal->curr_ip)
46035 + printk(KERN_ERR "PAX: From %pI4: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n",
46036 + &current->signal->curr_ip, current->comm, task_pid_nr(current), current_uid(), current_euid());
46037 + else
46038 + printk(KERN_ERR "PAX: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n",
46039 + current->comm, task_pid_nr(current), current_uid(), current_euid());
46040 + print_symbol(KERN_ERR "PAX: refcount overflow occured at: %s\n", instruction_pointer(regs));
46041 + show_regs(regs);
46042 + force_sig_info(SIGKILL, SEND_SIG_FORCED, current);
46043 +}
46044 +#endif
46045 +
46046 +#ifdef CONFIG_PAX_USERCOPY
46047 +/* 0: not at all, 1: fully, 2: fully inside frame, -1: partially (implies an error) */
46048 +int object_is_on_stack(const void *obj, unsigned long len)
46049 +{
46050 + const void * const stack = task_stack_page(current);
46051 + const void * const stackend = stack + THREAD_SIZE;
46052 +
46053 +#if defined(CONFIG_FRAME_POINTER) && defined(CONFIG_X86)
46054 + const void *frame = NULL;
46055 + const void *oldframe;
46056 +#endif
46057 +
46058 + if (obj + len < obj)
46059 + return -1;
46060 +
46061 + if (obj + len <= stack || stackend <= obj)
46062 + return 0;
46063 +
46064 + if (obj < stack || stackend < obj + len)
46065 + return -1;
46066 +
46067 +#if defined(CONFIG_FRAME_POINTER) && defined(CONFIG_X86)
46068 + oldframe = __builtin_frame_address(1);
46069 + if (oldframe)
46070 + frame = __builtin_frame_address(2);
46071 + /*
46072 + low ----------------------------------------------> high
46073 + [saved bp][saved ip][args][local vars][saved bp][saved ip]
46074 + ^----------------^
46075 + allow copies only within here
46076 + */
46077 + while (stack <= frame && frame < stackend) {
46078 + /* if obj + len extends past the last frame, this
46079 + check won't pass and the next frame will be 0,
46080 + causing us to bail out and correctly report
46081 + the copy as invalid
46082 + */
46083 + if (obj + len <= frame)
46084 + return obj >= oldframe + 2 * sizeof(void *) ? 2 : -1;
46085 + oldframe = frame;
46086 + frame = *(const void * const *)frame;
46087 + }
46088 + return -1;
46089 +#else
46090 + return 1;
46091 +#endif
46092 +}
46093 +
46094 +
46095 +NORET_TYPE void pax_report_usercopy(const void *ptr, unsigned long len, bool to, const char *type)
46096 +{
46097 + if (current->signal->curr_ip)
46098 + printk(KERN_ERR "PAX: From %pI4: kernel memory %s attempt detected %s %p (%s) (%lu bytes)\n",
46099 + &current->signal->curr_ip, to ? "leak" : "overwrite", to ? "from" : "to", ptr, type ? : "unknown", len);
46100 + else
46101 + printk(KERN_ERR "PAX: kernel memory %s attempt detected %s %p (%s) (%lu bytes)\n",
46102 + to ? "leak" : "overwrite", to ? "from" : "to", ptr, type ? : "unknown", len);
46103 + dump_stack();
46104 + gr_handle_kernel_exploit();
46105 + do_group_exit(SIGKILL);
46106 +}
46107 +#endif
46108 +
46109 +#ifdef CONFIG_PAX_MEMORY_STACKLEAK
46110 +void pax_track_stack(void)
46111 +{
46112 + unsigned long sp = (unsigned long)&sp;
46113 + if (sp < current_thread_info()->lowest_stack &&
46114 + sp > (unsigned long)task_stack_page(current))
46115 + current_thread_info()->lowest_stack = sp;
46116 +}
46117 +EXPORT_SYMBOL(pax_track_stack);
46118 +#endif
46119 +
46120 static int zap_process(struct task_struct *start, int exit_code)
46121 {
46122 struct task_struct *t;
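Review bot: In `object_is_on_stack()` the overflow test `if (obj + len < obj)` is done in arithmetic on `const void *`, where wrapping past the end of the address space is undefined in C, so the comparison can be folded away unless the build disables that optimisation. Doing it on integers, `if ((unsigned long)obj + len < (unsigned long)obj) return -1;`, makes the check independent of compiler flags, and the later `obj + len` comparisons can reuse the same integer values. Separately, the frame walk `frame = *(const void * const *)frame;` checks only that each saved frame pointer lies inside the stack, not that it moves toward higher addresses, so a corrupted chain that points back down is not obviously terminated. Adding `oldframe < frame` to the `while` condition would bound the loop.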
46123 @@ -1855,17 +2158,17 @@ static void wait_for_dump_helpers(struct
46124 pipe = file->f_path.dentry->d_inode->i_pipe;
46125
46126 pipe_lock(pipe);
46127 - pipe->readers++;
46128 - pipe->writers--;
46129 + atomic_inc(&pipe->readers);
46130 + atomic_dec(&pipe->writers);
46131
46132 - while ((pipe->readers > 1) && (!signal_pending(current))) {
46133 + while ((atomic_read(&pipe->readers) > 1) && (!signal_pending(current))) {
46134 wake_up_interruptible_sync(&pipe->wait);
46135 kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN);
46136 pipe_wait(pipe);
46137 }
46138
46139 - pipe->readers--;
46140 - pipe->writers++;
46141 + atomic_dec(&pipe->readers);
46142 + atomic_inc(&pipe->writers);
46143 pipe_unlock(pipe);
46144
46145 }
46146 @@ -1926,7 +2229,7 @@ void do_coredump(long signr, int exit_co
46147 int retval = 0;
46148 int flag = 0;
46149 int ispipe;
46150 - static atomic_t core_dump_count = ATOMIC_INIT(0);
46151 + static atomic_unchecked_t core_dump_count = ATOMIC_INIT(0);
46152 struct coredump_params cprm = {
46153 .signr = signr,
46154 .regs = regs,
46155 @@ -1941,6 +2244,9 @@ void do_coredump(long signr, int exit_co
46156
46157 audit_core_dumps(signr);
46158
46159 + if (signr == SIGSEGV || signr == SIGBUS || signr == SIGKILL || signr == SIGILL)
46160 + gr_handle_brute_attach(current, cprm.mm_flags);
46161 +
46162 binfmt = mm->binfmt;
46163 if (!binfmt || !binfmt->core_dump)
46164 goto fail;
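Review bot: `SIGKILL` in the new signal list is surprising next to `SIGSEGV`, `SIGBUS` and `SIGILL`, and nothing says why it is there. It appears to be included because `pax_report_fault()`, added earlier in this file, calls `do_coredump(SIGKILL, SIGKILL, regs)`. A comment such as `/* SIGKILL: tasks terminated by pax_report_fault() arrive here */` would keep a later cleanup from dropping it. The call also sits ahead of the `binfmt` check, so it runs even when no dump will be written. If that is deliberate, the same comment should say so. `do_coredump` starts and ends outside the hunk.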
46165 @@ -1981,6 +2287,8 @@ void do_coredump(long signr, int exit_co
46166 goto fail_corename;
46167 }
46168
46169 + gr_learn_resource(current, RLIMIT_CORE, binfmt->min_coredump, 1);
46170 +
46171 if (ispipe) {
46172 int dump_count;
46173 char **helper_argv;
46174 @@ -2008,7 +2316,7 @@ void do_coredump(long signr, int exit_co
46175 }
46176 cprm.limit = RLIM_INFINITY;
46177
46178 - dump_count = atomic_inc_return(&core_dump_count);
46179 + dump_count = atomic_inc_return_unchecked(&core_dump_count);
46180 if (core_pipe_limit && (core_pipe_limit < dump_count)) {
46181 printk(KERN_WARNING "Pid %d(%s) over core_pipe_limit\n",
46182 task_tgid_vnr(current), current->comm);
46183 @@ -2078,7 +2386,7 @@ close_fail:
46184 filp_close(cprm.file, NULL);
46185 fail_dropcount:
46186 if (ispipe)
46187 - atomic_dec(&core_dump_count);
46188 + atomic_dec_unchecked(&core_dump_count);
46189 fail_unlock:
46190 kfree(cn.corename);
46191 fail_corename:
46192 diff -urNp linux-2.6.39.3/fs/ext2/balloc.c linux-2.6.39.3/fs/ext2/balloc.c
46193 --- linux-2.6.39.3/fs/ext2/balloc.c 2011-05-19 00:06:34.000000000 -0400
46194 +++ linux-2.6.39.3/fs/ext2/balloc.c 2011-05-22 19:41:37.000000000 -0400
46195 @@ -1192,7 +1192,7 @@ static int ext2_has_free_blocks(struct e
46196
46197 free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter);
46198 root_blocks = le32_to_cpu(sbi->s_es->s_r_blocks_count);
46199 - if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) &&
46200 + if (free_blocks < root_blocks + 1 && !capable_nolog(CAP_SYS_RESOURCE) &&
46201 sbi->s_resuid != current_fsuid() &&
46202 (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) {
46203 return 0;
46204 diff -urNp linux-2.6.39.3/fs/ext3/balloc.c linux-2.6.39.3/fs/ext3/balloc.c
46205 --- linux-2.6.39.3/fs/ext3/balloc.c 2011-05-19 00:06:34.000000000 -0400
46206 +++ linux-2.6.39.3/fs/ext3/balloc.c 2011-05-22 19:41:37.000000000 -0400
46207 @@ -1441,7 +1441,7 @@ static int ext3_has_free_blocks(struct e
46208
46209 free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter);
46210 root_blocks = le32_to_cpu(sbi->s_es->s_r_blocks_count);
46211 - if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) &&
46212 + if (free_blocks < root_blocks + 1 && !capable_nolog(CAP_SYS_RESOURCE) &&
46213 sbi->s_resuid != current_fsuid() &&
46214 (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) {
46215 return 0;
46216 diff -urNp linux-2.6.39.3/fs/ext4/balloc.c linux-2.6.39.3/fs/ext4/balloc.c
46217 --- linux-2.6.39.3/fs/ext4/balloc.c 2011-05-19 00:06:34.000000000 -0400
46218 +++ linux-2.6.39.3/fs/ext4/balloc.c 2011-05-22 19:41:37.000000000 -0400
46219 @@ -522,7 +522,7 @@ static int ext4_has_free_blocks(struct e
46220 /* Hm, nope. Are (enough) root reserved blocks available? */
46221 if (sbi->s_resuid == current_fsuid() ||
46222 ((sbi->s_resgid != 0) && in_group_p(sbi->s_resgid)) ||
46223 - capable(CAP_SYS_RESOURCE)) {
46224 + capable_nolog(CAP_SYS_RESOURCE)) {
46225 if (free_blocks >= (nblocks + dirty_blocks))
46226 return 1;
46227 }
46228 diff -urNp linux-2.6.39.3/fs/ext4/ext4.h linux-2.6.39.3/fs/ext4/ext4.h
46229 --- linux-2.6.39.3/fs/ext4/ext4.h 2011-06-03 00:04:14.000000000 -0400
46230 +++ linux-2.6.39.3/fs/ext4/ext4.h 2011-06-03 00:32:07.000000000 -0400
46231 @@ -1166,19 +1166,19 @@ struct ext4_sb_info {
46232 unsigned long s_mb_last_start;
46233
46234 /* stats for buddy allocator */
46235 - atomic_t s_bal_reqs; /* number of reqs with len > 1 */
46236 - atomic_t s_bal_success; /* we found long enough chunks */
46237 - atomic_t s_bal_allocated; /* in blocks */
46238 - atomic_t s_bal_ex_scanned; /* total extents scanned */
46239 - atomic_t s_bal_goals; /* goal hits */
46240 - atomic_t s_bal_breaks; /* too long searches */
46241 - atomic_t s_bal_2orders; /* 2^order hits */
46242 + atomic_unchecked_t s_bal_reqs; /* number of reqs with len > 1 */
46243 + atomic_unchecked_t s_bal_success; /* we found long enough chunks */
46244 + atomic_unchecked_t s_bal_allocated; /* in blocks */
46245 + atomic_unchecked_t s_bal_ex_scanned; /* total extents scanned */
46246 + atomic_unchecked_t s_bal_goals; /* goal hits */
46247 + atomic_unchecked_t s_bal_breaks; /* too long searches */
46248 + atomic_unchecked_t s_bal_2orders; /* 2^order hits */
46249 spinlock_t s_bal_lock;
46250 unsigned long s_mb_buddies_generated;
46251 unsigned long long s_mb_generation_time;
46252 - atomic_t s_mb_lost_chunks;
46253 - atomic_t s_mb_preallocated;
46254 - atomic_t s_mb_discarded;
46255 + atomic_unchecked_t s_mb_lost_chunks;
46256 + atomic_unchecked_t s_mb_preallocated;
46257 + atomic_unchecked_t s_mb_discarded;
46258 atomic_t s_lock_busy;
46259
46260 /* locality groups */
46261 diff -urNp linux-2.6.39.3/fs/ext4/mballoc.c linux-2.6.39.3/fs/ext4/mballoc.c
46262 --- linux-2.6.39.3/fs/ext4/mballoc.c 2011-06-03 00:04:14.000000000 -0400
46263 +++ linux-2.6.39.3/fs/ext4/mballoc.c 2011-06-03 00:32:07.000000000 -0400
46264 @@ -1853,7 +1853,7 @@ void ext4_mb_simple_scan_group(struct ex
46265 BUG_ON(ac->ac_b_ex.fe_len != ac->ac_g_ex.fe_len);
46266
46267 if (EXT4_SB(sb)->s_mb_stats)
46268 - atomic_inc(&EXT4_SB(sb)->s_bal_2orders);
46269 + atomic_inc_unchecked(&EXT4_SB(sb)->s_bal_2orders);
46270
46271 break;
46272 }
46273 @@ -2147,7 +2147,7 @@ repeat:
46274 ac->ac_status = AC_STATUS_CONTINUE;
46275 ac->ac_flags |= EXT4_MB_HINT_FIRST;
46276 cr = 3;
46277 - atomic_inc(&sbi->s_mb_lost_chunks);
46278 + atomic_inc_unchecked(&sbi->s_mb_lost_chunks);
46279 goto repeat;
46280 }
46281 }
46282 @@ -2190,6 +2190,8 @@ static int ext4_mb_seq_groups_show(struc
46283 ext4_grpblk_t counters[16];
46284 } sg;
46285
46286 + pax_track_stack();
46287 +
46288 group--;
46289 if (group == 0)
46290 seq_printf(seq, "#%-5s: %-5s %-5s %-5s "
46291 @@ -2613,25 +2615,25 @@ int ext4_mb_release(struct super_block *
46292 if (sbi->s_mb_stats) {
46293 printk(KERN_INFO
46294 "EXT4-fs: mballoc: %u blocks %u reqs (%u success)\n",
46295 - atomic_read(&sbi->s_bal_allocated),
46296 - atomic_read(&sbi->s_bal_reqs),
46297 - atomic_read(&sbi->s_bal_success));
46298 + atomic_read_unchecked(&sbi->s_bal_allocated),
46299 + atomic_read_unchecked(&sbi->s_bal_reqs),
46300 + atomic_read_unchecked(&sbi->s_bal_success));
46301 printk(KERN_INFO
46302 "EXT4-fs: mballoc: %u extents scanned, %u goal hits, "
46303 "%u 2^N hits, %u breaks, %u lost\n",
46304 - atomic_read(&sbi->s_bal_ex_scanned),
46305 - atomic_read(&sbi->s_bal_goals),
46306 - atomic_read(&sbi->s_bal_2orders),
46307 - atomic_read(&sbi->s_bal_breaks),
46308 - atomic_read(&sbi->s_mb_lost_chunks));
46309 + atomic_read_unchecked(&sbi->s_bal_ex_scanned),
46310 + atomic_read_unchecked(&sbi->s_bal_goals),
46311 + atomic_read_unchecked(&sbi->s_bal_2orders),
46312 + atomic_read_unchecked(&sbi->s_bal_breaks),
46313 + atomic_read_unchecked(&sbi->s_mb_lost_chunks));
46314 printk(KERN_INFO
46315 "EXT4-fs: mballoc: %lu generated and it took %Lu\n",
46316 sbi->s_mb_buddies_generated++,
46317 sbi->s_mb_generation_time);
46318 printk(KERN_INFO
46319 "EXT4-fs: mballoc: %u preallocated, %u discarded\n",
46320 - atomic_read(&sbi->s_mb_preallocated),
46321 - atomic_read(&sbi->s_mb_discarded));
46322 + atomic_read_unchecked(&sbi->s_mb_preallocated),
46323 + atomic_read_unchecked(&sbi->s_mb_discarded));
46324 }
46325
46326 free_percpu(sbi->s_locality_groups);
46327 @@ -3107,16 +3109,16 @@ static void ext4_mb_collect_stats(struct
46328 struct ext4_sb_info *sbi = EXT4_SB(ac->ac_sb);
46329
46330 if (sbi->s_mb_stats && ac->ac_g_ex.fe_len > 1) {
46331 - atomic_inc(&sbi->s_bal_reqs);
46332 - atomic_add(ac->ac_b_ex.fe_len, &sbi->s_bal_allocated);
46333 + atomic_inc_unchecked(&sbi->s_bal_reqs);
46334 + atomic_add_unchecked(ac->ac_b_ex.fe_len, &sbi->s_bal_allocated);
46335 if (ac->ac_b_ex.fe_len >= ac->ac_o_ex.fe_len)
46336 - atomic_inc(&sbi->s_bal_success);
46337 - atomic_add(ac->ac_found, &sbi->s_bal_ex_scanned);
46338 + atomic_inc_unchecked(&sbi->s_bal_success);
46339 + atomic_add_unchecked(ac->ac_found, &sbi->s_bal_ex_scanned);
46340 if (ac->ac_g_ex.fe_start == ac->ac_b_ex.fe_start &&
46341 ac->ac_g_ex.fe_group == ac->ac_b_ex.fe_group)
46342 - atomic_inc(&sbi->s_bal_goals);
46343 + atomic_inc_unchecked(&sbi->s_bal_goals);
46344 if (ac->ac_found > sbi->s_mb_max_to_scan)
46345 - atomic_inc(&sbi->s_bal_breaks);
46346 + atomic_inc_unchecked(&sbi->s_bal_breaks);
46347 }
46348
46349 if (ac->ac_op == EXT4_MB_HISTORY_ALLOC)
46350 @@ -3514,7 +3516,7 @@ ext4_mb_new_inode_pa(struct ext4_allocat
46351 trace_ext4_mb_new_inode_pa(ac, pa);
46352
46353 ext4_mb_use_inode_pa(ac, pa);
46354 - atomic_add(pa->pa_free, &EXT4_SB(sb)->s_mb_preallocated);
46355 + atomic_add_unchecked(pa->pa_free, &EXT4_SB(sb)->s_mb_preallocated);
46356
46357 ei = EXT4_I(ac->ac_inode);
46358 grp = ext4_get_group_info(sb, ac->ac_b_ex.fe_group);
46359 @@ -3574,7 +3576,7 @@ ext4_mb_new_group_pa(struct ext4_allocat
46360 trace_ext4_mb_new_group_pa(ac, pa);
46361
46362 ext4_mb_use_group_pa(ac, pa);
46363 - atomic_add(pa->pa_free, &EXT4_SB(sb)->s_mb_preallocated);
46364 + atomic_add_unchecked(pa->pa_free, &EXT4_SB(sb)->s_mb_preallocated);
46365
46366 grp = ext4_get_group_info(sb, ac->ac_b_ex.fe_group);
46367 lg = ac->ac_lg;
46368 @@ -3661,7 +3663,7 @@ ext4_mb_release_inode_pa(struct ext4_bud
46369 * from the bitmap and continue.
46370 */
46371 }
46372 - atomic_add(free, &sbi->s_mb_discarded);
46373 + atomic_add_unchecked(free, &sbi->s_mb_discarded);
46374
46375 return err;
46376 }
46377 @@ -3679,7 +3681,7 @@ ext4_mb_release_group_pa(struct ext4_bud
46378 ext4_get_group_no_and_offset(sb, pa->pa_pstart, &group, &bit);
46379 BUG_ON(group != e4b->bd_group && pa->pa_len != 0);
46380 mb_free_blocks(pa->pa_inode, e4b, bit, pa->pa_len);
46381 - atomic_add(pa->pa_len, &EXT4_SB(sb)->s_mb_discarded);
46382 + atomic_add_unchecked(pa->pa_len, &EXT4_SB(sb)->s_mb_discarded);
46383 trace_ext4_mballoc_discard(sb, NULL, group, bit, pa->pa_len);
46384
46385 return 0;
46386 diff -urNp linux-2.6.39.3/fs/fcntl.c linux-2.6.39.3/fs/fcntl.c
46387 --- linux-2.6.39.3/fs/fcntl.c 2011-05-19 00:06:34.000000000 -0400
46388 +++ linux-2.6.39.3/fs/fcntl.c 2011-05-22 20:45:50.000000000 -0400
46389 @@ -224,6 +224,11 @@ int __f_setown(struct file *filp, struct
46390 if (err)
46391 return err;
46392
46393 + if (gr_handle_chroot_fowner(pid, type))
46394 + return -ENOENT;
46395 + if (gr_check_protected_task_fowner(pid, type))
46396 + return -EACCES;
46397 +
46398 f_modown(filp, pid, type, force);
46399 return 0;
46400 }
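Review bot: The two checks added before `f_modown()` return different errnos, and nothing in the hunk says why. Presumably `-ENOENT` makes a target outside the caller's chroot look nonexistent, while `-EACCES` marks a denial for a protected task; this is inferred from the helper names, since neither helper is visible here. A comment above the pair would record that, e.g. `/* grsec: fowner targets outside the caller's chroot are reported as ENOENT, protected tasks as EACCES */`. `__f_setown()` begins outside this hunk, so whether every caller propagates the new return values cannot be confirmed from here.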
46401 @@ -348,6 +353,7 @@ static long do_fcntl(int fd, unsigned in
46402 switch (cmd) {
46403 case F_DUPFD:
46404 case F_DUPFD_CLOEXEC:
46405 + gr_learn_resource(current, RLIMIT_NOFILE, arg, 0);
46406 if (arg >= rlimit(RLIMIT_NOFILE))
46407 break;
46408 err = alloc_fd(arg, cmd == F_DUPFD_CLOEXEC ? O_CLOEXEC : 0);
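Review bot: `gr_learn_resource(current, RLIMIT_NOFILE, arg, 0)` receives the caller-supplied `arg` before the `arg >= rlimit(RLIMIT_NOFILE)` test, so requests that are about to be rejected are passed to it as well. If that is intended (recording what was asked for rather than what was granted; inferred, as the helper is not visible here), a comment should say so, e.g. `/* record the requested fd number for policy learning, even when it exceeds the current limit */`. The meaning of the trailing `0` should be documented too. The same undocumented call is added ahead of the limit test in the `expand_files()` hunk of fs/file.c.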
46409 @@ -835,14 +841,14 @@ static int __init fcntl_init(void)
46410 * Exceptions: O_NONBLOCK is a two bit define on parisc; O_NDELAY
46411 * is defined as O_NONBLOCK on some platforms and not on others.
46412 */
46413 - BUILD_BUG_ON(19 - 1 /* for O_RDONLY being 0 */ != HWEIGHT32(
46414 + BUILD_BUG_ON(20 - 1 /* for O_RDONLY being 0 */ != HWEIGHT32(
46415 O_RDONLY | O_WRONLY | O_RDWR |
46416 O_CREAT | O_EXCL | O_NOCTTY |
46417 O_TRUNC | O_APPEND | /* O_NONBLOCK | */
46418 __O_SYNC | O_DSYNC | FASYNC |
46419 O_DIRECT | O_LARGEFILE | O_DIRECTORY |
46420 O_NOFOLLOW | O_NOATIME | O_CLOEXEC |
46421 - __FMODE_EXEC | O_PATH
46422 + __FMODE_EXEC | O_PATH | FMODE_GREXEC
46423 ));
46424
46425 fasync_cache = kmem_cache_create("fasync_cache",
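Review bot: The bit count in `BUILD_BUG_ON` goes from 19 to 20 for `FMODE_GREXEC`, but the comment above the assertion still describes only the `O_NONBLOCK`/`O_NDELAY` exceptions. `FMODE_GREXEC` is named like a file-mode flag rather than an open flag, so a line next to it would help, e.g. `/* FMODE_GREXEC is counted so that a clash with any open flag breaks the build */`. Without it, the magic number is hard to reconcile when a further flag is added to the list. `fcntl_init()` starts outside this hunk.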
46426 diff -urNp linux-2.6.39.3/fs/fifo.c linux-2.6.39.3/fs/fifo.c
46427 --- linux-2.6.39.3/fs/fifo.c 2011-05-19 00:06:34.000000000 -0400
46428 +++ linux-2.6.39.3/fs/fifo.c 2011-05-22 19:36:32.000000000 -0400
46429 @@ -58,10 +58,10 @@ static int fifo_open(struct inode *inode
46430 */
46431 filp->f_op = &read_pipefifo_fops;
46432 pipe->r_counter++;
46433 - if (pipe->readers++ == 0)
46434 + if (atomic_inc_return(&pipe->readers) == 1)
46435 wake_up_partner(inode);
46436
46437 - if (!pipe->writers) {
46438 + if (!atomic_read(&pipe->writers)) {
46439 if ((filp->f_flags & O_NONBLOCK)) {
46440 /* suppress POLLHUP until we have
46441 * seen a writer */
46442 @@ -81,15 +81,15 @@ static int fifo_open(struct inode *inode
46443 * errno=ENXIO when there is no process reading the FIFO.
46444 */
46445 ret = -ENXIO;
46446 - if ((filp->f_flags & O_NONBLOCK) && !pipe->readers)
46447 + if ((filp->f_flags & O_NONBLOCK) && !atomic_read(&pipe->readers))
46448 goto err;
46449
46450 filp->f_op = &write_pipefifo_fops;
46451 pipe->w_counter++;
46452 - if (!pipe->writers++)
46453 + if (atomic_inc_return(&pipe->writers) == 1)
46454 wake_up_partner(inode);
46455
46456 - if (!pipe->readers) {
46457 + if (!atomic_read(&pipe->readers)) {
46458 wait_for_partner(inode, &pipe->r_counter);
46459 if (signal_pending(current))
46460 goto err_wr;
46461 @@ -105,11 +105,11 @@ static int fifo_open(struct inode *inode
46462 */
46463 filp->f_op = &rdwr_pipefifo_fops;
46464
46465 - pipe->readers++;
46466 - pipe->writers++;
46467 + atomic_inc(&pipe->readers);
46468 + atomic_inc(&pipe->writers);
46469 pipe->r_counter++;
46470 pipe->w_counter++;
46471 - if (pipe->readers == 1 || pipe->writers == 1)
46472 + if (atomic_read(&pipe->readers) == 1 || atomic_read(&pipe->writers) == 1)
46473 wake_up_partner(inode);
46474 break;
46475
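Review bot: In the read/write open branch the counters are bumped with `atomic_inc()` and then re-read with `atomic_read()`, whereas the read-only and write-only branches test the value returned by `atomic_inc_return()`. The increment and the test are separate operations here, so the `== 1` comparison is only reliable if opens are serialised, presumably by a lock taken earlier in `fifo_open()`, which is outside this hunk. For consistency, capture the results with `int r = atomic_inc_return(&pipe->readers);` and `int w = atomic_inc_return(&pipe->writers);`, then test `if (r == 1 || w == 1)`. The paired `atomic_read()` calls at the `err:` label in the next hunk depend on the same serialisation, and a comment there saying so would help.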
46476 @@ -123,19 +123,19 @@ static int fifo_open(struct inode *inode
46477 return 0;
46478
46479 err_rd:
46480 - if (!--pipe->readers)
46481 + if (atomic_dec_and_test(&pipe->readers))
46482 wake_up_interruptible(&pipe->wait);
46483 ret = -ERESTARTSYS;
46484 goto err;
46485
46486 err_wr:
46487 - if (!--pipe->writers)
46488 + if (atomic_dec_and_test(&pipe->writers))
46489 wake_up_interruptible(&pipe->wait);
46490 ret = -ERESTARTSYS;
46491 goto err;
46492
46493 err:
46494 - if (!pipe->readers && !pipe->writers)
46495 + if (!atomic_read(&pipe->readers) && !atomic_read(&pipe->writers))
46496 free_pipe_info(inode);
46497
46498 err_nocleanup:
46499 diff -urNp linux-2.6.39.3/fs/file.c linux-2.6.39.3/fs/file.c
46500 --- linux-2.6.39.3/fs/file.c 2011-05-19 00:06:34.000000000 -0400
46501 +++ linux-2.6.39.3/fs/file.c 2011-05-22 19:41:37.000000000 -0400
46502 @@ -15,6 +15,7 @@
46503 #include <linux/slab.h>
46504 #include <linux/vmalloc.h>
46505 #include <linux/file.h>
46506 +#include <linux/security.h>
46507 #include <linux/fdtable.h>
46508 #include <linux/bitops.h>
46509 #include <linux/interrupt.h>
46510 @@ -254,6 +255,7 @@ int expand_files(struct files_struct *fi
46511 * N.B. For clone tasks sharing a files structure, this test
46512 * will limit the total number of files that can be opened.
46513 */
46514 + gr_learn_resource(current, RLIMIT_NOFILE, nr, 0);
46515 if (nr >= rlimit(RLIMIT_NOFILE))
46516 return -EMFILE;
46517
46518 diff -urNp linux-2.6.39.3/fs/filesystems.c linux-2.6.39.3/fs/filesystems.c
46519 --- linux-2.6.39.3/fs/filesystems.c 2011-05-19 00:06:34.000000000 -0400
46520 +++ linux-2.6.39.3/fs/filesystems.c 2011-05-22 19:41:37.000000000 -0400
46521 @@ -274,7 +274,12 @@ struct file_system_type *get_fs_type(con
46522 int len = dot ? dot - name : strlen(name);
46523
46524 fs = __get_fs_type(name, len);
46525 +
46526 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
46527 + if (!fs && (___request_module(true, "grsec_modharden_fs", "%.*s", len, name) == 0))
46528 +#else
46529 if (!fs && (request_module("%.*s", len, name) == 0))
46530 +#endif
46531 fs = __get_fs_type(name, len);
46532
46533 if (dot && fs && !(fs->fs_flags & FS_HAS_SUBTYPE)) {
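Review bot: The `#ifdef CONFIG_GRKERNSEC_MODHARDEN` / `#else` pair swaps the `if` header while the guarded statement `fs = __get_fs_type(name, len);` sits after `#endif`, so the control flow can only be read by expanding the preprocessor mentally. Storing the module-request result in a local first keeps a single `if` and makes it obvious that both variants share the retry. The format stays the literal `"%.*s"` in both variants, which keeps `name` from being interpreted as a format string; that property should be preserved in any rewrite. `get_fs_type()` starts before and ends after this hunk.

```c
	fs = __get_fs_type(name, len);
	if (!fs) {
		int rc;

#ifdef CONFIG_GRKERNSEC_MODHARDEN
		rc = ___request_module(true, "grsec_modharden_fs", "%.*s", len, name);
#else
		rc = request_module("%.*s", len, name);
#endif
		/* retry the lookup only when the module request succeeded */
		if (rc == 0)
			fs = __get_fs_type(name, len);
	}
	/* … unchanged: subtype check on dot/fs … */
```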
46534 diff -urNp linux-2.6.39.3/fs/fscache/cookie.c linux-2.6.39.3/fs/fscache/cookie.c
46535 --- linux-2.6.39.3/fs/fscache/cookie.c 2011-05-19 00:06:34.000000000 -0400
46536 +++ linux-2.6.39.3/fs/fscache/cookie.c 2011-05-22 19:36:32.000000000 -0400
46537 @@ -68,11 +68,11 @@ struct fscache_cookie *__fscache_acquire
46538 parent ? (char *) parent->def->name : "<no-parent>",
46539 def->name, netfs_data);
46540
46541 - fscache_stat(&fscache_n_acquires);
46542 + fscache_stat_unchecked(&fscache_n_acquires);
46543
46544 /* if there's no parent cookie, then we don't create one here either */
46545 if (!parent) {
46546 - fscache_stat(&fscache_n_acquires_null);
46547 + fscache_stat_unchecked(&fscache_n_acquires_null);
46548 _leave(" [no parent]");
46549 return NULL;
46550 }
46551 @@ -87,7 +87,7 @@ struct fscache_cookie *__fscache_acquire
46552 /* allocate and initialise a cookie */
46553 cookie = kmem_cache_alloc(fscache_cookie_jar, GFP_KERNEL);
46554 if (!cookie) {
46555 - fscache_stat(&fscache_n_acquires_oom);
46556 + fscache_stat_unchecked(&fscache_n_acquires_oom);
46557 _leave(" [ENOMEM]");
46558 return NULL;
46559 }
46560 @@ -109,13 +109,13 @@ struct fscache_cookie *__fscache_acquire
46561
46562 switch (cookie->def->type) {
46563 case FSCACHE_COOKIE_TYPE_INDEX:
46564 - fscache_stat(&fscache_n_cookie_index);
46565 + fscache_stat_unchecked(&fscache_n_cookie_index);
46566 break;
46567 case FSCACHE_COOKIE_TYPE_DATAFILE:
46568 - fscache_stat(&fscache_n_cookie_data);
46569 + fscache_stat_unchecked(&fscache_n_cookie_data);
46570 break;
46571 default:
46572 - fscache_stat(&fscache_n_cookie_special);
46573 + fscache_stat_unchecked(&fscache_n_cookie_special);
46574 break;
46575 }
46576
46577 @@ -126,13 +126,13 @@ struct fscache_cookie *__fscache_acquire
46578 if (fscache_acquire_non_index_cookie(cookie) < 0) {
46579 atomic_dec(&parent->n_children);
46580 __fscache_cookie_put(cookie);
46581 - fscache_stat(&fscache_n_acquires_nobufs);
46582 + fscache_stat_unchecked(&fscache_n_acquires_nobufs);
46583 _leave(" = NULL");
46584 return NULL;
46585 }
46586 }
46587
46588 - fscache_stat(&fscache_n_acquires_ok);
46589 + fscache_stat_unchecked(&fscache_n_acquires_ok);
46590 _leave(" = %p", cookie);
46591 return cookie;
46592 }
46593 @@ -168,7 +168,7 @@ static int fscache_acquire_non_index_coo
46594 cache = fscache_select_cache_for_object(cookie->parent);
46595 if (!cache) {
46596 up_read(&fscache_addremove_sem);
46597 - fscache_stat(&fscache_n_acquires_no_cache);
46598 + fscache_stat_unchecked(&fscache_n_acquires_no_cache);
46599 _leave(" = -ENOMEDIUM [no cache]");
46600 return -ENOMEDIUM;
46601 }
46602 @@ -256,12 +256,12 @@ static int fscache_alloc_object(struct f
46603 object = cache->ops->alloc_object(cache, cookie);
46604 fscache_stat_d(&fscache_n_cop_alloc_object);
46605 if (IS_ERR(object)) {
46606 - fscache_stat(&fscache_n_object_no_alloc);
46607 + fscache_stat_unchecked(&fscache_n_object_no_alloc);
46608 ret = PTR_ERR(object);
46609 goto error;
46610 }
46611
46612 - fscache_stat(&fscache_n_object_alloc);
46613 + fscache_stat_unchecked(&fscache_n_object_alloc);
46614
46615 object->debug_id = atomic_inc_return(&fscache_object_debug_id);
46616
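Review bot: `fscache_object_debug_id` is still advanced with the checked `atomic_inc_return()` on the unchanged line at the end of this hunk, while its operation counterpart `fscache_op_debug_id` becomes `atomic_unchecked_t` in fs/fscache/operation.c. Both look like wrapping identifiers for debug output rather than reference counts (inferred from the names and the `debug_id` field), so they should probably be treated alike. If overflow detection applies to the checked type, a long-running system could trip it on a harmless wrap. Either convert this one too, `object->debug_id = atomic_inc_return_unchecked(&fscache_object_debug_id);` together with its declaration, or add a comment explaining why it stays checked. `fscache_alloc_object()` continues outside the hunk.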
46617 @@ -377,10 +377,10 @@ void __fscache_update_cookie(struct fsca
46618 struct fscache_object *object;
46619 struct hlist_node *_p;
46620
46621 - fscache_stat(&fscache_n_updates);
46622 + fscache_stat_unchecked(&fscache_n_updates);
46623
46624 if (!cookie) {
46625 - fscache_stat(&fscache_n_updates_null);
46626 + fscache_stat_unchecked(&fscache_n_updates_null);
46627 _leave(" [no cookie]");
46628 return;
46629 }
46630 @@ -414,12 +414,12 @@ void __fscache_relinquish_cookie(struct
46631 struct fscache_object *object;
46632 unsigned long event;
46633
46634 - fscache_stat(&fscache_n_relinquishes);
46635 + fscache_stat_unchecked(&fscache_n_relinquishes);
46636 if (retire)
46637 - fscache_stat(&fscache_n_relinquishes_retire);
46638 + fscache_stat_unchecked(&fscache_n_relinquishes_retire);
46639
46640 if (!cookie) {
46641 - fscache_stat(&fscache_n_relinquishes_null);
46642 + fscache_stat_unchecked(&fscache_n_relinquishes_null);
46643 _leave(" [no cookie]");
46644 return;
46645 }
46646 @@ -435,7 +435,7 @@ void __fscache_relinquish_cookie(struct
46647
46648 /* wait for the cookie to finish being instantiated (or to fail) */
46649 if (test_bit(FSCACHE_COOKIE_CREATING, &cookie->flags)) {
46650 - fscache_stat(&fscache_n_relinquishes_waitcrt);
46651 + fscache_stat_unchecked(&fscache_n_relinquishes_waitcrt);
46652 wait_on_bit(&cookie->flags, FSCACHE_COOKIE_CREATING,
46653 fscache_wait_bit, TASK_UNINTERRUPTIBLE);
46654 }
46655 diff -urNp linux-2.6.39.3/fs/fscache/internal.h linux-2.6.39.3/fs/fscache/internal.h
46656 --- linux-2.6.39.3/fs/fscache/internal.h 2011-05-19 00:06:34.000000000 -0400
46657 +++ linux-2.6.39.3/fs/fscache/internal.h 2011-05-22 19:36:32.000000000 -0400
46658 @@ -144,94 +144,94 @@ extern void fscache_proc_cleanup(void);
46659 extern atomic_t fscache_n_ops_processed[FSCACHE_MAX_THREADS];
46660 extern atomic_t fscache_n_objs_processed[FSCACHE_MAX_THREADS];
46661
46662 -extern atomic_t fscache_n_op_pend;
46663 -extern atomic_t fscache_n_op_run;
46664 -extern atomic_t fscache_n_op_enqueue;
46665 -extern atomic_t fscache_n_op_deferred_release;
46666 -extern atomic_t fscache_n_op_release;
46667 -extern atomic_t fscache_n_op_gc;
46668 -extern atomic_t fscache_n_op_cancelled;
46669 -extern atomic_t fscache_n_op_rejected;
46670 -
46671 -extern atomic_t fscache_n_attr_changed;
46672 -extern atomic_t fscache_n_attr_changed_ok;
46673 -extern atomic_t fscache_n_attr_changed_nobufs;
46674 -extern atomic_t fscache_n_attr_changed_nomem;
46675 -extern atomic_t fscache_n_attr_changed_calls;
46676 -
46677 -extern atomic_t fscache_n_allocs;
46678 -extern atomic_t fscache_n_allocs_ok;
46679 -extern atomic_t fscache_n_allocs_wait;
46680 -extern atomic_t fscache_n_allocs_nobufs;
46681 -extern atomic_t fscache_n_allocs_intr;
46682 -extern atomic_t fscache_n_allocs_object_dead;
46683 -extern atomic_t fscache_n_alloc_ops;
46684 -extern atomic_t fscache_n_alloc_op_waits;
46685 -
46686 -extern atomic_t fscache_n_retrievals;
46687 -extern atomic_t fscache_n_retrievals_ok;
46688 -extern atomic_t fscache_n_retrievals_wait;
46689 -extern atomic_t fscache_n_retrievals_nodata;
46690 -extern atomic_t fscache_n_retrievals_nobufs;
46691 -extern atomic_t fscache_n_retrievals_intr;
46692 -extern atomic_t fscache_n_retrievals_nomem;
46693 -extern atomic_t fscache_n_retrievals_object_dead;
46694 -extern atomic_t fscache_n_retrieval_ops;
46695 -extern atomic_t fscache_n_retrieval_op_waits;
46696 -
46697 -extern atomic_t fscache_n_stores;
46698 -extern atomic_t fscache_n_stores_ok;
46699 -extern atomic_t fscache_n_stores_again;
46700 -extern atomic_t fscache_n_stores_nobufs;
46701 -extern atomic_t fscache_n_stores_oom;
46702 -extern atomic_t fscache_n_store_ops;
46703 -extern atomic_t fscache_n_store_calls;
46704 -extern atomic_t fscache_n_store_pages;
46705 -extern atomic_t fscache_n_store_radix_deletes;
46706 -extern atomic_t fscache_n_store_pages_over_limit;
46707 -
46708 -extern atomic_t fscache_n_store_vmscan_not_storing;
46709 -extern atomic_t fscache_n_store_vmscan_gone;
46710 -extern atomic_t fscache_n_store_vmscan_busy;
46711 -extern atomic_t fscache_n_store_vmscan_cancelled;
46712 -
46713 -extern atomic_t fscache_n_marks;
46714 -extern atomic_t fscache_n_uncaches;
46715 -
46716 -extern atomic_t fscache_n_acquires;
46717 -extern atomic_t fscache_n_acquires_null;
46718 -extern atomic_t fscache_n_acquires_no_cache;
46719 -extern atomic_t fscache_n_acquires_ok;
46720 -extern atomic_t fscache_n_acquires_nobufs;
46721 -extern atomic_t fscache_n_acquires_oom;
46722 -
46723 -extern atomic_t fscache_n_updates;
46724 -extern atomic_t fscache_n_updates_null;
46725 -extern atomic_t fscache_n_updates_run;
46726 -
46727 -extern atomic_t fscache_n_relinquishes;
46728 -extern atomic_t fscache_n_relinquishes_null;
46729 -extern atomic_t fscache_n_relinquishes_waitcrt;
46730 -extern atomic_t fscache_n_relinquishes_retire;
46731 -
46732 -extern atomic_t fscache_n_cookie_index;
46733 -extern atomic_t fscache_n_cookie_data;
46734 -extern atomic_t fscache_n_cookie_special;
46735 -
46736 -extern atomic_t fscache_n_object_alloc;
46737 -extern atomic_t fscache_n_object_no_alloc;
46738 -extern atomic_t fscache_n_object_lookups;
46739 -extern atomic_t fscache_n_object_lookups_negative;
46740 -extern atomic_t fscache_n_object_lookups_positive;
46741 -extern atomic_t fscache_n_object_lookups_timed_out;
46742 -extern atomic_t fscache_n_object_created;
46743 -extern atomic_t fscache_n_object_avail;
46744 -extern atomic_t fscache_n_object_dead;
46745 -
46746 -extern atomic_t fscache_n_checkaux_none;
46747 -extern atomic_t fscache_n_checkaux_okay;
46748 -extern atomic_t fscache_n_checkaux_update;
46749 -extern atomic_t fscache_n_checkaux_obsolete;
46750 +extern atomic_unchecked_t fscache_n_op_pend;
46751 +extern atomic_unchecked_t fscache_n_op_run;
46752 +extern atomic_unchecked_t fscache_n_op_enqueue;
46753 +extern atomic_unchecked_t fscache_n_op_deferred_release;
46754 +extern atomic_unchecked_t fscache_n_op_release;
46755 +extern atomic_unchecked_t fscache_n_op_gc;
46756 +extern atomic_unchecked_t fscache_n_op_cancelled;
46757 +extern atomic_unchecked_t fscache_n_op_rejected;
46758 +
46759 +extern atomic_unchecked_t fscache_n_attr_changed;
46760 +extern atomic_unchecked_t fscache_n_attr_changed_ok;
46761 +extern atomic_unchecked_t fscache_n_attr_changed_nobufs;
46762 +extern atomic_unchecked_t fscache_n_attr_changed_nomem;
46763 +extern atomic_unchecked_t fscache_n_attr_changed_calls;
46764 +
46765 +extern atomic_unchecked_t fscache_n_allocs;
46766 +extern atomic_unchecked_t fscache_n_allocs_ok;
46767 +extern atomic_unchecked_t fscache_n_allocs_wait;
46768 +extern atomic_unchecked_t fscache_n_allocs_nobufs;
46769 +extern atomic_unchecked_t fscache_n_allocs_intr;
46770 +extern atomic_unchecked_t fscache_n_allocs_object_dead;
46771 +extern atomic_unchecked_t fscache_n_alloc_ops;
46772 +extern atomic_unchecked_t fscache_n_alloc_op_waits;
46773 +
46774 +extern atomic_unchecked_t fscache_n_retrievals;
46775 +extern atomic_unchecked_t fscache_n_retrievals_ok;
46776 +extern atomic_unchecked_t fscache_n_retrievals_wait;
46777 +extern atomic_unchecked_t fscache_n_retrievals_nodata;
46778 +extern atomic_unchecked_t fscache_n_retrievals_nobufs;
46779 +extern atomic_unchecked_t fscache_n_retrievals_intr;
46780 +extern atomic_unchecked_t fscache_n_retrievals_nomem;
46781 +extern atomic_unchecked_t fscache_n_retrievals_object_dead;
46782 +extern atomic_unchecked_t fscache_n_retrieval_ops;
46783 +extern atomic_unchecked_t fscache_n_retrieval_op_waits;
46784 +
46785 +extern atomic_unchecked_t fscache_n_stores;
46786 +extern atomic_unchecked_t fscache_n_stores_ok;
46787 +extern atomic_unchecked_t fscache_n_stores_again;
46788 +extern atomic_unchecked_t fscache_n_stores_nobufs;
46789 +extern atomic_unchecked_t fscache_n_stores_oom;
46790 +extern atomic_unchecked_t fscache_n_store_ops;
46791 +extern atomic_unchecked_t fscache_n_store_calls;
46792 +extern atomic_unchecked_t fscache_n_store_pages;
46793 +extern atomic_unchecked_t fscache_n_store_radix_deletes;
46794 +extern atomic_unchecked_t fscache_n_store_pages_over_limit;
46795 +
46796 +extern atomic_unchecked_t fscache_n_store_vmscan_not_storing;
46797 +extern atomic_unchecked_t fscache_n_store_vmscan_gone;
46798 +extern atomic_unchecked_t fscache_n_store_vmscan_busy;
46799 +extern atomic_unchecked_t fscache_n_store_vmscan_cancelled;
46800 +
46801 +extern atomic_unchecked_t fscache_n_marks;
46802 +extern atomic_unchecked_t fscache_n_uncaches;
46803 +
46804 +extern atomic_unchecked_t fscache_n_acquires;
46805 +extern atomic_unchecked_t fscache_n_acquires_null;
46806 +extern atomic_unchecked_t fscache_n_acquires_no_cache;
46807 +extern atomic_unchecked_t fscache_n_acquires_ok;
46808 +extern atomic_unchecked_t fscache_n_acquires_nobufs;
46809 +extern atomic_unchecked_t fscache_n_acquires_oom;
46810 +
46811 +extern atomic_unchecked_t fscache_n_updates;
46812 +extern atomic_unchecked_t fscache_n_updates_null;
46813 +extern atomic_unchecked_t fscache_n_updates_run;
46814 +
46815 +extern atomic_unchecked_t fscache_n_relinquishes;
46816 +extern atomic_unchecked_t fscache_n_relinquishes_null;
46817 +extern atomic_unchecked_t fscache_n_relinquishes_waitcrt;
46818 +extern atomic_unchecked_t fscache_n_relinquishes_retire;
46819 +
46820 +extern atomic_unchecked_t fscache_n_cookie_index;
46821 +extern atomic_unchecked_t fscache_n_cookie_data;
46822 +extern atomic_unchecked_t fscache_n_cookie_special;
46823 +
46824 +extern atomic_unchecked_t fscache_n_object_alloc;
46825 +extern atomic_unchecked_t fscache_n_object_no_alloc;
46826 +extern atomic_unchecked_t fscache_n_object_lookups;
46827 +extern atomic_unchecked_t fscache_n_object_lookups_negative;
46828 +extern atomic_unchecked_t fscache_n_object_lookups_positive;
46829 +extern atomic_unchecked_t fscache_n_object_lookups_timed_out;
46830 +extern atomic_unchecked_t fscache_n_object_created;
46831 +extern atomic_unchecked_t fscache_n_object_avail;
46832 +extern atomic_unchecked_t fscache_n_object_dead;
46833 +
46834 +extern atomic_unchecked_t fscache_n_checkaux_none;
46835 +extern atomic_unchecked_t fscache_n_checkaux_okay;
46836 +extern atomic_unchecked_t fscache_n_checkaux_update;
46837 +extern atomic_unchecked_t fscache_n_checkaux_obsolete;
46838
46839 extern atomic_t fscache_n_cop_alloc_object;
46840 extern atomic_t fscache_n_cop_lookup_object;
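Review bot: Nothing in the header explains why this block of counters becomes `atomic_unchecked_t` while the `fscache_n_cop_*` declarations directly below and the per-thread arrays above stay `atomic_t`. The split appears to follow usage, though that is inferred from the visible call sites only. The converted names are only incremented through `fscache_stat_unchecked()`, whereas the `fscache_n_cop_*` ones are paired with `fscache_stat_d()` in the object.c hunks. A comment ahead of the block, e.g. `/* monotonic statistics: may wrap, so exempt from overflow checking */`, and one on the `fscache_n_cop_*` group noting that they are incremented and decremented in pairs, would keep later changes from picking the wrong accessor.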
46841 @@ -255,6 +255,11 @@ static inline void fscache_stat(atomic_t
46842 atomic_inc(stat);
46843 }
46844
46845 +static inline void fscache_stat_unchecked(atomic_unchecked_t *stat)
46846 +{
46847 + atomic_inc_unchecked(stat);
46848 +}
46849 +
46850 static inline void fscache_stat_d(atomic_t *stat)
46851 {
46852 atomic_dec(stat);
46853 @@ -267,6 +272,7 @@ extern const struct file_operations fsca
46854
46855 #define __fscache_stat(stat) (NULL)
46856 #define fscache_stat(stat) do {} while (0)
46857 +#define fscache_stat_unchecked(stat) do {} while (0)
46858 #define fscache_stat_d(stat) do {} while (0)
46859 #endif
46860
46861 diff -urNp linux-2.6.39.3/fs/fscache/object.c linux-2.6.39.3/fs/fscache/object.c
46862 --- linux-2.6.39.3/fs/fscache/object.c 2011-05-19 00:06:34.000000000 -0400
46863 +++ linux-2.6.39.3/fs/fscache/object.c 2011-05-22 19:36:32.000000000 -0400
46864 @@ -128,7 +128,7 @@ static void fscache_object_state_machine
46865 /* update the object metadata on disk */
46866 case FSCACHE_OBJECT_UPDATING:
46867 clear_bit(FSCACHE_OBJECT_EV_UPDATE, &object->events);
46868 - fscache_stat(&fscache_n_updates_run);
46869 + fscache_stat_unchecked(&fscache_n_updates_run);
46870 fscache_stat(&fscache_n_cop_update_object);
46871 object->cache->ops->update_object(object);
46872 fscache_stat_d(&fscache_n_cop_update_object);
46873 @@ -217,7 +217,7 @@ static void fscache_object_state_machine
46874 spin_lock(&object->lock);
46875 object->state = FSCACHE_OBJECT_DEAD;
46876 spin_unlock(&object->lock);
46877 - fscache_stat(&fscache_n_object_dead);
46878 + fscache_stat_unchecked(&fscache_n_object_dead);
46879 goto terminal_transit;
46880
46881 /* handle the parent cache of this object being withdrawn from
46882 @@ -232,7 +232,7 @@ static void fscache_object_state_machine
46883 spin_lock(&object->lock);
46884 object->state = FSCACHE_OBJECT_DEAD;
46885 spin_unlock(&object->lock);
46886 - fscache_stat(&fscache_n_object_dead);
46887 + fscache_stat_unchecked(&fscache_n_object_dead);
46888 goto terminal_transit;
46889
46890 /* complain about the object being woken up once it is
46891 @@ -461,7 +461,7 @@ static void fscache_lookup_object(struct
46892 parent->cookie->def->name, cookie->def->name,
46893 object->cache->tag->name);
46894
46895 - fscache_stat(&fscache_n_object_lookups);
46896 + fscache_stat_unchecked(&fscache_n_object_lookups);
46897 fscache_stat(&fscache_n_cop_lookup_object);
46898 ret = object->cache->ops->lookup_object(object);
46899 fscache_stat_d(&fscache_n_cop_lookup_object);
46900 @@ -472,7 +472,7 @@ static void fscache_lookup_object(struct
46901 if (ret == -ETIMEDOUT) {
46902 /* probably stuck behind another object, so move this one to
46903 * the back of the queue */
46904 - fscache_stat(&fscache_n_object_lookups_timed_out);
46905 + fscache_stat_unchecked(&fscache_n_object_lookups_timed_out);
46906 set_bit(FSCACHE_OBJECT_EV_REQUEUE, &object->events);
46907 }
46908
46909 @@ -495,7 +495,7 @@ void fscache_object_lookup_negative(stru
46910
46911 spin_lock(&object->lock);
46912 if (object->state == FSCACHE_OBJECT_LOOKING_UP) {
46913 - fscache_stat(&fscache_n_object_lookups_negative);
46914 + fscache_stat_unchecked(&fscache_n_object_lookups_negative);
46915
46916 /* transit here to allow write requests to begin stacking up
46917 * and read requests to begin returning ENODATA */
46918 @@ -541,7 +541,7 @@ void fscache_obtained_object(struct fsca
46919 * result, in which case there may be data available */
46920 spin_lock(&object->lock);
46921 if (object->state == FSCACHE_OBJECT_LOOKING_UP) {
46922 - fscache_stat(&fscache_n_object_lookups_positive);
46923 + fscache_stat_unchecked(&fscache_n_object_lookups_positive);
46924
46925 clear_bit(FSCACHE_COOKIE_NO_DATA_YET, &cookie->flags);
46926
46927 @@ -555,7 +555,7 @@ void fscache_obtained_object(struct fsca
46928 set_bit(FSCACHE_OBJECT_EV_REQUEUE, &object->events);
46929 } else {
46930 ASSERTCMP(object->state, ==, FSCACHE_OBJECT_CREATING);
46931 - fscache_stat(&fscache_n_object_created);
46932 + fscache_stat_unchecked(&fscache_n_object_created);
46933
46934 object->state = FSCACHE_OBJECT_AVAILABLE;
46935 spin_unlock(&object->lock);
46936 @@ -602,7 +602,7 @@ static void fscache_object_available(str
46937 fscache_enqueue_dependents(object);
46938
46939 fscache_hist(fscache_obj_instantiate_histogram, object->lookup_jif);
46940 - fscache_stat(&fscache_n_object_avail);
46941 + fscache_stat_unchecked(&fscache_n_object_avail);
46942
46943 _leave("");
46944 }
46945 @@ -861,7 +861,7 @@ enum fscache_checkaux fscache_check_aux(
46946 enum fscache_checkaux result;
46947
46948 if (!object->cookie->def->check_aux) {
46949 - fscache_stat(&fscache_n_checkaux_none);
46950 + fscache_stat_unchecked(&fscache_n_checkaux_none);
46951 return FSCACHE_CHECKAUX_OKAY;
46952 }
46953
46954 @@ -870,17 +870,17 @@ enum fscache_checkaux fscache_check_aux(
46955 switch (result) {
46956 /* entry okay as is */
46957 case FSCACHE_CHECKAUX_OKAY:
46958 - fscache_stat(&fscache_n_checkaux_okay);
46959 + fscache_stat_unchecked(&fscache_n_checkaux_okay);
46960 break;
46961
46962 /* entry requires update */
46963 case FSCACHE_CHECKAUX_NEEDS_UPDATE:
46964 - fscache_stat(&fscache_n_checkaux_update);
46965 + fscache_stat_unchecked(&fscache_n_checkaux_update);
46966 break;
46967
46968 /* entry requires deletion */
46969 case FSCACHE_CHECKAUX_OBSOLETE:
46970 - fscache_stat(&fscache_n_checkaux_obsolete);
46971 + fscache_stat_unchecked(&fscache_n_checkaux_obsolete);
46972 break;
46973
46974 default:
46975 diff -urNp linux-2.6.39.3/fs/fscache/operation.c linux-2.6.39.3/fs/fscache/operation.c
46976 --- linux-2.6.39.3/fs/fscache/operation.c 2011-05-19 00:06:34.000000000 -0400
46977 +++ linux-2.6.39.3/fs/fscache/operation.c 2011-05-22 19:36:32.000000000 -0400
46978 @@ -17,7 +17,7 @@
46979 #include <linux/slab.h>
46980 #include "internal.h"
46981
46982 -atomic_t fscache_op_debug_id;
46983 +atomic_unchecked_t fscache_op_debug_id;
46984 EXPORT_SYMBOL(fscache_op_debug_id);
46985
46986 /**
46987 @@ -40,7 +40,7 @@ void fscache_enqueue_operation(struct fs
46988 ASSERTCMP(op->object->state, >=, FSCACHE_OBJECT_AVAILABLE);
46989 ASSERTCMP(atomic_read(&op->usage), >, 0);
46990
46991 - fscache_stat(&fscache_n_op_enqueue);
46992 + fscache_stat_unchecked(&fscache_n_op_enqueue);
46993 switch (op->flags & FSCACHE_OP_TYPE) {
46994 case FSCACHE_OP_ASYNC:
46995 _debug("queue async");
46996 @@ -73,7 +73,7 @@ static void fscache_run_op(struct fscach
46997 wake_up_bit(&op->flags, FSCACHE_OP_WAITING);
46998 if (op->processor)
46999 fscache_enqueue_operation(op);
47000 - fscache_stat(&fscache_n_op_run);
47001 + fscache_stat_unchecked(&fscache_n_op_run);
47002 }
47003
47004 /*
47005 @@ -104,11 +104,11 @@ int fscache_submit_exclusive_op(struct f
47006 if (object->n_ops > 1) {
47007 atomic_inc(&op->usage);
47008 list_add_tail(&op->pend_link, &object->pending_ops);
47009 - fscache_stat(&fscache_n_op_pend);
47010 + fscache_stat_unchecked(&fscache_n_op_pend);
47011 } else if (!list_empty(&object->pending_ops)) {
47012 atomic_inc(&op->usage);
47013 list_add_tail(&op->pend_link, &object->pending_ops);
47014 - fscache_stat(&fscache_n_op_pend);
47015 + fscache_stat_unchecked(&fscache_n_op_pend);
47016 fscache_start_operations(object);
47017 } else {
47018 ASSERTCMP(object->n_in_progress, ==, 0);
47019 @@ -124,7 +124,7 @@ int fscache_submit_exclusive_op(struct f
47020 object->n_exclusive++; /* reads and writes must wait */
47021 atomic_inc(&op->usage);
47022 list_add_tail(&op->pend_link, &object->pending_ops);
47023 - fscache_stat(&fscache_n_op_pend);
47024 + fscache_stat_unchecked(&fscache_n_op_pend);
47025 ret = 0;
47026 } else {
47027 /* not allowed to submit ops in any other state */
47028 @@ -211,11 +211,11 @@ int fscache_submit_op(struct fscache_obj
47029 if (object->n_exclusive > 0) {
47030 atomic_inc(&op->usage);
47031 list_add_tail(&op->pend_link, &object->pending_ops);
47032 - fscache_stat(&fscache_n_op_pend);
47033 + fscache_stat_unchecked(&fscache_n_op_pend);
47034 } else if (!list_empty(&object->pending_ops)) {
47035 atomic_inc(&op->usage);
47036 list_add_tail(&op->pend_link, &object->pending_ops);
47037 - fscache_stat(&fscache_n_op_pend);
47038 + fscache_stat_unchecked(&fscache_n_op_pend);
47039 fscache_start_operations(object);
47040 } else {
47041 ASSERTCMP(object->n_exclusive, ==, 0);
47042 @@ -227,12 +227,12 @@ int fscache_submit_op(struct fscache_obj
47043 object->n_ops++;
47044 atomic_inc(&op->usage);
47045 list_add_tail(&op->pend_link, &object->pending_ops);
47046 - fscache_stat(&fscache_n_op_pend);
47047 + fscache_stat_unchecked(&fscache_n_op_pend);
47048 ret = 0;
47049 } else if (object->state == FSCACHE_OBJECT_DYING ||
47050 object->state == FSCACHE_OBJECT_LC_DYING ||
47051 object->state == FSCACHE_OBJECT_WITHDRAWING) {
47052 - fscache_stat(&fscache_n_op_rejected);
47053 + fscache_stat_unchecked(&fscache_n_op_rejected);
47054 ret = -ENOBUFS;
47055 } else if (!test_bit(FSCACHE_IOERROR, &object->cache->flags)) {
47056 fscache_report_unexpected_submission(object, op, ostate);
47057 @@ -302,7 +302,7 @@ int fscache_cancel_op(struct fscache_ope
47058
47059 ret = -EBUSY;
47060 if (!list_empty(&op->pend_link)) {
47061 - fscache_stat(&fscache_n_op_cancelled);
47062 + fscache_stat_unchecked(&fscache_n_op_cancelled);
47063 list_del_init(&op->pend_link);
47064 object->n_ops--;
47065 if (test_bit(FSCACHE_OP_EXCLUSIVE, &op->flags))
47066 @@ -341,7 +341,7 @@ void fscache_put_operation(struct fscach
47067 if (test_and_set_bit(FSCACHE_OP_DEAD, &op->flags))
47068 BUG();
47069
47070 - fscache_stat(&fscache_n_op_release);
47071 + fscache_stat_unchecked(&fscache_n_op_release);
47072
47073 if (op->release) {
47074 op->release(op);
47075 @@ -358,7 +358,7 @@ void fscache_put_operation(struct fscach
47076 * lock, and defer it otherwise */
47077 if (!spin_trylock(&object->lock)) {
47078 _debug("defer put");
47079 - fscache_stat(&fscache_n_op_deferred_release);
47080 + fscache_stat_unchecked(&fscache_n_op_deferred_release);
47081
47082 cache = object->cache;
47083 spin_lock(&cache->op_gc_list_lock);
47084 @@ -420,7 +420,7 @@ void fscache_operation_gc(struct work_st
47085
47086 _debug("GC DEFERRED REL OBJ%x OP%x",
47087 object->debug_id, op->debug_id);
47088 - fscache_stat(&fscache_n_op_gc);
47089 + fscache_stat_unchecked(&fscache_n_op_gc);
47090
47091 ASSERTCMP(atomic_read(&op->usage), ==, 0);
47092
47093 diff -urNp linux-2.6.39.3/fs/fscache/page.c linux-2.6.39.3/fs/fscache/page.c
47094 --- linux-2.6.39.3/fs/fscache/page.c 2011-07-09 09:18:51.000000000 -0400
47095 +++ linux-2.6.39.3/fs/fscache/page.c 2011-07-09 09:19:18.000000000 -0400
47096 @@ -60,7 +60,7 @@ bool __fscache_maybe_release_page(struct
47097 val = radix_tree_lookup(&cookie->stores, page->index);
47098 if (!val) {
47099 rcu_read_unlock();
47100 - fscache_stat(&fscache_n_store_vmscan_not_storing);
47101 + fscache_stat_unchecked(&fscache_n_store_vmscan_not_storing);
47102 __fscache_uncache_page(cookie, page);
47103 return true;
47104 }
47105 @@ -90,11 +90,11 @@ bool __fscache_maybe_release_page(struct
47106 spin_unlock(&cookie->stores_lock);
47107
47108 if (xpage) {
47109 - fscache_stat(&fscache_n_store_vmscan_cancelled);
47110 - fscache_stat(&fscache_n_store_radix_deletes);
47111 + fscache_stat_unchecked(&fscache_n_store_vmscan_cancelled);
47112 + fscache_stat_unchecked(&fscache_n_store_radix_deletes);
47113 ASSERTCMP(xpage, ==, page);
47114 } else {
47115 - fscache_stat(&fscache_n_store_vmscan_gone);
47116 + fscache_stat_unchecked(&fscache_n_store_vmscan_gone);
47117 }
47118
47119 wake_up_bit(&cookie->flags, 0);
47120 @@ -107,7 +107,7 @@ page_busy:
47121 /* we might want to wait here, but that could deadlock the allocator as
47122 * the work threads writing to the cache may all end up sleeping
47123 * on memory allocation */
47124 - fscache_stat(&fscache_n_store_vmscan_busy);
47125 + fscache_stat_unchecked(&fscache_n_store_vmscan_busy);
47126 return false;
47127 }
47128 EXPORT_SYMBOL(__fscache_maybe_release_page);
47129 @@ -131,7 +131,7 @@ static void fscache_end_page_write(struc
47130 FSCACHE_COOKIE_STORING_TAG);
47131 if (!radix_tree_tag_get(&cookie->stores, page->index,
47132 FSCACHE_COOKIE_PENDING_TAG)) {
47133 - fscache_stat(&fscache_n_store_radix_deletes);
47134 + fscache_stat_unchecked(&fscache_n_store_radix_deletes);
47135 xpage = radix_tree_delete(&cookie->stores, page->index);
47136 }
47137 spin_unlock(&cookie->stores_lock);
47138 @@ -152,7 +152,7 @@ static void fscache_attr_changed_op(stru
47139
47140 _enter("{OBJ%x OP%x}", object->debug_id, op->debug_id);
47141
47142 - fscache_stat(&fscache_n_attr_changed_calls);
47143 + fscache_stat_unchecked(&fscache_n_attr_changed_calls);
47144
47145 if (fscache_object_is_active(object)) {
47146 fscache_set_op_state(op, "CallFS");
47147 @@ -179,11 +179,11 @@ int __fscache_attr_changed(struct fscach
47148
47149 ASSERTCMP(cookie->def->type, !=, FSCACHE_COOKIE_TYPE_INDEX);
47150
47151 - fscache_stat(&fscache_n_attr_changed);
47152 + fscache_stat_unchecked(&fscache_n_attr_changed);
47153
47154 op = kzalloc(sizeof(*op), GFP_KERNEL);
47155 if (!op) {
47156 - fscache_stat(&fscache_n_attr_changed_nomem);
47157 + fscache_stat_unchecked(&fscache_n_attr_changed_nomem);
47158 _leave(" = -ENOMEM");
47159 return -ENOMEM;
47160 }
47161 @@ -202,7 +202,7 @@ int __fscache_attr_changed(struct fscach
47162 if (fscache_submit_exclusive_op(object, op) < 0)
47163 goto nobufs;
47164 spin_unlock(&cookie->lock);
47165 - fscache_stat(&fscache_n_attr_changed_ok);
47166 + fscache_stat_unchecked(&fscache_n_attr_changed_ok);
47167 fscache_put_operation(op);
47168 _leave(" = 0");
47169 return 0;
47170 @@ -210,7 +210,7 @@ int __fscache_attr_changed(struct fscach
47171 nobufs:
47172 spin_unlock(&cookie->lock);
47173 kfree(op);
47174 - fscache_stat(&fscache_n_attr_changed_nobufs);
47175 + fscache_stat_unchecked(&fscache_n_attr_changed_nobufs);
47176 _leave(" = %d", -ENOBUFS);
47177 return -ENOBUFS;
47178 }
47179 @@ -246,7 +246,7 @@ static struct fscache_retrieval *fscache
47180 /* allocate a retrieval operation and attempt to submit it */
47181 op = kzalloc(sizeof(*op), GFP_NOIO);
47182 if (!op) {
47183 - fscache_stat(&fscache_n_retrievals_nomem);
47184 + fscache_stat_unchecked(&fscache_n_retrievals_nomem);
47185 return NULL;
47186 }
47187
47188 @@ -275,13 +275,13 @@ static int fscache_wait_for_deferred_loo
47189 return 0;
47190 }
47191
47192 - fscache_stat(&fscache_n_retrievals_wait);
47193 + fscache_stat_unchecked(&fscache_n_retrievals_wait);
47194
47195 jif = jiffies;
47196 if (wait_on_bit(&cookie->flags, FSCACHE_COOKIE_LOOKING_UP,
47197 fscache_wait_bit_interruptible,
47198 TASK_INTERRUPTIBLE) != 0) {
47199 - fscache_stat(&fscache_n_retrievals_intr);
47200 + fscache_stat_unchecked(&fscache_n_retrievals_intr);
47201 _leave(" = -ERESTARTSYS");
47202 return -ERESTARTSYS;
47203 }
47204 @@ -299,8 +299,8 @@ static int fscache_wait_for_deferred_loo
47205 */
47206 static int fscache_wait_for_retrieval_activation(struct fscache_object *object,
47207 struct fscache_retrieval *op,
47208 - atomic_t *stat_op_waits,
47209 - atomic_t *stat_object_dead)
47210 + atomic_unchecked_t *stat_op_waits,
47211 + atomic_unchecked_t *stat_object_dead)
47212 {
47213 int ret;
47214
47215 @@ -308,7 +308,7 @@ static int fscache_wait_for_retrieval_ac
47216 goto check_if_dead;
47217
47218 _debug(">>> WT");
47219 - fscache_stat(stat_op_waits);
47220 + fscache_stat_unchecked(stat_op_waits);
47221 if (wait_on_bit(&op->op.flags, FSCACHE_OP_WAITING,
47222 fscache_wait_bit_interruptible,
47223 TASK_INTERRUPTIBLE) < 0) {
47224 @@ -325,7 +325,7 @@ static int fscache_wait_for_retrieval_ac
47225
47226 check_if_dead:
47227 if (unlikely(fscache_object_is_dead(object))) {
47228 - fscache_stat(stat_object_dead);
47229 + fscache_stat_unchecked(stat_object_dead);
47230 return -ENOBUFS;
47231 }
47232 return 0;
47233 @@ -352,7 +352,7 @@ int __fscache_read_or_alloc_page(struct
47234
47235 _enter("%p,%p,,,", cookie, page);
47236
47237 - fscache_stat(&fscache_n_retrievals);
47238 + fscache_stat_unchecked(&fscache_n_retrievals);
47239
47240 if (hlist_empty(&cookie->backing_objects))
47241 goto nobufs;
47242 @@ -386,7 +386,7 @@ int __fscache_read_or_alloc_page(struct
47243 goto nobufs_unlock;
47244 spin_unlock(&cookie->lock);
47245
47246 - fscache_stat(&fscache_n_retrieval_ops);
47247 + fscache_stat_unchecked(&fscache_n_retrieval_ops);
47248
47249 /* pin the netfs read context in case we need to do the actual netfs
47250 * read because we've encountered a cache read failure */
47251 @@ -416,15 +416,15 @@ int __fscache_read_or_alloc_page(struct
47252
47253 error:
47254 if (ret == -ENOMEM)
47255 - fscache_stat(&fscache_n_retrievals_nomem);
47256 + fscache_stat_unchecked(&fscache_n_retrievals_nomem);
47257 else if (ret == -ERESTARTSYS)
47258 - fscache_stat(&fscache_n_retrievals_intr);
47259 + fscache_stat_unchecked(&fscache_n_retrievals_intr);
47260 else if (ret == -ENODATA)
47261 - fscache_stat(&fscache_n_retrievals_nodata);
47262 + fscache_stat_unchecked(&fscache_n_retrievals_nodata);
47263 else if (ret < 0)
47264 - fscache_stat(&fscache_n_retrievals_nobufs);
47265 + fscache_stat_unchecked(&fscache_n_retrievals_nobufs);
47266 else
47267 - fscache_stat(&fscache_n_retrievals_ok);
47268 + fscache_stat_unchecked(&fscache_n_retrievals_ok);
47269
47270 fscache_put_retrieval(op);
47271 _leave(" = %d", ret);
47272 @@ -434,7 +434,7 @@ nobufs_unlock:
47273 spin_unlock(&cookie->lock);
47274 kfree(op);
47275 nobufs:
47276 - fscache_stat(&fscache_n_retrievals_nobufs);
47277 + fscache_stat_unchecked(&fscache_n_retrievals_nobufs);
47278 _leave(" = -ENOBUFS");
47279 return -ENOBUFS;
47280 }
47281 @@ -472,7 +472,7 @@ int __fscache_read_or_alloc_pages(struct
47282
47283 _enter("%p,,%d,,,", cookie, *nr_pages);
47284
47285 - fscache_stat(&fscache_n_retrievals);
47286 + fscache_stat_unchecked(&fscache_n_retrievals);
47287
47288 if (hlist_empty(&cookie->backing_objects))
47289 goto nobufs;
47290 @@ -503,7 +503,7 @@ int __fscache_read_or_alloc_pages(struct
47291 goto nobufs_unlock;
47292 spin_unlock(&cookie->lock);
47293
47294 - fscache_stat(&fscache_n_retrieval_ops);
47295 + fscache_stat_unchecked(&fscache_n_retrieval_ops);
47296
47297 /* pin the netfs read context in case we need to do the actual netfs
47298 * read because we've encountered a cache read failure */
47299 @@ -533,15 +533,15 @@ int __fscache_read_or_alloc_pages(struct
47300
47301 error:
47302 if (ret == -ENOMEM)
47303 - fscache_stat(&fscache_n_retrievals_nomem);
47304 + fscache_stat_unchecked(&fscache_n_retrievals_nomem);
47305 else if (ret == -ERESTARTSYS)
47306 - fscache_stat(&fscache_n_retrievals_intr);
47307 + fscache_stat_unchecked(&fscache_n_retrievals_intr);
47308 else if (ret == -ENODATA)
47309 - fscache_stat(&fscache_n_retrievals_nodata);
47310 + fscache_stat_unchecked(&fscache_n_retrievals_nodata);
47311 else if (ret < 0)
47312 - fscache_stat(&fscache_n_retrievals_nobufs);
47313 + fscache_stat_unchecked(&fscache_n_retrievals_nobufs);
47314 else
47315 - fscache_stat(&fscache_n_retrievals_ok);
47316 + fscache_stat_unchecked(&fscache_n_retrievals_ok);
47317
47318 fscache_put_retrieval(op);
47319 _leave(" = %d", ret);
47320 @@ -551,7 +551,7 @@ nobufs_unlock:
47321 spin_unlock(&cookie->lock);
47322 kfree(op);
47323 nobufs:
47324 - fscache_stat(&fscache_n_retrievals_nobufs);
47325 + fscache_stat_unchecked(&fscache_n_retrievals_nobufs);
47326 _leave(" = -ENOBUFS");
47327 return -ENOBUFS;
47328 }
47329 @@ -575,7 +575,7 @@ int __fscache_alloc_page(struct fscache_
47330
47331 _enter("%p,%p,,,", cookie, page);
47332
47333 - fscache_stat(&fscache_n_allocs);
47334 + fscache_stat_unchecked(&fscache_n_allocs);
47335
47336 if (hlist_empty(&cookie->backing_objects))
47337 goto nobufs;
47338 @@ -602,7 +602,7 @@ int __fscache_alloc_page(struct fscache_
47339 goto nobufs_unlock;
47340 spin_unlock(&cookie->lock);
47341
47342 - fscache_stat(&fscache_n_alloc_ops);
47343 + fscache_stat_unchecked(&fscache_n_alloc_ops);
47344
47345 ret = fscache_wait_for_retrieval_activation(
47346 object, op,
47347 @@ -618,11 +618,11 @@ int __fscache_alloc_page(struct fscache_
47348
47349 error:
47350 if (ret == -ERESTARTSYS)
47351 - fscache_stat(&fscache_n_allocs_intr);
47352 + fscache_stat_unchecked(&fscache_n_allocs_intr);
47353 else if (ret < 0)
47354 - fscache_stat(&fscache_n_allocs_nobufs);
47355 + fscache_stat_unchecked(&fscache_n_allocs_nobufs);
47356 else
47357 - fscache_stat(&fscache_n_allocs_ok);
47358 + fscache_stat_unchecked(&fscache_n_allocs_ok);
47359
47360 fscache_put_retrieval(op);
47361 _leave(" = %d", ret);
47362 @@ -632,7 +632,7 @@ nobufs_unlock:
47363 spin_unlock(&cookie->lock);
47364 kfree(op);
47365 nobufs:
47366 - fscache_stat(&fscache_n_allocs_nobufs);
47367 + fscache_stat_unchecked(&fscache_n_allocs_nobufs);
47368 _leave(" = -ENOBUFS");
47369 return -ENOBUFS;
47370 }
47371 @@ -675,7 +675,7 @@ static void fscache_write_op(struct fsca
47372
47373 spin_lock(&cookie->stores_lock);
47374
47375 - fscache_stat(&fscache_n_store_calls);
47376 + fscache_stat_unchecked(&fscache_n_store_calls);
47377
47378 /* find a page to store */
47379 page = NULL;
47380 @@ -686,7 +686,7 @@ static void fscache_write_op(struct fsca
47381 page = results[0];
47382 _debug("gang %d [%lx]", n, page->index);
47383 if (page->index > op->store_limit) {
47384 - fscache_stat(&fscache_n_store_pages_over_limit);
47385 + fscache_stat_unchecked(&fscache_n_store_pages_over_limit);
47386 goto superseded;
47387 }
47388
47389 @@ -699,7 +699,7 @@ static void fscache_write_op(struct fsca
47390 spin_unlock(&object->lock);
47391
47392 fscache_set_op_state(&op->op, "Store");
47393 - fscache_stat(&fscache_n_store_pages);
47394 + fscache_stat_unchecked(&fscache_n_store_pages);
47395 fscache_stat(&fscache_n_cop_write_page);
47396 ret = object->cache->ops->write_page(op, page);
47397 fscache_stat_d(&fscache_n_cop_write_page);
47398 @@ -769,7 +769,7 @@ int __fscache_write_page(struct fscache_
47399 ASSERTCMP(cookie->def->type, !=, FSCACHE_COOKIE_TYPE_INDEX);
47400 ASSERT(PageFsCache(page));
47401
47402 - fscache_stat(&fscache_n_stores);
47403 + fscache_stat_unchecked(&fscache_n_stores);
47404
47405 op = kzalloc(sizeof(*op), GFP_NOIO);
47406 if (!op)
47407 @@ -821,7 +821,7 @@ int __fscache_write_page(struct fscache_
47408 spin_unlock(&cookie->stores_lock);
47409 spin_unlock(&object->lock);
47410
47411 - op->op.debug_id = atomic_inc_return(&fscache_op_debug_id);
47412 + op->op.debug_id = atomic_inc_return_unchecked(&fscache_op_debug_id);
47413 op->store_limit = object->store_limit;
47414
47415 if (fscache_submit_op(object, &op->op) < 0)
47416 @@ -829,8 +829,8 @@ int __fscache_write_page(struct fscache_
47417
47418 spin_unlock(&cookie->lock);
47419 radix_tree_preload_end();
47420 - fscache_stat(&fscache_n_store_ops);
47421 - fscache_stat(&fscache_n_stores_ok);
47422 + fscache_stat_unchecked(&fscache_n_store_ops);
47423 + fscache_stat_unchecked(&fscache_n_stores_ok);
47424
47425 /* the work queue now carries its own ref on the object */
47426 fscache_put_operation(&op->op);
47427 @@ -838,14 +838,14 @@ int __fscache_write_page(struct fscache_
47428 return 0;
47429
47430 already_queued:
47431 - fscache_stat(&fscache_n_stores_again);
47432 + fscache_stat_unchecked(&fscache_n_stores_again);
47433 already_pending:
47434 spin_unlock(&cookie->stores_lock);
47435 spin_unlock(&object->lock);
47436 spin_unlock(&cookie->lock);
47437 radix_tree_preload_end();
47438 kfree(op);
47439 - fscache_stat(&fscache_n_stores_ok);
47440 + fscache_stat_unchecked(&fscache_n_stores_ok);
47441 _leave(" = 0");
47442 return 0;
47443
47444 @@ -864,14 +864,14 @@ nobufs:
47445 spin_unlock(&cookie->lock);
47446 radix_tree_preload_end();
47447 kfree(op);
47448 - fscache_stat(&fscache_n_stores_nobufs);
47449 + fscache_stat_unchecked(&fscache_n_stores_nobufs);
47450 _leave(" = -ENOBUFS");
47451 return -ENOBUFS;
47452
47453 nomem_free:
47454 kfree(op);
47455 nomem:
47456 - fscache_stat(&fscache_n_stores_oom);
47457 + fscache_stat_unchecked(&fscache_n_stores_oom);
47458 _leave(" = -ENOMEM");
47459 return -ENOMEM;
47460 }
47461 @@ -889,7 +889,7 @@ void __fscache_uncache_page(struct fscac
47462 ASSERTCMP(cookie->def->type, !=, FSCACHE_COOKIE_TYPE_INDEX);
47463 ASSERTCMP(page, !=, NULL);
47464
47465 - fscache_stat(&fscache_n_uncaches);
47466 + fscache_stat_unchecked(&fscache_n_uncaches);
47467
47468 /* cache withdrawal may beat us to it */
47469 if (!PageFsCache(page))
47470 @@ -942,7 +942,7 @@ void fscache_mark_pages_cached(struct fs
47471 unsigned long loop;
47472
47473 #ifdef CONFIG_FSCACHE_STATS
47474 - atomic_add(pagevec->nr, &fscache_n_marks);
47475 + atomic_add_unchecked(pagevec->nr, &fscache_n_marks);
47476 #endif
47477
47478 for (loop = 0; loop < pagevec->nr; loop++) {
47479 diff -urNp linux-2.6.39.3/fs/fscache/stats.c linux-2.6.39.3/fs/fscache/stats.c
47480 --- linux-2.6.39.3/fs/fscache/stats.c 2011-05-19 00:06:34.000000000 -0400
47481 +++ linux-2.6.39.3/fs/fscache/stats.c 2011-05-22 19:36:32.000000000 -0400
47482 @@ -18,95 +18,95 @@
47483 /*
47484 * operation counters
47485 */
47486 -atomic_t fscache_n_op_pend;
47487 -atomic_t fscache_n_op_run;
47488 -atomic_t fscache_n_op_enqueue;
47489 -atomic_t fscache_n_op_requeue;
47490 -atomic_t fscache_n_op_deferred_release;
47491 -atomic_t fscache_n_op_release;
47492 -atomic_t fscache_n_op_gc;
47493 -atomic_t fscache_n_op_cancelled;
47494 -atomic_t fscache_n_op_rejected;
47495 -
47496 -atomic_t fscache_n_attr_changed;
47497 -atomic_t fscache_n_attr_changed_ok;
47498 -atomic_t fscache_n_attr_changed_nobufs;
47499 -atomic_t fscache_n_attr_changed_nomem;
47500 -atomic_t fscache_n_attr_changed_calls;
47501 -
47502 -atomic_t fscache_n_allocs;
47503 -atomic_t fscache_n_allocs_ok;
47504 -atomic_t fscache_n_allocs_wait;
47505 -atomic_t fscache_n_allocs_nobufs;
47506 -atomic_t fscache_n_allocs_intr;
47507 -atomic_t fscache_n_allocs_object_dead;
47508 -atomic_t fscache_n_alloc_ops;
47509 -atomic_t fscache_n_alloc_op_waits;
47510 -
47511 -atomic_t fscache_n_retrievals;
47512 -atomic_t fscache_n_retrievals_ok;
47513 -atomic_t fscache_n_retrievals_wait;
47514 -atomic_t fscache_n_retrievals_nodata;
47515 -atomic_t fscache_n_retrievals_nobufs;
47516 -atomic_t fscache_n_retrievals_intr;
47517 -atomic_t fscache_n_retrievals_nomem;
47518 -atomic_t fscache_n_retrievals_object_dead;
47519 -atomic_t fscache_n_retrieval_ops;
47520 -atomic_t fscache_n_retrieval_op_waits;
47521 -
47522 -atomic_t fscache_n_stores;
47523 -atomic_t fscache_n_stores_ok;
47524 -atomic_t fscache_n_stores_again;
47525 -atomic_t fscache_n_stores_nobufs;
47526 -atomic_t fscache_n_stores_oom;
47527 -atomic_t fscache_n_store_ops;
47528 -atomic_t fscache_n_store_calls;
47529 -atomic_t fscache_n_store_pages;
47530 -atomic_t fscache_n_store_radix_deletes;
47531 -atomic_t fscache_n_store_pages_over_limit;
47532 -
47533 -atomic_t fscache_n_store_vmscan_not_storing;
47534 -atomic_t fscache_n_store_vmscan_gone;
47535 -atomic_t fscache_n_store_vmscan_busy;
47536 -atomic_t fscache_n_store_vmscan_cancelled;
47537 -
47538 -atomic_t fscache_n_marks;
47539 -atomic_t fscache_n_uncaches;
47540 -
47541 -atomic_t fscache_n_acquires;
47542 -atomic_t fscache_n_acquires_null;
47543 -atomic_t fscache_n_acquires_no_cache;
47544 -atomic_t fscache_n_acquires_ok;
47545 -atomic_t fscache_n_acquires_nobufs;
47546 -atomic_t fscache_n_acquires_oom;
47547 -
47548 -atomic_t fscache_n_updates;
47549 -atomic_t fscache_n_updates_null;
47550 -atomic_t fscache_n_updates_run;
47551 -
47552 -atomic_t fscache_n_relinquishes;
47553 -atomic_t fscache_n_relinquishes_null;
47554 -atomic_t fscache_n_relinquishes_waitcrt;
47555 -atomic_t fscache_n_relinquishes_retire;
47556 -
47557 -atomic_t fscache_n_cookie_index;
47558 -atomic_t fscache_n_cookie_data;
47559 -atomic_t fscache_n_cookie_special;
47560 -
47561 -atomic_t fscache_n_object_alloc;
47562 -atomic_t fscache_n_object_no_alloc;
47563 -atomic_t fscache_n_object_lookups;
47564 -atomic_t fscache_n_object_lookups_negative;
47565 -atomic_t fscache_n_object_lookups_positive;
47566 -atomic_t fscache_n_object_lookups_timed_out;
47567 -atomic_t fscache_n_object_created;
47568 -atomic_t fscache_n_object_avail;
47569 -atomic_t fscache_n_object_dead;
47570 -
47571 -atomic_t fscache_n_checkaux_none;
47572 -atomic_t fscache_n_checkaux_okay;
47573 -atomic_t fscache_n_checkaux_update;
47574 -atomic_t fscache_n_checkaux_obsolete;
47575 +atomic_unchecked_t fscache_n_op_pend;
47576 +atomic_unchecked_t fscache_n_op_run;
47577 +atomic_unchecked_t fscache_n_op_enqueue;
47578 +atomic_unchecked_t fscache_n_op_requeue;
47579 +atomic_unchecked_t fscache_n_op_deferred_release;
47580 +atomic_unchecked_t fscache_n_op_release;
47581 +atomic_unchecked_t fscache_n_op_gc;
47582 +atomic_unchecked_t fscache_n_op_cancelled;
47583 +atomic_unchecked_t fscache_n_op_rejected;
47584 +
47585 +atomic_unchecked_t fscache_n_attr_changed;
47586 +atomic_unchecked_t fscache_n_attr_changed_ok;
47587 +atomic_unchecked_t fscache_n_attr_changed_nobufs;
47588 +atomic_unchecked_t fscache_n_attr_changed_nomem;
47589 +atomic_unchecked_t fscache_n_attr_changed_calls;
47590 +
47591 +atomic_unchecked_t fscache_n_allocs;
47592 +atomic_unchecked_t fscache_n_allocs_ok;
47593 +atomic_unchecked_t fscache_n_allocs_wait;
47594 +atomic_unchecked_t fscache_n_allocs_nobufs;
47595 +atomic_unchecked_t fscache_n_allocs_intr;
47596 +atomic_unchecked_t fscache_n_allocs_object_dead;
47597 +atomic_unchecked_t fscache_n_alloc_ops;
47598 +atomic_unchecked_t fscache_n_alloc_op_waits;
47599 +
47600 +atomic_unchecked_t fscache_n_retrievals;
47601 +atomic_unchecked_t fscache_n_retrievals_ok;
47602 +atomic_unchecked_t fscache_n_retrievals_wait;
47603 +atomic_unchecked_t fscache_n_retrievals_nodata;
47604 +atomic_unchecked_t fscache_n_retrievals_nobufs;
47605 +atomic_unchecked_t fscache_n_retrievals_intr;
47606 +atomic_unchecked_t fscache_n_retrievals_nomem;
47607 +atomic_unchecked_t fscache_n_retrievals_object_dead;
47608 +atomic_unchecked_t fscache_n_retrieval_ops;
47609 +atomic_unchecked_t fscache_n_retrieval_op_waits;
47610 +
47611 +atomic_unchecked_t fscache_n_stores;
47612 +atomic_unchecked_t fscache_n_stores_ok;
47613 +atomic_unchecked_t fscache_n_stores_again;
47614 +atomic_unchecked_t fscache_n_stores_nobufs;
47615 +atomic_unchecked_t fscache_n_stores_oom;
47616 +atomic_unchecked_t fscache_n_store_ops;
47617 +atomic_unchecked_t fscache_n_store_calls;
47618 +atomic_unchecked_t fscache_n_store_pages;
47619 +atomic_unchecked_t fscache_n_store_radix_deletes;
47620 +atomic_unchecked_t fscache_n_store_pages_over_limit;
47621 +
47622 +atomic_unchecked_t fscache_n_store_vmscan_not_storing;
47623 +atomic_unchecked_t fscache_n_store_vmscan_gone;
47624 +atomic_unchecked_t fscache_n_store_vmscan_busy;
47625 +atomic_unchecked_t fscache_n_store_vmscan_cancelled;
47626 +
47627 +atomic_unchecked_t fscache_n_marks;
47628 +atomic_unchecked_t fscache_n_uncaches;
47629 +
47630 +atomic_unchecked_t fscache_n_acquires;
47631 +atomic_unchecked_t fscache_n_acquires_null;
47632 +atomic_unchecked_t fscache_n_acquires_no_cache;
47633 +atomic_unchecked_t fscache_n_acquires_ok;
47634 +atomic_unchecked_t fscache_n_acquires_nobufs;
47635 +atomic_unchecked_t fscache_n_acquires_oom;
47636 +
47637 +atomic_unchecked_t fscache_n_updates;
47638 +atomic_unchecked_t fscache_n_updates_null;
47639 +atomic_unchecked_t fscache_n_updates_run;
47640 +
47641 +atomic_unchecked_t fscache_n_relinquishes;
47642 +atomic_unchecked_t fscache_n_relinquishes_null;
47643 +atomic_unchecked_t fscache_n_relinquishes_waitcrt;
47644 +atomic_unchecked_t fscache_n_relinquishes_retire;
47645 +
47646 +atomic_unchecked_t fscache_n_cookie_index;
47647 +atomic_unchecked_t fscache_n_cookie_data;
47648 +atomic_unchecked_t fscache_n_cookie_special;
47649 +
47650 +atomic_unchecked_t fscache_n_object_alloc;
47651 +atomic_unchecked_t fscache_n_object_no_alloc;
47652 +atomic_unchecked_t fscache_n_object_lookups;
47653 +atomic_unchecked_t fscache_n_object_lookups_negative;
47654 +atomic_unchecked_t fscache_n_object_lookups_positive;
47655 +atomic_unchecked_t fscache_n_object_lookups_timed_out;
47656 +atomic_unchecked_t fscache_n_object_created;
47657 +atomic_unchecked_t fscache_n_object_avail;
47658 +atomic_unchecked_t fscache_n_object_dead;
47659 +
47660 +atomic_unchecked_t fscache_n_checkaux_none;
47661 +atomic_unchecked_t fscache_n_checkaux_okay;
47662 +atomic_unchecked_t fscache_n_checkaux_update;
47663 +atomic_unchecked_t fscache_n_checkaux_obsolete;
47664
47665 atomic_t fscache_n_cop_alloc_object;
47666 atomic_t fscache_n_cop_lookup_object;
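Review bot: The declaration block now mixes two counter types with no comment saying why: the `fscache_n_*` event counters become `atomic_unchecked_t`, while the `fscache_n_cop_*` counters just below stay `atomic_t`. In the page.c hunk for `fscache_write_op`, `fscache_n_cop_write_page` is raised with `fscache_stat()` and lowered with `fscache_stat_d()`, so it looks like an in-flight gauge rather than a monotonic count, which would explain leaving it checked. I would add a comment above the block, e.g. `/* event counters may wrap harmlessly, hence atomic_unchecked_t; the cop_* in-flight gauges stay atomic_t */`. That keeps a later counter from being given the unchecked type by habit when its value actually matters.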
47667 @@ -133,113 +133,113 @@ static int fscache_stats_show(struct seq
47668 seq_puts(m, "FS-Cache statistics\n");
47669
47670 seq_printf(m, "Cookies: idx=%u dat=%u spc=%u\n",
47671 - atomic_read(&fscache_n_cookie_index),
47672 - atomic_read(&fscache_n_cookie_data),
47673 - atomic_read(&fscache_n_cookie_special));
47674 + atomic_read_unchecked(&fscache_n_cookie_index),
47675 + atomic_read_unchecked(&fscache_n_cookie_data),
47676 + atomic_read_unchecked(&fscache_n_cookie_special));
47677
47678 seq_printf(m, "Objects: alc=%u nal=%u avl=%u ded=%u\n",
47679 - atomic_read(&fscache_n_object_alloc),
47680 - atomic_read(&fscache_n_object_no_alloc),
47681 - atomic_read(&fscache_n_object_avail),
47682 - atomic_read(&fscache_n_object_dead));
47683 + atomic_read_unchecked(&fscache_n_object_alloc),
47684 + atomic_read_unchecked(&fscache_n_object_no_alloc),
47685 + atomic_read_unchecked(&fscache_n_object_avail),
47686 + atomic_read_unchecked(&fscache_n_object_dead));
47687 seq_printf(m, "ChkAux : non=%u ok=%u upd=%u obs=%u\n",
47688 - atomic_read(&fscache_n_checkaux_none),
47689 - atomic_read(&fscache_n_checkaux_okay),
47690 - atomic_read(&fscache_n_checkaux_update),
47691 - atomic_read(&fscache_n_checkaux_obsolete));
47692 + atomic_read_unchecked(&fscache_n_checkaux_none),
47693 + atomic_read_unchecked(&fscache_n_checkaux_okay),
47694 + atomic_read_unchecked(&fscache_n_checkaux_update),
47695 + atomic_read_unchecked(&fscache_n_checkaux_obsolete));
47696
47697 seq_printf(m, "Pages : mrk=%u unc=%u\n",
47698 - atomic_read(&fscache_n_marks),
47699 - atomic_read(&fscache_n_uncaches));
47700 + atomic_read_unchecked(&fscache_n_marks),
47701 + atomic_read_unchecked(&fscache_n_uncaches));
47702
47703 seq_printf(m, "Acquire: n=%u nul=%u noc=%u ok=%u nbf=%u"
47704 " oom=%u\n",
47705 - atomic_read(&fscache_n_acquires),
47706 - atomic_read(&fscache_n_acquires_null),
47707 - atomic_read(&fscache_n_acquires_no_cache),
47708 - atomic_read(&fscache_n_acquires_ok),
47709 - atomic_read(&fscache_n_acquires_nobufs),
47710 - atomic_read(&fscache_n_acquires_oom));
47711 + atomic_read_unchecked(&fscache_n_acquires),
47712 + atomic_read_unchecked(&fscache_n_acquires_null),
47713 + atomic_read_unchecked(&fscache_n_acquires_no_cache),
47714 + atomic_read_unchecked(&fscache_n_acquires_ok),
47715 + atomic_read_unchecked(&fscache_n_acquires_nobufs),
47716 + atomic_read_unchecked(&fscache_n_acquires_oom));
47717
47718 seq_printf(m, "Lookups: n=%u neg=%u pos=%u crt=%u tmo=%u\n",
47719 - atomic_read(&fscache_n_object_lookups),
47720 - atomic_read(&fscache_n_object_lookups_negative),
47721 - atomic_read(&fscache_n_object_lookups_positive),
47722 - atomic_read(&fscache_n_object_created),
47723 - atomic_read(&fscache_n_object_lookups_timed_out));
47724 + atomic_read_unchecked(&fscache_n_object_lookups),
47725 + atomic_read_unchecked(&fscache_n_object_lookups_negative),
47726 + atomic_read_unchecked(&fscache_n_object_lookups_positive),
47727 + atomic_read_unchecked(&fscache_n_object_created),
47728 + atomic_read_unchecked(&fscache_n_object_lookups_timed_out));
47729
47730 seq_printf(m, "Updates: n=%u nul=%u run=%u\n",
47731 - atomic_read(&fscache_n_updates),
47732 - atomic_read(&fscache_n_updates_null),
47733 - atomic_read(&fscache_n_updates_run));
47734 + atomic_read_unchecked(&fscache_n_updates),
47735 + atomic_read_unchecked(&fscache_n_updates_null),
47736 + atomic_read_unchecked(&fscache_n_updates_run));
47737
47738 seq_printf(m, "Relinqs: n=%u nul=%u wcr=%u rtr=%u\n",
47739 - atomic_read(&fscache_n_relinquishes),
47740 - atomic_read(&fscache_n_relinquishes_null),
47741 - atomic_read(&fscache_n_relinquishes_waitcrt),
47742 - atomic_read(&fscache_n_relinquishes_retire));
47743 + atomic_read_unchecked(&fscache_n_relinquishes),
47744 + atomic_read_unchecked(&fscache_n_relinquishes_null),
47745 + atomic_read_unchecked(&fscache_n_relinquishes_waitcrt),
47746 + atomic_read_unchecked(&fscache_n_relinquishes_retire));
47747
47748 seq_printf(m, "AttrChg: n=%u ok=%u nbf=%u oom=%u run=%u\n",
47749 - atomic_read(&fscache_n_attr_changed),
47750 - atomic_read(&fscache_n_attr_changed_ok),
47751 - atomic_read(&fscache_n_attr_changed_nobufs),
47752 - atomic_read(&fscache_n_attr_changed_nomem),
47753 - atomic_read(&fscache_n_attr_changed_calls));
47754 + atomic_read_unchecked(&fscache_n_attr_changed),
47755 + atomic_read_unchecked(&fscache_n_attr_changed_ok),
47756 + atomic_read_unchecked(&fscache_n_attr_changed_nobufs),
47757 + atomic_read_unchecked(&fscache_n_attr_changed_nomem),
47758 + atomic_read_unchecked(&fscache_n_attr_changed_calls));
47759
47760 seq_printf(m, "Allocs : n=%u ok=%u wt=%u nbf=%u int=%u\n",
47761 - atomic_read(&fscache_n_allocs),
47762 - atomic_read(&fscache_n_allocs_ok),
47763 - atomic_read(&fscache_n_allocs_wait),
47764 - atomic_read(&fscache_n_allocs_nobufs),
47765 - atomic_read(&fscache_n_allocs_intr));
47766 + atomic_read_unchecked(&fscache_n_allocs),
47767 + atomic_read_unchecked(&fscache_n_allocs_ok),
47768 + atomic_read_unchecked(&fscache_n_allocs_wait),
47769 + atomic_read_unchecked(&fscache_n_allocs_nobufs),
47770 + atomic_read_unchecked(&fscache_n_allocs_intr));
47771 seq_printf(m, "Allocs : ops=%u owt=%u abt=%u\n",
47772 - atomic_read(&fscache_n_alloc_ops),
47773 - atomic_read(&fscache_n_alloc_op_waits),
47774 - atomic_read(&fscache_n_allocs_object_dead));
47775 + atomic_read_unchecked(&fscache_n_alloc_ops),
47776 + atomic_read_unchecked(&fscache_n_alloc_op_waits),
47777 + atomic_read_unchecked(&fscache_n_allocs_object_dead));
47778
47779 seq_printf(m, "Retrvls: n=%u ok=%u wt=%u nod=%u nbf=%u"
47780 " int=%u oom=%u\n",
47781 - atomic_read(&fscache_n_retrievals),
47782 - atomic_read(&fscache_n_retrievals_ok),
47783 - atomic_read(&fscache_n_retrievals_wait),
47784 - atomic_read(&fscache_n_retrievals_nodata),
47785 - atomic_read(&fscache_n_retrievals_nobufs),
47786 - atomic_read(&fscache_n_retrievals_intr),
47787 - atomic_read(&fscache_n_retrievals_nomem));
47788 + atomic_read_unchecked(&fscache_n_retrievals),
47789 + atomic_read_unchecked(&fscache_n_retrievals_ok),
47790 + atomic_read_unchecked(&fscache_n_retrievals_wait),
47791 + atomic_read_unchecked(&fscache_n_retrievals_nodata),
47792 + atomic_read_unchecked(&fscache_n_retrievals_nobufs),
47793 + atomic_read_unchecked(&fscache_n_retrievals_intr),
47794 + atomic_read_unchecked(&fscache_n_retrievals_nomem));
47795 seq_printf(m, "Retrvls: ops=%u owt=%u abt=%u\n",
47796 - atomic_read(&fscache_n_retrieval_ops),
47797 - atomic_read(&fscache_n_retrieval_op_waits),
47798 - atomic_read(&fscache_n_retrievals_object_dead));
47799 + atomic_read_unchecked(&fscache_n_retrieval_ops),
47800 + atomic_read_unchecked(&fscache_n_retrieval_op_waits),
47801 + atomic_read_unchecked(&fscache_n_retrievals_object_dead));
47802
47803 seq_printf(m, "Stores : n=%u ok=%u agn=%u nbf=%u oom=%u\n",
47804 - atomic_read(&fscache_n_stores),
47805 - atomic_read(&fscache_n_stores_ok),
47806 - atomic_read(&fscache_n_stores_again),
47807 - atomic_read(&fscache_n_stores_nobufs),
47808 - atomic_read(&fscache_n_stores_oom));
47809 + atomic_read_unchecked(&fscache_n_stores),
47810 + atomic_read_unchecked(&fscache_n_stores_ok),
47811 + atomic_read_unchecked(&fscache_n_stores_again),
47812 + atomic_read_unchecked(&fscache_n_stores_nobufs),
47813 + atomic_read_unchecked(&fscache_n_stores_oom));
47814 seq_printf(m, "Stores : ops=%u run=%u pgs=%u rxd=%u olm=%u\n",
47815 - atomic_read(&fscache_n_store_ops),
47816 - atomic_read(&fscache_n_store_calls),
47817 - atomic_read(&fscache_n_store_pages),
47818 - atomic_read(&fscache_n_store_radix_deletes),
47819 - atomic_read(&fscache_n_store_pages_over_limit));
47820 + atomic_read_unchecked(&fscache_n_store_ops),
47821 + atomic_read_unchecked(&fscache_n_store_calls),
47822 + atomic_read_unchecked(&fscache_n_store_pages),
47823 + atomic_read_unchecked(&fscache_n_store_radix_deletes),
47824 + atomic_read_unchecked(&fscache_n_store_pages_over_limit));
47825
47826 seq_printf(m, "VmScan : nos=%u gon=%u bsy=%u can=%u\n",
47827 - atomic_read(&fscache_n_store_vmscan_not_storing),
47828 - atomic_read(&fscache_n_store_vmscan_gone),
47829 - atomic_read(&fscache_n_store_vmscan_busy),
47830 - atomic_read(&fscache_n_store_vmscan_cancelled));
47831 + atomic_read_unchecked(&fscache_n_store_vmscan_not_storing),
47832 + atomic_read_unchecked(&fscache_n_store_vmscan_gone),
47833 + atomic_read_unchecked(&fscache_n_store_vmscan_busy),
47834 + atomic_read_unchecked(&fscache_n_store_vmscan_cancelled));
47835
47836 seq_printf(m, "Ops : pend=%u run=%u enq=%u can=%u rej=%u\n",
47837 - atomic_read(&fscache_n_op_pend),
47838 - atomic_read(&fscache_n_op_run),
47839 - atomic_read(&fscache_n_op_enqueue),
47840 - atomic_read(&fscache_n_op_cancelled),
47841 - atomic_read(&fscache_n_op_rejected));
47842 + atomic_read_unchecked(&fscache_n_op_pend),
47843 + atomic_read_unchecked(&fscache_n_op_run),
47844 + atomic_read_unchecked(&fscache_n_op_enqueue),
47845 + atomic_read_unchecked(&fscache_n_op_cancelled),
47846 + atomic_read_unchecked(&fscache_n_op_rejected));
47847 seq_printf(m, "Ops : dfr=%u rel=%u gc=%u\n",
47848 - atomic_read(&fscache_n_op_deferred_release),
47849 - atomic_read(&fscache_n_op_release),
47850 - atomic_read(&fscache_n_op_gc));
47851 + atomic_read_unchecked(&fscache_n_op_deferred_release),
47852 + atomic_read_unchecked(&fscache_n_op_release),
47853 + atomic_read_unchecked(&fscache_n_op_gc));
47854
47855 seq_printf(m, "CacheOp: alo=%d luo=%d luc=%d gro=%d\n",
47856 atomic_read(&fscache_n_cop_alloc_object),
47857 diff -urNp linux-2.6.39.3/fs/fs_struct.c linux-2.6.39.3/fs/fs_struct.c
47858 --- linux-2.6.39.3/fs/fs_struct.c 2011-05-19 00:06:34.000000000 -0400
47859 +++ linux-2.6.39.3/fs/fs_struct.c 2011-05-22 19:41:37.000000000 -0400
47860 @@ -4,6 +4,7 @@
47861 #include <linux/path.h>
47862 #include <linux/slab.h>
47863 #include <linux/fs_struct.h>
47864 +#include <linux/grsecurity.h>
47865 #include "internal.h"
47866
47867 static inline void path_get_longterm(struct path *path)
47868 @@ -31,6 +32,7 @@ void set_fs_root(struct fs_struct *fs, s
47869 old_root = fs->root;
47870 fs->root = *path;
47871 path_get_longterm(path);
47872 + gr_set_chroot_entries(current, path);
47873 write_seqcount_end(&fs->seq);
47874 spin_unlock(&fs->lock);
47875 if (old_root.dentry)
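Review bot: `gr_set_chroot_entries(current, path)` updates only the calling task, but `set_fs_root()` changes the root of whatever `fs` it is handed, and an `fs_struct` can be shared by several tasks (the `users` count exists for that). If the chroot state is tracked per task, as the `current` argument suggests, the other sharers would keep stale state after this call; that needs confirming against `gr_set_chroot_entries()`, which is not in this hunk. The call also runs before `write_seqcount_end()` and `spin_unlock(&fs->lock)`, so it must never sleep; a comment such as `/* called under fs->lock: must not sleep */` would record that. The function body starts and ends outside the hunk.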
47876 @@ -74,6 +76,7 @@ void chroot_fs_refs(struct path *old_roo
47877 && fs->root.mnt == old_root->mnt) {
47878 path_get_longterm(new_root);
47879 fs->root = *new_root;
47880 + gr_set_chroot_entries(p, new_root);
47881 count++;
47882 }
47883 if (fs->pwd.dentry == old_root->dentry
47884 @@ -109,7 +112,8 @@ void exit_fs(struct task_struct *tsk)
47885 spin_lock(&fs->lock);
47886 write_seqcount_begin(&fs->seq);
47887 tsk->fs = NULL;
47888 - kill = !--fs->users;
47889 + gr_clear_chroot_entries(tsk);
47890 + kill = !atomic_dec_return(&fs->users);
47891 write_seqcount_end(&fs->seq);
47892 spin_unlock(&fs->lock);
47893 task_unlock(tsk);
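Review bot: `fs->users` becomes an `atomic_t` here and in `unshare_fs_struct()` and `daemonize_fs_struct()`, yet every visible update is still made under `fs->lock`, so the reason for the type change is not evident from the code. Presumably it puts the count under the checked-atomic overflow protection that the `_unchecked` variants elsewhere in this patch opt out of. A short comment at the decrement would make that explicit, e.g. `/* atomic_t for overflow checking only; fs->lock still serialises users */`. `exit_fs()` begins and ends outside the hunk.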
47894 @@ -123,7 +127,7 @@ struct fs_struct *copy_fs_struct(struct
47895 struct fs_struct *fs = kmem_cache_alloc(fs_cachep, GFP_KERNEL);
47896 /* We don't need to lock fs - think why ;-) */
47897 if (fs) {
47898 - fs->users = 1;
47899 + atomic_set(&fs->users, 1);
47900 fs->in_exec = 0;
47901 spin_lock_init(&fs->lock);
47902 seqcount_init(&fs->seq);
47903 @@ -132,6 +136,9 @@ struct fs_struct *copy_fs_struct(struct
47904 spin_lock(&old->lock);
47905 fs->root = old->root;
47906 path_get_longterm(&fs->root);
47907 + /* instead of calling gr_set_chroot_entries here,
47908 + we call it from every caller of this function
47909 + */
47910 fs->pwd = old->pwd;
47911 path_get_longterm(&fs->pwd);
47912 spin_unlock(&old->lock);
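Review bot: The new comment makes every caller of `copy_fs_struct()` responsible for calling `gr_set_chroot_entries()`, but it sits in the middle of the body where someone adding a caller is unlikely to look. Within this file `unshare_fs_struct()` does make the call; the other callers are outside this section of the patch and cannot be checked from here. I would move the requirement to the function's header comment, e.g. `/* Callers must call gr_set_chroot_entries() on the task that receives the returned fs_struct. */`, or wrap both steps in one helper so the chroot state cannot be forgotten.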
47913 @@ -150,8 +157,9 @@ int unshare_fs_struct(void)
47914
47915 task_lock(current);
47916 spin_lock(&fs->lock);
47917 - kill = !--fs->users;
47918 + kill = !atomic_dec_return(&fs->users);
47919 current->fs = new_fs;
47920 + gr_set_chroot_entries(current, &new_fs->root);
47921 spin_unlock(&fs->lock);
47922 task_unlock(current);
47923
47924 @@ -170,7 +178,7 @@ EXPORT_SYMBOL(current_umask);
47925
47926 /* to be mentioned only in INIT_TASK */
47927 struct fs_struct init_fs = {
47928 - .users = 1,
47929 + .users = ATOMIC_INIT(1),
47930 .lock = __SPIN_LOCK_UNLOCKED(init_fs.lock),
47931 .seq = SEQCNT_ZERO,
47932 .umask = 0022,
47933 @@ -186,12 +194,13 @@ void daemonize_fs_struct(void)
47934 task_lock(current);
47935
47936 spin_lock(&init_fs.lock);
47937 - init_fs.users++;
47938 + atomic_inc(&init_fs.users);
47939 spin_unlock(&init_fs.lock);
47940
47941 spin_lock(&fs->lock);
47942 current->fs = &init_fs;
47943 - kill = !--fs->users;
47944 + gr_set_chroot_entries(current, &current->fs->root);
47945 + kill = !atomic_dec_return(&fs->users);
47946 spin_unlock(&fs->lock);
47947
47948 task_unlock(current);
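Review bot: `gr_set_chroot_entries(current, &current->fs->root)` is handed `init_fs.root`, because `current->fs` was set to `&init_fs` on the line above, yet the call sits under `fs->lock` (the old struct's lock) after `init_fs.lock` has been released. set_fs_root() in this file makes the same call while holding the lock of the fs_struct whose root it passes. Whether the difference matters depends on whether `init_fs.root` can change concurrently, which the hunk does not show. At minimum write the argument as `&init_fs.root` and add a comment on why reading it without `init_fs.lock` is safe. daemonize_fs_struct() starts and ends outside the hunk.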
47949 diff -urNp linux-2.6.39.3/fs/fuse/cuse.c linux-2.6.39.3/fs/fuse/cuse.c
47950 --- linux-2.6.39.3/fs/fuse/cuse.c 2011-05-19 00:06:34.000000000 -0400
47951 +++ linux-2.6.39.3/fs/fuse/cuse.c 2011-05-22 19:36:32.000000000 -0400
47952 @@ -538,8 +538,18 @@ static int cuse_channel_release(struct i
47953 return rc;
47954 }
47955
47956 -static struct file_operations cuse_channel_fops; /* initialized during init */
47957 -
47958 +static const struct file_operations cuse_channel_fops = { /* initialized during init */
47959 + .owner = THIS_MODULE,
47960 + .llseek = no_llseek,
47961 + .read = do_sync_read,
47962 + .aio_read = fuse_dev_read,
47963 + .write = do_sync_write,
47964 + .aio_write = fuse_dev_write,
47965 + .poll = fuse_dev_poll,
47966 + .open = cuse_channel_open,
47967 + .release = cuse_channel_release,
47968 + .fasync = fuse_dev_fasync,
47969 +};
47970
47971 /**************************************************************************
47972 * Misc stuff and module initializatiion
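Review bot: The retained `/* initialized during init */` comment is now wrong, and the static table no longer follows `fuse_dev_operations`; the code removed from cuse_init() in the next hunk copied that struct wholesale and overrode three members. dev.c in this same patch contains `fuse_dev_splice_read` and `fuse_dev_splice_write`; if `fuse_dev_operations` wires them up (its initializer is cut off in the visible hunk), the CUSE channel silently loses them, and any handler added to fuse later will be missed as well. Either carry those members here too, which would need them made non-static like the other four, or replace the comment with `/* hand-copied from fuse_dev_operations so the table can be const; keep in sync */`.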
47973 @@ -585,12 +595,6 @@ static int __init cuse_init(void)
47974 for (i = 0; i < CUSE_CONNTBL_LEN; i++)
47975 INIT_LIST_HEAD(&cuse_conntbl[i]);
47976
47977 - /* inherit and extend fuse_dev_operations */
47978 - cuse_channel_fops = fuse_dev_operations;
47979 - cuse_channel_fops.owner = THIS_MODULE;
47980 - cuse_channel_fops.open = cuse_channel_open;
47981 - cuse_channel_fops.release = cuse_channel_release;
47982 -
47983 cuse_class = class_create(THIS_MODULE, "cuse");
47984 if (IS_ERR(cuse_class))
47985 return PTR_ERR(cuse_class);
47986 diff -urNp linux-2.6.39.3/fs/fuse/dev.c linux-2.6.39.3/fs/fuse/dev.c
47987 --- linux-2.6.39.3/fs/fuse/dev.c 2011-05-19 00:06:34.000000000 -0400
47988 +++ linux-2.6.39.3/fs/fuse/dev.c 2011-05-22 19:36:32.000000000 -0400
47989 @@ -1181,7 +1181,7 @@ static ssize_t fuse_dev_do_read(struct f
47990 return err;
47991 }
47992
47993 -static ssize_t fuse_dev_read(struct kiocb *iocb, const struct iovec *iov,
47994 +ssize_t fuse_dev_read(struct kiocb *iocb, const struct iovec *iov,
47995 unsigned long nr_segs, loff_t pos)
47996 {
47997 struct fuse_copy_state cs;
47998 @@ -1195,6 +1195,8 @@ static ssize_t fuse_dev_read(struct kioc
47999 return fuse_dev_do_read(fc, file, &cs, iov_length(iov, nr_segs));
48000 }
48001
48002 +EXPORT_SYMBOL_GPL(fuse_dev_read);
48003 +
48004 static int fuse_dev_pipe_buf_steal(struct pipe_inode_info *pipe,
48005 struct pipe_buffer *buf)
48006 {
48007 @@ -1238,7 +1240,7 @@ static ssize_t fuse_dev_splice_read(stru
48008 ret = 0;
48009 pipe_lock(pipe);
48010
48011 - if (!pipe->readers) {
48012 + if (!atomic_read(&pipe->readers)) {
48013 send_sig(SIGPIPE, current, 0);
48014 if (!ret)
48015 ret = -EPIPE;
48016 @@ -1731,7 +1733,7 @@ static ssize_t fuse_dev_do_write(struct
48017 return err;
48018 }
48019
48020 -static ssize_t fuse_dev_write(struct kiocb *iocb, const struct iovec *iov,
48021 +ssize_t fuse_dev_write(struct kiocb *iocb, const struct iovec *iov,
48022 unsigned long nr_segs, loff_t pos)
48023 {
48024 struct fuse_copy_state cs;
48025 @@ -1744,6 +1746,8 @@ static ssize_t fuse_dev_write(struct kio
48026 return fuse_dev_do_write(fc, &cs, iov_length(iov, nr_segs));
48027 }
48028
48029 +EXPORT_SYMBOL_GPL(fuse_dev_write);
48030 +
48031 static ssize_t fuse_dev_splice_write(struct pipe_inode_info *pipe,
48032 struct file *out, loff_t *ppos,
48033 size_t len, unsigned int flags)
48034 @@ -1822,7 +1826,7 @@ out:
48035 return ret;
48036 }
48037
48038 -static unsigned fuse_dev_poll(struct file *file, poll_table *wait)
48039 +unsigned fuse_dev_poll(struct file *file, poll_table *wait)
48040 {
48041 unsigned mask = POLLOUT | POLLWRNORM;
48042 struct fuse_conn *fc = fuse_get_conn(file);
48043 @@ -1841,6 +1845,8 @@ static unsigned fuse_dev_poll(struct fil
48044 return mask;
48045 }
48046
48047 +EXPORT_SYMBOL_GPL(fuse_dev_poll);
48048 +
48049 /*
48050 * Abort all requests on the given list (pending or processing)
48051 *
48052 @@ -1977,7 +1983,7 @@ int fuse_dev_release(struct inode *inode
48053 }
48054 EXPORT_SYMBOL_GPL(fuse_dev_release);
48055
48056 -static int fuse_dev_fasync(int fd, struct file *file, int on)
48057 +int fuse_dev_fasync(int fd, struct file *file, int on)
48058 {
48059 struct fuse_conn *fc = fuse_get_conn(file);
48060 if (!fc)
48061 @@ -1987,6 +1993,8 @@ static int fuse_dev_fasync(int fd, struc
48062 return fasync_helper(fd, file, on, &fc->fasync);
48063 }
48064
48065 +EXPORT_SYMBOL_GPL(fuse_dev_fasync);
48066 +
48067 const struct file_operations fuse_dev_operations = {
48068 .owner = THIS_MODULE,
48069 .llseek = no_llseek,
48070 diff -urNp linux-2.6.39.3/fs/fuse/dir.c linux-2.6.39.3/fs/fuse/dir.c
48071 --- linux-2.6.39.3/fs/fuse/dir.c 2011-05-19 00:06:34.000000000 -0400
48072 +++ linux-2.6.39.3/fs/fuse/dir.c 2011-05-22 19:36:32.000000000 -0400
48073 @@ -1147,7 +1147,7 @@ static char *read_link(struct dentry *de
48074 return link;
48075 }
48076
48077 -static void free_link(char *link)
48078 +static void free_link(const char *link)
48079 {
48080 if (!IS_ERR(link))
48081 free_page((unsigned long) link);
48082 diff -urNp linux-2.6.39.3/fs/fuse/fuse_i.h linux-2.6.39.3/fs/fuse/fuse_i.h
48083 --- linux-2.6.39.3/fs/fuse/fuse_i.h 2011-05-19 00:06:34.000000000 -0400
48084 +++ linux-2.6.39.3/fs/fuse/fuse_i.h 2011-05-22 19:36:32.000000000 -0400
48085 @@ -540,6 +540,16 @@ extern const struct file_operations fuse
48086
48087 extern const struct dentry_operations fuse_dentry_operations;
48088
48089 +extern ssize_t fuse_dev_read(struct kiocb *iocb, const struct iovec *iov,
48090 + unsigned long nr_segs, loff_t pos);
48091 +
48092 +extern ssize_t fuse_dev_write(struct kiocb *iocb, const struct iovec *iov,
48093 + unsigned long nr_segs, loff_t pos);
48094 +
48095 +extern unsigned fuse_dev_poll(struct file *file, poll_table *wait);
48096 +
48097 +extern int fuse_dev_fasync(int fd, struct file *file, int on);
48098 +
48099 /**
48100 * Inode to nodeid comparison.
48101 */
48102 diff -urNp linux-2.6.39.3/fs/gfs2/ops_inode.c linux-2.6.39.3/fs/gfs2/ops_inode.c
48103 --- linux-2.6.39.3/fs/gfs2/ops_inode.c 2011-05-19 00:06:34.000000000 -0400
48104 +++ linux-2.6.39.3/fs/gfs2/ops_inode.c 2011-05-22 19:36:32.000000000 -0400
48105 @@ -740,6 +740,8 @@ static int gfs2_rename(struct inode *odi
48106 unsigned int x;
48107 int error;
48108
48109 + pax_track_stack();
48110 +
48111 if (ndentry->d_inode) {
48112 nip = GFS2_I(ndentry->d_inode);
48113 if (ip == nip)
48114 @@ -1019,7 +1021,7 @@ out:
48115
48116 static void gfs2_put_link(struct dentry *dentry, struct nameidata *nd, void *p)
48117 {
48118 - char *s = nd_get_link(nd);
48119 + const char *s = nd_get_link(nd);
48120 if (!IS_ERR(s))
48121 kfree(s);
48122 }
48123 diff -urNp linux-2.6.39.3/fs/hfsplus/catalog.c linux-2.6.39.3/fs/hfsplus/catalog.c
48124 --- linux-2.6.39.3/fs/hfsplus/catalog.c 2011-05-19 00:06:34.000000000 -0400
48125 +++ linux-2.6.39.3/fs/hfsplus/catalog.c 2011-05-22 19:36:32.000000000 -0400
48126 @@ -179,6 +179,8 @@ int hfsplus_find_cat(struct super_block
48127 int err;
48128 u16 type;
48129
48130 + pax_track_stack();
48131 +
48132 hfsplus_cat_build_key(sb, fd->search_key, cnid, NULL);
48133 err = hfs_brec_read(fd, &tmp, sizeof(hfsplus_cat_entry));
48134 if (err)
48135 @@ -210,6 +212,8 @@ int hfsplus_create_cat(u32 cnid, struct
48136 int entry_size;
48137 int err;
48138
48139 + pax_track_stack();
48140 +
48141 dprint(DBG_CAT_MOD, "create_cat: %s,%u(%d)\n",
48142 str->name, cnid, inode->i_nlink);
48143 hfs_find_init(HFSPLUS_SB(sb)->cat_tree, &fd);
48144 @@ -349,6 +353,8 @@ int hfsplus_rename_cat(u32 cnid,
48145 int entry_size, type;
48146 int err = 0;
48147
48148 + pax_track_stack();
48149 +
48150 dprint(DBG_CAT_MOD, "rename_cat: %u - %lu,%s - %lu,%s\n",
48151 cnid, src_dir->i_ino, src_name->name,
48152 dst_dir->i_ino, dst_name->name);
48153 diff -urNp linux-2.6.39.3/fs/hfsplus/dir.c linux-2.6.39.3/fs/hfsplus/dir.c
48154 --- linux-2.6.39.3/fs/hfsplus/dir.c 2011-05-19 00:06:34.000000000 -0400
48155 +++ linux-2.6.39.3/fs/hfsplus/dir.c 2011-05-22 19:36:32.000000000 -0400
48156 @@ -129,6 +129,8 @@ static int hfsplus_readdir(struct file *
48157 struct hfsplus_readdir_data *rd;
48158 u16 type;
48159
48160 + pax_track_stack();
48161 +
48162 if (filp->f_pos >= inode->i_size)
48163 return 0;
48164
48165 diff -urNp linux-2.6.39.3/fs/hfsplus/inode.c linux-2.6.39.3/fs/hfsplus/inode.c
48166 --- linux-2.6.39.3/fs/hfsplus/inode.c 2011-05-19 00:06:34.000000000 -0400
48167 +++ linux-2.6.39.3/fs/hfsplus/inode.c 2011-05-22 19:36:32.000000000 -0400
48168 @@ -489,6 +489,8 @@ int hfsplus_cat_read_inode(struct inode
48169 int res = 0;
48170 u16 type;
48171
48172 + pax_track_stack();
48173 +
48174 type = hfs_bnode_read_u16(fd->bnode, fd->entryoffset);
48175
48176 HFSPLUS_I(inode)->linkid = 0;
48177 @@ -552,6 +554,8 @@ int hfsplus_cat_write_inode(struct inode
48178 struct hfs_find_data fd;
48179 hfsplus_cat_entry entry;
48180
48181 + pax_track_stack();
48182 +
48183 if (HFSPLUS_IS_RSRC(inode))
48184 main_inode = HFSPLUS_I(inode)->rsrc_inode;
48185
48186 diff -urNp linux-2.6.39.3/fs/hfsplus/ioctl.c linux-2.6.39.3/fs/hfsplus/ioctl.c
48187 --- linux-2.6.39.3/fs/hfsplus/ioctl.c 2011-05-19 00:06:34.000000000 -0400
48188 +++ linux-2.6.39.3/fs/hfsplus/ioctl.c 2011-05-22 19:36:32.000000000 -0400
48189 @@ -122,6 +122,8 @@ int hfsplus_setxattr(struct dentry *dent
48190 struct hfsplus_cat_file *file;
48191 int res;
48192
48193 + pax_track_stack();
48194 +
48195 if (!S_ISREG(inode->i_mode) || HFSPLUS_IS_RSRC(inode))
48196 return -EOPNOTSUPP;
48197
48198 @@ -166,6 +168,8 @@ ssize_t hfsplus_getxattr(struct dentry *
48199 struct hfsplus_cat_file *file;
48200 ssize_t res = 0;
48201
48202 + pax_track_stack();
48203 +
48204 if (!S_ISREG(inode->i_mode) || HFSPLUS_IS_RSRC(inode))
48205 return -EOPNOTSUPP;
48206
48207 diff -urNp linux-2.6.39.3/fs/hfsplus/super.c linux-2.6.39.3/fs/hfsplus/super.c
48208 --- linux-2.6.39.3/fs/hfsplus/super.c 2011-05-19 00:06:34.000000000 -0400
48209 +++ linux-2.6.39.3/fs/hfsplus/super.c 2011-05-22 19:36:32.000000000 -0400
48210 @@ -340,6 +340,8 @@ static int hfsplus_fill_super(struct sup
48211 struct nls_table *nls = NULL;
48212 int err;
48213
48214 + pax_track_stack();
48215 +
48216 err = -EINVAL;
48217 sbi = kzalloc(sizeof(*sbi), GFP_KERNEL);
48218 if (!sbi)
48219 diff -urNp linux-2.6.39.3/fs/hugetlbfs/inode.c linux-2.6.39.3/fs/hugetlbfs/inode.c
48220 --- linux-2.6.39.3/fs/hugetlbfs/inode.c 2011-05-19 00:06:34.000000000 -0400
48221 +++ linux-2.6.39.3/fs/hugetlbfs/inode.c 2011-05-22 19:41:37.000000000 -0400
48222 @@ -914,7 +914,7 @@ static struct file_system_type hugetlbfs
48223 .kill_sb = kill_litter_super,
48224 };
48225
48226 -static struct vfsmount *hugetlbfs_vfsmount;
48227 +struct vfsmount *hugetlbfs_vfsmount;
48228
48229 static int can_do_hugetlb_shm(void)
48230 {
48231 diff -urNp linux-2.6.39.3/fs/inode.c linux-2.6.39.3/fs/inode.c
48232 --- linux-2.6.39.3/fs/inode.c 2011-05-19 00:06:34.000000000 -0400
48233 +++ linux-2.6.39.3/fs/inode.c 2011-05-22 19:36:32.000000000 -0400
48234 @@ -862,8 +862,8 @@ unsigned int get_next_ino(void)
48235
48236 #ifdef CONFIG_SMP
48237 if (unlikely((res & (LAST_INO_BATCH-1)) == 0)) {
48238 - static atomic_t shared_last_ino;
48239 - int next = atomic_add_return(LAST_INO_BATCH, &shared_last_ino);
48240 + static atomic_unchecked_t shared_last_ino;
48241 + int next = atomic_add_return_unchecked(LAST_INO_BATCH, &shared_last_ino);
48242
48243 res = next - LAST_INO_BATCH;
48244 }
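Review bot: The switch of `shared_last_ino` to `atomic_unchecked_t` carries no comment saying why this counter is exempt from the overflow checking that, as I understand the PaX REFCOUNT feature, this patch applies to plain `atomic_t`. Presumably the inode-number allocator is expected to wrap and is not a reference count; a line such as `/* not a refcount: wraparound is expected here */` above the declaration would record that for whoever audits the unchecked users later. The same applies to `nlm_cookie` in the fs/lockd/clntproc.c hunk further down. get_next_ino() continues outside the hunk.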
48245 diff -urNp linux-2.6.39.3/fs/jbd/checkpoint.c linux-2.6.39.3/fs/jbd/checkpoint.c
48246 --- linux-2.6.39.3/fs/jbd/checkpoint.c 2011-05-19 00:06:34.000000000 -0400
48247 +++ linux-2.6.39.3/fs/jbd/checkpoint.c 2011-05-22 19:36:32.000000000 -0400
48248 @@ -350,6 +350,8 @@ int log_do_checkpoint(journal_t *journal
48249 tid_t this_tid;
48250 int result;
48251
48252 + pax_track_stack();
48253 +
48254 jbd_debug(1, "Start checkpoint\n");
48255
48256 /*
48257 diff -urNp linux-2.6.39.3/fs/jffs2/compr_rtime.c linux-2.6.39.3/fs/jffs2/compr_rtime.c
48258 --- linux-2.6.39.3/fs/jffs2/compr_rtime.c 2011-05-19 00:06:34.000000000 -0400
48259 +++ linux-2.6.39.3/fs/jffs2/compr_rtime.c 2011-05-22 19:36:32.000000000 -0400
48260 @@ -37,6 +37,8 @@ static int jffs2_rtime_compress(unsigned
48261 int outpos = 0;
48262 int pos=0;
48263
48264 + pax_track_stack();
48265 +
48266 memset(positions,0,sizeof(positions));
48267
48268 while (pos < (*sourcelen) && outpos <= (*dstlen)-2) {
48269 @@ -78,6 +80,8 @@ static int jffs2_rtime_decompress(unsign
48270 int outpos = 0;
48271 int pos=0;
48272
48273 + pax_track_stack();
48274 +
48275 memset(positions,0,sizeof(positions));
48276
48277 while (outpos<destlen) {
48278 diff -urNp linux-2.6.39.3/fs/jffs2/compr_rubin.c linux-2.6.39.3/fs/jffs2/compr_rubin.c
48279 --- linux-2.6.39.3/fs/jffs2/compr_rubin.c 2011-05-19 00:06:34.000000000 -0400
48280 +++ linux-2.6.39.3/fs/jffs2/compr_rubin.c 2011-05-22 19:36:32.000000000 -0400
48281 @@ -314,6 +314,8 @@ static int jffs2_dynrubin_compress(unsig
48282 int ret;
48283 uint32_t mysrclen, mydstlen;
48284
48285 + pax_track_stack();
48286 +
48287 mysrclen = *sourcelen;
48288 mydstlen = *dstlen - 8;
48289
48290 diff -urNp linux-2.6.39.3/fs/jffs2/erase.c linux-2.6.39.3/fs/jffs2/erase.c
48291 --- linux-2.6.39.3/fs/jffs2/erase.c 2011-05-19 00:06:34.000000000 -0400
48292 +++ linux-2.6.39.3/fs/jffs2/erase.c 2011-05-22 19:36:32.000000000 -0400
48293 @@ -439,7 +439,8 @@ static void jffs2_mark_erased_block(stru
48294 struct jffs2_unknown_node marker = {
48295 .magic = cpu_to_je16(JFFS2_MAGIC_BITMASK),
48296 .nodetype = cpu_to_je16(JFFS2_NODETYPE_CLEANMARKER),
48297 - .totlen = cpu_to_je32(c->cleanmarker_size)
48298 + .totlen = cpu_to_je32(c->cleanmarker_size),
48299 + .hdr_crc = cpu_to_je32(0)
48300 };
48301
48302 jffs2_prealloc_raw_node_refs(c, jeb, 1);
48303 diff -urNp linux-2.6.39.3/fs/jffs2/wbuf.c linux-2.6.39.3/fs/jffs2/wbuf.c
48304 --- linux-2.6.39.3/fs/jffs2/wbuf.c 2011-05-19 00:06:34.000000000 -0400
48305 +++ linux-2.6.39.3/fs/jffs2/wbuf.c 2011-05-22 19:36:32.000000000 -0400
48306 @@ -1012,7 +1012,8 @@ static const struct jffs2_unknown_node o
48307 {
48308 .magic = constant_cpu_to_je16(JFFS2_MAGIC_BITMASK),
48309 .nodetype = constant_cpu_to_je16(JFFS2_NODETYPE_CLEANMARKER),
48310 - .totlen = constant_cpu_to_je32(8)
48311 + .totlen = constant_cpu_to_je32(8),
48312 + .hdr_crc = constant_cpu_to_je32(0)
48313 };
48314
48315 /*
48316 diff -urNp linux-2.6.39.3/fs/jffs2/xattr.c linux-2.6.39.3/fs/jffs2/xattr.c
48317 --- linux-2.6.39.3/fs/jffs2/xattr.c 2011-05-19 00:06:34.000000000 -0400
48318 +++ linux-2.6.39.3/fs/jffs2/xattr.c 2011-05-22 19:36:32.000000000 -0400
48319 @@ -773,6 +773,8 @@ void jffs2_build_xattr_subsystem(struct
48320
48321 BUG_ON(!(c->flags & JFFS2_SB_FLAG_BUILDING));
48322
48323 + pax_track_stack();
48324 +
48325 /* Phase.1 : Merge same xref */
48326 for (i=0; i < XREF_TMPHASH_SIZE; i++)
48327 xref_tmphash[i] = NULL;
48328 diff -urNp linux-2.6.39.3/fs/jfs/super.c linux-2.6.39.3/fs/jfs/super.c
48329 --- linux-2.6.39.3/fs/jfs/super.c 2011-05-19 00:06:34.000000000 -0400
48330 +++ linux-2.6.39.3/fs/jfs/super.c 2011-06-07 18:07:24.000000000 -0400
48331 @@ -803,7 +803,7 @@ static int __init init_jfs_fs(void)
48332
48333 jfs_inode_cachep =
48334 kmem_cache_create("jfs_ip", sizeof(struct jfs_inode_info), 0,
48335 - SLAB_RECLAIM_ACCOUNT|SLAB_MEM_SPREAD,
48336 + SLAB_RECLAIM_ACCOUNT|SLAB_MEM_SPREAD|SLAB_USERCOPY,
48337 init_once);
48338 if (jfs_inode_cachep == NULL)
48339 return -ENOMEM;
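Review bot: `SLAB_USERCOPY` is added to the whole `jfs_ip` cache with no note on which part of `struct jfs_inode_info` is actually copied to or from user space. Presumably the flag whitelists every object in the cache for usercopy, so the exemption is wider than the one field that needs it. A comment above the `kmem_cache_create()` call naming that member (not visible here, so to be confirmed) would let a later reader judge whether the flag can be narrowed or dropped.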
48340 diff -urNp linux-2.6.39.3/fs/Kconfig.binfmt linux-2.6.39.3/fs/Kconfig.binfmt
48341 --- linux-2.6.39.3/fs/Kconfig.binfmt 2011-05-19 00:06:34.000000000 -0400
48342 +++ linux-2.6.39.3/fs/Kconfig.binfmt 2011-05-22 19:36:32.000000000 -0400
48343 @@ -86,7 +86,7 @@ config HAVE_AOUT
48344
48345 config BINFMT_AOUT
48346 tristate "Kernel support for a.out and ECOFF binaries"
48347 - depends on HAVE_AOUT
48348 + depends on HAVE_AOUT && BROKEN
48349 ---help---
48350 A.out (Assembler.OUTput) is a set of formats for libraries and
48351 executables used in the earliest versions of UNIX. Linux used
48352 diff -urNp linux-2.6.39.3/fs/libfs.c linux-2.6.39.3/fs/libfs.c
48353 --- linux-2.6.39.3/fs/libfs.c 2011-05-19 00:06:34.000000000 -0400
48354 +++ linux-2.6.39.3/fs/libfs.c 2011-05-22 19:36:32.000000000 -0400
48355 @@ -163,6 +163,9 @@ int dcache_readdir(struct file * filp, v
48356
48357 for (p=q->next; p != &dentry->d_subdirs; p=p->next) {
48358 struct dentry *next;
48359 + char d_name[sizeof(next->d_iname)];
48360 + const unsigned char *name;
48361 +
48362 next = list_entry(p, struct dentry, d_u.d_child);
48363 spin_lock_nested(&next->d_lock, DENTRY_D_LOCK_NESTED);
48364 if (!simple_positive(next)) {
48365 @@ -172,7 +175,12 @@ int dcache_readdir(struct file * filp, v
48366
48367 spin_unlock(&next->d_lock);
48368 spin_unlock(&dentry->d_lock);
48369 - if (filldir(dirent, next->d_name.name,
48370 + name = next->d_name.name;
48371 + if (name == next->d_iname) {
48372 + memcpy(d_name, name, next->d_name.len);
48373 + name = d_name;
48374 + }
48375 + if (filldir(dirent, name,
48376 next->d_name.len, filp->f_pos,
48377 next->d_inode->i_ino,
48378 dt_type(next->d_inode)) < 0)
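Review bot: The stack copy of the inline name is taken after `spin_unlock(&next->d_lock)`, so `name`, the `memcpy` length and the length passed to `filldir` are separate unlocked reads of `next->d_name`. The pre-patch code also read the name unlocked, but a bounce buffer is only a stable snapshot if it is filled before the unlock; if a concurrent rename is possible here, read `next->d_name.len` once into a local and do the `memcpy` above the unlock. The reason for the copy is undocumented as well, presumably so `filldir` is not given a pointer into the dentry object itself, and it deserves a one-line comment next to `char d_name[sizeof(next->d_iname)]`. dcache_readdir() extends beyond the hunk.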
48379 diff -urNp linux-2.6.39.3/fs/lockd/clntproc.c linux-2.6.39.3/fs/lockd/clntproc.c
48380 --- linux-2.6.39.3/fs/lockd/clntproc.c 2011-07-09 09:18:51.000000000 -0400
48381 +++ linux-2.6.39.3/fs/lockd/clntproc.c 2011-07-09 09:19:18.000000000 -0400
48382 @@ -36,11 +36,11 @@ static const struct rpc_call_ops nlmclnt
48383 /*
48384 * Cookie counter for NLM requests
48385 */
48386 -static atomic_t nlm_cookie = ATOMIC_INIT(0x1234);
48387 +static atomic_unchecked_t nlm_cookie = ATOMIC_INIT(0x1234);
48388
48389 void nlmclnt_next_cookie(struct nlm_cookie *c)
48390 {
48391 - u32 cookie = atomic_inc_return(&nlm_cookie);
48392 + u32 cookie = atomic_inc_return_unchecked(&nlm_cookie);
48393
48394 memcpy(c->data, &cookie, 4);
48395 c->len=4;
48396 @@ -620,6 +620,8 @@ nlmclnt_reclaim(struct nlm_host *host, s
48397 struct nlm_rqst reqst, *req;
48398 int status;
48399
48400 + pax_track_stack();
48401 +
48402 req = &reqst;
48403 memset(req, 0, sizeof(*req));
48404 locks_init_lock(&req->a_args.lock.fl);
48405 diff -urNp linux-2.6.39.3/fs/lockd/svc.c linux-2.6.39.3/fs/lockd/svc.c
48406 --- linux-2.6.39.3/fs/lockd/svc.c 2011-05-19 00:06:34.000000000 -0400
48407 +++ linux-2.6.39.3/fs/lockd/svc.c 2011-05-22 19:36:32.000000000 -0400
48408 @@ -41,7 +41,7 @@
48409
48410 static struct svc_program nlmsvc_program;
48411
48412 -struct nlmsvc_binding * nlmsvc_ops;
48413 +const struct nlmsvc_binding * nlmsvc_ops;
48414 EXPORT_SYMBOL_GPL(nlmsvc_ops);
48415
48416 static DEFINE_MUTEX(nlmsvc_mutex);
48417 diff -urNp linux-2.6.39.3/fs/locks.c linux-2.6.39.3/fs/locks.c
48418 --- linux-2.6.39.3/fs/locks.c 2011-07-09 09:18:51.000000000 -0400
48419 +++ linux-2.6.39.3/fs/locks.c 2011-07-06 19:44:53.000000000 -0400
48420 @@ -2043,16 +2043,16 @@ void locks_remove_flock(struct file *fil
48421 return;
48422
48423 if (filp->f_op && filp->f_op->flock) {
48424 - struct file_lock fl = {
48425 + struct file_lock flock = {
48426 .fl_pid = current->tgid,
48427 .fl_file = filp,
48428 .fl_flags = FL_FLOCK,
48429 .fl_type = F_UNLCK,
48430 .fl_end = OFFSET_MAX,
48431 };
48432 - filp->f_op->flock(filp, F_SETLKW, &fl);
48433 - if (fl.fl_ops && fl.fl_ops->fl_release_private)
48434 - fl.fl_ops->fl_release_private(&fl);
48435 + filp->f_op->flock(filp, F_SETLKW, &flock);
48436 + if (flock.fl_ops && flock.fl_ops->fl_release_private)
48437 + flock.fl_ops->fl_release_private(&flock);
48438 }
48439
48440 lock_flocks();
48441 diff -urNp linux-2.6.39.3/fs/logfs/super.c linux-2.6.39.3/fs/logfs/super.c
48442 --- linux-2.6.39.3/fs/logfs/super.c 2011-05-19 00:06:34.000000000 -0400
48443 +++ linux-2.6.39.3/fs/logfs/super.c 2011-05-22 19:36:32.000000000 -0400
48444 @@ -266,6 +266,8 @@ static int logfs_recover_sb(struct super
48445 struct logfs_disk_super _ds1, *ds1 = &_ds1;
48446 int err, valid0, valid1;
48447
48448 + pax_track_stack();
48449 +
48450 /* read first superblock */
48451 err = wbuf_read(sb, super->s_sb_ofs[0], sizeof(*ds0), ds0);
48452 if (err)
48453 diff -urNp linux-2.6.39.3/fs/namei.c linux-2.6.39.3/fs/namei.c
48454 --- linux-2.6.39.3/fs/namei.c 2011-06-03 00:04:14.000000000 -0400
48455 +++ linux-2.6.39.3/fs/namei.c 2011-06-03 00:32:07.000000000 -0400
48456 @@ -237,20 +237,30 @@ int generic_permission(struct inode *ino
48457 return ret;
48458
48459 /*
48460 - * Read/write DACs are always overridable.
48461 - * Executable DACs are overridable if at least one exec bit is set.
48462 + * Searching includes executable on directories, else just read.
48463 */
48464 - if (!(mask & MAY_EXEC) || execute_ok(inode))
48465 - if (ns_capable(inode_userns(inode), CAP_DAC_OVERRIDE))
48466 + mask &= MAY_READ | MAY_WRITE | MAY_EXEC;
48467 + if (mask == MAY_READ || (S_ISDIR(inode->i_mode) && !(mask & MAY_WRITE))) {
48468 +#ifdef CONFIG_GRKERNSEC
48469 + if (flags & IPERM_FLAG_RCU)
48470 + return -ECHILD;
48471 +#endif
48472 + if (ns_capable(inode_userns(inode), CAP_DAC_READ_SEARCH))
48473 return 0;
48474 + }
48475
48476 /*
48477 - * Searching includes executable on directories, else just read.
48478 + * Read/write DACs are always overridable.
48479 + * Executable DACs are overridable if at least one exec bit is set.
48480 */
48481 - mask &= MAY_READ | MAY_WRITE | MAY_EXEC;
48482 - if (mask == MAY_READ || (S_ISDIR(inode->i_mode) && !(mask & MAY_WRITE)))
48483 - if (ns_capable(inode_userns(inode), CAP_DAC_READ_SEARCH))
48484 + if (!(mask & MAY_EXEC) || execute_ok(inode)) {
48485 +#ifdef CONFIG_GRKERNSEC
48486 + if (flags & IPERM_FLAG_RCU)
48487 + return -ECHILD;
48488 +#endif
48489 + if (ns_capable(inode_userns(inode), CAP_DAC_OVERRIDE))
48490 return 0;
48491 + }
48492
48493 return -EACCES;
48494 }
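Review bot: The two `#ifdef CONFIG_GRKERNSEC` blocks returning `-ECHILD` on `flags & IPERM_FLAG_RCU` are duplicated and unexplained, and the swap that now tests `CAP_DAC_READ_SEARCH` before `CAP_DAC_OVERRIDE` has no rationale in the comments either. Presumably the capability check can log or block under grsecurity and so must not run in RCU-walk, and the narrower capability is tried first so a task holding both is recorded as using the lesser one; please say so, e.g. `/* gr capability checks may log: leave RCU-walk first */`. With the option enabled, every DAC failure in RCU-walk now falls back to ref-walk whether or not the task holds either capability, which is worth stating too. The exec_permission() hunk below repeats the same block.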
48495 @@ -626,6 +636,9 @@ static inline int handle_reval_path(stru
48496 struct dentry *dentry = nd->path.dentry;
48497 int status;
48498
48499 + if (!(nd->flags & LOOKUP_PARENT) && !gr_acl_handle_hidden_file(nd->path.dentry, nd->path.mnt))
48500 + return -ENOENT;
48501 +
48502 if (likely(!(nd->flags & LOOKUP_JUMPED)))
48503 return 0;
48504
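Review bot: The added `return -ENOENT` exits after the walk has already populated `nd->path`, and nothing in the hunk drops that reference; unless the caller releases it on error (not visible here), the dentry and vfsmount references appear to leak each time a hidden file is refused. The do_path_lookup() hunk further down has the same shape: it returns `-ENOENT` inside `if (likely(!retval))`, i.e. after a successful lookup, so a caller that only calls `path_put()` on success would never release `nd->path`. I would write both as `path_put(&nd->path); return -ENOENT;` once the callers' cleanup convention is confirmed. handle_reval_path() continues outside the hunk.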
48505 @@ -671,9 +684,16 @@ static inline int exec_permission(struct
48506 if (ret == -ECHILD)
48507 return ret;
48508
48509 - if (ns_capable(ns, CAP_DAC_OVERRIDE) ||
48510 - ns_capable(ns, CAP_DAC_READ_SEARCH))
48511 + if (ns_capable_nolog(ns, CAP_DAC_OVERRIDE))
48512 goto ok;
48513 + else {
48514 +#ifdef CONFIG_GRKERNSEC
48515 + if (flags & IPERM_FLAG_RCU)
48516 + return -ECHILD;
48517 +#endif
48518 + if (ns_capable(ns, CAP_DAC_READ_SEARCH) || ns_capable(ns, CAP_DAC_OVERRIDE))
48519 + goto ok;
48520 + }
48521
48522 return ret;
48523 ok:
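Review bot: In the new `else` branch the operand `ns_capable(ns, CAP_DAC_OVERRIDE)` is evaluated only after `ns_capable_nolog(ns, CAP_DAC_OVERRIDE)` has just returned false for the same namespace, so it looks unable to succeed and seems to exist only for its logging side effect. If that is the intent, say so, e.g. `/* repeat the DAC_OVERRIDE test with logging so the denial is recorded */`; if not, drop the operand. The `else` after `goto ok;` is redundant and only adds a nesting level around the `#ifdef`. exec_permission() starts and ends outside the hunk.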
48524 @@ -781,11 +801,19 @@ follow_link(struct path *link, struct na
48525 return error;
48526 }
48527
48528 + if (gr_handle_follow_link(dentry->d_parent->d_inode,
48529 + dentry->d_inode, dentry, nd->path.mnt)) {
48530 + error = -EACCES;
48531 + *p = ERR_PTR(error); /* no ->put_link(), please */
48532 + path_put(&nd->path);
48533 + return error;
48534 + }
48535 +
48536 nd->last_type = LAST_BIND;
48537 *p = dentry->d_inode->i_op->follow_link(dentry, nd);
48538 error = PTR_ERR(*p);
48539 if (!IS_ERR(*p)) {
48540 - char *s = nd_get_link(nd);
48541 + const char *s = nd_get_link(nd);
48542 error = 0;
48543 if (s)
48544 error = __vfs_follow_link(nd, s);
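Review bot: `dentry->d_parent->d_inode` in the new gr_handle_follow_link() call is read with no lock or extra reference visible in the hunk, and `d_parent` can change under a concurrent rename. If nothing outside the hunk pins the parent, taking it with `dget_parent(dentry)` and releasing it with `dput()` after the check gives the hook a stable pointer. follow_link() starts and ends outside the hunk, so the surrounding locking needs checking before changing this.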
48545 @@ -1697,6 +1725,9 @@ static int do_path_lookup(int dfd, const
48546 retval = path_lookupat(dfd, name, flags | LOOKUP_REVAL, nd);
48547
48548 if (likely(!retval)) {
48549 + if (*name != '/' && nd->path.dentry && nd->inode && !gr_chroot_fchdir(nd->path.dentry, nd->path.mnt))
48550 + return -ENOENT;
48551 +
48552 if (unlikely(!audit_dummy_context())) {
48553 if (nd->path.dentry && nd->inode)
48554 audit_inode(name, nd->path.dentry);
48555 @@ -2007,6 +2038,30 @@ int vfs_create(struct inode *dir, struct
48556 return error;
48557 }
48558
48559 +/*
48560 + * Note that while the flag value (low two bits) for sys_open means:
48561 + * 00 - read-only
48562 + * 01 - write-only
48563 + * 10 - read-write
48564 + * 11 - special
48565 + * it is changed into
48566 + * 00 - no permissions needed
48567 + * 01 - read-permission
48568 + * 10 - write-permission
48569 + * 11 - read-write
48570 + * for the internal routines (ie open_namei()/follow_link() etc)
48571 + * This is more logical, and also allows the 00 "no perm needed"
48572 + * to be used for symlinks (where the permissions are checked
48573 + * later).
48574 + *
48575 +*/
48576 +static inline int open_to_namei_flags(int flag)
48577 +{
48578 + if ((flag+1) & O_ACCMODE)
48579 + flag++;
48580 + return flag;
48581 +}
48582 +
48583 static int may_open(struct path *path, int acc_mode, int flag)
48584 {
48585 struct dentry *dentry = path->dentry;
48586 @@ -2059,7 +2114,27 @@ static int may_open(struct path *path, i
48587 /*
48588 * Ensure there are no outstanding leases on the file.
48589 */
48590 - return break_lease(inode, flag);
48591 + error = break_lease(inode, flag);
48592 +
48593 + if (error)
48594 + return error;
48595 +
48596 + if (gr_handle_rofs_blockwrite(dentry, path->mnt, acc_mode)) {
48597 + error = -EPERM;
48598 + goto exit;
48599 + }
48600 +
48601 + if (gr_handle_rawio(inode)) {
48602 + error = -EPERM;
48603 + goto exit;
48604 + }
48605 +
48606 + if (!gr_acl_handle_open(dentry, path->mnt, open_to_namei_flags(flag))) {
48607 + error = -EACCES;
48608 + goto exit;
48609 + }
48610 +exit:
48611 + return error;
48612 }
48613
48614 static int handle_truncate(struct file *filp)
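Review bot: The three grsecurity checks run only after `break_lease(inode, flag)` has succeeded, so an open that is about to be refused with -EPERM or -EACCES has already broken other holders' leases on the file. Running the policy checks first and finishing with the lease break keeps a denied opener from disturbing lease holders. The `goto exit` / `exit:` pair can go as well, since nothing is cleaned up at the label. This assumes none of the gr_* hooks relies on the lease already being broken, which is not visible here; may_open() starts outside the hunk.

```c
	/* … unchanged: earlier checks in may_open … */

	if (gr_handle_rofs_blockwrite(dentry, path->mnt, acc_mode))
		return -EPERM;

	if (gr_handle_rawio(inode))
		return -EPERM;

	if (!gr_acl_handle_open(dentry, path->mnt, open_to_namei_flags(flag)))
		return -EACCES;

	/*
	 * Ensure there are no outstanding leases on the file.
	 */
	return break_lease(inode, flag);
```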
48615 @@ -2085,30 +2160,6 @@ static int handle_truncate(struct file *
48616 }
48617
48618 /*
48619 - * Note that while the flag value (low two bits) for sys_open means:
48620 - * 00 - read-only
48621 - * 01 - write-only
48622 - * 10 - read-write
48623 - * 11 - special
48624 - * it is changed into
48625 - * 00 - no permissions needed
48626 - * 01 - read-permission
48627 - * 10 - write-permission
48628 - * 11 - read-write
48629 - * for the internal routines (ie open_namei()/follow_link() etc)
48630 - * This is more logical, and also allows the 00 "no perm needed"
48631 - * to be used for symlinks (where the permissions are checked
48632 - * later).
48633 - *
48634 -*/
48635 -static inline int open_to_namei_flags(int flag)
48636 -{
48637 - if ((flag+1) & O_ACCMODE)
48638 - flag++;
48639 - return flag;
48640 -}
48641 -
48642 -/*
48643 * Handle the last step of open()
48644 */
48645 static struct file *do_last(struct nameidata *nd, struct path *path,
48646 @@ -2117,6 +2168,7 @@ static struct file *do_last(struct namei
48647 struct dentry *dir = nd->path.dentry;
48648 struct dentry *dentry;
48649 int open_flag = op->open_flag;
48650 + int flag = open_to_namei_flags(open_flag);
48651 int will_truncate = open_flag & O_TRUNC;
48652 int want_write = 0;
48653 int acc_mode = op->acc_mode;
48654 @@ -2212,6 +2264,12 @@ static struct file *do_last(struct namei
48655 /* Negative dentry, just create the file */
48656 if (!dentry->d_inode) {
48657 int mode = op->mode;
48658 +
48659 + if (!gr_acl_handle_creat(path->dentry, nd->path.dentry, path->mnt, flag, mode)) {
48660 + error = -EACCES;
48661 + goto exit_mutex_unlock;
48662 + }
48663 +
48664 if (!IS_POSIXACL(dir->d_inode))
48665 mode &= ~current_umask();
48666 /*
48667 @@ -2235,6 +2293,8 @@ static struct file *do_last(struct namei
48668 error = vfs_create(dir->d_inode, dentry, mode, nd);
48669 if (error)
48670 goto exit_mutex_unlock;
48671 + else
48672 + gr_handle_create(path->dentry, path->mnt);
48673 mutex_unlock(&dir->d_inode->i_mutex);
48674 dput(nd->path.dentry);
48675 nd->path.dentry = dentry;
48676 @@ -2244,6 +2304,14 @@ static struct file *do_last(struct namei
48677 /*
48678 * It already exists.
48679 */
48680 +
48681 + /* only check if O_CREAT is specified, all other checks need to go
48682 + into may_open */
48683 + if (gr_handle_fifo(path->dentry, path->mnt, dir, flag, acc_mode)) {
48684 + error = -EACCES;
48685 + goto exit_mutex_unlock;
48686 + }
48687 +
48688 mutex_unlock(&dir->d_inode->i_mutex);
48689 audit_inode(pathname, path->dentry);
48690
48691 @@ -2530,6 +2598,17 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const
48692 error = may_mknod(mode);
48693 if (error)
48694 goto out_dput;
48695 +
48696 + if (gr_handle_chroot_mknod(dentry, nd.path.mnt, mode)) {
48697 + error = -EPERM;
48698 + goto out_dput;
48699 + }
48700 +
48701 + if (!gr_acl_handle_mknod(dentry, nd.path.dentry, nd.path.mnt, mode)) {
48702 + error = -EACCES;
48703 + goto out_dput;
48704 + }
48705 +
48706 error = mnt_want_write(nd.path.mnt);
48707 if (error)
48708 goto out_dput;
48709 @@ -2550,6 +2629,9 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const
48710 }
48711 out_drop_write:
48712 mnt_drop_write(nd.path.mnt);
48713 +
48714 + if (!error)
48715 + gr_handle_create(dentry, nd.path.mnt);
48716 out_dput:
48717 dput(dentry);
48718 out_unlock:
48719 @@ -2602,6 +2684,11 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const
48720 if (IS_ERR(dentry))
48721 goto out_unlock;
48722
48723 + if (!gr_acl_handle_mkdir(dentry, nd.path.dentry, nd.path.mnt)) {
48724 + error = -EACCES;
48725 + goto out_dput;
48726 + }
48727 +
48728 if (!IS_POSIXACL(nd.path.dentry->d_inode))
48729 mode &= ~current_umask();
48730 error = mnt_want_write(nd.path.mnt);
48731 @@ -2613,6 +2700,10 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const
48732 error = vfs_mkdir(nd.path.dentry->d_inode, dentry, mode);
48733 out_drop_write:
48734 mnt_drop_write(nd.path.mnt);
48735 +
48736 + if (!error)
48737 + gr_handle_create(dentry, nd.path.mnt);
48738 +
48739 out_dput:
48740 dput(dentry);
48741 out_unlock:
48742 @@ -2692,6 +2783,8 @@ static long do_rmdir(int dfd, const char
48743 char * name;
48744 struct dentry *dentry;
48745 struct nameidata nd;
48746 + ino_t saved_ino = 0;
48747 + dev_t saved_dev = 0;
48748
48749 error = user_path_parent(dfd, pathname, &nd, &name);
48750 if (error)
48751 @@ -2716,6 +2809,19 @@ static long do_rmdir(int dfd, const char
48752 error = PTR_ERR(dentry);
48753 if (IS_ERR(dentry))
48754 goto exit2;
48755 +
48756 + if (dentry->d_inode != NULL) {
48757 + if (dentry->d_inode->i_nlink <= 1) {
48758 + saved_ino = dentry->d_inode->i_ino;
48759 + saved_dev = gr_get_dev_from_dentry(dentry);
48760 + }
48761 +
48762 + if (!gr_acl_handle_rmdir(dentry, nd.path.mnt)) {
48763 + error = -EACCES;
48764 + goto exit3;
48765 + }
48766 + }
48767 +
48768 error = mnt_want_write(nd.path.mnt);
48769 if (error)
48770 goto exit3;
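Review bot: `saved_ino` and `saved_dev` are recorded only when `dentry->d_inode->i_nlink <= 1`, a test that fits unlink but probably not directories. On filesystems that count the `.` entry an empty directory has a link count of 2, so the `gr_handle_delete()` call added in the next hunk would never run for them. If the hook is meant to fire for every removed directory, drop the `if (dentry->d_inode->i_nlink <= 1)` guard and capture the pair unconditionally. The use of 0 as the "nothing saved" sentinel in `saved_dev || saved_ino` also deserves a comment; do_rmdir() continues outside the hunk.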
48771 @@ -2723,6 +2829,8 @@ static long do_rmdir(int dfd, const char
48772 if (error)
48773 goto exit4;
48774 error = vfs_rmdir(nd.path.dentry->d_inode, dentry);
48775 + if (!error && (saved_dev || saved_ino))
48776 + gr_handle_delete(saved_ino, saved_dev);
48777 exit4:
48778 mnt_drop_write(nd.path.mnt);
48779 exit3:
48780 @@ -2785,6 +2893,8 @@ static long do_unlinkat(int dfd, const c
48781 struct dentry *dentry;
48782 struct nameidata nd;
48783 struct inode *inode = NULL;
48784 + ino_t saved_ino = 0;
48785 + dev_t saved_dev = 0;
48786
48787 error = user_path_parent(dfd, pathname, &nd, &name);
48788 if (error)
48789 @@ -2804,8 +2914,17 @@ static long do_unlinkat(int dfd, const c
48790 if (nd.last.name[nd.last.len])
48791 goto slashes;
48792 inode = dentry->d_inode;
48793 - if (inode)
48794 + if (inode) {
48795 ihold(inode);
48796 + if (inode->i_nlink <= 1) {
48797 + saved_ino = inode->i_ino;
48798 + saved_dev = gr_get_dev_from_dentry(dentry);
48799 + }
48800 + if (!gr_acl_handle_unlink(dentry, nd.path.mnt)) {
48801 + error = -EACCES;
48802 + goto exit2;
48803 + }
48804 + }
48805 error = mnt_want_write(nd.path.mnt);
48806 if (error)
48807 goto exit2;
48808 @@ -2813,6 +2932,8 @@ static long do_unlinkat(int dfd, const c
48809 if (error)
48810 goto exit3;
48811 error = vfs_unlink(nd.path.dentry->d_inode, dentry);
48812 + if (!error && (saved_ino || saved_dev))
48813 + gr_handle_delete(saved_ino, saved_dev);
48814 exit3:
48815 mnt_drop_write(nd.path.mnt);
48816 exit2:
48817 @@ -2890,6 +3011,11 @@ SYSCALL_DEFINE3(symlinkat, const char __
48818 if (IS_ERR(dentry))
48819 goto out_unlock;
48820
48821 + if (!gr_acl_handle_symlink(dentry, nd.path.dentry, nd.path.mnt, from)) {
48822 + error = -EACCES;
48823 + goto out_dput;
48824 + }
48825 +
48826 error = mnt_want_write(nd.path.mnt);
48827 if (error)
48828 goto out_dput;
48829 @@ -2897,6 +3023,8 @@ SYSCALL_DEFINE3(symlinkat, const char __
48830 if (error)
48831 goto out_drop_write;
48832 error = vfs_symlink(nd.path.dentry->d_inode, dentry, from);
48833 + if (!error)
48834 + gr_handle_create(dentry, nd.path.mnt);
48835 out_drop_write:
48836 mnt_drop_write(nd.path.mnt);
48837 out_dput:
48838 @@ -3005,6 +3133,20 @@ SYSCALL_DEFINE5(linkat, int, olddfd, con
48839 error = PTR_ERR(new_dentry);
48840 if (IS_ERR(new_dentry))
48841 goto out_unlock;
48842 +
48843 + if (gr_handle_hardlink(old_path.dentry, old_path.mnt,
48844 + old_path.dentry->d_inode,
48845 + old_path.dentry->d_inode->i_mode, to)) {
48846 + error = -EACCES;
48847 + goto out_dput;
48848 + }
48849 +
48850 + if (!gr_acl_handle_link(new_dentry, nd.path.dentry, nd.path.mnt,
48851 + old_path.dentry, old_path.mnt, to)) {
48852 + error = -EACCES;
48853 + goto out_dput;
48854 + }
48855 +
48856 error = mnt_want_write(nd.path.mnt);
48857 if (error)
48858 goto out_dput;
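Review bot: The two added checks sit side by side with opposite return conventions: `gr_handle_hardlink(...)` denies on a non-zero result, while `gr_acl_handle_link(...)` denies on zero. The renameat hunk further down uses a third form, where `gr_acl_handle_rename` returns the errno itself. Nothing at the call sites documents the polarity, so a stray or missing `!` would invert the decision without any compile-time signal. A one-line comment above each call, such as `/* non-zero: deny */` and `/* zero: deny */`, would make this reviewable; the same applies to the gr_acl_handle_* / gr_handle_chroot_* pairs in the fs/open.c hunks. The linkat body continues outside this hunk.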
48859 @@ -3012,6 +3154,8 @@ SYSCALL_DEFINE5(linkat, int, olddfd, con
48860 if (error)
48861 goto out_drop_write;
48862 error = vfs_link(old_path.dentry, nd.path.dentry->d_inode, new_dentry);
48863 + if (!error)
48864 + gr_handle_create(new_dentry, nd.path.mnt);
48865 out_drop_write:
48866 mnt_drop_write(nd.path.mnt);
48867 out_dput:
48868 @@ -3189,6 +3333,8 @@ SYSCALL_DEFINE4(renameat, int, olddfd, c
48869 char *to;
48870 int error;
48871
48872 + pax_track_stack();
48873 +
48874 error = user_path_parent(olddfd, oldname, &oldnd, &from);
48875 if (error)
48876 goto exit;
48877 @@ -3245,6 +3391,12 @@ SYSCALL_DEFINE4(renameat, int, olddfd, c
48878 if (new_dentry == trap)
48879 goto exit5;
48880
48881 + error = gr_acl_handle_rename(new_dentry, new_dir, newnd.path.mnt,
48882 + old_dentry, old_dir->d_inode, oldnd.path.mnt,
48883 + to);
48884 + if (error)
48885 + goto exit5;
48886 +
48887 error = mnt_want_write(oldnd.path.mnt);
48888 if (error)
48889 goto exit5;
48890 @@ -3254,6 +3406,9 @@ SYSCALL_DEFINE4(renameat, int, olddfd, c
48891 goto exit6;
48892 error = vfs_rename(old_dir->d_inode, old_dentry,
48893 new_dir->d_inode, new_dentry);
48894 + if (!error)
48895 + gr_handle_rename(old_dir->d_inode, new_dir->d_inode, old_dentry,
48896 + new_dentry, oldnd.path.mnt, new_dentry->d_inode ? 1 : 0);
48897 exit6:
48898 mnt_drop_write(oldnd.path.mnt);
48899 exit5:
48900 @@ -3279,6 +3434,8 @@ SYSCALL_DEFINE2(rename, const char __use
48901
48902 int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const char *link)
48903 {
48904 + char tmpbuf[64];
48905 + const char *newlink;
48906 int len;
48907
48908 len = PTR_ERR(link);
48909 @@ -3288,7 +3445,14 @@ int vfs_readlink(struct dentry *dentry,
48910 len = strlen(link);
48911 if (len > (unsigned) buflen)
48912 len = buflen;
48913 - if (copy_to_user(buffer, link, len))
48914 +
48915 + if (len < sizeof(tmpbuf)) {
48916 + memcpy(tmpbuf, link, len);
48917 + newlink = tmpbuf;
48918 + } else
48919 + newlink = link;
48920 +
48921 + if (copy_to_user(buffer, newlink, len))
48922 len = -EFAULT;
48923 out:
48924 return len;
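Review bot: `len < sizeof(tmpbuf)` compares the signed `int len` with a `size_t`, so it is only correct while `len` is non-negative. That appears to hold on the visible path, since `len` comes from `strlen(link)`, but writing `len >= 0 && (size_t)len < sizeof(tmpbuf)` would state the assumption in the code. The reason for bouncing short link targets through the 64-byte stack buffer is also undocumented. Presumably it keeps `copy_to_user()` from reading directly out of the object that stores `link`; confirm that and add a comment such as `/* copy short targets from a stack bounce buffer, not from the object holding link */`. The declarations of `tmpbuf` and `newlink` are in the previous hunk.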
48925 diff -urNp linux-2.6.39.3/fs/namespace.c linux-2.6.39.3/fs/namespace.c
48926 --- linux-2.6.39.3/fs/namespace.c 2011-05-19 00:06:34.000000000 -0400
48927 +++ linux-2.6.39.3/fs/namespace.c 2011-05-22 20:43:58.000000000 -0400
48928 @@ -1328,6 +1328,9 @@ static int do_umount(struct vfsmount *mn
48929 if (!(sb->s_flags & MS_RDONLY))
48930 retval = do_remount_sb(sb, MS_RDONLY, NULL, 0);
48931 up_write(&sb->s_umount);
48932 +
48933 + gr_log_remount(mnt->mnt_devname, retval);
48934 +
48935 return retval;
48936 }
48937
48938 @@ -1347,6 +1350,9 @@ static int do_umount(struct vfsmount *mn
48939 br_write_unlock(vfsmount_lock);
48940 up_write(&namespace_sem);
48941 release_mounts(&umount_list);
48942 +
48943 + gr_log_unmount(mnt->mnt_devname, retval);
48944 +
48945 return retval;
48946 }
48947
48948 @@ -2338,6 +2344,16 @@ long do_mount(char *dev_name, char *dir_
48949 MS_NOATIME | MS_NODIRATIME | MS_RELATIME| MS_KERNMOUNT |
48950 MS_STRICTATIME);
48951
48952 + if (gr_handle_rofs_mount(path.dentry, path.mnt, mnt_flags)) {
48953 + retval = -EPERM;
48954 + goto dput_out;
48955 + }
48956 +
48957 + if (gr_handle_chroot_mount(path.dentry, path.mnt, dev_name)) {
48958 + retval = -EPERM;
48959 + goto dput_out;
48960 + }
48961 +
48962 if (flags & MS_REMOUNT)
48963 retval = do_remount(&path, flags & ~MS_REMOUNT, mnt_flags,
48964 data_page);
48965 @@ -2352,6 +2368,9 @@ long do_mount(char *dev_name, char *dir_
48966 dev_name, data_page);
48967 dput_out:
48968 path_put(&path);
48969 +
48970 + gr_log_mount(dev_name, dir_name, retval);
48971 +
48972 return retval;
48973 }
48974
48975 @@ -2575,6 +2594,11 @@ SYSCALL_DEFINE2(pivot_root, const char _
48976 if (error)
48977 goto out2;
48978
48979 + if (gr_handle_chroot_pivot()) {
48980 + error = -EPERM;
48981 + goto out2;
48982 + }
48983 +
48984 get_fs_root(current->fs, &root);
48985 error = lock_mount(&old);
48986 if (error)
48987 diff -urNp linux-2.6.39.3/fs/ncpfs/dir.c linux-2.6.39.3/fs/ncpfs/dir.c
48988 --- linux-2.6.39.3/fs/ncpfs/dir.c 2011-05-19 00:06:34.000000000 -0400
48989 +++ linux-2.6.39.3/fs/ncpfs/dir.c 2011-05-22 19:36:32.000000000 -0400
48990 @@ -299,6 +299,8 @@ ncp_lookup_validate(struct dentry *dentr
48991 int res, val = 0, len;
48992 __u8 __name[NCP_MAXPATHLEN + 1];
48993
48994 + pax_track_stack();
48995 +
48996 if (dentry == dentry->d_sb->s_root)
48997 return 1;
48998
48999 @@ -844,6 +846,8 @@ static struct dentry *ncp_lookup(struct
49000 int error, res, len;
49001 __u8 __name[NCP_MAXPATHLEN + 1];
49002
49003 + pax_track_stack();
49004 +
49005 error = -EIO;
49006 if (!ncp_conn_valid(server))
49007 goto finished;
49008 @@ -931,6 +935,8 @@ int ncp_create_new(struct inode *dir, st
49009 PPRINTK("ncp_create_new: creating %s/%s, mode=%x\n",
49010 dentry->d_parent->d_name.name, dentry->d_name.name, mode);
49011
49012 + pax_track_stack();
49013 +
49014 ncp_age_dentry(server, dentry);
49015 len = sizeof(__name);
49016 error = ncp_io2vol(server, __name, &len, dentry->d_name.name,
49017 @@ -992,6 +998,8 @@ static int ncp_mkdir(struct inode *dir,
49018 int error, len;
49019 __u8 __name[NCP_MAXPATHLEN + 1];
49020
49021 + pax_track_stack();
49022 +
49023 DPRINTK("ncp_mkdir: making %s/%s\n",
49024 dentry->d_parent->d_name.name, dentry->d_name.name);
49025
49026 @@ -1135,6 +1143,8 @@ static int ncp_rename(struct inode *old_
49027 int old_len, new_len;
49028 __u8 __old_name[NCP_MAXPATHLEN + 1], __new_name[NCP_MAXPATHLEN + 1];
49029
49030 + pax_track_stack();
49031 +
49032 DPRINTK("ncp_rename: %s/%s to %s/%s\n",
49033 old_dentry->d_parent->d_name.name, old_dentry->d_name.name,
49034 new_dentry->d_parent->d_name.name, new_dentry->d_name.name);
49035 diff -urNp linux-2.6.39.3/fs/ncpfs/inode.c linux-2.6.39.3/fs/ncpfs/inode.c
49036 --- linux-2.6.39.3/fs/ncpfs/inode.c 2011-05-19 00:06:34.000000000 -0400
49037 +++ linux-2.6.39.3/fs/ncpfs/inode.c 2011-05-22 19:36:32.000000000 -0400
49038 @@ -461,6 +461,8 @@ static int ncp_fill_super(struct super_b
49039 #endif
49040 struct ncp_entry_info finfo;
49041
49042 + pax_track_stack();
49043 +
49044 data.wdog_pid = NULL;
49045 server = kzalloc(sizeof(struct ncp_server), GFP_KERNEL);
49046 if (!server)
49047 diff -urNp linux-2.6.39.3/fs/nfs/inode.c linux-2.6.39.3/fs/nfs/inode.c
49048 --- linux-2.6.39.3/fs/nfs/inode.c 2011-07-09 09:18:51.000000000 -0400
49049 +++ linux-2.6.39.3/fs/nfs/inode.c 2011-07-09 09:19:24.000000000 -0400
49050 @@ -150,7 +150,7 @@ static void nfs_zap_caches_locked(struct
49051 nfsi->attrtimeo = NFS_MINATTRTIMEO(inode);
49052 nfsi->attrtimeo_timestamp = jiffies;
49053
49054 - memset(NFS_COOKIEVERF(inode), 0, sizeof(NFS_COOKIEVERF(inode)));
49055 + memset(NFS_COOKIEVERF(inode), 0, sizeof(NFS_I(inode)->cookieverf));
49056 if (S_ISREG(mode) || S_ISDIR(mode) || S_ISLNK(mode))
49057 nfsi->cache_validity |= NFS_INO_INVALID_ATTR|NFS_INO_INVALID_DATA|NFS_INO_INVALID_ACCESS|NFS_INO_INVALID_ACL|NFS_INO_REVAL_PAGECACHE;
49058 else
49059 @@ -1000,16 +1000,16 @@ static int nfs_size_need_update(const st
49060 return nfs_size_to_loff_t(fattr->size) > i_size_read(inode);
49061 }
49062
49063 -static atomic_long_t nfs_attr_generation_counter;
49064 +static atomic_long_unchecked_t nfs_attr_generation_counter;
49065
49066 static unsigned long nfs_read_attr_generation_counter(void)
49067 {
49068 - return atomic_long_read(&nfs_attr_generation_counter);
49069 + return atomic_long_read_unchecked(&nfs_attr_generation_counter);
49070 }
49071
49072 unsigned long nfs_inc_attr_generation_counter(void)
49073 {
49074 - return atomic_long_inc_return(&nfs_attr_generation_counter);
49075 + return atomic_long_inc_return_unchecked(&nfs_attr_generation_counter);
49076 }
49077
49078 void nfs_fattr_init(struct nfs_fattr *fattr)
49079 diff -urNp linux-2.6.39.3/fs/nfs/nfs4proc.c linux-2.6.39.3/fs/nfs/nfs4proc.c
49080 --- linux-2.6.39.3/fs/nfs/nfs4proc.c 2011-07-09 09:18:51.000000000 -0400
49081 +++ linux-2.6.39.3/fs/nfs/nfs4proc.c 2011-07-09 09:19:24.000000000 -0400
49082 @@ -5858,14 +5858,14 @@ struct nfs4_state_recovery_ops nfs41_nog
49083 };
49084 #endif /* CONFIG_NFS_V4_1 */
49085
49086 -struct nfs4_state_maintenance_ops nfs40_state_renewal_ops = {
49087 +const struct nfs4_state_maintenance_ops nfs40_state_renewal_ops = {
49088 .sched_state_renewal = nfs4_proc_async_renew,
49089 .get_state_renewal_cred_locked = nfs4_get_renew_cred_locked,
49090 .renew_lease = nfs4_proc_renew,
49091 };
49092
49093 #if defined(CONFIG_NFS_V4_1)
49094 -struct nfs4_state_maintenance_ops nfs41_state_renewal_ops = {
49095 +const struct nfs4_state_maintenance_ops nfs41_state_renewal_ops = {
49096 .sched_state_renewal = nfs41_proc_async_sequence,
49097 .get_state_renewal_cred_locked = nfs4_get_machine_cred_locked,
49098 .renew_lease = nfs4_proc_sequence,
49099 diff -urNp linux-2.6.39.3/fs/nfsd/lockd.c linux-2.6.39.3/fs/nfsd/lockd.c
49100 --- linux-2.6.39.3/fs/nfsd/lockd.c 2011-05-19 00:06:34.000000000 -0400
49101 +++ linux-2.6.39.3/fs/nfsd/lockd.c 2011-05-22 19:36:32.000000000 -0400
49102 @@ -60,7 +60,7 @@ nlm_fclose(struct file *filp)
49103 fput(filp);
49104 }
49105
49106 -static struct nlmsvc_binding nfsd_nlm_ops = {
49107 +static const struct nlmsvc_binding nfsd_nlm_ops = {
49108 .fopen = nlm_fopen, /* open file for locking */
49109 .fclose = nlm_fclose, /* close file */
49110 };
49111 diff -urNp linux-2.6.39.3/fs/nfsd/nfs4state.c linux-2.6.39.3/fs/nfsd/nfs4state.c
49112 --- linux-2.6.39.3/fs/nfsd/nfs4state.c 2011-05-19 00:06:34.000000000 -0400
49113 +++ linux-2.6.39.3/fs/nfsd/nfs4state.c 2011-05-22 19:36:32.000000000 -0400
49114 @@ -3784,6 +3784,8 @@ nfsd4_lock(struct svc_rqst *rqstp, struc
49115 unsigned int strhashval;
49116 int err;
49117
49118 + pax_track_stack();
49119 +
49120 dprintk("NFSD: nfsd4_lock: start=%Ld length=%Ld\n",
49121 (long long) lock->lk_offset,
49122 (long long) lock->lk_length);
49123 diff -urNp linux-2.6.39.3/fs/nfsd/nfs4xdr.c linux-2.6.39.3/fs/nfsd/nfs4xdr.c
49124 --- linux-2.6.39.3/fs/nfsd/nfs4xdr.c 2011-05-19 00:06:34.000000000 -0400
49125 +++ linux-2.6.39.3/fs/nfsd/nfs4xdr.c 2011-05-22 19:36:32.000000000 -0400
49126 @@ -1793,6 +1793,8 @@ nfsd4_encode_fattr(struct svc_fh *fhp, s
49127 .dentry = dentry,
49128 };
49129
49130 + pax_track_stack();
49131 +
49132 BUG_ON(bmval1 & NFSD_WRITEONLY_ATTRS_WORD1);
49133 BUG_ON(bmval0 & ~nfsd_suppattrs0(minorversion));
49134 BUG_ON(bmval1 & ~nfsd_suppattrs1(minorversion));
49135 diff -urNp linux-2.6.39.3/fs/nfsd/nfsctl.c linux-2.6.39.3/fs/nfsd/nfsctl.c
49136 --- linux-2.6.39.3/fs/nfsd/nfsctl.c 2011-07-09 09:18:51.000000000 -0400
49137 +++ linux-2.6.39.3/fs/nfsd/nfsctl.c 2011-07-09 09:19:24.000000000 -0400
49138 @@ -183,7 +183,7 @@ static int export_features_open(struct i
49139 return single_open(file, export_features_show, NULL);
49140 }
49141
49142 -static struct file_operations export_features_operations = {
49143 +static const struct file_operations export_features_operations = {
49144 .open = export_features_open,
49145 .read = seq_read,
49146 .llseek = seq_lseek,
49147 diff -urNp linux-2.6.39.3/fs/nfsd/vfs.c linux-2.6.39.3/fs/nfsd/vfs.c
49148 --- linux-2.6.39.3/fs/nfsd/vfs.c 2011-07-09 09:18:51.000000000 -0400
49149 +++ linux-2.6.39.3/fs/nfsd/vfs.c 2011-07-09 09:19:24.000000000 -0400
49150 @@ -901,7 +901,7 @@ nfsd_vfs_read(struct svc_rqst *rqstp, st
49151 } else {
49152 oldfs = get_fs();
49153 set_fs(KERNEL_DS);
49154 - host_err = vfs_readv(file, (struct iovec __user *)vec, vlen, &offset);
49155 + host_err = vfs_readv(file, (__force struct iovec __user *)vec, vlen, &offset);
49156 set_fs(oldfs);
49157 }
49158
49159 @@ -1005,7 +1005,7 @@ nfsd_vfs_write(struct svc_rqst *rqstp, s
49160
49161 /* Write the data. */
49162 oldfs = get_fs(); set_fs(KERNEL_DS);
49163 - host_err = vfs_writev(file, (struct iovec __user *)vec, vlen, &offset);
49164 + host_err = vfs_writev(file, (__force struct iovec __user *)vec, vlen, &offset);
49165 set_fs(oldfs);
49166 if (host_err < 0)
49167 goto out_nfserr;
49168 @@ -1528,7 +1528,7 @@ nfsd_readlink(struct svc_rqst *rqstp, st
49169 */
49170
49171 oldfs = get_fs(); set_fs(KERNEL_DS);
49172 - host_err = inode->i_op->readlink(dentry, buf, *lenp);
49173 + host_err = inode->i_op->readlink(dentry, (__force char __user *)buf, *lenp);
49174 set_fs(oldfs);
49175
49176 if (host_err < 0)
49177 diff -urNp linux-2.6.39.3/fs/nilfs2/segment.c linux-2.6.39.3/fs/nilfs2/segment.c
49178 --- linux-2.6.39.3/fs/nilfs2/segment.c 2011-05-19 00:06:34.000000000 -0400
49179 +++ linux-2.6.39.3/fs/nilfs2/segment.c 2011-05-22 19:36:32.000000000 -0400
49180 @@ -555,7 +555,7 @@ static void nilfs_write_file_node_binfo(
49181 *vblocknr = binfo->bi_v.bi_vblocknr;
49182 }
49183
49184 -static struct nilfs_sc_operations nilfs_sc_file_ops = {
49185 +static const struct nilfs_sc_operations nilfs_sc_file_ops = {
49186 .collect_data = nilfs_collect_file_data,
49187 .collect_node = nilfs_collect_file_node,
49188 .collect_bmap = nilfs_collect_file_bmap,
49189 @@ -604,7 +604,7 @@ static void nilfs_write_dat_node_binfo(s
49190 *binfo_dat = binfo->bi_dat;
49191 }
49192
49193 -static struct nilfs_sc_operations nilfs_sc_dat_ops = {
49194 +static const struct nilfs_sc_operations nilfs_sc_dat_ops = {
49195 .collect_data = nilfs_collect_dat_data,
49196 .collect_node = nilfs_collect_file_node,
49197 .collect_bmap = nilfs_collect_dat_bmap,
49198 @@ -612,7 +612,7 @@ static struct nilfs_sc_operations nilfs_
49199 .write_node_binfo = nilfs_write_dat_node_binfo,
49200 };
49201
49202 -static struct nilfs_sc_operations nilfs_sc_dsync_ops = {
49203 +static const struct nilfs_sc_operations nilfs_sc_dsync_ops = {
49204 .collect_data = nilfs_collect_file_data,
49205 .collect_node = NULL,
49206 .collect_bmap = NULL,
49207 @@ -971,7 +971,7 @@ static size_t nilfs_segctor_buffer_rest(
49208
49209 static int nilfs_segctor_scan_file(struct nilfs_sc_info *sci,
49210 struct inode *inode,
49211 - struct nilfs_sc_operations *sc_ops)
49212 + const struct nilfs_sc_operations *sc_ops)
49213 {
49214 LIST_HEAD(data_buffers);
49215 LIST_HEAD(node_buffers);
49216 @@ -1475,7 +1475,7 @@ nilfs_segctor_update_payload_blocknr(str
49217 sector_t blocknr;
49218 unsigned long nfinfo = segbuf->sb_sum.nfinfo;
49219 unsigned long nblocks = 0, ndatablk = 0;
49220 - struct nilfs_sc_operations *sc_op = NULL;
49221 + const struct nilfs_sc_operations *sc_op = NULL;
49222 struct nilfs_segsum_pointer ssp;
49223 struct nilfs_finfo *finfo = NULL;
49224 union nilfs_binfo binfo;
49225 diff -urNp linux-2.6.39.3/fs/notify/dnotify/dnotify.c linux-2.6.39.3/fs/notify/dnotify/dnotify.c
49226 --- linux-2.6.39.3/fs/notify/dnotify/dnotify.c 2011-05-19 00:06:34.000000000 -0400
49227 +++ linux-2.6.39.3/fs/notify/dnotify/dnotify.c 2011-05-22 19:36:32.000000000 -0400
49228 @@ -151,7 +151,7 @@ static void dnotify_free_mark(struct fsn
49229 kmem_cache_free(dnotify_mark_cache, dn_mark);
49230 }
49231
49232 -static struct fsnotify_ops dnotify_fsnotify_ops = {
49233 +static const struct fsnotify_ops dnotify_fsnotify_ops = {
49234 .handle_event = dnotify_handle_event,
49235 .should_send_event = dnotify_should_send_event,
49236 .free_group_priv = NULL,
49237 diff -urNp linux-2.6.39.3/fs/notify/notification.c linux-2.6.39.3/fs/notify/notification.c
49238 --- linux-2.6.39.3/fs/notify/notification.c 2011-05-19 00:06:34.000000000 -0400
49239 +++ linux-2.6.39.3/fs/notify/notification.c 2011-05-22 19:36:32.000000000 -0400
49240 @@ -57,7 +57,7 @@ static struct kmem_cache *fsnotify_event
49241 * get set to 0 so it will never get 'freed'
49242 */
49243 static struct fsnotify_event *q_overflow_event;
49244 -static atomic_t fsnotify_sync_cookie = ATOMIC_INIT(0);
49245 +static atomic_unchecked_t fsnotify_sync_cookie = ATOMIC_INIT(0);
49246
49247 /**
49248 * fsnotify_get_cookie - return a unique cookie for use in synchronizing events.
49249 @@ -65,7 +65,7 @@ static atomic_t fsnotify_sync_cookie = A
49250 */
49251 u32 fsnotify_get_cookie(void)
49252 {
49253 - return atomic_inc_return(&fsnotify_sync_cookie);
49254 + return atomic_inc_return_unchecked(&fsnotify_sync_cookie);
49255 }
49256 EXPORT_SYMBOL_GPL(fsnotify_get_cookie);
49257
49258 diff -urNp linux-2.6.39.3/fs/ntfs/dir.c linux-2.6.39.3/fs/ntfs/dir.c
49259 --- linux-2.6.39.3/fs/ntfs/dir.c 2011-05-19 00:06:34.000000000 -0400
49260 +++ linux-2.6.39.3/fs/ntfs/dir.c 2011-05-22 19:36:32.000000000 -0400
49261 @@ -1329,7 +1329,7 @@ find_next_index_buffer:
49262 ia = (INDEX_ALLOCATION*)(kaddr + (ia_pos & ~PAGE_CACHE_MASK &
49263 ~(s64)(ndir->itype.index.block_size - 1)));
49264 /* Bounds checks. */
49265 - if (unlikely((u8*)ia < kaddr || (u8*)ia > kaddr + PAGE_CACHE_SIZE)) {
49266 + if (unlikely(!kaddr || (u8*)ia < kaddr || (u8*)ia > kaddr + PAGE_CACHE_SIZE)) {
49267 ntfs_error(sb, "Out of bounds check failed. Corrupt directory "
49268 "inode 0x%lx or driver bug.", vdir->i_ino);
49269 goto err_out;
49270 diff -urNp linux-2.6.39.3/fs/ntfs/file.c linux-2.6.39.3/fs/ntfs/file.c
49271 --- linux-2.6.39.3/fs/ntfs/file.c 2011-05-19 00:06:34.000000000 -0400
49272 +++ linux-2.6.39.3/fs/ntfs/file.c 2011-05-22 19:36:32.000000000 -0400
49273 @@ -2222,6 +2222,6 @@ const struct inode_operations ntfs_file_
49274 #endif /* NTFS_RW */
49275 };
49276
49277 -const struct file_operations ntfs_empty_file_ops = {};
49278 +const struct file_operations ntfs_empty_file_ops __read_only;
49279
49280 -const struct inode_operations ntfs_empty_inode_ops = {};
49281 +const struct inode_operations ntfs_empty_inode_ops __read_only;
49282 diff -urNp linux-2.6.39.3/fs/ocfs2/cluster/heartbeat.c linux-2.6.39.3/fs/ocfs2/cluster/heartbeat.c
49283 --- linux-2.6.39.3/fs/ocfs2/cluster/heartbeat.c 2011-05-19 00:06:34.000000000 -0400
49284 +++ linux-2.6.39.3/fs/ocfs2/cluster/heartbeat.c 2011-05-22 19:36:32.000000000 -0400
49285 @@ -2261,7 +2261,7 @@ static struct configfs_item_operations o
49286 .store_attribute = o2hb_heartbeat_group_store,
49287 };
49288
49289 -static struct configfs_group_operations o2hb_heartbeat_group_group_ops = {
49290 +static const struct configfs_group_operations o2hb_heartbeat_group_group_ops = {
49291 .make_item = o2hb_heartbeat_group_make_item,
49292 .drop_item = o2hb_heartbeat_group_drop_item,
49293 };
49294 diff -urNp linux-2.6.39.3/fs/ocfs2/cluster/nodemanager.c linux-2.6.39.3/fs/ocfs2/cluster/nodemanager.c
49295 --- linux-2.6.39.3/fs/ocfs2/cluster/nodemanager.c 2011-05-19 00:06:34.000000000 -0400
49296 +++ linux-2.6.39.3/fs/ocfs2/cluster/nodemanager.c 2011-05-22 19:36:32.000000000 -0400
49297 @@ -752,7 +752,7 @@ static void o2nm_node_group_drop_item(st
49298 config_item_put(item);
49299 }
49300
49301 -static struct configfs_group_operations o2nm_node_group_group_ops = {
49302 +static const struct configfs_group_operations o2nm_node_group_group_ops = {
49303 .make_item = o2nm_node_group_make_item,
49304 .drop_item = o2nm_node_group_drop_item,
49305 };
49306 @@ -869,7 +869,7 @@ static void o2nm_cluster_group_drop_item
49307 config_item_put(item);
49308 }
49309
49310 -static struct configfs_group_operations o2nm_cluster_group_group_ops = {
49311 +static const struct configfs_group_operations o2nm_cluster_group_group_ops = {
49312 .make_group = o2nm_cluster_group_make_group,
49313 .drop_item = o2nm_cluster_group_drop_item,
49314 };
49315 diff -urNp linux-2.6.39.3/fs/ocfs2/localalloc.c linux-2.6.39.3/fs/ocfs2/localalloc.c
49316 --- linux-2.6.39.3/fs/ocfs2/localalloc.c 2011-05-19 00:06:34.000000000 -0400
49317 +++ linux-2.6.39.3/fs/ocfs2/localalloc.c 2011-05-22 19:36:32.000000000 -0400
49318 @@ -1283,7 +1283,7 @@ static int ocfs2_local_alloc_slide_windo
49319 goto bail;
49320 }
49321
49322 - atomic_inc(&osb->alloc_stats.moves);
49323 + atomic_inc_unchecked(&osb->alloc_stats.moves);
49324
49325 bail:
49326 if (handle)
49327 diff -urNp linux-2.6.39.3/fs/ocfs2/namei.c linux-2.6.39.3/fs/ocfs2/namei.c
49328 --- linux-2.6.39.3/fs/ocfs2/namei.c 2011-05-19 00:06:34.000000000 -0400
49329 +++ linux-2.6.39.3/fs/ocfs2/namei.c 2011-05-22 19:36:32.000000000 -0400
49330 @@ -1063,6 +1063,8 @@ static int ocfs2_rename(struct inode *ol
49331 struct ocfs2_dir_lookup_result orphan_insert = { NULL, };
49332 struct ocfs2_dir_lookup_result target_insert = { NULL, };
49333
49334 + pax_track_stack();
49335 +
49336 /* At some point it might be nice to break this function up a
49337 * bit. */
49338
49339 diff -urNp linux-2.6.39.3/fs/ocfs2/ocfs2.h linux-2.6.39.3/fs/ocfs2/ocfs2.h
49340 --- linux-2.6.39.3/fs/ocfs2/ocfs2.h 2011-05-19 00:06:34.000000000 -0400
49341 +++ linux-2.6.39.3/fs/ocfs2/ocfs2.h 2011-05-22 19:36:32.000000000 -0400
49342 @@ -235,11 +235,11 @@ enum ocfs2_vol_state
49343
49344 struct ocfs2_alloc_stats
49345 {
49346 - atomic_t moves;
49347 - atomic_t local_data;
49348 - atomic_t bitmap_data;
49349 - atomic_t bg_allocs;
49350 - atomic_t bg_extends;
49351 + atomic_unchecked_t moves;
49352 + atomic_unchecked_t local_data;
49353 + atomic_unchecked_t bitmap_data;
49354 + atomic_unchecked_t bg_allocs;
49355 + atomic_unchecked_t bg_extends;
49356 };
49357
49358 enum ocfs2_local_alloc_state
49359 diff -urNp linux-2.6.39.3/fs/ocfs2/stackglue.h linux-2.6.39.3/fs/ocfs2/stackglue.h
49360 --- linux-2.6.39.3/fs/ocfs2/stackglue.h 2011-05-19 00:06:34.000000000 -0400
49361 +++ linux-2.6.39.3/fs/ocfs2/stackglue.h 2011-05-22 19:36:32.000000000 -0400
49362 @@ -221,13 +221,13 @@ struct ocfs2_stack_operations {
49363 };
49364
49365 /*
49366 - * Each stack plugin must describe itself by registering a
49367 + * Each stack plugin must describe itself by registerin const g a
49368 * ocfs2_stack_plugin structure. This is only seen by stackglue and the
49369 * stack driver.
49370 */
49371 struct ocfs2_stack_plugin {
49372 char *sp_name;
49373 - struct ocfs2_stack_operations *sp_ops;
49374 + const struct ocfs2_stack_operations *sp_ops;
49375 struct module *sp_owner;
49376
49377 /* These are managed by the stackglue code. */
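Review bot: The comment line was damaged by the const conversion: `registering a` became `registerin const g a`, which looks like a misplaced search-and-replace rather than an intended edit. Restore it to `* Each stack plugin must describe itself by registering a`; only the `sp_ops` member line needs the `const` qualifier. The struct definition continues past the end of this hunk.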
49378 diff -urNp linux-2.6.39.3/fs/ocfs2/stack_o2cb.c linux-2.6.39.3/fs/ocfs2/stack_o2cb.c
49379 --- linux-2.6.39.3/fs/ocfs2/stack_o2cb.c 2011-05-19 00:06:34.000000000 -0400
49380 +++ linux-2.6.39.3/fs/ocfs2/stack_o2cb.c 2011-06-07 18:07:24.000000000 -0400
49381 @@ -358,7 +358,7 @@ static int o2cb_cluster_this_node(unsign
49382 return 0;
49383 }
49384
49385 -static struct ocfs2_stack_operations o2cb_stack_ops = {
49386 +static const struct ocfs2_stack_operations o2cb_stack_ops = {
49387 .connect = o2cb_cluster_connect,
49388 .disconnect = o2cb_cluster_disconnect,
49389 .this_node = o2cb_cluster_this_node,
49390 diff -urNp linux-2.6.39.3/fs/ocfs2/stack_user.c linux-2.6.39.3/fs/ocfs2/stack_user.c
49391 --- linux-2.6.39.3/fs/ocfs2/stack_user.c 2011-05-19 00:06:34.000000000 -0400
49392 +++ linux-2.6.39.3/fs/ocfs2/stack_user.c 2011-05-22 19:36:32.000000000 -0400
49393 @@ -399,7 +399,7 @@ static int ocfs2_control_do_setversion_m
49394 long major, minor;
49395 char *ptr = NULL;
49396 struct ocfs2_control_private *p = file->private_data;
49397 - struct ocfs2_protocol_version *max =
49398 + const struct ocfs2_protocol_version *max =
49399 &ocfs2_user_plugin.sp_max_proto;
49400
49401 if (ocfs2_control_get_handshake_state(file) !=
49402 @@ -861,7 +861,7 @@ static int user_cluster_this_node(unsign
49403 return 0;
49404 }
49405
49406 -static struct ocfs2_stack_operations ocfs2_user_plugin_ops = {
49407 +static const struct ocfs2_stack_operations ocfs2_user_plugin_ops = {
49408 .connect = user_cluster_connect,
49409 .disconnect = user_cluster_disconnect,
49410 .this_node = user_cluster_this_node,
49411 diff -urNp linux-2.6.39.3/fs/ocfs2/suballoc.c linux-2.6.39.3/fs/ocfs2/suballoc.c
49412 --- linux-2.6.39.3/fs/ocfs2/suballoc.c 2011-05-19 00:06:34.000000000 -0400
49413 +++ linux-2.6.39.3/fs/ocfs2/suballoc.c 2011-05-22 19:36:32.000000000 -0400
49414 @@ -872,7 +872,7 @@ static int ocfs2_reserve_suballoc_bits(s
49415 mlog_errno(status);
49416 goto bail;
49417 }
49418 - atomic_inc(&osb->alloc_stats.bg_extends);
49419 + atomic_inc_unchecked(&osb->alloc_stats.bg_extends);
49420
49421 /* You should never ask for this much metadata */
49422 BUG_ON(bits_wanted >
49423 @@ -2008,7 +2008,7 @@ int ocfs2_claim_metadata(handle_t *handl
49424 mlog_errno(status);
49425 goto bail;
49426 }
49427 - atomic_inc(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
49428 + atomic_inc_unchecked(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
49429
49430 *suballoc_loc = res.sr_bg_blkno;
49431 *suballoc_bit_start = res.sr_bit_offset;
49432 @@ -2172,7 +2172,7 @@ int ocfs2_claim_new_inode_at_loc(handle_
49433 trace_ocfs2_claim_new_inode_at_loc((unsigned long long)di_blkno,
49434 res->sr_bits);
49435
49436 - atomic_inc(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
49437 + atomic_inc_unchecked(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
49438
49439 BUG_ON(res->sr_bits != 1);
49440
49441 @@ -2214,7 +2214,7 @@ int ocfs2_claim_new_inode(handle_t *hand
49442 mlog_errno(status);
49443 goto bail;
49444 }
49445 - atomic_inc(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
49446 + atomic_inc_unchecked(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
49447
49448 BUG_ON(res.sr_bits != 1);
49449
49450 @@ -2318,7 +2318,7 @@ int __ocfs2_claim_clusters(handle_t *han
49451 cluster_start,
49452 num_clusters);
49453 if (!status)
49454 - atomic_inc(&osb->alloc_stats.local_data);
49455 + atomic_inc_unchecked(&osb->alloc_stats.local_data);
49456 } else {
49457 if (min_clusters > (osb->bitmap_cpg - 1)) {
49458 /* The only paths asking for contiguousness
49459 @@ -2344,7 +2344,7 @@ int __ocfs2_claim_clusters(handle_t *han
49460 ocfs2_desc_bitmap_to_cluster_off(ac->ac_inode,
49461 res.sr_bg_blkno,
49462 res.sr_bit_offset);
49463 - atomic_inc(&osb->alloc_stats.bitmap_data);
49464 + atomic_inc_unchecked(&osb->alloc_stats.bitmap_data);
49465 *num_clusters = res.sr_bits;
49466 }
49467 }
49468 diff -urNp linux-2.6.39.3/fs/ocfs2/super.c linux-2.6.39.3/fs/ocfs2/super.c
49469 --- linux-2.6.39.3/fs/ocfs2/super.c 2011-05-19 00:06:34.000000000 -0400
49470 +++ linux-2.6.39.3/fs/ocfs2/super.c 2011-05-22 19:36:32.000000000 -0400
49471 @@ -299,11 +299,11 @@ static int ocfs2_osb_dump(struct ocfs2_s
49472 "%10s => GlobalAllocs: %d LocalAllocs: %d "
49473 "SubAllocs: %d LAWinMoves: %d SAExtends: %d\n",
49474 "Stats",
49475 - atomic_read(&osb->alloc_stats.bitmap_data),
49476 - atomic_read(&osb->alloc_stats.local_data),
49477 - atomic_read(&osb->alloc_stats.bg_allocs),
49478 - atomic_read(&osb->alloc_stats.moves),
49479 - atomic_read(&osb->alloc_stats.bg_extends));
49480 + atomic_read_unchecked(&osb->alloc_stats.bitmap_data),
49481 + atomic_read_unchecked(&osb->alloc_stats.local_data),
49482 + atomic_read_unchecked(&osb->alloc_stats.bg_allocs),
49483 + atomic_read_unchecked(&osb->alloc_stats.moves),
49484 + atomic_read_unchecked(&osb->alloc_stats.bg_extends));
49485
49486 out += snprintf(buf + out, len - out,
49487 "%10s => State: %u Descriptor: %llu Size: %u bits "
49488 @@ -2111,11 +2111,11 @@ static int ocfs2_initialize_super(struct
49489 spin_lock_init(&osb->osb_xattr_lock);
49490 ocfs2_init_steal_slots(osb);
49491
49492 - atomic_set(&osb->alloc_stats.moves, 0);
49493 - atomic_set(&osb->alloc_stats.local_data, 0);
49494 - atomic_set(&osb->alloc_stats.bitmap_data, 0);
49495 - atomic_set(&osb->alloc_stats.bg_allocs, 0);
49496 - atomic_set(&osb->alloc_stats.bg_extends, 0);
49497 + atomic_set_unchecked(&osb->alloc_stats.moves, 0);
49498 + atomic_set_unchecked(&osb->alloc_stats.local_data, 0);
49499 + atomic_set_unchecked(&osb->alloc_stats.bitmap_data, 0);
49500 + atomic_set_unchecked(&osb->alloc_stats.bg_allocs, 0);
49501 + atomic_set_unchecked(&osb->alloc_stats.bg_extends, 0);
49502
49503 /* Copy the blockcheck stats from the superblock probe */
49504 osb->osb_ecc_stats = *stats;
49505 diff -urNp linux-2.6.39.3/fs/ocfs2/symlink.c linux-2.6.39.3/fs/ocfs2/symlink.c
49506 --- linux-2.6.39.3/fs/ocfs2/symlink.c 2011-05-19 00:06:34.000000000 -0400
49507 +++ linux-2.6.39.3/fs/ocfs2/symlink.c 2011-05-22 19:36:32.000000000 -0400
49508 @@ -142,7 +142,7 @@ bail:
49509
49510 static void ocfs2_fast_put_link(struct dentry *dentry, struct nameidata *nd, void *cookie)
49511 {
49512 - char *link = nd_get_link(nd);
49513 + const char *link = nd_get_link(nd);
49514 if (!IS_ERR(link))
49515 kfree(link);
49516 }
49517 diff -urNp linux-2.6.39.3/fs/open.c linux-2.6.39.3/fs/open.c
49518 --- linux-2.6.39.3/fs/open.c 2011-05-19 00:06:34.000000000 -0400
49519 +++ linux-2.6.39.3/fs/open.c 2011-05-22 20:46:51.000000000 -0400
49520 @@ -112,6 +112,10 @@ static long do_sys_truncate(const char _
49521 error = locks_verify_truncate(inode, NULL, length);
49522 if (!error)
49523 error = security_path_truncate(&path);
49524 +
49525 + if (!error && !gr_acl_handle_truncate(path.dentry, path.mnt))
49526 + error = -EACCES;
49527 +
49528 if (!error)
49529 error = do_truncate(path.dentry, length, 0, NULL);
49530
49531 @@ -358,6 +362,9 @@ SYSCALL_DEFINE3(faccessat, int, dfd, con
49532 if (__mnt_is_readonly(path.mnt))
49533 res = -EROFS;
49534
49535 + if (!res && !gr_acl_handle_access(path.dentry, path.mnt, mode))
49536 + res = -EACCES;
49537 +
49538 out_path_release:
49539 path_put(&path);
49540 out:
49541 @@ -384,6 +391,8 @@ SYSCALL_DEFINE1(chdir, const char __user
49542 if (error)
49543 goto dput_and_out;
49544
49545 + gr_log_chdir(path.dentry, path.mnt);
49546 +
49547 set_fs_pwd(current->fs, &path);
49548
49549 dput_and_out:
49550 @@ -410,6 +419,13 @@ SYSCALL_DEFINE1(fchdir, unsigned int, fd
49551 goto out_putf;
49552
49553 error = inode_permission(inode, MAY_EXEC | MAY_CHDIR);
49554 +
49555 + if (!error && !gr_chroot_fchdir(file->f_path.dentry, file->f_path.mnt))
49556 + error = -EPERM;
49557 +
49558 + if (!error)
49559 + gr_log_chdir(file->f_path.dentry, file->f_path.mnt);
49560 +
49561 if (!error)
49562 set_fs_pwd(current->fs, &file->f_path);
49563 out_putf:
49564 @@ -438,7 +454,18 @@ SYSCALL_DEFINE1(chroot, const char __use
49565 if (error)
49566 goto dput_and_out;
49567
49568 + if (gr_handle_chroot_chroot(path.dentry, path.mnt))
49569 + goto dput_and_out;
49570 +
49571 + if (gr_handle_chroot_caps(&path)) {
49572 + error = -ENOMEM;
49573 + goto dput_and_out;
49574 + }
49575 +
49576 set_fs_root(current->fs, &path);
49577 +
49578 + gr_handle_chroot_chdir(&path);
49579 +
49580 error = 0;
49581 dput_and_out:
49582 path_put(&path);
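Review bot: The added `gr_handle_chroot_chroot()` branch jumps to `dput_and_out` without assigning `error`, and it is only reached after the preceding `if (error)` test fell through, so `error` is zero at that point and a refused chroot would be reported to the caller as success. Assign the result before the jump, for example `error = -EPERM;` ahead of `goto dput_and_out;`, the way the `gr_handle_chroot_caps()` branch below sets `-ENOMEM` first. The statement that last assigns `error` sits above the hunk, so confirm against the full function.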
49583 @@ -466,12 +493,25 @@ SYSCALL_DEFINE2(fchmod, unsigned int, fd
49584 err = mnt_want_write_file(file);
49585 if (err)
49586 goto out_putf;
49587 +
49588 mutex_lock(&inode->i_mutex);
49589 +
49590 + if (!gr_acl_handle_fchmod(dentry, file->f_vfsmnt, mode)) {
49591 + err = -EACCES;
49592 + goto out_unlock;
49593 + }
49594 +
49595 err = security_path_chmod(dentry, file->f_vfsmnt, mode);
49596 if (err)
49597 goto out_unlock;
49598 if (mode == (mode_t) -1)
49599 mode = inode->i_mode;
49600 +
49601 + if (gr_handle_chroot_chmod(dentry, file->f_vfsmnt, mode)) {
49602 + err = -EACCES;
49603 + goto out_unlock;
49604 + }
49605 +
49606 newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
49607 newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
49608 err = notify_change(dentry, &newattrs);
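Review bot: `gr_acl_handle_fchmod()` receives the caller's raw `mode` before the `mode == (mode_t) -1` sentinel is replaced by `inode->i_mode`, while `gr_handle_chroot_chmod()` a few lines later sees the normalised value. If the ACL hook inspects mode bits, the sentinel presumably looks like every bit being set. Either move the ACL check below the substitution or add a comment such as `/* ACL hook must tolerate mode == (mode_t) -1 */`. The fchmodat hunk that follows has the same ordering around `gr_acl_handle_chmod()`.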
49609 @@ -499,12 +539,25 @@ SYSCALL_DEFINE3(fchmodat, int, dfd, cons
49610 error = mnt_want_write(path.mnt);
49611 if (error)
49612 goto dput_and_out;
49613 +
49614 mutex_lock(&inode->i_mutex);
49615 +
49616 + if (!gr_acl_handle_chmod(path.dentry, path.mnt, mode)) {
49617 + error = -EACCES;
49618 + goto out_unlock;
49619 + }
49620 +
49621 error = security_path_chmod(path.dentry, path.mnt, mode);
49622 if (error)
49623 goto out_unlock;
49624 if (mode == (mode_t) -1)
49625 mode = inode->i_mode;
49626 +
49627 + if (gr_handle_chroot_chmod(path.dentry, path.mnt, mode)) {
49628 + error = -EACCES;
49629 + goto out_unlock;
49630 + }
49631 +
49632 newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
49633 newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
49634 error = notify_change(path.dentry, &newattrs);
49635 @@ -528,6 +581,9 @@ static int chown_common(struct path *pat
49636 int error;
49637 struct iattr newattrs;
49638
49639 + if (!gr_acl_handle_chown(path->dentry, path->mnt))
49640 + return -EACCES;
49641 +
49642 newattrs.ia_valid = ATTR_CTIME;
49643 if (user != (uid_t) -1) {
49644 newattrs.ia_valid |= ATTR_UID;
49645 @@ -998,7 +1054,10 @@ long do_sys_open(int dfd, const char __u
49646 if (!IS_ERR(tmp)) {
49647 fd = get_unused_fd_flags(flags);
49648 if (fd >= 0) {
49649 - struct file *f = do_filp_open(dfd, tmp, &op, lookup);
49650 + struct file *f;
49651 + /* don't allow to be set by userland */
49652 + flags &= ~FMODE_GREXEC;
49653 + f = do_filp_open(dfd, tmp, &op, lookup);
49654 if (IS_ERR(f)) {
49655 put_unused_fd(fd);
49656 fd = PTR_ERR(f);
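Review bot: `flags &= ~FMODE_GREXEC;` is applied after `get_unused_fd_flags(flags)`, and the only later consumer in the hunk, `do_filp_open(dfd, tmp, &op, lookup)`, takes `op` and `lookup` rather than `flags`. If `op` is built from `flags` earlier in `do_sys_open` (not visible here), the bit has already been copied and the mask does not do what its comment says. Clearing the bit before `op` is derived would make the statement effective. The comment could also name which in-kernel path is allowed to set the flag.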
49657 diff -urNp linux-2.6.39.3/fs/partitions/ldm.c linux-2.6.39.3/fs/partitions/ldm.c
49658 --- linux-2.6.39.3/fs/partitions/ldm.c 2011-06-03 00:04:14.000000000 -0400
49659 +++ linux-2.6.39.3/fs/partitions/ldm.c 2011-06-03 00:32:07.000000000 -0400
49660 @@ -1311,6 +1311,7 @@ static bool ldm_frag_add (const u8 *data
49661 ldm_error ("A VBLK claims to have %d parts.", num);
49662 return false;
49663 }
49664 +
49665 if (rec >= num) {
49666 ldm_error("REC value (%d) exceeds NUM value (%d)", rec, num);
49667 return false;
49668 @@ -1322,7 +1323,7 @@ static bool ldm_frag_add (const u8 *data
49669 goto found;
49670 }
49671
49672 - f = kmalloc (sizeof (*f) + size*num, GFP_KERNEL);
49673 + f = kmalloc (size*num + sizeof (*f), GFP_KERNEL);
49674 if (!f) {
49675 ldm_crit ("Out of memory.");
49676 return false;
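Review bot: Reordering the operands to `size*num + sizeof (*f)` leaves the computed allocation size unchanged, so this line does not by itself bound the product. If the intent is to harden against a crafted VBLK, `size` needs an explicit limit before the multiplication, in the same way the preceding hunk shows `num` and `rec` being rejected. Otherwise a one-line comment explaining the reorder would stop it from being reverted as noise. The declarations of `size` and `num` are outside the hunk, so their types and any existing limits should be confirmed.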
49677 diff -urNp linux-2.6.39.3/fs/pipe.c linux-2.6.39.3/fs/pipe.c
49678 --- linux-2.6.39.3/fs/pipe.c 2011-05-19 00:06:34.000000000 -0400
49679 +++ linux-2.6.39.3/fs/pipe.c 2011-05-22 19:41:37.000000000 -0400
49680 @@ -420,9 +420,9 @@ redo:
49681 }
49682 if (bufs) /* More to do? */
49683 continue;
49684 - if (!pipe->writers)
49685 + if (!atomic_read(&pipe->writers))
49686 break;
49687 - if (!pipe->waiting_writers) {
49688 + if (!atomic_read(&pipe->waiting_writers)) {
49689 /* syscall merging: Usually we must not sleep
49690 * if O_NONBLOCK is set, or if we got some data.
49691 * But if a writer sleeps in kernel space, then
49692 @@ -481,7 +481,7 @@ pipe_write(struct kiocb *iocb, const str
49693 mutex_lock(&inode->i_mutex);
49694 pipe = inode->i_pipe;
49695
49696 - if (!pipe->readers) {
49697 + if (!atomic_read(&pipe->readers)) {
49698 send_sig(SIGPIPE, current, 0);
49699 ret = -EPIPE;
49700 goto out;
49701 @@ -530,7 +530,7 @@ redo1:
49702 for (;;) {
49703 int bufs;
49704
49705 - if (!pipe->readers) {
49706 + if (!atomic_read(&pipe->readers)) {
49707 send_sig(SIGPIPE, current, 0);
49708 if (!ret)
49709 ret = -EPIPE;
49710 @@ -616,9 +616,9 @@ redo2:
49711 kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN);
49712 do_wakeup = 0;
49713 }
49714 - pipe->waiting_writers++;
49715 + atomic_inc(&pipe->waiting_writers);
49716 pipe_wait(pipe);
49717 - pipe->waiting_writers--;
49718 + atomic_dec(&pipe->waiting_writers);
49719 }
49720 out:
49721 mutex_unlock(&inode->i_mutex);
49722 @@ -685,7 +685,7 @@ pipe_poll(struct file *filp, poll_table
49723 mask = 0;
49724 if (filp->f_mode & FMODE_READ) {
49725 mask = (nrbufs > 0) ? POLLIN | POLLRDNORM : 0;
49726 - if (!pipe->writers && filp->f_version != pipe->w_counter)
49727 + if (!atomic_read(&pipe->writers) && filp->f_version != pipe->w_counter)
49728 mask |= POLLHUP;
49729 }
49730
49731 @@ -695,7 +695,7 @@ pipe_poll(struct file *filp, poll_table
49732 * Most Unices do not set POLLERR for FIFOs but on Linux they
49733 * behave exactly like pipes for poll().
49734 */
49735 - if (!pipe->readers)
49736 + if (!atomic_read(&pipe->readers))
49737 mask |= POLLERR;
49738 }
49739
49740 @@ -709,10 +709,10 @@ pipe_release(struct inode *inode, int de
49741
49742 mutex_lock(&inode->i_mutex);
49743 pipe = inode->i_pipe;
49744 - pipe->readers -= decr;
49745 - pipe->writers -= decw;
49746 + atomic_sub(decr, &pipe->readers);
49747 + atomic_sub(decw, &pipe->writers);
49748
49749 - if (!pipe->readers && !pipe->writers) {
49750 + if (!atomic_read(&pipe->readers) && !atomic_read(&pipe->writers)) {
49751 free_pipe_info(inode);
49752 } else {
49753 wake_up_interruptible_sync_poll(&pipe->wait, POLLIN | POLLOUT | POLLRDNORM | POLLWRNORM | POLLERR | POLLHUP);
49754 @@ -802,7 +802,7 @@ pipe_read_open(struct inode *inode, stru
49755
49756 if (inode->i_pipe) {
49757 ret = 0;
49758 - inode->i_pipe->readers++;
49759 + atomic_inc(&inode->i_pipe->readers);
49760 }
49761
49762 mutex_unlock(&inode->i_mutex);
49763 @@ -819,7 +819,7 @@ pipe_write_open(struct inode *inode, str
49764
49765 if (inode->i_pipe) {
49766 ret = 0;
49767 - inode->i_pipe->writers++;
49768 + atomic_inc(&inode->i_pipe->writers);
49769 }
49770
49771 mutex_unlock(&inode->i_mutex);
49772 @@ -837,9 +837,9 @@ pipe_rdwr_open(struct inode *inode, stru
49773 if (inode->i_pipe) {
49774 ret = 0;
49775 if (filp->f_mode & FMODE_READ)
49776 - inode->i_pipe->readers++;
49777 + atomic_inc(&inode->i_pipe->readers);
49778 if (filp->f_mode & FMODE_WRITE)
49779 - inode->i_pipe->writers++;
49780 + atomic_inc(&inode->i_pipe->writers);
49781 }
49782
49783 mutex_unlock(&inode->i_mutex);
49784 @@ -931,7 +931,7 @@ void free_pipe_info(struct inode *inode)
49785 inode->i_pipe = NULL;
49786 }
49787
49788 -static struct vfsmount *pipe_mnt __read_mostly;
49789 +struct vfsmount *pipe_mnt __read_mostly;
49790
49791 /*
49792 * pipefs_dname() is called from d_path().
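Review bot: Removing `static` from `pipe_mnt` makes it a kernel-wide symbol, but this hunk adds neither an `extern` declaration nor a comment naming the code that needs it. Unless the declaration is added elsewhere in the patch, each consumer would have to declare it locally, which defeats type checking across files. A comment above the definition, for example `/* non-static: referenced by the grsecurity path-resolution code */` (wording to be adjusted to the real consumer), would document why the linkage was widened.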
49793 @@ -961,7 +961,8 @@ static struct inode * get_pipe_inode(voi
49794 goto fail_iput;
49795 inode->i_pipe = pipe;
49796
49797 - pipe->readers = pipe->writers = 1;
49798 + atomic_set(&pipe->readers, 1);
49799 + atomic_set(&pipe->writers, 1);
49800 inode->i_fop = &rdwr_pipefifo_fops;
49801
49802 /*
49803 diff -urNp linux-2.6.39.3/fs/proc/array.c linux-2.6.39.3/fs/proc/array.c
49804 --- linux-2.6.39.3/fs/proc/array.c 2011-05-19 00:06:34.000000000 -0400
49805 +++ linux-2.6.39.3/fs/proc/array.c 2011-05-22 19:41:37.000000000 -0400
49806 @@ -60,6 +60,7 @@
49807 #include <linux/tty.h>
49808 #include <linux/string.h>
49809 #include <linux/mman.h>
49810 +#include <linux/grsecurity.h>
49811 #include <linux/proc_fs.h>
49812 #include <linux/ioport.h>
49813 #include <linux/uaccess.h>
49814 @@ -337,6 +338,21 @@ static void task_cpus_allowed(struct seq
49815 seq_putc(m, '\n');
49816 }
49817
49818 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
49819 +static inline void task_pax(struct seq_file *m, struct task_struct *p)
49820 +{
49821 + if (p->mm)
49822 + seq_printf(m, "PaX:\t%c%c%c%c%c\n",
49823 + p->mm->pax_flags & MF_PAX_PAGEEXEC ? 'P' : 'p',
49824 + p->mm->pax_flags & MF_PAX_EMUTRAMP ? 'E' : 'e',
49825 + p->mm->pax_flags & MF_PAX_MPROTECT ? 'M' : 'm',
49826 + p->mm->pax_flags & MF_PAX_RANDMMAP ? 'R' : 'r',
49827 + p->mm->pax_flags & MF_PAX_SEGMEXEC ? 'S' : 's');
49828 + else
49829 + seq_printf(m, "PaX:\t-----\n");
49830 +}
49831 +#endif
49832 +
49833 int proc_pid_status(struct seq_file *m, struct pid_namespace *ns,
49834 struct pid *pid, struct task_struct *task)
49835 {
49836 @@ -354,9 +370,24 @@ int proc_pid_status(struct seq_file *m,
49837 task_cpus_allowed(m, task);
49838 cpuset_task_status_allowed(m, task);
49839 task_context_switch_counts(m, task);
49840 +
49841 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
49842 + task_pax(m, task);
49843 +#endif
49844 +
49845 +#if defined(CONFIG_GRKERNSEC) && !defined(CONFIG_GRKERNSEC_NO_RBAC)
49846 + task_grsec_rbac(m, task);
49847 +#endif
49848 +
49849 return 0;
49850 }
49851
49852 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
49853 +#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
49854 + (_mm->pax_flags & MF_PAX_RANDMMAP || \
49855 + _mm->pax_flags & MF_PAX_SEGMEXEC))
49856 +#endif
49857 +
49858 static int do_task_stat(struct seq_file *m, struct pid_namespace *ns,
49859 struct pid *pid, struct task_struct *task, int whole)
49860 {
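Review bot: `PAX_RAND_FLAGS` expands its `_mm` argument four times without parentheses, and the identical definition is added a second time in the fs/proc/base.c hunk at `@@ -306,12 +328,28 @@`. Defining it once in a shared header, for example fs/proc/internal.h which this patch already touches, removes the risk of the two copies drifting apart. The body could be written as `((_mm) != NULL && (_mm) != current->mm && ((_mm)->pax_flags & (MF_PAX_RANDMMAP | MF_PAX_SEGMEXEC)))`.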
49861 @@ -375,9 +406,11 @@ static int do_task_stat(struct seq_file
49862 cputime_t cutime, cstime, utime, stime;
49863 cputime_t cgtime, gtime;
49864 unsigned long rsslim = 0;
49865 - char tcomm[sizeof(task->comm)];
49866 + char tcomm[sizeof(task->comm)] = { 0 };
49867 unsigned long flags;
49868
49869 + pax_track_stack();
49870 +
49871 state = *get_task_state(task);
49872 vsize = eip = esp = 0;
49873 permitted = ptrace_may_access(task, PTRACE_MODE_READ);
49874 @@ -449,6 +482,19 @@ static int do_task_stat(struct seq_file
49875 gtime = task->gtime;
49876 }
49877
49878 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
49879 + if (PAX_RAND_FLAGS(mm)) {
49880 + eip = 0;
49881 + esp = 0;
49882 + wchan = 0;
49883 + }
49884 +#endif
49885 +#ifdef CONFIG_GRKERNSEC_HIDESYM
49886 + wchan = 0;
49887 + eip =0;
49888 + esp =0;
49889 +#endif
49890 +
49891 /* scale priority and nice values from timeslices to -20..20 */
49892 /* to make it look like a "normal" Unix priority/nice value */
49893 priority = task_prio(task);
49894 @@ -489,9 +535,15 @@ static int do_task_stat(struct seq_file
49895 vsize,
49896 mm ? get_mm_rss(mm) : 0,
49897 rsslim,
49898 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
49899 + PAX_RAND_FLAGS(mm) ? 1 : (mm ? (permitted ? mm->start_code : 1) : 0),
49900 + PAX_RAND_FLAGS(mm) ? 1 : (mm ? (permitted ? mm->end_code : 1) : 0),
49901 + PAX_RAND_FLAGS(mm) ? 0 : ((permitted && mm) ? mm->start_stack : 0),
49902 +#else
49903 mm ? (permitted ? mm->start_code : 1) : 0,
49904 mm ? (permitted ? mm->end_code : 1) : 0,
49905 (permitted && mm) ? mm->start_stack : 0,
49906 +#endif
49907 esp,
49908 eip,
49909 /* The signal information here is obsolete.
49910 @@ -544,3 +596,18 @@ int proc_pid_statm(struct seq_file *m, s
49911
49912 return 0;
49913 }
49914 +
49915 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
49916 +int proc_pid_ipaddr(struct task_struct *task, char *buffer)
49917 +{
49918 + u32 curr_ip = 0;
49919 + unsigned long flags;
49920 +
49921 + if (lock_task_sighand(task, &flags)) {
49922 + curr_ip = task->signal->curr_ip;
49923 + unlock_task_sighand(task, &flags);
49924 + }
49925 +
49926 + return sprintf(buffer, "%pI4\n", &curr_ip);
49927 +}
49928 +#endif
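Review bot: `proc_pid_ipaddr()` is added without any comment on what `task->signal->curr_ip` represents or what the reader sees when `lock_task_sighand()` fails. As written, a failed lock leaves `curr_ip` at zero and the file prints `0.0.0.0`, which is indistinguishable from a task that has no recorded address. A header comment such as `/* Print the task's recorded curr_ip; prints 0.0.0.0 if the sighand lock cannot be taken. */` would make that explicit. The function also relies on `buffer` being large enough for the `sprintf()`, which the caller outside this hunk must guarantee.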
49929 diff -urNp linux-2.6.39.3/fs/proc/base.c linux-2.6.39.3/fs/proc/base.c
49930 --- linux-2.6.39.3/fs/proc/base.c 2011-05-19 00:06:34.000000000 -0400
49931 +++ linux-2.6.39.3/fs/proc/base.c 2011-06-04 21:20:04.000000000 -0400
49932 @@ -104,6 +104,22 @@ struct pid_entry {
49933 union proc_op op;
49934 };
49935
49936 +struct getdents_callback {
49937 + struct linux_dirent __user * current_dir;
49938 + struct linux_dirent __user * previous;
49939 + struct file * file;
49940 + int count;
49941 + int error;
49942 +};
49943 +
49944 +static int gr_fake_filldir(void * __buf, const char *name, int namlen,
49945 + loff_t offset, u64 ino, unsigned int d_type)
49946 +{
49947 + struct getdents_callback * buf = (struct getdents_callback *) __buf;
49948 + buf->error = -EINVAL;
49949 + return 0;
49950 +}
49951 +
49952 #define NOD(NAME, MODE, IOP, FOP, OP) { \
49953 .name = (NAME), \
49954 .len = sizeof(NAME) - 1, \
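Review bot: `gr_fake_filldir()` casts the opaque `__buf` to the locally declared `struct getdents_callback` and writes `buf->error`, but nothing in this hunk ties that layout to the buffer the caller actually passed. The `proc_pid_readdir` hunk later substitutes this function for whatever `filldir` it was given while forwarding `dirent` unchanged, so a caller using a different callback structure would presumably have an unrelated field overwritten. Since the function only needs to skip the entry, consider leaving the buffer untouched and reducing the body to `return 0;`, or document which callback types are guaranteed to reach it. The struct also appears to be a private copy of a definition owned elsewhere, which can drift silently.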
49955 @@ -206,6 +222,9 @@ static struct mm_struct *__check_mem_per
49956 if (task == current)
49957 return mm;
49958
49959 + if (gr_handle_proc_ptrace(task) || gr_acl_handle_procpidmem(task))
49960 + return ERR_PTR(-EPERM);
49961 +
49962 /*
49963 * If current is actively ptrace'ing, and would also be
49964 * permitted to freshly attach with ptrace now, permit it.
49965 @@ -279,6 +298,9 @@ static int proc_pid_cmdline(struct task_
49966 if (!mm->arg_end)
49967 goto out_mm; /* Shh! No looking before we're done */
49968
49969 + if (gr_acl_handle_procpidmem(task))
49970 + goto out_mm;
49971 +
49972 len = mm->arg_end - mm->arg_start;
49973
49974 if (len > PAGE_SIZE)
49975 @@ -306,12 +328,28 @@ out:
49976 return res;
49977 }
49978
49979 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
49980 +#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
49981 + (_mm->pax_flags & MF_PAX_RANDMMAP || \
49982 + _mm->pax_flags & MF_PAX_SEGMEXEC))
49983 +#endif
49984 +
49985 static int proc_pid_auxv(struct task_struct *task, char *buffer)
49986 {
49987 struct mm_struct *mm = mm_for_maps(task);
49988 int res = PTR_ERR(mm);
49989 if (mm && !IS_ERR(mm)) {
49990 unsigned int nwords = 0;
49991 +
49992 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
49993 + /* allow if we're currently ptracing this task */
49994 + if (PAX_RAND_FLAGS(mm) &&
49995 + (!(task->ptrace & PT_PTRACED) || (task->parent != current))) {
49996 + mmput(mm);
49997 + return res;
49998 + }
49999 +#endif
50000 +
50001 do {
50002 nwords += 2;
50003 } while (mm->saved_auxv[nwords - 2] != 0); /* AT_NULL */
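Review bot: The early `return res;` inside the `CONFIG_GRKERNSEC_PROC_MEMMAP` block runs in the branch where `mm` is a valid pointer, and `res` still holds its initialiser `PTR_ERR(mm)`, i.e. the pointer value truncated to `int` rather than an error code or a length. Return an explicit value instead, for example `return 0;` after the `mmput(mm);`, or a negative errno if the read should fail visibly. The remainder of `proc_pid_auxv` and its caller are outside the hunk, so how a stray positive or negative return is interpreted should be checked there.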
50004 @@ -325,7 +363,7 @@ static int proc_pid_auxv(struct task_str
50005 }
50006
50007
50008 -#ifdef CONFIG_KALLSYMS
50009 +#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
50010 /*
50011 * Provides a wchan file via kallsyms in a proper one-value-per-file format.
50012 * Returns the resolved symbol. If that fails, simply return the address.
50013 @@ -364,7 +402,7 @@ static void unlock_trace(struct task_str
50014 mutex_unlock(&task->signal->cred_guard_mutex);
50015 }
50016
50017 -#ifdef CONFIG_STACKTRACE
50018 +#if defined(CONFIG_STACKTRACE) && !defined(CONFIG_GRKERNSEC_HIDESYM)
50019
50020 #define MAX_STACK_TRACE_DEPTH 64
50021
50022 @@ -555,7 +593,7 @@ static int proc_pid_limits(struct task_s
50023 return count;
50024 }
50025
50026 -#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
50027 +#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
50028 static int proc_pid_syscall(struct task_struct *task, char *buffer)
50029 {
50030 long nr;
50031 @@ -584,7 +622,7 @@ static int proc_pid_syscall(struct task_
50032 /************************************************************************/
50033
50034 /* permission checks */
50035 -static int proc_fd_access_allowed(struct inode *inode)
50036 +static int proc_fd_access_allowed(struct inode *inode, unsigned int log)
50037 {
50038 struct task_struct *task;
50039 int allowed = 0;
50040 @@ -594,7 +632,10 @@ static int proc_fd_access_allowed(struct
50041 */
50042 task = get_proc_task(inode);
50043 if (task) {
50044 - allowed = ptrace_may_access(task, PTRACE_MODE_READ);
50045 + if (log)
50046 + allowed = ptrace_may_access_log(task, PTRACE_MODE_READ);
50047 + else
50048 + allowed = ptrace_may_access(task, PTRACE_MODE_READ);
50049 put_task_struct(task);
50050 }
50051 return allowed;
50052 @@ -973,6 +1014,9 @@ static ssize_t environ_read(struct file
50053 if (!task)
50054 goto out_no_task;
50055
50056 + if (gr_acl_handle_procpidmem(task))
50057 + goto out;
50058 +
50059 ret = -ENOMEM;
50060 page = (char *)__get_free_page(GFP_TEMPORARY);
50061 if (!page)
50062 @@ -1660,7 +1704,7 @@ static void *proc_pid_follow_link(struct
50063 path_put(&nd->path);
50064
50065 /* Are we allowed to snoop on the tasks file descriptors? */
50066 - if (!proc_fd_access_allowed(inode))
50067 + if (!proc_fd_access_allowed(inode,0))
50068 goto out;
50069
50070 error = PROC_I(inode)->op.proc_get_link(inode, &nd->path);
50071 @@ -1699,8 +1743,18 @@ static int proc_pid_readlink(struct dent
50072 struct path path;
50073
50074 /* Are we allowed to snoop on the tasks file descriptors? */
50075 - if (!proc_fd_access_allowed(inode))
50076 - goto out;
50077 + /* logging this is needed for learning on chromium to work properly,
50078 + but we don't want to flood the logs from 'ps' which does a readlink
50079 + on /proc/fd/2 of tasks in the listing, nor do we want 'ps' to learn
50080 + CAP_SYS_PTRACE as it's not necessary for its basic functionality
50081 + */
50082 + if (dentry->d_name.name[0] == '2' && dentry->d_name.name[1] == '\0') {
50083 + if (!proc_fd_access_allowed(inode,0))
50084 + goto out;
50085 + } else {
50086 + if (!proc_fd_access_allowed(inode,1))
50087 + goto out;
50088 + }
50089
50090 error = PROC_I(inode)->op.proc_get_link(inode, &path);
50091 if (error)
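Review bot: The two new branches differ only in the `log` argument, and the test matches any entry whose name is the string "2" rather than checking a descriptor number. A single call states the same thing once: `if (!proc_fd_access_allowed(inode, !(dentry->d_name.name[0] == '2' && dentry->d_name.name[1] == '\0'))) goto out;`. The comment refers to `/proc/fd/2`, which presumably means the per-task `fd/2` link and could say so. `proc_pid_readlink` starts above the hunk.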
50092 @@ -1766,7 +1820,11 @@ static struct inode *proc_pid_make_inode
50093 rcu_read_lock();
50094 cred = __task_cred(task);
50095 inode->i_uid = cred->euid;
50096 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
50097 + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
50098 +#else
50099 inode->i_gid = cred->egid;
50100 +#endif
50101 rcu_read_unlock();
50102 }
50103 security_task_to_inode(task, inode);
50104 @@ -1784,6 +1842,9 @@ static int pid_getattr(struct vfsmount *
50105 struct inode *inode = dentry->d_inode;
50106 struct task_struct *task;
50107 const struct cred *cred;
50108 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
50109 + const struct cred *tmpcred = current_cred();
50110 +#endif
50111
50112 generic_fillattr(inode, stat);
50113
50114 @@ -1791,13 +1852,41 @@ static int pid_getattr(struct vfsmount *
50115 stat->uid = 0;
50116 stat->gid = 0;
50117 task = pid_task(proc_pid(inode), PIDTYPE_PID);
50118 +
50119 + if (task && (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))) {
50120 + rcu_read_unlock();
50121 + return -ENOENT;
50122 + }
50123 +
50124 if (task) {
50125 + cred = __task_cred(task);
50126 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
50127 + if (!tmpcred->uid || (tmpcred->uid == cred->uid)
50128 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
50129 + || in_group_p(CONFIG_GRKERNSEC_PROC_GID)
50130 +#endif
50131 + ) {
50132 +#endif
50133 if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
50134 +#ifdef CONFIG_GRKERNSEC_PROC_USER
50135 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
50136 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
50137 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
50138 +#endif
50139 task_dumpable(task)) {
50140 - cred = __task_cred(task);
50141 stat->uid = cred->euid;
50142 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
50143 + stat->gid = CONFIG_GRKERNSEC_PROC_GID;
50144 +#else
50145 stat->gid = cred->egid;
50146 +#endif
50147 }
50148 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
50149 + } else {
50150 + rcu_read_unlock();
50151 + return -ENOENT;
50152 + }
50153 +#endif
50154 }
50155 rcu_read_unlock();
50156 return 0;
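Review bot: The visibility test in `pid_getattr` is assembled from nested `#if` blocks that open a brace in one conditional and close it in another, which makes the two `rcu_read_unlock(); return -ENOENT;` exits hard to audit. The inverse of the same predicate is rebuilt by hand in the `proc_pid_readdir` hunk at `@@ -3149,8 +3283,27 @@`. A small static helper that takes the viewer's and the target's credentials, with the `#ifdef`s kept inside it, lets both sites use a plain `if`. The helper name below is a placeholder, and `pid_getattr` begins above this hunk.

```c
/* Proposed helper; the name is a placeholder. */
static bool proc_pid_visible_to(const struct cred *viewer,
				const struct cred *target)
{
#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
	if (!viewer->uid || viewer->uid == target->uid)
		return true;
#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
	if (in_group_p(CONFIG_GRKERNSEC_PROC_GID))
		return true;
#endif
	return false;
#else
	return true;
#endif
}

	if (task) {
		cred = __task_cred(task);
		if (!proc_pid_visible_to(current_cred(), cred)) {
			rcu_read_unlock();
			return -ENOENT;
		}
		/* … unchanged: i_mode / task_dumpable() test and uid/gid assignment … */
```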
50157 @@ -1834,11 +1923,20 @@ static int pid_revalidate(struct dentry
50158
50159 if (task) {
50160 if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
50161 +#ifdef CONFIG_GRKERNSEC_PROC_USER
50162 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
50163 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
50164 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
50165 +#endif
50166 task_dumpable(task)) {
50167 rcu_read_lock();
50168 cred = __task_cred(task);
50169 inode->i_uid = cred->euid;
50170 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
50171 + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
50172 +#else
50173 inode->i_gid = cred->egid;
50174 +#endif
50175 rcu_read_unlock();
50176 } else {
50177 inode->i_uid = 0;
50178 @@ -1959,7 +2057,8 @@ static int proc_fd_info(struct inode *in
50179 int fd = proc_fd(inode);
50180
50181 if (task) {
50182 - files = get_files_struct(task);
50183 + if (!gr_acl_handle_procpidmem(task))
50184 + files = get_files_struct(task);
50185 put_task_struct(task);
50186 }
50187 if (files) {
50188 @@ -2219,15 +2318,25 @@ static const struct file_operations proc
50189 */
50190 static int proc_fd_permission(struct inode *inode, int mask, unsigned int flags)
50191 {
50192 + struct task_struct *task;
50193 int rv;
50194
50195 if (flags & IPERM_FLAG_RCU)
50196 return -ECHILD;
50197 rv = generic_permission(inode, mask, flags, NULL);
50198 - if (rv == 0)
50199 - return 0;
50200 +
50201 if (task_pid(current) == proc_pid(inode))
50202 rv = 0;
50203 +
50204 + task = get_proc_task(inode);
50205 + if (task == NULL)
50206 + return rv;
50207 +
50208 + if (gr_acl_handle_procpidmem(task))
50209 + rv = -EACCES;
50210 +
50211 + put_task_struct(task);
50212 +
50213 return rv;
50214 }
50215
50216 @@ -2337,6 +2446,9 @@ static struct dentry *proc_pident_lookup
50217 if (!task)
50218 goto out_no_task;
50219
50220 + if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
50221 + goto out;
50222 +
50223 /*
50224 * Yes, it does not scale. And it should not. Don't add
50225 * new entries into /proc/<tgid>/ without very good reasons.
50226 @@ -2381,6 +2493,9 @@ static int proc_pident_readdir(struct fi
50227 if (!task)
50228 goto out_no_task;
50229
50230 + if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
50231 + goto out;
50232 +
50233 ret = 0;
50234 i = filp->f_pos;
50235 switch (i) {
50236 @@ -2651,7 +2766,7 @@ static void *proc_self_follow_link(struc
50237 static void proc_self_put_link(struct dentry *dentry, struct nameidata *nd,
50238 void *cookie)
50239 {
50240 - char *s = nd_get_link(nd);
50241 + const char *s = nd_get_link(nd);
50242 if (!IS_ERR(s))
50243 __putname(s);
50244 }
50245 @@ -2835,7 +2950,7 @@ static const struct pid_entry tgid_base_
50246 REG("autogroup", S_IRUGO|S_IWUSR, proc_pid_sched_autogroup_operations),
50247 #endif
50248 REG("comm", S_IRUGO|S_IWUSR, proc_pid_set_comm_operations),
50249 -#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
50250 +#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
50251 INF("syscall", S_IRUGO, proc_pid_syscall),
50252 #endif
50253 INF("cmdline", S_IRUGO, proc_pid_cmdline),
50254 @@ -2860,10 +2975,10 @@ static const struct pid_entry tgid_base_
50255 #ifdef CONFIG_SECURITY
50256 DIR("attr", S_IRUGO|S_IXUGO, proc_attr_dir_inode_operations, proc_attr_dir_operations),
50257 #endif
50258 -#ifdef CONFIG_KALLSYMS
50259 +#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
50260 INF("wchan", S_IRUGO, proc_pid_wchan),
50261 #endif
50262 -#ifdef CONFIG_STACKTRACE
50263 +#if defined(CONFIG_STACKTRACE) && !defined(CONFIG_GRKERNSEC_HIDESYM)
50264 ONE("stack", S_IRUGO, proc_pid_stack),
50265 #endif
50266 #ifdef CONFIG_SCHEDSTATS
50267 @@ -2894,6 +3009,9 @@ static const struct pid_entry tgid_base_
50268 #ifdef CONFIG_TASK_IO_ACCOUNTING
50269 INF("io", S_IRUGO, proc_tgid_io_accounting),
50270 #endif
50271 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
50272 + INF("ipaddr", S_IRUSR, proc_pid_ipaddr),
50273 +#endif
50274 };
50275
50276 static int proc_tgid_base_readdir(struct file * filp,
50277 @@ -3019,7 +3137,14 @@ static struct dentry *proc_pid_instantia
50278 if (!inode)
50279 goto out;
50280
50281 +#ifdef CONFIG_GRKERNSEC_PROC_USER
50282 + inode->i_mode = S_IFDIR|S_IRUSR|S_IXUSR;
50283 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
50284 + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
50285 + inode->i_mode = S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP;
50286 +#else
50287 inode->i_mode = S_IFDIR|S_IRUGO|S_IXUGO;
50288 +#endif
50289 inode->i_op = &proc_tgid_base_inode_operations;
50290 inode->i_fop = &proc_tgid_base_operations;
50291 inode->i_flags|=S_IMMUTABLE;
50292 @@ -3061,7 +3186,11 @@ struct dentry *proc_pid_lookup(struct in
50293 if (!task)
50294 goto out;
50295
50296 + if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
50297 + goto out_put_task;
50298 +
50299 result = proc_pid_instantiate(dir, dentry, task, NULL);
50300 +out_put_task:
50301 put_task_struct(task);
50302 out:
50303 return result;
50304 @@ -3126,6 +3255,11 @@ int proc_pid_readdir(struct file * filp,
50305 {
50306 unsigned int nr;
50307 struct task_struct *reaper;
50308 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
50309 + const struct cred *tmpcred = current_cred();
50310 + const struct cred *itercred;
50311 +#endif
50312 + filldir_t __filldir = filldir;
50313 struct tgid_iter iter;
50314 struct pid_namespace *ns;
50315
50316 @@ -3149,8 +3283,27 @@ int proc_pid_readdir(struct file * filp,
50317 for (iter = next_tgid(ns, iter);
50318 iter.task;
50319 iter.tgid += 1, iter = next_tgid(ns, iter)) {
50320 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
50321 + rcu_read_lock();
50322 + itercred = __task_cred(iter.task);
50323 +#endif
50324 + if (gr_pid_is_chrooted(iter.task) || gr_check_hidden_task(iter.task)
50325 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
50326 + || (tmpcred->uid && (itercred->uid != tmpcred->uid)
50327 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
50328 + && !in_group_p(CONFIG_GRKERNSEC_PROC_GID)
50329 +#endif
50330 + )
50331 +#endif
50332 + )
50333 + __filldir = &gr_fake_filldir;
50334 + else
50335 + __filldir = filldir;
50336 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
50337 + rcu_read_unlock();
50338 +#endif
50339 filp->f_pos = iter.tgid + TGID_OFFSET;
50340 - if (proc_pid_fill_cache(filp, dirent, filldir, iter) < 0) {
50341 + if (proc_pid_fill_cache(filp, dirent, __filldir, iter) < 0) {
50342 put_task_struct(iter.task);
50343 goto out;
50344 }
50345 @@ -3177,7 +3330,7 @@ static const struct pid_entry tid_base_s
50346 REG("sched", S_IRUGO|S_IWUSR, proc_pid_sched_operations),
50347 #endif
50348 REG("comm", S_IRUGO|S_IWUSR, proc_pid_set_comm_operations),
50349 -#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
50350 +#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
50351 INF("syscall", S_IRUGO, proc_pid_syscall),
50352 #endif
50353 INF("cmdline", S_IRUGO, proc_pid_cmdline),
50354 @@ -3201,10 +3354,10 @@ static const struct pid_entry tid_base_s
50355 #ifdef CONFIG_SECURITY
50356 DIR("attr", S_IRUGO|S_IXUGO, proc_attr_dir_inode_operations, proc_attr_dir_operations),
50357 #endif
50358 -#ifdef CONFIG_KALLSYMS
50359 +#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
50360 INF("wchan", S_IRUGO, proc_pid_wchan),
50361 #endif
50362 -#ifdef CONFIG_STACKTRACE
50363 +#if defined(CONFIG_STACKTRACE) && !defined(CONFIG_GRKERNSEC_HIDESYM)
50364 ONE("stack", S_IRUGO, proc_pid_stack),
50365 #endif
50366 #ifdef CONFIG_SCHEDSTATS
50367 diff -urNp linux-2.6.39.3/fs/proc/cmdline.c linux-2.6.39.3/fs/proc/cmdline.c
50368 --- linux-2.6.39.3/fs/proc/cmdline.c 2011-05-19 00:06:34.000000000 -0400
50369 +++ linux-2.6.39.3/fs/proc/cmdline.c 2011-05-22 19:41:37.000000000 -0400
50370 @@ -23,7 +23,11 @@ static const struct file_operations cmdl
50371
50372 static int __init proc_cmdline_init(void)
50373 {
50374 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
50375 + proc_create_grsec("cmdline", 0, NULL, &cmdline_proc_fops);
50376 +#else
50377 proc_create("cmdline", 0, NULL, &cmdline_proc_fops);
50378 +#endif
50379 return 0;
50380 }
50381 module_init(proc_cmdline_init);
50382 diff -urNp linux-2.6.39.3/fs/proc/devices.c linux-2.6.39.3/fs/proc/devices.c
50383 --- linux-2.6.39.3/fs/proc/devices.c 2011-05-19 00:06:34.000000000 -0400
50384 +++ linux-2.6.39.3/fs/proc/devices.c 2011-05-22 19:41:37.000000000 -0400
50385 @@ -64,7 +64,11 @@ static const struct file_operations proc
50386
50387 static int __init proc_devices_init(void)
50388 {
50389 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
50390 + proc_create_grsec("devices", 0, NULL, &proc_devinfo_operations);
50391 +#else
50392 proc_create("devices", 0, NULL, &proc_devinfo_operations);
50393 +#endif
50394 return 0;
50395 }
50396 module_init(proc_devices_init);
50397 diff -urNp linux-2.6.39.3/fs/proc/inode.c linux-2.6.39.3/fs/proc/inode.c
50398 --- linux-2.6.39.3/fs/proc/inode.c 2011-05-19 00:06:34.000000000 -0400
50399 +++ linux-2.6.39.3/fs/proc/inode.c 2011-05-22 19:41:37.000000000 -0400
50400 @@ -433,7 +433,11 @@ struct inode *proc_get_inode(struct supe
50401 if (de->mode) {
50402 inode->i_mode = de->mode;
50403 inode->i_uid = de->uid;
50404 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
50405 + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
50406 +#else
50407 inode->i_gid = de->gid;
50408 +#endif
50409 }
50410 if (de->size)
50411 inode->i_size = de->size;
50412 diff -urNp linux-2.6.39.3/fs/proc/internal.h linux-2.6.39.3/fs/proc/internal.h
50413 --- linux-2.6.39.3/fs/proc/internal.h 2011-05-19 00:06:34.000000000 -0400
50414 +++ linux-2.6.39.3/fs/proc/internal.h 2011-05-22 19:41:37.000000000 -0400
50415 @@ -51,6 +51,9 @@ extern int proc_pid_status(struct seq_fi
50416 struct pid *pid, struct task_struct *task);
50417 extern int proc_pid_statm(struct seq_file *m, struct pid_namespace *ns,
50418 struct pid *pid, struct task_struct *task);
50419 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
50420 +extern int proc_pid_ipaddr(struct task_struct *task, char *buffer);
50421 +#endif
50422 extern loff_t mem_lseek(struct file *file, loff_t offset, int orig);
50423
50424 extern const struct file_operations proc_maps_operations;
50425 diff -urNp linux-2.6.39.3/fs/proc/Kconfig linux-2.6.39.3/fs/proc/Kconfig
50426 --- linux-2.6.39.3/fs/proc/Kconfig 2011-05-19 00:06:34.000000000 -0400
50427 +++ linux-2.6.39.3/fs/proc/Kconfig 2011-05-22 19:41:37.000000000 -0400
50428 @@ -30,12 +30,12 @@ config PROC_FS
50429
50430 config PROC_KCORE
50431 bool "/proc/kcore support" if !ARM
50432 - depends on PROC_FS && MMU
50433 + depends on PROC_FS && MMU && !GRKERNSEC_PROC_ADD
50434
50435 config PROC_VMCORE
50436 bool "/proc/vmcore support"
50437 - depends on PROC_FS && CRASH_DUMP
50438 - default y
50439 + depends on PROC_FS && CRASH_DUMP && !GRKERNSEC
50440 + default n
50441 help
50442 Exports the dump image of crashed kernel in ELF format.
50443
50444 @@ -59,8 +59,8 @@ config PROC_SYSCTL
50445 limited in memory.
50446
50447 config PROC_PAGE_MONITOR
50448 - default y
50449 - depends on PROC_FS && MMU
50450 + default n
50451 + depends on PROC_FS && MMU && !GRKERNSEC
50452 bool "Enable /proc page monitoring" if EXPERT
50453 help
50454 Various /proc files exist to monitor process memory utilization:
50455 diff -urNp linux-2.6.39.3/fs/proc/kcore.c linux-2.6.39.3/fs/proc/kcore.c
50456 --- linux-2.6.39.3/fs/proc/kcore.c 2011-05-19 00:06:34.000000000 -0400
50457 +++ linux-2.6.39.3/fs/proc/kcore.c 2011-05-22 19:41:37.000000000 -0400
50458 @@ -321,6 +321,8 @@ static void elf_kcore_store_hdr(char *bu
50459 off_t offset = 0;
50460 struct kcore_list *m;
50461
50462 + pax_track_stack();
50463 +
50464 /* setup ELF header */
50465 elf = (struct elfhdr *) bufp;
50466 bufp += sizeof(struct elfhdr);
50467 @@ -478,9 +480,10 @@ read_kcore(struct file *file, char __use
50468 * the addresses in the elf_phdr on our list.
50469 */
50470 start = kc_offset_to_vaddr(*fpos - elf_buflen);
50471 - if ((tsz = (PAGE_SIZE - (start & ~PAGE_MASK))) > buflen)
50472 + tsz = PAGE_SIZE - (start & ~PAGE_MASK);
50473 + if (tsz > buflen)
50474 tsz = buflen;
50475 -
50476 +
50477 while (buflen) {
50478 struct kcore_list *m;
50479
50480 @@ -509,20 +512,23 @@ read_kcore(struct file *file, char __use
50481 kfree(elf_buf);
50482 } else {
50483 if (kern_addr_valid(start)) {
50484 - unsigned long n;
50485 + char *elf_buf;
50486 + mm_segment_t oldfs;
50487
50488 - n = copy_to_user(buffer, (char *)start, tsz);
50489 - /*
50490 - * We cannot distingush between fault on source
50491 - * and fault on destination. When this happens
50492 - * we clear too and hope it will trigger the
50493 - * EFAULT again.
50494 - */
50495 - if (n) {
50496 - if (clear_user(buffer + tsz - n,
50497 - n))
50498 + elf_buf = kmalloc(tsz, GFP_KERNEL);
50499 + if (!elf_buf)
50500 + return -ENOMEM;
50501 + oldfs = get_fs();
50502 + set_fs(KERNEL_DS);
50503 + if (!__copy_from_user(elf_buf, (const void __user *)start, tsz)) {
50504 + set_fs(oldfs);
50505 + if (copy_to_user(buffer, elf_buf, tsz)) {
50506 + kfree(elf_buf);
50507 return -EFAULT;
50508 + }
50509 }
50510 + set_fs(oldfs);
50511 + kfree(elf_buf);
50512 } else {
50513 if (clear_user(buffer, tsz))
50514 return -EFAULT;
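Review bot: When `__copy_from_user` reports a fault on the kernel source address, the new code frees the bounce buffer and carries on without touching `buffer`. Assuming the loop after this hunk still advances by `tsz`, the caller is told those bytes were read while its buffer holds whatever was there before; the removed code zeroed the unread tail with `clear_user`. The success path also calls `set_fs(oldfs)` twice, and the local reuses the name `elf_buf` although it holds no ELF data. Restoring the address limit once, directly after the copy, and zero-filling on a source fault as the `!kern_addr_valid` branch does keeps the `KERNEL_DS` window minimal and the result deterministic. read_kcore starts and ends outside this hunk.

```c
			if (kern_addr_valid(start)) {
				char *bounce;
				mm_segment_t oldfs;
				unsigned long left;

				bounce = kmalloc(tsz, GFP_KERNEL);
				if (!bounce)
					return -ENOMEM;
				oldfs = get_fs();
				set_fs(KERNEL_DS);
				left = __copy_from_user(bounce, (const void __user *)start, tsz);
				set_fs(oldfs);	/* restore before touching the user buffer */
				if (left)
					left = clear_user(buffer, tsz);	/* source fault: hand back zeroes */
				else
					left = copy_to_user(buffer, bounce, tsz);
				kfree(bounce);
				if (left)
					return -EFAULT;
			/* … unchanged: else branch calling clear_user() for invalid addresses … */
```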
50515 @@ -542,6 +548,9 @@ read_kcore(struct file *file, char __use
50516
50517 static int open_kcore(struct inode *inode, struct file *filp)
50518 {
50519 +#if defined(CONFIG_GRKERNSEC_PROC_ADD) || defined(CONFIG_GRKERNSEC_HIDESYM)
50520 + return -EPERM;
50521 +#endif
50522 if (!capable(CAP_SYS_RAWIO))
50523 return -EPERM;
50524 if (kcore_need_update)
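Review bot: With either option defined, the unconditional `return -EPERM;` leaves the `capable(CAP_SYS_RAWIO)` check and the rest of open_kcore as unreachable code; an `#else` before the existing body, with the `#endif` moved after it, would make the two variants explicit. The `CONFIG_GRKERNSEC_PROC_ADD` half of the test also looks dead: the Kconfig hunk above makes PROC_KCORE depend on `!GRKERNSEC_PROC_ADD`, so if kcore.c is built only for PROC_KCORE (the Makefile is not shown) that case never compiles here. `GRKERNSEC_HIDESYM` alone, by contrast, still builds a /proc/kcore that nobody can open. Adding `&& !GRKERNSEC_HIDESYM` to the Kconfig dependency would keep the two places in step. open_kcore's body continues outside the hunk.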
50525 diff -urNp linux-2.6.39.3/fs/proc/meminfo.c linux-2.6.39.3/fs/proc/meminfo.c
50526 --- linux-2.6.39.3/fs/proc/meminfo.c 2011-05-19 00:06:34.000000000 -0400
50527 +++ linux-2.6.39.3/fs/proc/meminfo.c 2011-05-22 19:36:32.000000000 -0400
50528 @@ -29,6 +29,8 @@ static int meminfo_proc_show(struct seq_
50529 unsigned long pages[NR_LRU_LISTS];
50530 int lru;
50531
50532 + pax_track_stack();
50533 +
50534 /*
50535 * display in kilobytes.
50536 */
50537 @@ -157,7 +159,7 @@ static int meminfo_proc_show(struct seq_
50538 vmi.used >> 10,
50539 vmi.largest_chunk >> 10
50540 #ifdef CONFIG_MEMORY_FAILURE
50541 - ,atomic_long_read(&mce_bad_pages) << (PAGE_SHIFT - 10)
50542 + ,atomic_long_read_unchecked(&mce_bad_pages) << (PAGE_SHIFT - 10)
50543 #endif
50544 #ifdef CONFIG_TRANSPARENT_HUGEPAGE
50545 ,K(global_page_state(NR_ANON_TRANSPARENT_HUGEPAGES) *
50546 diff -urNp linux-2.6.39.3/fs/proc/nommu.c linux-2.6.39.3/fs/proc/nommu.c
50547 --- linux-2.6.39.3/fs/proc/nommu.c 2011-05-19 00:06:34.000000000 -0400
50548 +++ linux-2.6.39.3/fs/proc/nommu.c 2011-05-22 19:36:32.000000000 -0400
50549 @@ -66,7 +66,7 @@ static int nommu_region_show(struct seq_
50550 if (len < 1)
50551 len = 1;
50552 seq_printf(m, "%*c", len, ' ');
50553 - seq_path(m, &file->f_path, "");
50554 + seq_path(m, &file->f_path, "\n\\");
50555 }
50556
50557 seq_putc(m, '\n');
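Review bot: The escape set passed to `seq_path` changes from `""` to `"\n\\"` without a comment, and the reason matters for security: a file name containing a newline would otherwise be printed raw and could make one mapping look like several lines to anything parsing this file. A short comment such as `/* escape newline and backslash so a crafted path cannot forge extra lines */` would record that. The same applies to the `seq_path` changes in show_map_vma (task_mmu.c) and nommu_vma_show (task_nommu.c). Since the literal now appears three times, a shared macro for the escape set would keep the sites from drifting apart. nommu_region_show starts outside the hunk.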
50558 diff -urNp linux-2.6.39.3/fs/proc/proc_net.c linux-2.6.39.3/fs/proc/proc_net.c
50559 --- linux-2.6.39.3/fs/proc/proc_net.c 2011-05-19 00:06:34.000000000 -0400
50560 +++ linux-2.6.39.3/fs/proc/proc_net.c 2011-05-22 19:41:37.000000000 -0400
50561 @@ -105,6 +105,17 @@ static struct net *get_proc_task_net(str
50562 struct task_struct *task;
50563 struct nsproxy *ns;
50564 struct net *net = NULL;
50565 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
50566 + const struct cred *cred = current_cred();
50567 +#endif
50568 +
50569 +#ifdef CONFIG_GRKERNSEC_PROC_USER
50570 + if (cred->fsuid)
50571 + return net;
50572 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
50573 + if (cred->fsuid && !in_group_p(CONFIG_GRKERNSEC_PROC_GID))
50574 + return net;
50575 +#endif
50576
50577 rcu_read_lock();
50578 task = pid_task(proc_pid(dir), PIDTYPE_PID);
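Review bot: The early `return net;` hands back NULL to every caller whose fsuid is non-zero (or, under PROC_USERGROUP, who is also outside `CONFIG_GRKERNSEC_PROC_GID`), but nothing in the hunk says that this is how /proc/net is withheld or what callers do with the NULL. A comment above the `#ifdef`, for example `/* unprivileged readers get no namespace, so /proc/net yields nothing for them */`, would help, with the wording checked against the callers, which are outside this hunk. Writing the test as `cred->fsuid != 0` would also state the intent of the bare `cred->fsuid` more clearly. get_proc_task_net continues past the hunk.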
50579 diff -urNp linux-2.6.39.3/fs/proc/proc_sysctl.c linux-2.6.39.3/fs/proc/proc_sysctl.c
50580 --- linux-2.6.39.3/fs/proc/proc_sysctl.c 2011-05-19 00:06:34.000000000 -0400
50581 +++ linux-2.6.39.3/fs/proc/proc_sysctl.c 2011-05-22 19:41:37.000000000 -0400
50582 @@ -8,6 +8,8 @@
50583 #include <linux/namei.h>
50584 #include "internal.h"
50585
50586 +extern __u32 gr_handle_sysctl(const struct ctl_table *table, const int op);
50587 +
50588 static const struct dentry_operations proc_sys_dentry_operations;
50589 static const struct file_operations proc_sys_file_operations;
50590 static const struct inode_operations proc_sys_inode_operations;
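Review bot: `gr_handle_sysctl` is declared with a local `extern` in this .c file, so the compiler cannot check the prototype against the definition; the declaration belongs in a header that both sides include. The call sites in the following hunks pass `MAY_EXEC` in proc_sys_lookup and proc_sys_getattr but a bare `0` in scan, and treat the `__u32` result as a boolean. A comment at the declaration, e.g. `/* non-zero: entry must be hidden or denied for this op */`, would document that contract, assuming that is what the return value means.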
50591 @@ -111,6 +113,9 @@ static struct dentry *proc_sys_lookup(st
50592 if (!p)
50593 goto out;
50594
50595 + if (gr_handle_sysctl(p, MAY_EXEC))
50596 + goto out;
50597 +
50598 err = ERR_PTR(-ENOMEM);
50599 inode = proc_sys_make_inode(dir->i_sb, h ? h : head, p);
50600 if (h)
50601 @@ -230,6 +235,9 @@ static int scan(struct ctl_table_header
50602 if (*pos < file->f_pos)
50603 continue;
50604
50605 + if (gr_handle_sysctl(table, 0))
50606 + continue;
50607 +
50608 res = proc_sys_fill_cache(file, dirent, filldir, head, table);
50609 if (res)
50610 return res;
50611 @@ -358,6 +366,9 @@ static int proc_sys_getattr(struct vfsmo
50612 if (IS_ERR(head))
50613 return PTR_ERR(head);
50614
50615 + if (table && gr_handle_sysctl(table, MAY_EXEC))
50616 + return -ENOENT;
50617 +
50618 generic_fillattr(inode, stat);
50619 if (table)
50620 stat->mode = (stat->mode & S_IFMT) | table->mode;
50621 diff -urNp linux-2.6.39.3/fs/proc/root.c linux-2.6.39.3/fs/proc/root.c
50622 --- linux-2.6.39.3/fs/proc/root.c 2011-05-19 00:06:34.000000000 -0400
50623 +++ linux-2.6.39.3/fs/proc/root.c 2011-05-22 19:41:37.000000000 -0400
50624 @@ -122,7 +122,15 @@ void __init proc_root_init(void)
50625 #ifdef CONFIG_PROC_DEVICETREE
50626 proc_device_tree_init();
50627 #endif
50628 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
50629 +#ifdef CONFIG_GRKERNSEC_PROC_USER
50630 + proc_mkdir_mode("bus", S_IRUSR | S_IXUSR, NULL);
50631 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
50632 + proc_mkdir_mode("bus", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
50633 +#endif
50634 +#else
50635 proc_mkdir("bus", NULL);
50636 +#endif
50637 proc_sys_init();
50638 }
50639
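Review bot: When `CONFIG_GRKERNSEC_PROC_ADD` is set but neither `CONFIG_GRKERNSEC_PROC_USER` nor `CONFIG_GRKERNSEC_PROC_USERGROUP` is, the inner `#ifdef`/`#elif` has no fallback and /proc/bus is not created at all. Unless Kconfig (not shown here) guarantees that PROC_ADD implies one of the two, the inner block should end with `#else` and `proc_mkdir("bus", NULL);` before its `#endif`. proc_root_init starts outside the hunk.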
50640 diff -urNp linux-2.6.39.3/fs/proc/task_mmu.c linux-2.6.39.3/fs/proc/task_mmu.c
50641 --- linux-2.6.39.3/fs/proc/task_mmu.c 2011-05-19 00:06:34.000000000 -0400
50642 +++ linux-2.6.39.3/fs/proc/task_mmu.c 2011-05-22 22:43:29.000000000 -0400
50643 @@ -51,8 +51,13 @@ void task_mem(struct seq_file *m, struct
50644 "VmExe:\t%8lu kB\n"
50645 "VmLib:\t%8lu kB\n"
50646 "VmPTE:\t%8lu kB\n"
50647 - "VmSwap:\t%8lu kB\n",
50648 - hiwater_vm << (PAGE_SHIFT-10),
50649 + "VmSwap:\t%8lu kB\n"
50650 +
50651 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
50652 + "CsBase:\t%8lx\nCsLim:\t%8lx\n"
50653 +#endif
50654 +
50655 + ,hiwater_vm << (PAGE_SHIFT-10),
50656 (total_vm - mm->reserved_vm) << (PAGE_SHIFT-10),
50657 mm->locked_vm << (PAGE_SHIFT-10),
50658 hiwater_rss << (PAGE_SHIFT-10),
50659 @@ -60,7 +65,13 @@ void task_mem(struct seq_file *m, struct
50660 data << (PAGE_SHIFT-10),
50661 mm->stack_vm << (PAGE_SHIFT-10), text, lib,
50662 (PTRS_PER_PTE*sizeof(pte_t)*mm->nr_ptes) >> 10,
50663 - swap << (PAGE_SHIFT-10));
50664 + swap << (PAGE_SHIFT-10)
50665 +
50666 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
50667 + , mm->context.user_cs_base, mm->context.user_cs_limit
50668 +#endif
50669 +
50670 + );
50671 }
50672
50673 unsigned long task_vsize(struct mm_struct *mm)
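Review bot: `mm->context.user_cs_base` and `mm->context.user_cs_limit` are printed for every reader of this output, with none of the masking that show_map_vma applies further down through `PAX_RAND_FLAGS`. If these values reflect where executable mappings sit (their definition is not on this page), they look like layout information about other processes, which the maps changes in this same file are trying to withhold. Consider printing zero when the target mm is not `current->mm` and has randomisation flags set, or add a comment saying why the values are safe to expose. Splitting the format string and the argument list across two matching `#ifdef` blocks is also easy to get out of step; the format half is in the previous hunk.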
50674 @@ -207,6 +218,12 @@ static int do_maps_open(struct inode *in
50675 return ret;
50676 }
50677
50678 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
50679 +#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
50680 + (_mm->pax_flags & MF_PAX_RANDMMAP || \
50681 + _mm->pax_flags & MF_PAX_SEGMEXEC))
50682 +#endif
50683 +
50684 static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma)
50685 {
50686 struct mm_struct *mm = vma->vm_mm;
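Review bot: `PAX_RAND_FLAGS` uses its argument four times without parentheses, so it is only safe for simple expressions like the `mm` and `vma->vm_mm` passed below; writing each use as `(_mm)` or turning it into a `static inline bool` helper would remove that hazard. The macro also exists only under `CONFIG_GRKERNSEC_PROC_MEMMAP`, which forces every call site in show_map_vma and show_smap into its own `#ifdef`, including one that splits a brace pair. Adding `#else` with `#define PAX_RAND_FLAGS(_mm) 0` would let those call sites drop the conditionals. A one-line comment saying that it is true for a foreign mm with RANDMMAP or SEGMEXEC set would also help.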
50687 @@ -225,13 +242,13 @@ static void show_map_vma(struct seq_file
50688 pgoff = ((loff_t)vma->vm_pgoff) << PAGE_SHIFT;
50689 }
50690
50691 - /* We don't show the stack guard page in /proc/maps */
50692 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
50693 + start = PAX_RAND_FLAGS(mm) ? 0UL : vma->vm_start;
50694 + end = PAX_RAND_FLAGS(mm) ? 0UL : vma->vm_end;
50695 +#else
50696 start = vma->vm_start;
50697 - if (stack_guard_page_start(vma, start))
50698 - start += PAGE_SIZE;
50699 end = vma->vm_end;
50700 - if (stack_guard_page_end(vma, end))
50701 - end -= PAGE_SIZE;
50702 +#endif
50703
50704 seq_printf(m, "%08lx-%08lx %c%c%c%c %08llx %02x:%02x %lu %n",
50705 start,
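Review bot: The stack-guard-page adjustment and its comment are removed from the `#else` branch as well, so the maps output changes even in builds without `CONFIG_GRKERNSEC_PROC_MEMMAP`, and the hunk gives no reason. If that is intended (for instance because the guard gap is handled differently elsewhere in this patch, which is not visible here), a comment should say so. `PAX_RAND_FLAGS(mm)` is also evaluated separately for `start` and `end`, and again for `pgoff` in the next hunk; a local `const bool hide = PAX_RAND_FLAGS(mm);` would state the decision once. show_map_vma starts and ends outside the hunk.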
50706 @@ -240,7 +257,11 @@ static void show_map_vma(struct seq_file
50707 flags & VM_WRITE ? 'w' : '-',
50708 flags & VM_EXEC ? 'x' : '-',
50709 flags & VM_MAYSHARE ? 's' : 'p',
50710 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
50711 + PAX_RAND_FLAGS(mm) ? 0UL : pgoff,
50712 +#else
50713 pgoff,
50714 +#endif
50715 MAJOR(dev), MINOR(dev), ino, &len);
50716
50717 /*
50718 @@ -249,7 +270,7 @@ static void show_map_vma(struct seq_file
50719 */
50720 if (file) {
50721 pad_len_spaces(m, len);
50722 - seq_path(m, &file->f_path, "\n");
50723 + seq_path(m, &file->f_path, "\n\\");
50724 } else {
50725 const char *name = arch_vma_name(vma);
50726 if (!name) {
50727 @@ -257,8 +278,9 @@ static void show_map_vma(struct seq_file
50728 if (vma->vm_start <= mm->brk &&
50729 vma->vm_end >= mm->start_brk) {
50730 name = "[heap]";
50731 - } else if (vma->vm_start <= mm->start_stack &&
50732 - vma->vm_end >= mm->start_stack) {
50733 + } else if ((vma->vm_flags & (VM_GROWSDOWN | VM_GROWSUP)) ||
50734 + (vma->vm_start <= mm->start_stack &&
50735 + vma->vm_end >= mm->start_stack)) {
50736 name = "[stack]";
50737 }
50738 } else {
50739 @@ -433,11 +455,16 @@ static int show_smap(struct seq_file *m,
50740 };
50741
50742 memset(&mss, 0, sizeof mss);
50743 - mss.vma = vma;
50744 - /* mmap_sem is held in m_start */
50745 - if (vma->vm_mm && !is_vm_hugetlb_page(vma))
50746 - walk_page_range(vma->vm_start, vma->vm_end, &smaps_walk);
50747 -
50748 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
50749 + if (!PAX_RAND_FLAGS(vma->vm_mm)) {
50750 +#endif
50751 + mss.vma = vma;
50752 + /* mmap_sem is held in m_start */
50753 + if (vma->vm_mm && !is_vm_hugetlb_page(vma))
50754 + walk_page_range(vma->vm_start, vma->vm_end, &smaps_walk);
50755 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
50756 + }
50757 +#endif
50758 show_map_vma(m, vma);
50759
50760 seq_printf(m,
50761 @@ -455,7 +482,11 @@ static int show_smap(struct seq_file *m,
50762 "KernelPageSize: %8lu kB\n"
50763 "MMUPageSize: %8lu kB\n"
50764 "Locked: %8lu kB\n",
50765 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
50766 + PAX_RAND_FLAGS(vma->vm_mm) ? 0UL : (vma->vm_end - vma->vm_start) >> 10,
50767 +#else
50768 (vma->vm_end - vma->vm_start) >> 10,
50769 +#endif
50770 mss.resident >> 10,
50771 (unsigned long)(mss.pss >> (10 + PSS_SHIFT)),
50772 mss.shared_clean >> 10,
50773 diff -urNp linux-2.6.39.3/fs/proc/task_nommu.c linux-2.6.39.3/fs/proc/task_nommu.c
50774 --- linux-2.6.39.3/fs/proc/task_nommu.c 2011-05-19 00:06:34.000000000 -0400
50775 +++ linux-2.6.39.3/fs/proc/task_nommu.c 2011-05-22 19:36:32.000000000 -0400
50776 @@ -51,7 +51,7 @@ void task_mem(struct seq_file *m, struct
50777 else
50778 bytes += kobjsize(mm);
50779
50780 - if (current->fs && current->fs->users > 1)
50781 + if (current->fs && atomic_read(&current->fs->users) > 1)
50782 sbytes += kobjsize(current->fs);
50783 else
50784 bytes += kobjsize(current->fs);
50785 @@ -166,7 +166,7 @@ static int nommu_vma_show(struct seq_fil
50786
50787 if (file) {
50788 pad_len_spaces(m, len);
50789 - seq_path(m, &file->f_path, "");
50790 + seq_path(m, &file->f_path, "\n\\");
50791 } else if (mm) {
50792 if (vma->vm_start <= mm->start_stack &&
50793 vma->vm_end >= mm->start_stack) {
50794 diff -urNp linux-2.6.39.3/fs/quota/netlink.c linux-2.6.39.3/fs/quota/netlink.c
50795 --- linux-2.6.39.3/fs/quota/netlink.c 2011-05-19 00:06:34.000000000 -0400
50796 +++ linux-2.6.39.3/fs/quota/netlink.c 2011-05-22 19:36:32.000000000 -0400
50797 @@ -33,7 +33,7 @@ static struct genl_family quota_genl_fam
50798 void quota_send_warning(short type, unsigned int id, dev_t dev,
50799 const char warntype)
50800 {
50801 - static atomic_t seq;
50802 + static atomic_unchecked_t seq;
50803 struct sk_buff *skb;
50804 void *msg_head;
50805 int ret;
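Review bot: `seq` becomes `atomic_unchecked_t` with no comment on why this counter is exempt from the checked atomic type. Presumably it is because a netlink sequence number may wrap harmlessly, unlike a reference count; a comment such as `/* sequence number only: wraparound is harmless */` would make that decision reviewable. The same applies to `sysfs_open_dirent.event` in fs/sysfs/file.c and the reiserfs generation counter later in the patch. quota_send_warning continues outside the hunk.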
50806 @@ -49,7 +49,7 @@ void quota_send_warning(short type, unsi
50807 "VFS: Not enough memory to send quota warning.\n");
50808 return;
50809 }
50810 - msg_head = genlmsg_put(skb, 0, atomic_add_return(1, &seq),
50811 + msg_head = genlmsg_put(skb, 0, atomic_add_return_unchecked(1, &seq),
50812 &quota_genl_family, 0, QUOTA_NL_C_WARNING);
50813 if (!msg_head) {
50814 printk(KERN_ERR
50815 diff -urNp linux-2.6.39.3/fs/readdir.c linux-2.6.39.3/fs/readdir.c
50816 --- linux-2.6.39.3/fs/readdir.c 2011-05-19 00:06:34.000000000 -0400
50817 +++ linux-2.6.39.3/fs/readdir.c 2011-05-22 19:41:42.000000000 -0400
50818 @@ -17,6 +17,7 @@
50819 #include <linux/security.h>
50820 #include <linux/syscalls.h>
50821 #include <linux/unistd.h>
50822 +#include <linux/namei.h>
50823
50824 #include <asm/uaccess.h>
50825
50826 @@ -67,6 +68,7 @@ struct old_linux_dirent {
50827
50828 struct readdir_callback {
50829 struct old_linux_dirent __user * dirent;
50830 + struct file * file;
50831 int result;
50832 };
50833
50834 @@ -84,6 +86,10 @@ static int fillonedir(void * __buf, cons
50835 buf->result = -EOVERFLOW;
50836 return -EOVERFLOW;
50837 }
50838 +
50839 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
50840 + return 0;
50841 +
50842 buf->result++;
50843 dirent = buf->dirent;
50844 if (!access_ok(VERIFY_WRITE, dirent,
50845 @@ -116,6 +122,7 @@ SYSCALL_DEFINE3(old_readdir, unsigned in
50846
50847 buf.result = 0;
50848 buf.dirent = dirent;
50849 + buf.file = file;
50850
50851 error = vfs_readdir(file, fillonedir, &buf);
50852 if (buf.result)
50853 @@ -142,6 +149,7 @@ struct linux_dirent {
50854 struct getdents_callback {
50855 struct linux_dirent __user * current_dir;
50856 struct linux_dirent __user * previous;
50857 + struct file * file;
50858 int count;
50859 int error;
50860 };
50861 @@ -163,6 +171,10 @@ static int filldir(void * __buf, const c
50862 buf->error = -EOVERFLOW;
50863 return -EOVERFLOW;
50864 }
50865 +
50866 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
50867 + return 0;
50868 +
50869 dirent = buf->previous;
50870 if (dirent) {
50871 if (__put_user(offset, &dirent->d_off))
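Review bot: Returning 0 for a hidden entry can leave a stale error for the caller. The filldir64 hunk below shows `buf->error = -EINVAL; /* only used if we fail.. */` being set on entry, and filldir most likely does the same above this hunk. If getdents falls back to `buf.error` when no entry was stored (its tail is outside the hunk), a call that visits only hidden entries would return -EINVAL instead of 0. Clearing the field on the skip path, `if (!gr_acl_handle_filldir(buf->file, name, namlen, ino)) { buf->error = 0; return 0; }`, would avoid that; the same applies to filldir64.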
50872 @@ -210,6 +222,7 @@ SYSCALL_DEFINE3(getdents, unsigned int,
50873 buf.previous = NULL;
50874 buf.count = count;
50875 buf.error = 0;
50876 + buf.file = file;
50877
50878 error = vfs_readdir(file, filldir, &buf);
50879 if (error >= 0)
50880 @@ -229,6 +242,7 @@ out:
50881 struct getdents_callback64 {
50882 struct linux_dirent64 __user * current_dir;
50883 struct linux_dirent64 __user * previous;
50884 + struct file *file;
50885 int count;
50886 int error;
50887 };
50888 @@ -244,6 +258,10 @@ static int filldir64(void * __buf, const
50889 buf->error = -EINVAL; /* only used if we fail.. */
50890 if (reclen > buf->count)
50891 return -EINVAL;
50892 +
50893 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
50894 + return 0;
50895 +
50896 dirent = buf->previous;
50897 if (dirent) {
50898 if (__put_user(offset, &dirent->d_off))
50899 @@ -291,6 +309,7 @@ SYSCALL_DEFINE3(getdents64, unsigned int
50900
50901 buf.current_dir = dirent;
50902 buf.previous = NULL;
50903 + buf.file = file;
50904 buf.count = count;
50905 buf.error = 0;
50906
50907 diff -urNp linux-2.6.39.3/fs/reiserfs/dir.c linux-2.6.39.3/fs/reiserfs/dir.c
50908 --- linux-2.6.39.3/fs/reiserfs/dir.c 2011-05-19 00:06:34.000000000 -0400
50909 +++ linux-2.6.39.3/fs/reiserfs/dir.c 2011-05-22 19:36:32.000000000 -0400
50910 @@ -66,6 +66,8 @@ int reiserfs_readdir_dentry(struct dentr
50911 struct reiserfs_dir_entry de;
50912 int ret = 0;
50913
50914 + pax_track_stack();
50915 +
50916 reiserfs_write_lock(inode->i_sb);
50917
50918 reiserfs_check_lock_depth(inode->i_sb, "readdir");
50919 diff -urNp linux-2.6.39.3/fs/reiserfs/do_balan.c linux-2.6.39.3/fs/reiserfs/do_balan.c
50920 --- linux-2.6.39.3/fs/reiserfs/do_balan.c 2011-05-19 00:06:34.000000000 -0400
50921 +++ linux-2.6.39.3/fs/reiserfs/do_balan.c 2011-05-22 19:36:32.000000000 -0400
50922 @@ -2051,7 +2051,7 @@ void do_balance(struct tree_balance *tb,
50923 return;
50924 }
50925
50926 - atomic_inc(&(fs_generation(tb->tb_sb)));
50927 + atomic_inc_unchecked(&(fs_generation(tb->tb_sb)));
50928 do_balance_starts(tb);
50929
50930 /* balance leaf returns 0 except if combining L R and S into
50931 diff -urNp linux-2.6.39.3/fs/reiserfs/item_ops.c linux-2.6.39.3/fs/reiserfs/item_ops.c
50932 --- linux-2.6.39.3/fs/reiserfs/item_ops.c 2011-05-19 00:06:34.000000000 -0400
50933 +++ linux-2.6.39.3/fs/reiserfs/item_ops.c 2011-05-22 19:36:32.000000000 -0400
50934 @@ -102,7 +102,7 @@ static void sd_print_vi(struct virtual_i
50935 vi->vi_index, vi->vi_type, vi->vi_ih);
50936 }
50937
50938 -static struct item_operations stat_data_ops = {
50939 +static const struct item_operations stat_data_ops = {
50940 .bytes_number = sd_bytes_number,
50941 .decrement_key = sd_decrement_key,
50942 .is_left_mergeable = sd_is_left_mergeable,
50943 @@ -196,7 +196,7 @@ static void direct_print_vi(struct virtu
50944 vi->vi_index, vi->vi_type, vi->vi_ih);
50945 }
50946
50947 -static struct item_operations direct_ops = {
50948 +static const struct item_operations direct_ops = {
50949 .bytes_number = direct_bytes_number,
50950 .decrement_key = direct_decrement_key,
50951 .is_left_mergeable = direct_is_left_mergeable,
50952 @@ -341,7 +341,7 @@ static void indirect_print_vi(struct vir
50953 vi->vi_index, vi->vi_type, vi->vi_ih);
50954 }
50955
50956 -static struct item_operations indirect_ops = {
50957 +static const struct item_operations indirect_ops = {
50958 .bytes_number = indirect_bytes_number,
50959 .decrement_key = indirect_decrement_key,
50960 .is_left_mergeable = indirect_is_left_mergeable,
50961 @@ -628,7 +628,7 @@ static void direntry_print_vi(struct vir
50962 printk("\n");
50963 }
50964
50965 -static struct item_operations direntry_ops = {
50966 +static const struct item_operations direntry_ops = {
50967 .bytes_number = direntry_bytes_number,
50968 .decrement_key = direntry_decrement_key,
50969 .is_left_mergeable = direntry_is_left_mergeable,
50970 @@ -724,7 +724,7 @@ static void errcatch_print_vi(struct vir
50971 "Invalid item type observed, run fsck ASAP");
50972 }
50973
50974 -static struct item_operations errcatch_ops = {
50975 +static const struct item_operations errcatch_ops = {
50976 errcatch_bytes_number,
50977 errcatch_decrement_key,
50978 errcatch_is_left_mergeable,
50979 @@ -746,7 +746,7 @@ static struct item_operations errcatch_o
50980 #error Item types must use disk-format assigned values.
50981 #endif
50982
50983 -struct item_operations *item_ops[TYPE_ANY + 1] = {
50984 +const struct item_operations * const item_ops[TYPE_ANY + 1] = {
50985 &stat_data_ops,
50986 &indirect_ops,
50987 &direct_ops,
50988 diff -urNp linux-2.6.39.3/fs/reiserfs/journal.c linux-2.6.39.3/fs/reiserfs/journal.c
50989 --- linux-2.6.39.3/fs/reiserfs/journal.c 2011-05-19 00:06:34.000000000 -0400
50990 +++ linux-2.6.39.3/fs/reiserfs/journal.c 2011-05-22 19:36:32.000000000 -0400
50991 @@ -2299,6 +2299,8 @@ static struct buffer_head *reiserfs_brea
50992 struct buffer_head *bh;
50993 int i, j;
50994
50995 + pax_track_stack();
50996 +
50997 bh = __getblk(dev, block, bufsize);
50998 if (buffer_uptodate(bh))
50999 return (bh);
51000 diff -urNp linux-2.6.39.3/fs/reiserfs/namei.c linux-2.6.39.3/fs/reiserfs/namei.c
51001 --- linux-2.6.39.3/fs/reiserfs/namei.c 2011-05-19 00:06:34.000000000 -0400
51002 +++ linux-2.6.39.3/fs/reiserfs/namei.c 2011-05-22 19:36:32.000000000 -0400
51003 @@ -1225,6 +1225,8 @@ static int reiserfs_rename(struct inode
51004 unsigned long savelink = 1;
51005 struct timespec ctime;
51006
51007 + pax_track_stack();
51008 +
51009 /* three balancings: (1) old name removal, (2) new name insertion
51010 and (3) maybe "save" link insertion
51011 stat data updates: (1) old directory,
51012 diff -urNp linux-2.6.39.3/fs/reiserfs/procfs.c linux-2.6.39.3/fs/reiserfs/procfs.c
51013 --- linux-2.6.39.3/fs/reiserfs/procfs.c 2011-05-19 00:06:34.000000000 -0400
51014 +++ linux-2.6.39.3/fs/reiserfs/procfs.c 2011-05-22 19:36:32.000000000 -0400
51015 @@ -113,7 +113,7 @@ static int show_super(struct seq_file *m
51016 "SMALL_TAILS " : "NO_TAILS ",
51017 replay_only(sb) ? "REPLAY_ONLY " : "",
51018 convert_reiserfs(sb) ? "CONV " : "",
51019 - atomic_read(&r->s_generation_counter),
51020 + atomic_read_unchecked(&r->s_generation_counter),
51021 SF(s_disk_reads), SF(s_disk_writes), SF(s_fix_nodes),
51022 SF(s_do_balance), SF(s_unneeded_left_neighbor),
51023 SF(s_good_search_by_key_reada), SF(s_bmaps),
51024 @@ -299,6 +299,8 @@ static int show_journal(struct seq_file
51025 struct journal_params *jp = &rs->s_v1.s_journal;
51026 char b[BDEVNAME_SIZE];
51027
51028 + pax_track_stack();
51029 +
51030 seq_printf(m, /* on-disk fields */
51031 "jp_journal_1st_block: \t%i\n"
51032 "jp_journal_dev: \t%s[%x]\n"
51033 diff -urNp linux-2.6.39.3/fs/reiserfs/stree.c linux-2.6.39.3/fs/reiserfs/stree.c
51034 --- linux-2.6.39.3/fs/reiserfs/stree.c 2011-05-19 00:06:34.000000000 -0400
51035 +++ linux-2.6.39.3/fs/reiserfs/stree.c 2011-05-22 19:36:32.000000000 -0400
51036 @@ -1196,6 +1196,8 @@ int reiserfs_delete_item(struct reiserfs
51037 int iter = 0;
51038 #endif
51039
51040 + pax_track_stack();
51041 +
51042 BUG_ON(!th->t_trans_id);
51043
51044 init_tb_struct(th, &s_del_balance, sb, path,
51045 @@ -1333,6 +1335,8 @@ void reiserfs_delete_solid_item(struct r
51046 int retval;
51047 int quota_cut_bytes = 0;
51048
51049 + pax_track_stack();
51050 +
51051 BUG_ON(!th->t_trans_id);
51052
51053 le_key2cpu_key(&cpu_key, key);
51054 @@ -1562,6 +1566,8 @@ int reiserfs_cut_from_item(struct reiser
51055 int quota_cut_bytes;
51056 loff_t tail_pos = 0;
51057
51058 + pax_track_stack();
51059 +
51060 BUG_ON(!th->t_trans_id);
51061
51062 init_tb_struct(th, &s_cut_balance, inode->i_sb, path,
51063 @@ -1957,6 +1963,8 @@ int reiserfs_paste_into_item(struct reis
51064 int retval;
51065 int fs_gen;
51066
51067 + pax_track_stack();
51068 +
51069 BUG_ON(!th->t_trans_id);
51070
51071 fs_gen = get_generation(inode->i_sb);
51072 @@ -2045,6 +2053,8 @@ int reiserfs_insert_item(struct reiserfs
51073 int fs_gen = 0;
51074 int quota_bytes = 0;
51075
51076 + pax_track_stack();
51077 +
51078 BUG_ON(!th->t_trans_id);
51079
51080 if (inode) { /* Do we count quotas for item? */
51081 diff -urNp linux-2.6.39.3/fs/reiserfs/super.c linux-2.6.39.3/fs/reiserfs/super.c
51082 --- linux-2.6.39.3/fs/reiserfs/super.c 2011-05-19 00:06:34.000000000 -0400
51083 +++ linux-2.6.39.3/fs/reiserfs/super.c 2011-05-22 19:36:32.000000000 -0400
51084 @@ -927,6 +927,8 @@ static int reiserfs_parse_options(struct
51085 {.option_name = NULL}
51086 };
51087
51088 + pax_track_stack();
51089 +
51090 *blocks = 0;
51091 if (!options || !*options)
51092 /* use default configuration: create tails, journaling on, no
51093 diff -urNp linux-2.6.39.3/fs/select.c linux-2.6.39.3/fs/select.c
51094 --- linux-2.6.39.3/fs/select.c 2011-05-19 00:06:34.000000000 -0400
51095 +++ linux-2.6.39.3/fs/select.c 2011-05-22 19:41:42.000000000 -0400
51096 @@ -20,6 +20,7 @@
51097 #include <linux/module.h>
51098 #include <linux/slab.h>
51099 #include <linux/poll.h>
51100 +#include <linux/security.h>
51101 #include <linux/personality.h> /* for STICKY_TIMEOUTS */
51102 #include <linux/file.h>
51103 #include <linux/fdtable.h>
51104 @@ -403,6 +404,8 @@ int do_select(int n, fd_set_bits *fds, s
51105 int retval, i, timed_out = 0;
51106 unsigned long slack = 0;
51107
51108 + pax_track_stack();
51109 +
51110 rcu_read_lock();
51111 retval = max_select_fd(n, fds);
51112 rcu_read_unlock();
51113 @@ -528,6 +531,8 @@ int core_sys_select(int n, fd_set __user
51114 /* Allocate small arguments on the stack to save memory and be faster */
51115 long stack_fds[SELECT_STACK_ALLOC/sizeof(long)];
51116
51117 + pax_track_stack();
51118 +
51119 ret = -EINVAL;
51120 if (n < 0)
51121 goto out_nofds;
51122 @@ -837,6 +842,9 @@ int do_sys_poll(struct pollfd __user *uf
51123 struct poll_list *walk = head;
51124 unsigned long todo = nfds;
51125
51126 + pax_track_stack();
51127 +
51128 + gr_learn_resource(current, RLIMIT_NOFILE, nfds, 1);
51129 if (nfds > rlimit(RLIMIT_NOFILE))
51130 return -EINVAL;
51131
51132 diff -urNp linux-2.6.39.3/fs/seq_file.c linux-2.6.39.3/fs/seq_file.c
51133 --- linux-2.6.39.3/fs/seq_file.c 2011-05-19 00:06:34.000000000 -0400
51134 +++ linux-2.6.39.3/fs/seq_file.c 2011-05-22 19:36:32.000000000 -0400
51135 @@ -76,7 +76,8 @@ static int traverse(struct seq_file *m,
51136 return 0;
51137 }
51138 if (!m->buf) {
51139 - m->buf = kmalloc(m->size = PAGE_SIZE, GFP_KERNEL);
51140 + m->size = PAGE_SIZE;
51141 + m->buf = kmalloc(PAGE_SIZE, GFP_KERNEL);
51142 if (!m->buf)
51143 return -ENOMEM;
51144 }
51145 @@ -116,7 +117,8 @@ static int traverse(struct seq_file *m,
51146 Eoverflow:
51147 m->op->stop(m, p);
51148 kfree(m->buf);
51149 - m->buf = kmalloc(m->size <<= 1, GFP_KERNEL);
51150 + m->size <<= 1;
51151 + m->buf = kmalloc(m->size, GFP_KERNEL);
51152 return !m->buf ? -ENOMEM : -EAGAIN;
51153 }
51154
51155 @@ -169,7 +171,8 @@ ssize_t seq_read(struct file *file, char
51156 m->version = file->f_version;
51157 /* grab buffer if we didn't have one */
51158 if (!m->buf) {
51159 - m->buf = kmalloc(m->size = PAGE_SIZE, GFP_KERNEL);
51160 + m->size = PAGE_SIZE;
51161 + m->buf = kmalloc(PAGE_SIZE, GFP_KERNEL);
51162 if (!m->buf)
51163 goto Enomem;
51164 }
51165 @@ -210,7 +213,8 @@ ssize_t seq_read(struct file *file, char
51166 goto Fill;
51167 m->op->stop(m, p);
51168 kfree(m->buf);
51169 - m->buf = kmalloc(m->size <<= 1, GFP_KERNEL);
51170 + m->size <<= 1;
51171 + m->buf = kmalloc(m->size, GFP_KERNEL);
51172 if (!m->buf)
51173 goto Enomem;
51174 m->count = 0;
51175 diff -urNp linux-2.6.39.3/fs/splice.c linux-2.6.39.3/fs/splice.c
51176 --- linux-2.6.39.3/fs/splice.c 2011-05-19 00:06:34.000000000 -0400
51177 +++ linux-2.6.39.3/fs/splice.c 2011-05-22 19:36:32.000000000 -0400
51178 @@ -186,7 +186,7 @@ ssize_t splice_to_pipe(struct pipe_inode
51179 pipe_lock(pipe);
51180
51181 for (;;) {
51182 - if (!pipe->readers) {
51183 + if (!atomic_read(&pipe->readers)) {
51184 send_sig(SIGPIPE, current, 0);
51185 if (!ret)
51186 ret = -EPIPE;
51187 @@ -240,9 +240,9 @@ ssize_t splice_to_pipe(struct pipe_inode
51188 do_wakeup = 0;
51189 }
51190
51191 - pipe->waiting_writers++;
51192 + atomic_inc(&pipe->waiting_writers);
51193 pipe_wait(pipe);
51194 - pipe->waiting_writers--;
51195 + atomic_dec(&pipe->waiting_writers);
51196 }
51197
51198 pipe_unlock(pipe);
51199 @@ -316,6 +316,8 @@ __generic_file_splice_read(struct file *
51200 .spd_release = spd_release_page,
51201 };
51202
51203 + pax_track_stack();
51204 +
51205 if (splice_grow_spd(pipe, &spd))
51206 return -ENOMEM;
51207
51208 @@ -556,7 +558,7 @@ static ssize_t kernel_readv(struct file
51209 old_fs = get_fs();
51210 set_fs(get_ds());
51211 /* The cast to a user pointer is valid due to the set_fs() */
51212 - res = vfs_readv(file, (const struct iovec __user *)vec, vlen, &pos);
51213 + res = vfs_readv(file, (__force const struct iovec __user *)vec, vlen, &pos);
51214 set_fs(old_fs);
51215
51216 return res;
51217 @@ -571,7 +573,7 @@ static ssize_t kernel_write(struct file
51218 old_fs = get_fs();
51219 set_fs(get_ds());
51220 /* The cast to a user pointer is valid due to the set_fs() */
51221 - res = vfs_write(file, (const char __user *)buf, count, &pos);
51222 + res = vfs_write(file, (__force const char __user *)buf, count, &pos);
51223 set_fs(old_fs);
51224
51225 return res;
51226 @@ -599,6 +601,8 @@ ssize_t default_file_splice_read(struct
51227 .spd_release = spd_release_page,
51228 };
51229
51230 + pax_track_stack();
51231 +
51232 if (splice_grow_spd(pipe, &spd))
51233 return -ENOMEM;
51234
51235 @@ -622,7 +626,7 @@ ssize_t default_file_splice_read(struct
51236 goto err;
51237
51238 this_len = min_t(size_t, len, PAGE_CACHE_SIZE - offset);
51239 - vec[i].iov_base = (void __user *) page_address(page);
51240 + vec[i].iov_base = (__force void __user *) page_address(page);
51241 vec[i].iov_len = this_len;
51242 spd.pages[i] = page;
51243 spd.nr_pages++;
51244 @@ -842,10 +846,10 @@ EXPORT_SYMBOL(splice_from_pipe_feed);
51245 int splice_from_pipe_next(struct pipe_inode_info *pipe, struct splice_desc *sd)
51246 {
51247 while (!pipe->nrbufs) {
51248 - if (!pipe->writers)
51249 + if (!atomic_read(&pipe->writers))
51250 return 0;
51251
51252 - if (!pipe->waiting_writers && sd->num_spliced)
51253 + if (!atomic_read(&pipe->waiting_writers) && sd->num_spliced)
51254 return 0;
51255
51256 if (sd->flags & SPLICE_F_NONBLOCK)
51257 @@ -1178,7 +1182,7 @@ ssize_t splice_direct_to_actor(struct fi
51258 * out of the pipe right after the splice_to_pipe(). So set
51259 * PIPE_READERS appropriately.
51260 */
51261 - pipe->readers = 1;
51262 + atomic_set(&pipe->readers, 1);
51263
51264 current->splice_pipe = pipe;
51265 }
51266 @@ -1615,6 +1619,8 @@ static long vmsplice_to_pipe(struct file
51267 };
51268 long ret;
51269
51270 + pax_track_stack();
51271 +
51272 pipe = get_pipe_info(file);
51273 if (!pipe)
51274 return -EBADF;
51275 @@ -1730,9 +1736,9 @@ static int ipipe_prep(struct pipe_inode_
51276 ret = -ERESTARTSYS;
51277 break;
51278 }
51279 - if (!pipe->writers)
51280 + if (!atomic_read(&pipe->writers))
51281 break;
51282 - if (!pipe->waiting_writers) {
51283 + if (!atomic_read(&pipe->waiting_writers)) {
51284 if (flags & SPLICE_F_NONBLOCK) {
51285 ret = -EAGAIN;
51286 break;
51287 @@ -1764,7 +1770,7 @@ static int opipe_prep(struct pipe_inode_
51288 pipe_lock(pipe);
51289
51290 while (pipe->nrbufs >= pipe->buffers) {
51291 - if (!pipe->readers) {
51292 + if (!atomic_read(&pipe->readers)) {
51293 send_sig(SIGPIPE, current, 0);
51294 ret = -EPIPE;
51295 break;
51296 @@ -1777,9 +1783,9 @@ static int opipe_prep(struct pipe_inode_
51297 ret = -ERESTARTSYS;
51298 break;
51299 }
51300 - pipe->waiting_writers++;
51301 + atomic_inc(&pipe->waiting_writers);
51302 pipe_wait(pipe);
51303 - pipe->waiting_writers--;
51304 + atomic_dec(&pipe->waiting_writers);
51305 }
51306
51307 pipe_unlock(pipe);
51308 @@ -1815,14 +1821,14 @@ retry:
51309 pipe_double_lock(ipipe, opipe);
51310
51311 do {
51312 - if (!opipe->readers) {
51313 + if (!atomic_read(&opipe->readers)) {
51314 send_sig(SIGPIPE, current, 0);
51315 if (!ret)
51316 ret = -EPIPE;
51317 break;
51318 }
51319
51320 - if (!ipipe->nrbufs && !ipipe->writers)
51321 + if (!ipipe->nrbufs && !atomic_read(&ipipe->writers))
51322 break;
51323
51324 /*
51325 @@ -1922,7 +1928,7 @@ static int link_pipe(struct pipe_inode_i
51326 pipe_double_lock(ipipe, opipe);
51327
51328 do {
51329 - if (!opipe->readers) {
51330 + if (!atomic_read(&opipe->readers)) {
51331 send_sig(SIGPIPE, current, 0);
51332 if (!ret)
51333 ret = -EPIPE;
51334 @@ -1967,7 +1973,7 @@ static int link_pipe(struct pipe_inode_i
51335 * return EAGAIN if we have the potential of some data in the
51336 * future, otherwise just return 0
51337 */
51338 - if (!ret && ipipe->waiting_writers && (flags & SPLICE_F_NONBLOCK))
51339 + if (!ret && atomic_read(&ipipe->waiting_writers) && (flags & SPLICE_F_NONBLOCK))
51340 ret = -EAGAIN;
51341
51342 pipe_unlock(ipipe);
51343 diff -urNp linux-2.6.39.3/fs/sysfs/file.c linux-2.6.39.3/fs/sysfs/file.c
51344 --- linux-2.6.39.3/fs/sysfs/file.c 2011-05-19 00:06:34.000000000 -0400
51345 +++ linux-2.6.39.3/fs/sysfs/file.c 2011-05-22 19:36:32.000000000 -0400
51346 @@ -44,7 +44,7 @@ static DEFINE_SPINLOCK(sysfs_open_dirent
51347
51348 struct sysfs_open_dirent {
51349 atomic_t refcnt;
51350 - atomic_t event;
51351 + atomic_unchecked_t event;
51352 wait_queue_head_t poll;
51353 struct list_head buffers; /* goes through sysfs_buffer.list */
51354 };
51355 @@ -88,7 +88,7 @@ static int fill_read_buffer(struct dentr
51356 if (!sysfs_get_active(attr_sd))
51357 return -ENODEV;
51358
51359 - buffer->event = atomic_read(&attr_sd->s_attr.open->event);
51360 + buffer->event = atomic_read_unchecked(&attr_sd->s_attr.open->event);
51361 count = ops->show(kobj, attr_sd->s_attr.attr, buffer->page);
51362
51363 sysfs_put_active(attr_sd);
51364 @@ -294,7 +294,7 @@ static int sysfs_get_open_dirent(struct
51365 return -ENOMEM;
51366
51367 atomic_set(&new_od->refcnt, 0);
51368 - atomic_set(&new_od->event, 1);
51369 + atomic_set_unchecked(&new_od->event, 1);
51370 init_waitqueue_head(&new_od->poll);
51371 INIT_LIST_HEAD(&new_od->buffers);
51372 goto retry;
51373 @@ -444,7 +444,7 @@ static unsigned int sysfs_poll(struct fi
51374
51375 sysfs_put_active(attr_sd);
51376
51377 - if (buffer->event != atomic_read(&od->event))
51378 + if (buffer->event != atomic_read_unchecked(&od->event))
51379 goto trigger;
51380
51381 return DEFAULT_POLLMASK;
51382 @@ -463,7 +463,7 @@ void sysfs_notify_dirent(struct sysfs_di
51383
51384 od = sd->s_attr.open;
51385 if (od) {
51386 - atomic_inc(&od->event);
51387 + atomic_inc_unchecked(&od->event);
51388 wake_up_interruptible(&od->poll);
51389 }
51390
51391 diff -urNp linux-2.6.39.3/fs/sysfs/mount.c linux-2.6.39.3/fs/sysfs/mount.c
51392 --- linux-2.6.39.3/fs/sysfs/mount.c 2011-05-19 00:06:34.000000000 -0400
51393 +++ linux-2.6.39.3/fs/sysfs/mount.c 2011-05-22 19:41:42.000000000 -0400
51394 @@ -36,7 +36,11 @@ struct sysfs_dirent sysfs_root = {
51395 .s_name = "",
51396 .s_count = ATOMIC_INIT(1),
51397 .s_flags = SYSFS_DIR | (KOBJ_NS_TYPE_NONE << SYSFS_NS_TYPE_SHIFT),
51398 +#ifdef CONFIG_GRKERNSEC_SYSFS_RESTRICT
51399 + .s_mode = S_IFDIR | S_IRWXU,
51400 +#else
51401 .s_mode = S_IFDIR | S_IRWXU | S_IRUGO | S_IXUGO,
51402 +#endif
51403 .s_ino = 1,
51404 };
51405
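Review bot: The `#ifdef CONFIG_GRKERNSEC_SYSFS_RESTRICT` branch in the `sysfs_root` initialiser drops `S_IRUGO | S_IXUGO` without a comment on what that means for the mounted tree. With `.s_mode = S_IFDIR | S_IRWXU` only the owner of the root directory can list or traverse it, so unprivileged programs that read sysfs attributes will presumably fail at the mount point regardless of the per-file modes. A comment above the restricted line, such as `/* owner-only root: other users cannot traverse sysfs at all */`, would make that trade-off visible to anyone enabling the option.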
51406 diff -urNp linux-2.6.39.3/fs/sysfs/symlink.c linux-2.6.39.3/fs/sysfs/symlink.c
51407 --- linux-2.6.39.3/fs/sysfs/symlink.c 2011-05-19 00:06:34.000000000 -0400
51408 +++ linux-2.6.39.3/fs/sysfs/symlink.c 2011-05-22 19:36:32.000000000 -0400
51409 @@ -286,7 +286,7 @@ static void *sysfs_follow_link(struct de
51410
51411 static void sysfs_put_link(struct dentry *dentry, struct nameidata *nd, void *cookie)
51412 {
51413 - char *page = nd_get_link(nd);
51414 + const char *page = nd_get_link(nd);
51415 if (!IS_ERR(page))
51416 free_page((unsigned long)page);
51417 }
51418 diff -urNp linux-2.6.39.3/fs/udf/inode.c linux-2.6.39.3/fs/udf/inode.c
51419 --- linux-2.6.39.3/fs/udf/inode.c 2011-05-19 00:06:34.000000000 -0400
51420 +++ linux-2.6.39.3/fs/udf/inode.c 2011-05-22 19:36:32.000000000 -0400
51421 @@ -560,6 +560,8 @@ static struct buffer_head *inode_getblk(
51422 int goal = 0, pgoal = iinfo->i_location.logicalBlockNum;
51423 int lastblock = 0;
51424
51425 + pax_track_stack();
51426 +
51427 prev_epos.offset = udf_file_entry_alloc_offset(inode);
51428 prev_epos.block = iinfo->i_location;
51429 prev_epos.bh = NULL;
51430 diff -urNp linux-2.6.39.3/fs/udf/misc.c linux-2.6.39.3/fs/udf/misc.c
51431 --- linux-2.6.39.3/fs/udf/misc.c 2011-05-19 00:06:34.000000000 -0400
51432 +++ linux-2.6.39.3/fs/udf/misc.c 2011-05-22 19:36:32.000000000 -0400
51433 @@ -286,7 +286,7 @@ void udf_new_tag(char *data, uint16_t id
51434
51435 u8 udf_tag_checksum(const struct tag *t)
51436 {
51437 - u8 *data = (u8 *)t;
51438 + const u8 *data = (const u8 *)t;
51439 u8 checksum = 0;
51440 int i;
51441 for (i = 0; i < sizeof(struct tag); ++i)
51442 diff -urNp linux-2.6.39.3/fs/utimes.c linux-2.6.39.3/fs/utimes.c
51443 --- linux-2.6.39.3/fs/utimes.c 2011-05-19 00:06:34.000000000 -0400
51444 +++ linux-2.6.39.3/fs/utimes.c 2011-05-22 19:41:42.000000000 -0400
51445 @@ -1,6 +1,7 @@
51446 #include <linux/compiler.h>
51447 #include <linux/file.h>
51448 #include <linux/fs.h>
51449 +#include <linux/security.h>
51450 #include <linux/linkage.h>
51451 #include <linux/mount.h>
51452 #include <linux/namei.h>
51453 @@ -101,6 +102,12 @@ static int utimes_common(struct path *pa
51454 goto mnt_drop_write_and_out;
51455 }
51456 }
51457 +
51458 + if (!gr_acl_handle_utime(path->dentry, path->mnt)) {
51459 + error = -EACCES;
51460 + goto mnt_drop_write_and_out;
51461 + }
51462 +
51463 mutex_lock(&inode->i_mutex);
51464 error = notify_change(path->dentry, &newattrs);
51465 mutex_unlock(&inode->i_mutex);
51466 diff -urNp linux-2.6.39.3/fs/xattr_acl.c linux-2.6.39.3/fs/xattr_acl.c
51467 --- linux-2.6.39.3/fs/xattr_acl.c 2011-05-19 00:06:34.000000000 -0400
51468 +++ linux-2.6.39.3/fs/xattr_acl.c 2011-05-22 19:36:32.000000000 -0400
51469 @@ -17,8 +17,8 @@
51470 struct posix_acl *
51471 posix_acl_from_xattr(const void *value, size_t size)
51472 {
51473 - posix_acl_xattr_header *header = (posix_acl_xattr_header *)value;
51474 - posix_acl_xattr_entry *entry = (posix_acl_xattr_entry *)(header+1), *end;
51475 + const posix_acl_xattr_header *header = (const posix_acl_xattr_header *)value;
51476 + const posix_acl_xattr_entry *entry = (const posix_acl_xattr_entry *)(header+1), *end;
51477 int count;
51478 struct posix_acl *acl;
51479 struct posix_acl_entry *acl_e;
51480 diff -urNp linux-2.6.39.3/fs/xattr.c linux-2.6.39.3/fs/xattr.c
51481 --- linux-2.6.39.3/fs/xattr.c 2011-05-19 00:06:34.000000000 -0400
51482 +++ linux-2.6.39.3/fs/xattr.c 2011-05-22 19:41:42.000000000 -0400
51483 @@ -247,7 +247,7 @@ EXPORT_SYMBOL_GPL(vfs_removexattr);
51484 * Extended attribute SET operations
51485 */
51486 static long
51487 -setxattr(struct dentry *d, const char __user *name, const void __user *value,
51488 +setxattr(struct path *path, const char __user *name, const void __user *value,
51489 size_t size, int flags)
51490 {
51491 int error;
51492 @@ -271,7 +271,13 @@ setxattr(struct dentry *d, const char __
51493 return PTR_ERR(kvalue);
51494 }
51495
51496 - error = vfs_setxattr(d, kname, kvalue, size, flags);
51497 + if (!gr_acl_handle_setxattr(path->dentry, path->mnt)) {
51498 + error = -EACCES;
51499 + goto out;
51500 + }
51501 +
51502 + error = vfs_setxattr(path->dentry, kname, kvalue, size, flags);
51503 +out:
51504 kfree(kvalue);
51505 return error;
51506 }
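Review bot: The `gr_acl_handle_setxattr()` check runs only after `kvalue` has been set up (see the `return PTR_ERR(kvalue)` context line just above it), so a request the policy denies still pays for copying the caller's value and needs the new `out:` label to free it. If the hook needs nothing beyond `path->dentry` and `path->mnt`, as its arguments suggest, it could sit at the top of `setxattr()` and `return -EACCES;` directly. That would change which error a caller sees when both the policy check and the copy would fail, so the ordering is worth a deliberate decision and a short comment either way. The start of the function lies outside this hunk.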
51507 @@ -288,7 +294,7 @@ SYSCALL_DEFINE5(setxattr, const char __u
51508 return error;
51509 error = mnt_want_write(path.mnt);
51510 if (!error) {
51511 - error = setxattr(path.dentry, name, value, size, flags);
51512 + error = setxattr(&path, name, value, size, flags);
51513 mnt_drop_write(path.mnt);
51514 }
51515 path_put(&path);
51516 @@ -307,7 +313,7 @@ SYSCALL_DEFINE5(lsetxattr, const char __
51517 return error;
51518 error = mnt_want_write(path.mnt);
51519 if (!error) {
51520 - error = setxattr(path.dentry, name, value, size, flags);
51521 + error = setxattr(&path, name, value, size, flags);
51522 mnt_drop_write(path.mnt);
51523 }
51524 path_put(&path);
51525 @@ -318,17 +324,15 @@ SYSCALL_DEFINE5(fsetxattr, int, fd, cons
51526 const void __user *,value, size_t, size, int, flags)
51527 {
51528 struct file *f;
51529 - struct dentry *dentry;
51530 int error = -EBADF;
51531
51532 f = fget(fd);
51533 if (!f)
51534 return error;
51535 - dentry = f->f_path.dentry;
51536 - audit_inode(NULL, dentry);
51537 + audit_inode(NULL, f->f_path.dentry);
51538 error = mnt_want_write_file(f);
51539 if (!error) {
51540 - error = setxattr(dentry, name, value, size, flags);
51541 + error = setxattr(&f->f_path, name, value, size, flags);
51542 mnt_drop_write(f->f_path.mnt);
51543 }
51544 fput(f);
51545 diff -urNp linux-2.6.39.3/fs/xfs/linux-2.6/xfs_ioctl32.c linux-2.6.39.3/fs/xfs/linux-2.6/xfs_ioctl32.c
51546 --- linux-2.6.39.3/fs/xfs/linux-2.6/xfs_ioctl32.c 2011-05-19 00:06:34.000000000 -0400
51547 +++ linux-2.6.39.3/fs/xfs/linux-2.6/xfs_ioctl32.c 2011-05-22 19:41:42.000000000 -0400
51548 @@ -73,6 +73,7 @@ xfs_compat_ioc_fsgeometry_v1(
51549 xfs_fsop_geom_t fsgeo;
51550 int error;
51551
51552 + memset(&fsgeo, 0, sizeof(fsgeo));
51553 error = xfs_fs_geometry(mp, &fsgeo, 3);
51554 if (error)
51555 return -error;
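Review bot: The added `memset(&fsgeo, 0, sizeof(fsgeo));` has no comment, and next to the `xfs_fs_geometry(mp, &fsgeo, 3)` call that fills the same structure it reads as redundant. Presumably the structure is copied to userspace later in the function (outside this hunk) and the version-3 call leaves some fields or padding unwritten, in which case the zeroing is what keeps stale kernel stack bytes out of that copy. A one-line comment such as `/* clear fields and padding xfs_fs_geometry() leaves unset before the copy to userspace */` would keep it from being removed as dead code.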
51556 diff -urNp linux-2.6.39.3/fs/xfs/linux-2.6/xfs_ioctl.c linux-2.6.39.3/fs/xfs/linux-2.6/xfs_ioctl.c
51557 --- linux-2.6.39.3/fs/xfs/linux-2.6/xfs_ioctl.c 2011-05-19 00:06:34.000000000 -0400
51558 +++ linux-2.6.39.3/fs/xfs/linux-2.6/xfs_ioctl.c 2011-05-22 19:36:32.000000000 -0400
51559 @@ -128,7 +128,7 @@ xfs_find_handle(
51560 }
51561
51562 error = -EFAULT;
51563 - if (copy_to_user(hreq->ohandle, &handle, hsize) ||
51564 + if (hsize > sizeof handle || copy_to_user(hreq->ohandle, &handle, hsize) ||
51565 copy_to_user(hreq->ohandlen, &hsize, sizeof(__s32)))
51566 goto out_put;
51567
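Review bot: The new `hsize > sizeof handle` bound is folded into the `copy_to_user()` condition, so an oversized length is reported as `-EFAULT`, indistinguishable from a bad user pointer. If that distinction matters to callers, a separate `if (hsize > sizeof(handle)) { error = -EINVAL; goto out_put; }` ahead of `error = -EFAULT;` would keep the two cases apart. Either way a short comment should say that the bound stops the copy from reading past the on-stack `handle`. If `hsize` is a signed type (its declaration is outside the hunk), the comparison is done in unsigned arithmetic and also rejects negative values, which is worth stating because it is not obvious from the expression.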
51568 diff -urNp linux-2.6.39.3/fs/xfs/linux-2.6/xfs_iops.c linux-2.6.39.3/fs/xfs/linux-2.6/xfs_iops.c
51569 --- linux-2.6.39.3/fs/xfs/linux-2.6/xfs_iops.c 2011-05-19 00:06:34.000000000 -0400
51570 +++ linux-2.6.39.3/fs/xfs/linux-2.6/xfs_iops.c 2011-05-22 19:36:32.000000000 -0400
51571 @@ -437,7 +437,7 @@ xfs_vn_put_link(
51572 struct nameidata *nd,
51573 void *p)
51574 {
51575 - char *s = nd_get_link(nd);
51576 + const char *s = nd_get_link(nd);
51577
51578 if (!IS_ERR(s))
51579 kfree(s);
51580 diff -urNp linux-2.6.39.3/fs/xfs/xfs_bmap.c linux-2.6.39.3/fs/xfs/xfs_bmap.c
51581 --- linux-2.6.39.3/fs/xfs/xfs_bmap.c 2011-05-19 00:06:34.000000000 -0400
51582 +++ linux-2.6.39.3/fs/xfs/xfs_bmap.c 2011-05-22 19:36:32.000000000 -0400
51583 @@ -287,7 +287,7 @@ xfs_bmap_validate_ret(
51584 int nmap,
51585 int ret_nmap);
51586 #else
51587 -#define xfs_bmap_validate_ret(bno,len,flags,mval,onmap,nmap)
51588 +#define xfs_bmap_validate_ret(bno,len,flags,mval,onmap,nmap) do {} while (0)
51589 #endif /* DEBUG */
51590
51591 STATIC int
51592 diff -urNp linux-2.6.39.3/fs/xfs/xfs_dir2.c linux-2.6.39.3/fs/xfs/xfs_dir2.c
51593 --- linux-2.6.39.3/fs/xfs/xfs_dir2.c 2011-05-19 00:06:34.000000000 -0400
51594 +++ linux-2.6.39.3/fs/xfs/xfs_dir2.c 2011-05-22 19:36:32.000000000 -0400
51595 @@ -85,7 +85,7 @@ xfs_ascii_ci_compname(
51596 return result;
51597 }
51598
51599 -static struct xfs_nameops xfs_ascii_ci_nameops = {
51600 +static const struct xfs_nameops xfs_ascii_ci_nameops = {
51601 .hashname = xfs_ascii_ci_hashname,
51602 .compname = xfs_ascii_ci_compname,
51603 };
51604 diff -urNp linux-2.6.39.3/fs/xfs/xfs_dir2_sf.c linux-2.6.39.3/fs/xfs/xfs_dir2_sf.c
51605 --- linux-2.6.39.3/fs/xfs/xfs_dir2_sf.c 2011-05-19 00:06:34.000000000 -0400
51606 +++ linux-2.6.39.3/fs/xfs/xfs_dir2_sf.c 2011-05-22 19:36:32.000000000 -0400
51607 @@ -780,7 +780,15 @@ xfs_dir2_sf_getdents(
51608 }
51609
51610 ino = xfs_dir2_sf_get_inumber(sfp, xfs_dir2_sf_inumberp(sfep));
51611 - if (filldir(dirent, (char *)sfep->name, sfep->namelen,
51612 + if (dp->i_df.if_u1.if_data == dp->i_df.if_u2.if_inline_data) {
51613 + char name[sfep->namelen];
51614 + memcpy(name, sfep->name, sfep->namelen);
51615 + if (filldir(dirent, name, sfep->namelen,
51616 + off & 0x7fffffff, ino, DT_UNKNOWN)) {
51617 + *offset = off & 0x7fffffff;
51618 + return 0;
51619 + }
51620 + } else if (filldir(dirent, (char *)sfep->name, sfep->namelen,
51621 off & 0x7fffffff, ino, DT_UNKNOWN)) {
51622 *offset = off & 0x7fffffff;
51623 return 0;
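Review bot: `char name[sfep->namelen];` is a variable-length array on the kernel stack sized by a field of the directory entry, and an entry carrying a `namelen` of zero would make it a zero-length VLA, which C leaves undefined. A fixed buffer bounded by the longest name the format allows (for example `MAXNAMELEN`, if that is in scope here and `namelen` cannot exceed it) avoids both problems. The new branch also duplicates the `filldir()` call and its error path; selecting the name pointer first and calling `filldir()` once keeps the two cases from drifting apart. Nothing in the hunk says why data stored inline (`if_u1.if_data == if_u2.if_inline_data`) needs a bounce copy, so the rewritten lines below carry a comment for it. The enclosing function begins and ends outside this hunk.

```c
/* at the top of the enclosing block (outside this hunk) */
char namebuf[MAXNAMELEN];
const char *name;

/* … unchanged: ino = xfs_dir2_sf_get_inumber(...) … */
name = (const char *)sfep->name;
/* fork data is stored inline: hand filldir a stack copy of the name */
if (dp->i_df.if_u1.if_data == dp->i_df.if_u2.if_inline_data) {
	memcpy(namebuf, sfep->name, sfep->namelen);
	name = namebuf;
}
if (filldir(dirent, name, sfep->namelen,
	    off & 0x7fffffff, ino, DT_UNKNOWN)) {
/* … unchanged: *offset update and return 0 … */
```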
51624 diff -urNp linux-2.6.39.3/grsecurity/gracl_alloc.c linux-2.6.39.3/grsecurity/gracl_alloc.c
51625 --- linux-2.6.39.3/grsecurity/gracl_alloc.c 1969-12-31 19:00:00.000000000 -0500
51626 +++ linux-2.6.39.3/grsecurity/gracl_alloc.c 2011-05-22 19:41:42.000000000 -0400
51627 @@ -0,0 +1,105 @@
51628 +#include <linux/kernel.h>
51629 +#include <linux/mm.h>
51630 +#include <linux/slab.h>
51631 +#include <linux/vmalloc.h>
51632 +#include <linux/gracl.h>
51633 +#include <linux/grsecurity.h>
51634 +
51635 +static unsigned long alloc_stack_next = 1;
51636 +static unsigned long alloc_stack_size = 1;
51637 +static void **alloc_stack;
51638 +
51639 +static __inline__ int
51640 +alloc_pop(void)
51641 +{
51642 + if (alloc_stack_next == 1)
51643 + return 0;
51644 +
51645 + kfree(alloc_stack[alloc_stack_next - 2]);
51646 +
51647 + alloc_stack_next--;
51648 +
51649 + return 1;
51650 +}
51651 +
51652 +static __inline__ int
51653 +alloc_push(void *buf)
51654 +{
51655 + if (alloc_stack_next >= alloc_stack_size)
51656 + return 1;
51657 +
51658 + alloc_stack[alloc_stack_next - 1] = buf;
51659 +
51660 + alloc_stack_next++;
51661 +
51662 + return 0;
51663 +}
51664 +
51665 +void *
51666 +acl_alloc(unsigned long len)
51667 +{
51668 + void *ret = NULL;
51669 +
51670 + if (!len || len > PAGE_SIZE)
51671 + goto out;
51672 +
51673 + ret = kmalloc(len, GFP_KERNEL);
51674 +
51675 + if (ret) {
51676 + if (alloc_push(ret)) {
51677 + kfree(ret);
51678 + ret = NULL;
51679 + }
51680 + }
51681 +
51682 +out:
51683 + return ret;
51684 +}
51685 +
51686 +void *
51687 +acl_alloc_num(unsigned long num, unsigned long len)
51688 +{
51689 + if (!len || (num > (PAGE_SIZE / len)))
51690 + return NULL;
51691 +
51692 + return acl_alloc(num * len);
51693 +}
51694 +
51695 +void
51696 +acl_free_all(void)
51697 +{
51698 + if (gr_acl_is_enabled() || !alloc_stack)
51699 + return;
51700 +
51701 + while (alloc_pop()) ;
51702 +
51703 + if (alloc_stack) {
51704 + if ((alloc_stack_size * sizeof (void *)) <= PAGE_SIZE)
51705 + kfree(alloc_stack);
51706 + else
51707 + vfree(alloc_stack);
51708 + }
51709 +
51710 + alloc_stack = NULL;
51711 + alloc_stack_size = 1;
51712 + alloc_stack_next = 1;
51713 +
51714 + return;
51715 +}
51716 +
51717 +int
51718 +acl_alloc_stack_init(unsigned long size)
51719 +{
51720 + if ((size * sizeof (void *)) <= PAGE_SIZE)
51721 + alloc_stack =
51722 + (void **) kmalloc(size * sizeof (void *), GFP_KERNEL);
51723 + else
51724 + alloc_stack = (void **) vmalloc(size * sizeof (void *));
51725 +
51726 + alloc_stack_size = size;
51727 +
51728 + if (!alloc_stack)
51729 + return 0;
51730 + else
51731 + return 1;
51732 +}
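Review bot: `acl_alloc_stack_init()` computes `size * sizeof (void *)` without an overflow check and stores `alloc_stack_size = size` before it knows whether the allocation succeeded. If the product wraps, the stack is allocated smaller than `alloc_stack_size` claims, and `alloc_push()`, whose only bound is `alloc_stack_next >= alloc_stack_size`, would write past it. If the allocation fails, `alloc_stack` is NULL while the capacity is already raised, and `acl_free_all()` returns early on `!alloc_stack` without resetting it, so a later `acl_alloc()` would store through the NULL pointer. Where `size` comes from is not visible in this file, so how reachable either case is depends on the caller. I would bound `size` first and publish the pointer and the capacity only together, as below; the casts on `kmalloc`/`vmalloc` can go at the same time.

```c
int
acl_alloc_stack_init(unsigned long size)
{
	void **stack;

	/* refuse sizes whose byte count would wrap */
	if (size > ULONG_MAX / sizeof (void *))
		return 0;

	if ((size * sizeof (void *)) <= PAGE_SIZE)
		stack = kmalloc(size * sizeof (void *), GFP_KERNEL);
	else
		stack = vmalloc(size * sizeof (void *));

	if (!stack)
		return 0;

	/* set pointer and capacity together so alloc_push() never sees one without the other */
	alloc_stack = stack;
	alloc_stack_size = size;

	return 1;
}
```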
51733 diff -urNp linux-2.6.39.3/grsecurity/gracl.c linux-2.6.39.3/grsecurity/gracl.c
51734 --- linux-2.6.39.3/grsecurity/gracl.c 1969-12-31 19:00:00.000000000 -0500
51735 +++ linux-2.6.39.3/grsecurity/gracl.c 2011-06-11 16:26:18.000000000 -0400
51736 @@ -0,0 +1,4109 @@
51737 +#include <linux/kernel.h>
51738 +#include <linux/module.h>
51739 +#include <linux/sched.h>
51740 +#include <linux/mm.h>
51741 +#include <linux/file.h>
51742 +#include <linux/fs.h>
51743 +#include <linux/namei.h>
51744 +#include <linux/mount.h>
51745 +#include <linux/tty.h>
51746 +#include <linux/proc_fs.h>
51747 +#include <linux/lglock.h>
51748 +#include <linux/slab.h>
51749 +#include <linux/vmalloc.h>
51750 +#include <linux/types.h>
51751 +#include <linux/sysctl.h>
51752 +#include <linux/netdevice.h>
51753 +#include <linux/ptrace.h>
51754 +#include <linux/gracl.h>
51755 +#include <linux/gralloc.h>
51756 +#include <linux/grsecurity.h>
51757 +#include <linux/grinternal.h>
51758 +#include <linux/pid_namespace.h>
51759 +#include <linux/fdtable.h>
51760 +#include <linux/percpu.h>
51761 +
51762 +#include <asm/uaccess.h>
51763 +#include <asm/errno.h>
51764 +#include <asm/mman.h>
51765 +
51766 +static struct acl_role_db acl_role_set;
51767 +static struct name_db name_set;
51768 +static struct inodev_db inodev_set;
51769 +
51770 +/* for keeping track of userspace pointers used for subjects, so we
51771 + can share references in the kernel as well
51772 +*/
51773 +
51774 +static struct path real_root;
51775 +
51776 +static struct acl_subj_map_db subj_map_set;
51777 +
51778 +static struct acl_role_label *default_role;
51779 +
51780 +static struct acl_role_label *role_list;
51781 +
51782 +static u16 acl_sp_role_value;
51783 +
51784 +extern char *gr_shared_page[4];
51785 +static DEFINE_MUTEX(gr_dev_mutex);
51786 +DEFINE_RWLOCK(gr_inode_lock);
51787 +
51788 +struct gr_arg *gr_usermode;
51789 +
51790 +static unsigned int gr_status __read_only = GR_STATUS_INIT;
51791 +
51792 +extern int chkpw(struct gr_arg *entry, unsigned char *salt, unsigned char *sum);
51793 +extern void gr_clear_learn_entries(void);
51794 +
51795 +#ifdef CONFIG_GRKERNSEC_RESLOG
51796 +extern void gr_log_resource(const struct task_struct *task,
51797 + const int res, const unsigned long wanted, const int gt);
51798 +#endif
51799 +
51800 +unsigned char *gr_system_salt;
51801 +unsigned char *gr_system_sum;
51802 +
51803 +static struct sprole_pw **acl_special_roles = NULL;
51804 +static __u16 num_sprole_pws = 0;
51805 +
51806 +static struct acl_role_label *kernel_role = NULL;
51807 +
51808 +static unsigned int gr_auth_attempts = 0;
51809 +static unsigned long gr_auth_expires = 0UL;
51810 +
51811 +#ifdef CONFIG_NET
51812 +extern struct vfsmount *sock_mnt;
51813 +#endif
51814 +
51815 +extern struct vfsmount *pipe_mnt;
51816 +extern struct vfsmount *shm_mnt;
51817 +#ifdef CONFIG_HUGETLBFS
51818 +extern struct vfsmount *hugetlbfs_vfsmount;
51819 +#endif
51820 +
51821 +static struct acl_object_label *fakefs_obj_rw;
51822 +static struct acl_object_label *fakefs_obj_rwx;
51823 +
51824 +extern int gr_init_uidset(void);
51825 +extern void gr_free_uidset(void);
51826 +extern void gr_remove_uid(uid_t uid);
51827 +extern int gr_find_uid(uid_t uid);
51828 +
51829 +DECLARE_BRLOCK(vfsmount_lock);
51830 +
51831 +__inline__ int
51832 +gr_acl_is_enabled(void)
51833 +{
51834 + return (gr_status & GR_READY);
51835 +}
51836 +
51837 +#ifdef CONFIG_BTRFS_FS
51838 +extern dev_t get_btrfs_dev_from_inode(struct inode *inode);
51839 +extern int btrfs_getattr(struct vfsmount *mnt, struct dentry *dentry, struct kstat *stat);
51840 +#endif
51841 +
51842 +static inline dev_t __get_dev(const struct dentry *dentry)
51843 +{
51844 +#ifdef CONFIG_BTRFS_FS
51845 + if (dentry->d_inode->i_op && dentry->d_inode->i_op->getattr == &btrfs_getattr)
51846 + return get_btrfs_dev_from_inode(dentry->d_inode);
51847 + else
51848 +#endif
51849 + return dentry->d_inode->i_sb->s_dev;
51850 +}
51851 +
51852 +dev_t gr_get_dev_from_dentry(struct dentry *dentry)
51853 +{
51854 + return __get_dev(dentry);
51855 +}
51856 +
51857 +static char gr_task_roletype_to_char(struct task_struct *task)
51858 +{
51859 + switch (task->role->roletype &
51860 + (GR_ROLE_DEFAULT | GR_ROLE_USER | GR_ROLE_GROUP |
51861 + GR_ROLE_SPECIAL)) {
51862 + case GR_ROLE_DEFAULT:
51863 + return 'D';
51864 + case GR_ROLE_USER:
51865 + return 'U';
51866 + case GR_ROLE_GROUP:
51867 + return 'G';
51868 + case GR_ROLE_SPECIAL:
51869 + return 'S';
51870 + }
51871 +
51872 + return 'X';
51873 +}
51874 +
51875 +char gr_roletype_to_char(void)
51876 +{
51877 + return gr_task_roletype_to_char(current);
51878 +}
51879 +
51880 +__inline__ int
51881 +gr_acl_tpe_check(void)
51882 +{
51883 + if (unlikely(!(gr_status & GR_READY)))
51884 + return 0;
51885 + if (current->role->roletype & GR_ROLE_TPE)
51886 + return 1;
51887 + else
51888 + return 0;
51889 +}
51890 +
51891 +int
51892 +gr_handle_rawio(const struct inode *inode)
51893 +{
51894 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
51895 + if (inode && S_ISBLK(inode->i_mode) &&
51896 + grsec_enable_chroot_caps && proc_is_chrooted(current) &&
51897 + !capable(CAP_SYS_RAWIO))
51898 + return 1;
51899 +#endif
51900 + return 0;
51901 +}
51902 +
51903 +static int
51904 +gr_streq(const char *a, const char *b, const unsigned int lena, const unsigned int lenb)
51905 +{
51906 + if (likely(lena != lenb))
51907 + return 0;
51908 +
51909 + return !memcmp(a, b, lena);
51910 +}
51911 +
51912 +static int prepend(char **buffer, int *buflen, const char *str, int namelen)
51913 +{
51914 + *buflen -= namelen;
51915 + if (*buflen < 0)
51916 + return -ENAMETOOLONG;
51917 + *buffer -= namelen;
51918 + memcpy(*buffer, str, namelen);
51919 + return 0;
51920 +}
51921 +
51922 +static int prepend_name(char **buffer, int *buflen, struct qstr *name)
51923 +{
51924 + return prepend(buffer, buflen, name->name, name->len);
51925 +}
51926 +
51927 +static int prepend_path(const struct path *path, struct path *root,
51928 + char **buffer, int *buflen)
51929 +{
51930 + struct dentry *dentry = path->dentry;
51931 + struct vfsmount *vfsmnt = path->mnt;
51932 + bool slash = false;
51933 + int error = 0;
51934 +
51935 + while (dentry != root->dentry || vfsmnt != root->mnt) {
51936 + struct dentry * parent;
51937 +
51938 + if (dentry == vfsmnt->mnt_root || IS_ROOT(dentry)) {
51939 + /* Global root? */
51940 + if (vfsmnt->mnt_parent == vfsmnt) {
51941 + goto out;
51942 + }
51943 + dentry = vfsmnt->mnt_mountpoint;
51944 + vfsmnt = vfsmnt->mnt_parent;
51945 + continue;
51946 + }
51947 + parent = dentry->d_parent;
51948 + prefetch(parent);
51949 + spin_lock(&dentry->d_lock);
51950 + error = prepend_name(buffer, buflen, &dentry->d_name);
51951 + spin_unlock(&dentry->d_lock);
51952 + if (!error)
51953 + error = prepend(buffer, buflen, "/", 1);
51954 + if (error)
51955 + break;
51956 +
51957 + slash = true;
51958 + dentry = parent;
51959 + }
51960 +
51961 +out:
51962 + if (!error && !slash)
51963 + error = prepend(buffer, buflen, "/", 1);
51964 +
51965 + return error;
51966 +}
51967 +
51968 +/* this must be called with vfsmount_lock and rename_lock held */
51969 +
51970 +static char *__our_d_path(const struct path *path, struct path *root,
51971 + char *buf, int buflen)
51972 +{
51973 + char *res = buf + buflen;
51974 + int error;
51975 +
51976 + prepend(&res, &buflen, "\0", 1);
51977 + error = prepend_path(path, root, &res, &buflen);
51978 + if (error)
51979 + return ERR_PTR(error);
51980 +
51981 + return res;
51982 +}
51983 +
51984 +static char *
51985 +gen_full_path(struct path *path, struct path *root, char *buf, int buflen)
51986 +{
51987 + char *retval;
51988 +
51989 + retval = __our_d_path(path, root, buf, buflen);
51990 + if (unlikely(IS_ERR(retval)))
51991 + retval = strcpy(buf, "<path too long>");
51992 + else if (unlikely(retval[1] == '/' && retval[2] == '\0'))
51993 + retval[1] = '\0';
51994 +
51995 + return retval;
51996 +}
51997 +
51998 +static char *
51999 +__d_real_path(const struct dentry *dentry, const struct vfsmount *vfsmnt,
52000 + char *buf, int buflen)
52001 +{
52002 + struct path path;
52003 + char *res;
52004 +
52005 + path.dentry = (struct dentry *)dentry;
52006 + path.mnt = (struct vfsmount *)vfsmnt;
52007 +
52008 + /* we can use real_root.dentry, real_root.mnt, because this is only called
52009 + by the RBAC system */
52010 + res = gen_full_path(&path, &real_root, buf, buflen);
52011 +
52012 + return res;
52013 +}
52014 +
52015 +static char *
52016 +d_real_path(const struct dentry *dentry, const struct vfsmount *vfsmnt,
52017 + char *buf, int buflen)
52018 +{
52019 + char *res;
52020 + struct path path;
52021 + struct path root;
52022 + struct task_struct *reaper = &init_task;
52023 +
52024 + path.dentry = (struct dentry *)dentry;
52025 + path.mnt = (struct vfsmount *)vfsmnt;
52026 +
52027 + /* we can't use real_root.dentry, real_root.mnt, because they belong only to the RBAC system */
52028 + get_fs_root(reaper->fs, &root);
52029 +
52030 + write_seqlock(&rename_lock);
52031 + br_read_lock(vfsmount_lock);
52032 + res = gen_full_path(&path, &root, buf, buflen);
52033 + br_read_unlock(vfsmount_lock);
52034 + write_sequnlock(&rename_lock);
52035 +
52036 + path_put(&root);
52037 + return res;
52038 +}
52039 +
52040 +static char *
52041 +gr_to_filename_rbac(const struct dentry *dentry, const struct vfsmount *mnt)
52042 +{
52043 + char *ret;
52044 + write_seqlock(&rename_lock);
52045 + br_read_lock(vfsmount_lock);
52046 + ret = __d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0],smp_processor_id()),
52047 + PAGE_SIZE);
52048 + br_read_unlock(vfsmount_lock);
52049 + write_sequnlock(&rename_lock);
52050 + return ret;
52051 +}
52052 +
52053 +char *
52054 +gr_to_filename_nolock(const struct dentry *dentry, const struct vfsmount *mnt)
52055 +{
52056 + return __d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0],smp_processor_id()),
52057 + PAGE_SIZE);
52058 +}
52059 +
52060 +char *
52061 +gr_to_filename(const struct dentry *dentry, const struct vfsmount *mnt)
52062 +{
52063 + return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0], smp_processor_id()),
52064 + PAGE_SIZE);
52065 +}
52066 +
52067 +char *
52068 +gr_to_filename1(const struct dentry *dentry, const struct vfsmount *mnt)
52069 +{
52070 + return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[1], smp_processor_id()),
52071 + PAGE_SIZE);
52072 +}
52073 +
52074 +char *
52075 +gr_to_filename2(const struct dentry *dentry, const struct vfsmount *mnt)
52076 +{
52077 + return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[2], smp_processor_id()),
52078 + PAGE_SIZE);
52079 +}
52080 +
52081 +char *
52082 +gr_to_filename3(const struct dentry *dentry, const struct vfsmount *mnt)
52083 +{
52084 + return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[3], smp_processor_id()),
52085 + PAGE_SIZE);
52086 +}
52087 +
52088 +__inline__ __u32
52089 +to_gr_audit(const __u32 reqmode)
52090 +{
52091 + /* masks off auditable permission flags, then shifts them to create
52092 + auditing flags, and adds the special case of append auditing if
52093 + we're requesting write */
52094 + return (((reqmode & ~GR_AUDITS) << 10) | ((reqmode & GR_WRITE) ? GR_AUDIT_APPEND : 0));
52095 +}
52096 +
52097 +struct acl_subject_label *
52098 +lookup_subject_map(const struct acl_subject_label *userp)
52099 +{
52100 + unsigned int index = shash(userp, subj_map_set.s_size);
52101 + struct subject_map *match;
52102 +
52103 + match = subj_map_set.s_hash[index];
52104 +
52105 + while (match && match->user != userp)
52106 + match = match->next;
52107 +
52108 + if (match != NULL)
52109 + return match->kernel;
52110 + else
52111 + return NULL;
52112 +}
52113 +
52114 +static void
52115 +insert_subj_map_entry(struct subject_map *subjmap)
52116 +{
52117 + unsigned int index = shash(subjmap->user, subj_map_set.s_size);
52118 + struct subject_map **curr;
52119 +
52120 + subjmap->prev = NULL;
52121 +
52122 + curr = &subj_map_set.s_hash[index];
52123 + if (*curr != NULL)
52124 + (*curr)->prev = subjmap;
52125 +
52126 + subjmap->next = *curr;
52127 + *curr = subjmap;
52128 +
52129 + return;
52130 +}
52131 +
52132 +static struct acl_role_label *
52133 +lookup_acl_role_label(const struct task_struct *task, const uid_t uid,
52134 + const gid_t gid)
52135 +{
52136 + unsigned int index = rhash(uid, GR_ROLE_USER, acl_role_set.r_size);
52137 + struct acl_role_label *match;
52138 + struct role_allowed_ip *ipp;
52139 + unsigned int x;
52140 + u32 curr_ip = task->signal->curr_ip;
52141 +
52142 + task->signal->saved_ip = curr_ip;
52143 +
52144 + match = acl_role_set.r_hash[index];
52145 +
52146 + while (match) {
52147 + if ((match->roletype & (GR_ROLE_DOMAIN | GR_ROLE_USER)) == (GR_ROLE_DOMAIN | GR_ROLE_USER)) {
52148 + for (x = 0; x < match->domain_child_num; x++) {
52149 + if (match->domain_children[x] == uid)
52150 + goto found;
52151 + }
52152 + } else if (match->uidgid == uid && match->roletype & GR_ROLE_USER)
52153 + break;
52154 + match = match->next;
52155 + }
52156 +found:
52157 + if (match == NULL) {
52158 + try_group:
52159 + index = rhash(gid, GR_ROLE_GROUP, acl_role_set.r_size);
52160 + match = acl_role_set.r_hash[index];
52161 +
52162 + while (match) {
52163 + if ((match->roletype & (GR_ROLE_DOMAIN | GR_ROLE_GROUP)) == (GR_ROLE_DOMAIN | GR_ROLE_GROUP)) {
52164 + for (x = 0; x < match->domain_child_num; x++) {
52165 + if (match->domain_children[x] == gid)
52166 + goto found2;
52167 + }
52168 + } else if (match->uidgid == gid && match->roletype & GR_ROLE_GROUP)
52169 + break;
52170 + match = match->next;
52171 + }
52172 +found2:
52173 + if (match == NULL)
52174 + match = default_role;
52175 + if (match->allowed_ips == NULL)
52176 + return match;
52177 + else {
52178 + for (ipp = match->allowed_ips; ipp; ipp = ipp->next) {
52179 + if (likely
52180 + ((ntohl(curr_ip) & ipp->netmask) ==
52181 + (ntohl(ipp->addr) & ipp->netmask)))
52182 + return match;
52183 + }
52184 + match = default_role;
52185 + }
52186 + } else if (match->allowed_ips == NULL) {
52187 + return match;
52188 + } else {
52189 + for (ipp = match->allowed_ips; ipp; ipp = ipp->next) {
52190 + if (likely
52191 + ((ntohl(curr_ip) & ipp->netmask) ==
52192 + (ntohl(ipp->addr) & ipp->netmask)))
52193 + return match;
52194 + }
52195 + goto try_group;
52196 + }
52197 +
52198 + return match;
52199 +}
52200 +
52201 +struct acl_subject_label *
52202 +lookup_acl_subj_label(const ino_t ino, const dev_t dev,
52203 + const struct acl_role_label *role)
52204 +{
52205 + unsigned int index = fhash(ino, dev, role->subj_hash_size);
52206 + struct acl_subject_label *match;
52207 +
52208 + match = role->subj_hash[index];
52209 +
52210 + while (match && (match->inode != ino || match->device != dev ||
52211 + (match->mode & GR_DELETED))) {
52212 + match = match->next;
52213 + }
52214 +
52215 + if (match && !(match->mode & GR_DELETED))
52216 + return match;
52217 + else
52218 + return NULL;
52219 +}
52220 +
52221 +struct acl_subject_label *
52222 +lookup_acl_subj_label_deleted(const ino_t ino, const dev_t dev,
52223 + const struct acl_role_label *role)
52224 +{
52225 + unsigned int index = fhash(ino, dev, role->subj_hash_size);
52226 + struct acl_subject_label *match;
52227 +
52228 + match = role->subj_hash[index];
52229 +
52230 + while (match && (match->inode != ino || match->device != dev ||
52231 + !(match->mode & GR_DELETED))) {
52232 + match = match->next;
52233 + }
52234 +
52235 + if (match && (match->mode & GR_DELETED))
52236 + return match;
52237 + else
52238 + return NULL;
52239 +}
52240 +
52241 +static struct acl_object_label *
52242 +lookup_acl_obj_label(const ino_t ino, const dev_t dev,
52243 + const struct acl_subject_label *subj)
52244 +{
52245 + unsigned int index = fhash(ino, dev, subj->obj_hash_size);
52246 + struct acl_object_label *match;
52247 +
52248 + match = subj->obj_hash[index];
52249 +
52250 + while (match && (match->inode != ino || match->device != dev ||
52251 + (match->mode & GR_DELETED))) {
52252 + match = match->next;
52253 + }
52254 +
52255 + if (match && !(match->mode & GR_DELETED))
52256 + return match;
52257 + else
52258 + return NULL;
52259 +}
52260 +
52261 +static struct acl_object_label *
52262 +lookup_acl_obj_label_create(const ino_t ino, const dev_t dev,
52263 + const struct acl_subject_label *subj)
52264 +{
52265 + unsigned int index = fhash(ino, dev, subj->obj_hash_size);
52266 + struct acl_object_label *match;
52267 +
52268 + match = subj->obj_hash[index];
52269 +
52270 + while (match && (match->inode != ino || match->device != dev ||
52271 + !(match->mode & GR_DELETED))) {
52272 + match = match->next;
52273 + }
52274 +
52275 + if (match && (match->mode & GR_DELETED))
52276 + return match;
52277 +
52278 + match = subj->obj_hash[index];
52279 +
52280 + while (match && (match->inode != ino || match->device != dev ||
52281 + (match->mode & GR_DELETED))) {
52282 + match = match->next;
52283 + }
52284 +
52285 + if (match && !(match->mode & GR_DELETED))
52286 + return match;
52287 + else
52288 + return NULL;
52289 +}
52290 +
52291 +static struct name_entry *
52292 +lookup_name_entry(const char *name)
52293 +{
52294 + unsigned int len = strlen(name);
52295 + unsigned int key = full_name_hash(name, len);
52296 + unsigned int index = key % name_set.n_size;
52297 + struct name_entry *match;
52298 +
52299 + match = name_set.n_hash[index];
52300 +
52301 + while (match && (match->key != key || !gr_streq(match->name, name, match->len, len)))
52302 + match = match->next;
52303 +
52304 + return match;
52305 +}
52306 +
52307 +static struct name_entry *
52308 +lookup_name_entry_create(const char *name)
52309 +{
52310 + unsigned int len = strlen(name);
52311 + unsigned int key = full_name_hash(name, len);
52312 + unsigned int index = key % name_set.n_size;
52313 + struct name_entry *match;
52314 +
52315 + match = name_set.n_hash[index];
52316 +
52317 + while (match && (match->key != key || !gr_streq(match->name, name, match->len, len) ||
52318 + !match->deleted))
52319 + match = match->next;
52320 +
52321 + if (match && match->deleted)
52322 + return match;
52323 +
52324 + match = name_set.n_hash[index];
52325 +
52326 + while (match && (match->key != key || !gr_streq(match->name, name, match->len, len) ||
52327 + match->deleted))
52328 + match = match->next;
52329 +
52330 + if (match && !match->deleted)
52331 + return match;
52332 + else
52333 + return NULL;
52334 +}
52335 +
52336 +static struct inodev_entry *
52337 +lookup_inodev_entry(const ino_t ino, const dev_t dev)
52338 +{
52339 + unsigned int index = fhash(ino, dev, inodev_set.i_size);
52340 + struct inodev_entry *match;
52341 +
52342 + match = inodev_set.i_hash[index];
52343 +
52344 + while (match && (match->nentry->inode != ino || match->nentry->device != dev))
52345 + match = match->next;
52346 +
52347 + return match;
52348 +}
52349 +
52350 +static void
52351 +insert_inodev_entry(struct inodev_entry *entry)
52352 +{
52353 + unsigned int index = fhash(entry->nentry->inode, entry->nentry->device,
52354 + inodev_set.i_size);
52355 + struct inodev_entry **curr;
52356 +
52357 + entry->prev = NULL;
52358 +
52359 + curr = &inodev_set.i_hash[index];
52360 + if (*curr != NULL)
52361 + (*curr)->prev = entry;
52362 +
52363 + entry->next = *curr;
52364 + *curr = entry;
52365 +
52366 + return;
52367 +}
52368 +
52369 +static void
52370 +__insert_acl_role_label(struct acl_role_label *role, uid_t uidgid)
52371 +{
52372 + unsigned int index =
52373 + rhash(uidgid, role->roletype & (GR_ROLE_USER | GR_ROLE_GROUP), acl_role_set.r_size);
52374 + struct acl_role_label **curr;
52375 + struct acl_role_label *tmp;
52376 +
52377 + curr = &acl_role_set.r_hash[index];
52378 +
52379 + /* if role was already inserted due to domains and already has
52380 + a role in the same bucket as it attached, then we need to
52381 + combine these two buckets
52382 + */
52383 + if (role->next) {
52384 + tmp = role->next;
52385 + while (tmp->next)
52386 + tmp = tmp->next;
52387 + tmp->next = *curr;
52388 + } else
52389 + role->next = *curr;
52390 + *curr = role;
52391 +
52392 + return;
52393 +}
52394 +
52395 +static void
52396 +insert_acl_role_label(struct acl_role_label *role)
52397 +{
52398 + int i;
52399 +
52400 + if (role_list == NULL) {
52401 + role_list = role;
52402 + role->prev = NULL;
52403 + } else {
52404 + role->prev = role_list;
52405 + role_list = role;
52406 + }
52407 +
52408 + /* used for hash chains */
52409 + role->next = NULL;
52410 +
52411 + if (role->roletype & GR_ROLE_DOMAIN) {
52412 + for (i = 0; i < role->domain_child_num; i++)
52413 + __insert_acl_role_label(role, role->domain_children[i]);
52414 + } else
52415 + __insert_acl_role_label(role, role->uidgid);
52416 +}
52417 +
52418 +static int
52419 +insert_name_entry(char *name, const ino_t inode, const dev_t device, __u8 deleted)
52420 +{
52421 + struct name_entry **curr, *nentry;
52422 + struct inodev_entry *ientry;
52423 + unsigned int len = strlen(name);
52424 + unsigned int key = full_name_hash(name, len);
52425 + unsigned int index = key % name_set.n_size;
52426 +
52427 + curr = &name_set.n_hash[index];
52428 +
52429 + while (*curr && ((*curr)->key != key || !gr_streq((*curr)->name, name, (*curr)->len, len)))
52430 + curr = &((*curr)->next);
52431 +
52432 + if (*curr != NULL)
52433 + return 1;
52434 +
52435 + nentry = acl_alloc(sizeof (struct name_entry));
52436 + if (nentry == NULL)
52437 + return 0;
52438 + ientry = acl_alloc(sizeof (struct inodev_entry));
52439 + if (ientry == NULL)
52440 + return 0;
52441 + ientry->nentry = nentry;
52442 +
52443 + nentry->key = key;
52444 + nentry->name = name;
52445 + nentry->inode = inode;
52446 + nentry->device = device;
52447 + nentry->len = len;
52448 + nentry->deleted = deleted;
52449 +
52450 + nentry->prev = NULL;
52451 + curr = &name_set.n_hash[index];
52452 + if (*curr != NULL)
52453 + (*curr)->prev = nentry;
52454 + nentry->next = *curr;
52455 + *curr = nentry;
52456 +
52457 + /* insert us into the table searchable by inode/dev */
52458 + insert_inodev_entry(ientry);
52459 +
52460 + return 1;
52461 +}
52462 +
52463 +static void
52464 +insert_acl_obj_label(struct acl_object_label *obj,
52465 + struct acl_subject_label *subj)
52466 +{
52467 + unsigned int index =
52468 + fhash(obj->inode, obj->device, subj->obj_hash_size);
52469 + struct acl_object_label **curr;
52470 +
52471 +
52472 + obj->prev = NULL;
52473 +
52474 + curr = &subj->obj_hash[index];
52475 + if (*curr != NULL)
52476 + (*curr)->prev = obj;
52477 +
52478 + obj->next = *curr;
52479 + *curr = obj;
52480 +
52481 + return;
52482 +}
52483 +
52484 +static void
52485 +insert_acl_subj_label(struct acl_subject_label *obj,
52486 + struct acl_role_label *role)
52487 +{
52488 + unsigned int index = fhash(obj->inode, obj->device, role->subj_hash_size);
52489 + struct acl_subject_label **curr;
52490 +
52491 + obj->prev = NULL;
52492 +
52493 + curr = &role->subj_hash[index];
52494 + if (*curr != NULL)
52495 + (*curr)->prev = obj;
52496 +
52497 + obj->next = *curr;
52498 + *curr = obj;
52499 +
52500 + return;
52501 +}
52502 +
52503 +/* allocating chained hash tables, so optimal size is where lambda ~ 1 */
52504 +
52505 +static void *
52506 +create_table(__u32 * len, int elementsize)
52507 +{
52508 + unsigned int table_sizes[] = {
52509 + 7, 13, 31, 61, 127, 251, 509, 1021, 2039, 4093, 8191, 16381,
52510 + 32749, 65521, 131071, 262139, 524287, 1048573, 2097143,
52511 + 4194301, 8388593, 16777213, 33554393, 67108859
52512 + };
52513 + void *newtable = NULL;
52514 + unsigned int pwr = 0;
52515 +
52516 + while ((pwr < ((sizeof (table_sizes) / sizeof (table_sizes[0])) - 1)) &&
52517 + table_sizes[pwr] <= *len)
52518 + pwr++;
52519 +
52520 + if (table_sizes[pwr] <= *len || (table_sizes[pwr] > ULONG_MAX / elementsize))
52521 + return newtable;
52522 +
52523 + if ((table_sizes[pwr] * elementsize) <= PAGE_SIZE)
52524 + newtable =
52525 + kmalloc(table_sizes[pwr] * elementsize, GFP_KERNEL);
52526 + else
52527 + newtable = vmalloc(table_sizes[pwr] * elementsize);
52528 +
52529 + *len = table_sizes[pwr];
52530 +
52531 + return newtable;
52532 +}
52533 +
52534 +static int
52535 +init_variables(const struct gr_arg *arg)
52536 +{
52537 + struct task_struct *reaper = &init_task;
52538 + unsigned int stacksize;
52539 +
52540 + subj_map_set.s_size = arg->role_db.num_subjects;
52541 + acl_role_set.r_size = arg->role_db.num_roles + arg->role_db.num_domain_children;
52542 + name_set.n_size = arg->role_db.num_objects;
52543 + inodev_set.i_size = arg->role_db.num_objects;
52544 +
52545 + if (!subj_map_set.s_size || !acl_role_set.r_size ||
52546 + !name_set.n_size || !inodev_set.i_size)
52547 + return 1;
52548 +
52549 + if (!gr_init_uidset())
52550 + return 1;
52551 +
52552 + /* set up the stack that holds allocation info */
52553 +
52554 + stacksize = arg->role_db.num_pointers + 5;
52555 +
52556 + if (!acl_alloc_stack_init(stacksize))
52557 + return 1;
52558 +
52559 + /* grab reference for the real root dentry and vfsmount */
52560 + get_fs_root(reaper->fs, &real_root);
52561 +
52562 +#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
52563 + printk(KERN_ALERT "Obtained real root device=%d, inode=%lu\n", __get_dev(real_root.dentry), real_root.dentry->d_inode->i_ino);
52564 +#endif
52565 +
52566 + fakefs_obj_rw = acl_alloc(sizeof(struct acl_object_label));
52567 + if (fakefs_obj_rw == NULL)
52568 + return 1;
52569 + fakefs_obj_rw->mode = GR_FIND | GR_READ | GR_WRITE;
52570 +
52571 + fakefs_obj_rwx = acl_alloc(sizeof(struct acl_object_label));
52572 + if (fakefs_obj_rwx == NULL)
52573 + return 1;
52574 + fakefs_obj_rwx->mode = GR_FIND | GR_READ | GR_WRITE | GR_EXEC;
52575 +
52576 + subj_map_set.s_hash =
52577 + (struct subject_map **) create_table(&subj_map_set.s_size, sizeof(void *));
52578 + acl_role_set.r_hash =
52579 + (struct acl_role_label **) create_table(&acl_role_set.r_size, sizeof(void *));
52580 + name_set.n_hash = (struct name_entry **) create_table(&name_set.n_size, sizeof(void *));
52581 + inodev_set.i_hash =
52582 + (struct inodev_entry **) create_table(&inodev_set.i_size, sizeof(void *));
52583 +
52584 + if (!subj_map_set.s_hash || !acl_role_set.r_hash ||
52585 + !name_set.n_hash || !inodev_set.i_hash)
52586 + return 1;
52587 +
52588 + memset(subj_map_set.s_hash, 0,
52589 + sizeof(struct subject_map *) * subj_map_set.s_size);
52590 + memset(acl_role_set.r_hash, 0,
52591 + sizeof (struct acl_role_label *) * acl_role_set.r_size);
52592 + memset(name_set.n_hash, 0,
52593 + sizeof (struct name_entry *) * name_set.n_size);
52594 + memset(inodev_set.i_hash, 0,
52595 + sizeof (struct inodev_entry *) * inodev_set.i_size);
52596 +
52597 + return 0;
52598 +}
52599 +
52600 +/* free information not needed after startup
52601 + currently contains user->kernel pointer mappings for subjects
52602 +*/
52603 +
52604 +static void
52605 +free_init_variables(void)
52606 +{
52607 + __u32 i;
52608 +
52609 + if (subj_map_set.s_hash) {
52610 + for (i = 0; i < subj_map_set.s_size; i++) {
52611 + if (subj_map_set.s_hash[i]) {
52612 + kfree(subj_map_set.s_hash[i]);
52613 + subj_map_set.s_hash[i] = NULL;
52614 + }
52615 + }
52616 +
52617 + if ((subj_map_set.s_size * sizeof (struct subject_map *)) <=
52618 + PAGE_SIZE)
52619 + kfree(subj_map_set.s_hash);
52620 + else
52621 + vfree(subj_map_set.s_hash);
52622 + }
52623 +
52624 + return;
52625 +}
52626 +
52627 +static void
52628 +free_variables(void)
52629 +{
52630 + struct acl_subject_label *s;
52631 + struct acl_role_label *r;
52632 + struct task_struct *task, *task2;
52633 + unsigned int x;
52634 +
52635 + gr_clear_learn_entries();
52636 +
52637 + read_lock(&tasklist_lock);
52638 + do_each_thread(task2, task) {
52639 + task->acl_sp_role = 0;
52640 + task->acl_role_id = 0;
52641 + task->acl = NULL;
52642 + task->role = NULL;
52643 + } while_each_thread(task2, task);
52644 + read_unlock(&tasklist_lock);
52645 +
52646 + /* release the reference to the real root dentry and vfsmount */
52647 + path_put(&real_root);
52648 +
52649 + /* free all object hash tables */
52650 +
52651 + FOR_EACH_ROLE_START(r)
52652 + if (r->subj_hash == NULL)
52653 + goto next_role;
52654 + FOR_EACH_SUBJECT_START(r, s, x)
52655 + if (s->obj_hash == NULL)
52656 + break;
52657 + if ((s->obj_hash_size * sizeof (struct acl_object_label *)) <= PAGE_SIZE)
52658 + kfree(s->obj_hash);
52659 + else
52660 + vfree(s->obj_hash);
52661 + FOR_EACH_SUBJECT_END(s, x)
52662 + FOR_EACH_NESTED_SUBJECT_START(r, s)
52663 + if (s->obj_hash == NULL)
52664 + break;
52665 + if ((s->obj_hash_size * sizeof (struct acl_object_label *)) <= PAGE_SIZE)
52666 + kfree(s->obj_hash);
52667 + else
52668 + vfree(s->obj_hash);
52669 + FOR_EACH_NESTED_SUBJECT_END(s)
52670 + if ((r->subj_hash_size * sizeof (struct acl_subject_label *)) <= PAGE_SIZE)
52671 + kfree(r->subj_hash);
52672 + else
52673 + vfree(r->subj_hash);
52674 + r->subj_hash = NULL;
52675 +next_role:
52676 + FOR_EACH_ROLE_END(r)
52677 +
52678 + acl_free_all();
52679 +
52680 + if (acl_role_set.r_hash) {
52681 + if ((acl_role_set.r_size * sizeof (struct acl_role_label *)) <=
52682 + PAGE_SIZE)
52683 + kfree(acl_role_set.r_hash);
52684 + else
52685 + vfree(acl_role_set.r_hash);
52686 + }
52687 + if (name_set.n_hash) {
52688 + if ((name_set.n_size * sizeof (struct name_entry *)) <=
52689 + PAGE_SIZE)
52690 + kfree(name_set.n_hash);
52691 + else
52692 + vfree(name_set.n_hash);
52693 + }
52694 +
52695 + if (inodev_set.i_hash) {
52696 + if ((inodev_set.i_size * sizeof (struct inodev_entry *)) <=
52697 + PAGE_SIZE)
52698 + kfree(inodev_set.i_hash);
52699 + else
52700 + vfree(inodev_set.i_hash);
52701 + }
52702 +
52703 + gr_free_uidset();
52704 +
52705 + memset(&name_set, 0, sizeof (struct name_db));
52706 + memset(&inodev_set, 0, sizeof (struct inodev_db));
52707 + memset(&acl_role_set, 0, sizeof (struct acl_role_db));
52708 + memset(&subj_map_set, 0, sizeof (struct acl_subj_map_db));
52709 +
52710 + default_role = NULL;
52711 + role_list = NULL;
52712 +
52713 + return;
52714 +}
52715 +
52716 +static __u32
52717 +count_user_objs(struct acl_object_label *userp)
52718 +{
52719 + struct acl_object_label o_tmp;
52720 + __u32 num = 0;
52721 +
52722 + while (userp) {
52723 + if (copy_from_user(&o_tmp, userp,
52724 + sizeof (struct acl_object_label)))
52725 + break;
52726 +
52727 + userp = o_tmp.prev;
52728 + num++;
52729 + }
52730 +
52731 + return num;
52732 +}
52733 +
52734 +static struct acl_subject_label *
52735 +do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role);
52736 +
52737 +static int
52738 +copy_user_glob(struct acl_object_label *obj)
52739 +{
52740 + struct acl_object_label *g_tmp, **guser;
52741 + unsigned int len;
52742 + char *tmp;
52743 +
52744 + if (obj->globbed == NULL)
52745 + return 0;
52746 +
52747 + guser = &obj->globbed;
52748 + while (*guser) {
52749 + g_tmp = (struct acl_object_label *)
52750 + acl_alloc(sizeof (struct acl_object_label));
52751 + if (g_tmp == NULL)
52752 + return -ENOMEM;
52753 +
52754 + if (copy_from_user(g_tmp, *guser,
52755 + sizeof (struct acl_object_label)))
52756 + return -EFAULT;
52757 +
52758 + len = strnlen_user(g_tmp->filename, PATH_MAX);
52759 +
52760 + if (!len || len >= PATH_MAX)
52761 + return -EINVAL;
52762 +
52763 + if ((tmp = (char *) acl_alloc(len)) == NULL)
52764 + return -ENOMEM;
52765 +
52766 + if (copy_from_user(tmp, g_tmp->filename, len))
52767 + return -EFAULT;
52768 + tmp[len-1] = '\0';
52769 + g_tmp->filename = tmp;
52770 +
52771 + *guser = g_tmp;
52772 + guser = &(g_tmp->next);
52773 + }
52774 +
52775 + return 0;
52776 +}
52777 +
52778 +static int
52779 +copy_user_objs(struct acl_object_label *userp, struct acl_subject_label *subj,
52780 + struct acl_role_label *role)
52781 +{
52782 + struct acl_object_label *o_tmp;
52783 + unsigned int len;
52784 + int ret;
52785 + char *tmp;
52786 +
52787 + while (userp) {
52788 + if ((o_tmp = (struct acl_object_label *)
52789 + acl_alloc(sizeof (struct acl_object_label))) == NULL)
52790 + return -ENOMEM;
52791 +
52792 + if (copy_from_user(o_tmp, userp,
52793 + sizeof (struct acl_object_label)))
52794 + return -EFAULT;
52795 +
52796 + userp = o_tmp->prev;
52797 +
52798 + len = strnlen_user(o_tmp->filename, PATH_MAX);
52799 +
52800 + if (!len || len >= PATH_MAX)
52801 + return -EINVAL;
52802 +
52803 + if ((tmp = (char *) acl_alloc(len)) == NULL)
52804 + return -ENOMEM;
52805 +
52806 + if (copy_from_user(tmp, o_tmp->filename, len))
52807 + return -EFAULT;
52808 + tmp[len-1] = '\0';
52809 + o_tmp->filename = tmp;
52810 +
52811 + insert_acl_obj_label(o_tmp, subj);
52812 + if (!insert_name_entry(o_tmp->filename, o_tmp->inode,
52813 + o_tmp->device, (o_tmp->mode & GR_DELETED) ? 1 : 0))
52814 + return -ENOMEM;
52815 +
52816 + ret = copy_user_glob(o_tmp);
52817 + if (ret)
52818 + return ret;
52819 +
52820 + if (o_tmp->nested) {
52821 + o_tmp->nested = do_copy_user_subj(o_tmp->nested, role);
52822 + if (IS_ERR(o_tmp->nested))
52823 + return PTR_ERR(o_tmp->nested);
52824 +
52825 + /* insert into nested subject list */
52826 + o_tmp->nested->next = role->hash->first;
52827 + role->hash->first = o_tmp->nested;
52828 + }
52829 + }
52830 +
52831 + return 0;
52832 +}
52833 +
52834 +static __u32
52835 +count_user_subjs(struct acl_subject_label *userp)
52836 +{
52837 + struct acl_subject_label s_tmp;
52838 + __u32 num = 0;
52839 +
52840 + while (userp) {
52841 + if (copy_from_user(&s_tmp, userp,
52842 + sizeof (struct acl_subject_label)))
52843 + break;
52844 +
52845 + userp = s_tmp.prev;
52846 + /* do not count nested subjects against this count, since
52847 + they are not included in the hash table, but are
52848 + attached to objects. We have already counted
52849 + the subjects in userspace for the allocation
52850 + stack
52851 + */
52852 + if (!(s_tmp.mode & GR_NESTED))
52853 + num++;
52854 + }
52855 +
52856 + return num;
52857 +}
52858 +
52859 +static int
52860 +copy_user_allowedips(struct acl_role_label *rolep)
52861 +{
52862 + struct role_allowed_ip *ruserip, *rtmp = NULL, *rlast;
52863 +
52864 + ruserip = rolep->allowed_ips;
52865 +
52866 + while (ruserip) {
52867 + rlast = rtmp;
52868 +
52869 + if ((rtmp = (struct role_allowed_ip *)
52870 + acl_alloc(sizeof (struct role_allowed_ip))) == NULL)
52871 + return -ENOMEM;
52872 +
52873 + if (copy_from_user(rtmp, ruserip,
52874 + sizeof (struct role_allowed_ip)))
52875 + return -EFAULT;
52876 +
52877 + ruserip = rtmp->prev;
52878 +
52879 + if (!rlast) {
52880 + rtmp->prev = NULL;
52881 + rolep->allowed_ips = rtmp;
52882 + } else {
52883 + rlast->next = rtmp;
52884 + rtmp->prev = rlast;
52885 + }
52886 +
52887 + if (!ruserip)
52888 + rtmp->next = NULL;
52889 + }
52890 +
52891 + return 0;
52892 +}
52893 +
52894 +static int
52895 +copy_user_transitions(struct acl_role_label *rolep)
52896 +{
52897 + struct role_transition *rusertp, *rtmp = NULL, *rlast;
52898 +
52899 + unsigned int len;
52900 + char *tmp;
52901 +
52902 + rusertp = rolep->transitions;
52903 +
52904 + while (rusertp) {
52905 + rlast = rtmp;
52906 +
52907 + if ((rtmp = (struct role_transition *)
52908 + acl_alloc(sizeof (struct role_transition))) == NULL)
52909 + return -ENOMEM;
52910 +
52911 + if (copy_from_user(rtmp, rusertp,
52912 + sizeof (struct role_transition)))
52913 + return -EFAULT;
52914 +
52915 + rusertp = rtmp->prev;
52916 +
52917 + len = strnlen_user(rtmp->rolename, GR_SPROLE_LEN);
52918 +
52919 + if (!len || len >= GR_SPROLE_LEN)
52920 + return -EINVAL;
52921 +
52922 + if ((tmp = (char *) acl_alloc(len)) == NULL)
52923 + return -ENOMEM;
52924 +
52925 + if (copy_from_user(tmp, rtmp->rolename, len))
52926 + return -EFAULT;
52927 + tmp[len-1] = '\0';
52928 + rtmp->rolename = tmp;
52929 +
52930 + if (!rlast) {
52931 + rtmp->prev = NULL;
52932 + rolep->transitions = rtmp;
52933 + } else {
52934 + rlast->next = rtmp;
52935 + rtmp->prev = rlast;
52936 + }
52937 +
52938 + if (!rusertp)
52939 + rtmp->next = NULL;
52940 + }
52941 +
52942 + return 0;
52943 +}
52944 +
52945 +static struct acl_subject_label *
52946 +do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role)
52947 +{
52948 + struct acl_subject_label *s_tmp = NULL, *s_tmp2;
52949 + unsigned int len;
52950 + char *tmp;
52951 + __u32 num_objs;
52952 + struct acl_ip_label **i_tmp, *i_utmp2;
52953 + struct gr_hash_struct ghash;
52954 + struct subject_map *subjmap;
52955 + unsigned int i_num;
52956 + int err;
52957 +
52958 + s_tmp = lookup_subject_map(userp);
52959 +
52960 + /* we've already copied this subject into the kernel, just return
52961 + the reference to it, and don't copy it over again
52962 + */
52963 + if (s_tmp)
52964 + return(s_tmp);
52965 +
52966 + if ((s_tmp = (struct acl_subject_label *)
52967 + acl_alloc(sizeof (struct acl_subject_label))) == NULL)
52968 + return ERR_PTR(-ENOMEM);
52969 +
52970 + subjmap = (struct subject_map *)kmalloc(sizeof (struct subject_map), GFP_KERNEL);
52971 + if (subjmap == NULL)
52972 + return ERR_PTR(-ENOMEM);
52973 +
52974 + subjmap->user = userp;
52975 + subjmap->kernel = s_tmp;
52976 + insert_subj_map_entry(subjmap);
52977 +
52978 + if (copy_from_user(s_tmp, userp,
52979 + sizeof (struct acl_subject_label)))
52980 + return ERR_PTR(-EFAULT);
52981 +
52982 + len = strnlen_user(s_tmp->filename, PATH_MAX);
52983 +
52984 + if (!len || len >= PATH_MAX)
52985 + return ERR_PTR(-EINVAL);
52986 +
52987 + if ((tmp = (char *) acl_alloc(len)) == NULL)
52988 + return ERR_PTR(-ENOMEM);
52989 +
52990 + if (copy_from_user(tmp, s_tmp->filename, len))
52991 + return ERR_PTR(-EFAULT);
52992 + tmp[len-1] = '\0';
52993 + s_tmp->filename = tmp;
52994 +
52995 + if (!strcmp(s_tmp->filename, "/"))
52996 + role->root_label = s_tmp;
52997 +
52998 + if (copy_from_user(&ghash, s_tmp->hash, sizeof(struct gr_hash_struct)))
52999 + return ERR_PTR(-EFAULT);
53000 +
53001 + /* copy user and group transition tables */
53002 +
53003 + if (s_tmp->user_trans_num) {
53004 + uid_t *uidlist;
53005 +
53006 + uidlist = (uid_t *)acl_alloc_num(s_tmp->user_trans_num, sizeof(uid_t));
53007 + if (uidlist == NULL)
53008 + return ERR_PTR(-ENOMEM);
53009 + if (copy_from_user(uidlist, s_tmp->user_transitions, s_tmp->user_trans_num * sizeof(uid_t)))
53010 + return ERR_PTR(-EFAULT);
53011 +
53012 + s_tmp->user_transitions = uidlist;
53013 + }
53014 +
53015 + if (s_tmp->group_trans_num) {
53016 + gid_t *gidlist;
53017 +
53018 + gidlist = (gid_t *)acl_alloc_num(s_tmp->group_trans_num, sizeof(gid_t));
53019 + if (gidlist == NULL)
53020 + return ERR_PTR(-ENOMEM);
53021 + if (copy_from_user(gidlist, s_tmp->group_transitions, s_tmp->group_trans_num * sizeof(gid_t)))
53022 + return ERR_PTR(-EFAULT);
53023 +
53024 + s_tmp->group_transitions = gidlist;
53025 + }
53026 +
53027 + /* set up object hash table */
53028 + num_objs = count_user_objs(ghash.first);
53029 +
53030 + s_tmp->obj_hash_size = num_objs;
53031 + s_tmp->obj_hash =
53032 + (struct acl_object_label **)
53033 + create_table(&(s_tmp->obj_hash_size), sizeof(void *));
53034 +
53035 + if (!s_tmp->obj_hash)
53036 + return ERR_PTR(-ENOMEM);
53037 +
53038 + memset(s_tmp->obj_hash, 0,
53039 + s_tmp->obj_hash_size *
53040 + sizeof (struct acl_object_label *));
53041 +
53042 + /* add in objects */
53043 + err = copy_user_objs(ghash.first, s_tmp, role);
53044 +
53045 + if (err)
53046 + return ERR_PTR(err);
53047 +
53048 + /* set pointer for parent subject */
53049 + if (s_tmp->parent_subject) {
53050 + s_tmp2 = do_copy_user_subj(s_tmp->parent_subject, role);
53051 +
53052 + if (IS_ERR(s_tmp2))
53053 + return s_tmp2;
53054 +
53055 + s_tmp->parent_subject = s_tmp2;
53056 + }
53057 +
53058 + /* add in ip acls */
53059 +
53060 + if (!s_tmp->ip_num) {
53061 + s_tmp->ips = NULL;
53062 + goto insert;
53063 + }
53064 +
53065 + i_tmp =
53066 + (struct acl_ip_label **) acl_alloc_num(s_tmp->ip_num,
53067 + sizeof (struct acl_ip_label *));
53068 +
53069 + if (!i_tmp)
53070 + return ERR_PTR(-ENOMEM);
53071 +
53072 + for (i_num = 0; i_num < s_tmp->ip_num; i_num++) {
53073 + *(i_tmp + i_num) =
53074 + (struct acl_ip_label *)
53075 + acl_alloc(sizeof (struct acl_ip_label));
53076 + if (!*(i_tmp + i_num))
53077 + return ERR_PTR(-ENOMEM);
53078 +
53079 + if (copy_from_user
53080 + (&i_utmp2, s_tmp->ips + i_num,
53081 + sizeof (struct acl_ip_label *)))
53082 + return ERR_PTR(-EFAULT);
53083 +
53084 + if (copy_from_user
53085 + (*(i_tmp + i_num), i_utmp2,
53086 + sizeof (struct acl_ip_label)))
53087 + return ERR_PTR(-EFAULT);
53088 +
53089 + if ((*(i_tmp + i_num))->iface == NULL)
53090 + continue;
53091 +
53092 + len = strnlen_user((*(i_tmp + i_num))->iface, IFNAMSIZ);
53093 + if (!len || len >= IFNAMSIZ)
53094 + return ERR_PTR(-EINVAL);
53095 + tmp = acl_alloc(len);
53096 + if (tmp == NULL)
53097 + return ERR_PTR(-ENOMEM);
53098 + if (copy_from_user(tmp, (*(i_tmp + i_num))->iface, len))
53099 + return ERR_PTR(-EFAULT);
53100 + (*(i_tmp + i_num))->iface = tmp;
53101 + }
53102 +
53103 + s_tmp->ips = i_tmp;
53104 +
53105 +insert:
53106 + if (!insert_name_entry(s_tmp->filename, s_tmp->inode,
53107 + s_tmp->device, (s_tmp->mode & GR_DELETED) ? 1 : 0))
53108 + return ERR_PTR(-ENOMEM);
53109 +
53110 + return s_tmp;
53111 +}
53112 +
53113 +static int
53114 +copy_user_subjs(struct acl_subject_label *userp, struct acl_role_label *role)
53115 +{
53116 + struct acl_subject_label s_pre;
53117 + struct acl_subject_label * ret;
53118 + int err;
53119 +
53120 + while (userp) {
53121 + if (copy_from_user(&s_pre, userp,
53122 + sizeof (struct acl_subject_label)))
53123 + return -EFAULT;
53124 +
53125 + /* do not add nested subjects here, add
53126 + while parsing objects
53127 + */
53128 +
53129 + if (s_pre.mode & GR_NESTED) {
53130 + userp = s_pre.prev;
53131 + continue;
53132 + }
53133 +
53134 + ret = do_copy_user_subj(userp, role);
53135 +
53136 + err = PTR_ERR(ret);
53137 + if (IS_ERR(ret))
53138 + return err;
53139 +
53140 + insert_acl_subj_label(ret, role);
53141 +
53142 + userp = s_pre.prev;
53143 + }
53144 +
53145 + return 0;
53146 +}
53147 +
53148 +static int
53149 +copy_user_acl(struct gr_arg *arg)
53150 +{
53151 + struct acl_role_label *r_tmp = NULL, **r_utmp, *r_utmp2;
53152 + struct sprole_pw *sptmp;
53153 + struct gr_hash_struct *ghash;
53154 + uid_t *domainlist;
53155 + unsigned int r_num;
53156 + unsigned int len;
53157 + char *tmp;
53158 + int err = 0;
53159 + __u16 i;
53160 + __u32 num_subjs;
53161 +
53162 + /* we need a default and kernel role */
53163 + if (arg->role_db.num_roles < 2)
53164 + return -EINVAL;
53165 +
53166 + /* copy special role authentication info from userspace */
53167 +
53168 + num_sprole_pws = arg->num_sprole_pws;
53169 + acl_special_roles = (struct sprole_pw **) acl_alloc_num(num_sprole_pws, sizeof(struct sprole_pw *));
53170 +
53171 + if (!acl_special_roles) {
53172 + err = -ENOMEM;
53173 + goto cleanup;
53174 + }
53175 +
53176 + for (i = 0; i < num_sprole_pws; i++) {
53177 + sptmp = (struct sprole_pw *) acl_alloc(sizeof(struct sprole_pw));
53178 + if (!sptmp) {
53179 + err = -ENOMEM;
53180 + goto cleanup;
53181 + }
53182 + if (copy_from_user(sptmp, arg->sprole_pws + i,
53183 + sizeof (struct sprole_pw))) {
53184 + err = -EFAULT;
53185 + goto cleanup;
53186 + }
53187 +
53188 + len =
53189 + strnlen_user(sptmp->rolename, GR_SPROLE_LEN);
53190 +
53191 + if (!len || len >= GR_SPROLE_LEN) {
53192 + err = -EINVAL;
53193 + goto cleanup;
53194 + }
53195 +
53196 + if ((tmp = (char *) acl_alloc(len)) == NULL) {
53197 + err = -ENOMEM;
53198 + goto cleanup;
53199 + }
53200 +
53201 + if (copy_from_user(tmp, sptmp->rolename, len)) {
53202 + err = -EFAULT;
53203 + goto cleanup;
53204 + }
53205 + tmp[len-1] = '\0';
53206 +#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
53207 + printk(KERN_ALERT "Copying special role %s\n", tmp);
53208 +#endif
53209 + sptmp->rolename = tmp;
53210 + acl_special_roles[i] = sptmp;
53211 + }
53212 +
53213 + r_utmp = (struct acl_role_label **) arg->role_db.r_table;
53214 +
53215 + for (r_num = 0; r_num < arg->role_db.num_roles; r_num++) {
53216 + r_tmp = acl_alloc(sizeof (struct acl_role_label));
53217 +
53218 + if (!r_tmp) {
53219 + err = -ENOMEM;
53220 + goto cleanup;
53221 + }
53222 +
53223 + if (copy_from_user(&r_utmp2, r_utmp + r_num,
53224 + sizeof (struct acl_role_label *))) {
53225 + err = -EFAULT;
53226 + goto cleanup;
53227 + }
53228 +
53229 + if (copy_from_user(r_tmp, r_utmp2,
53230 + sizeof (struct acl_role_label))) {
53231 + err = -EFAULT;
53232 + goto cleanup;
53233 + }
53234 +
53235 + len = strnlen_user(r_tmp->rolename, GR_SPROLE_LEN);
53236 +
53237 + if (!len || len >= PATH_MAX) {
53238 + err = -EINVAL;
53239 + goto cleanup;
53240 + }
53241 +
53242 + if ((tmp = (char *) acl_alloc(len)) == NULL) {
53243 + err = -ENOMEM;
53244 + goto cleanup;
53245 + }
53246 + if (copy_from_user(tmp, r_tmp->rolename, len)) {
53247 + err = -EFAULT;
53248 + goto cleanup;
53249 + }
53250 + tmp[len-1] = '\0';
53251 + r_tmp->rolename = tmp;
53252 +
53253 + if (!strcmp(r_tmp->rolename, "default")
53254 + && (r_tmp->roletype & GR_ROLE_DEFAULT)) {
53255 + default_role = r_tmp;
53256 + } else if (!strcmp(r_tmp->rolename, ":::kernel:::")) {
53257 + kernel_role = r_tmp;
53258 + }
53259 +
53260 + if ((ghash = (struct gr_hash_struct *) acl_alloc(sizeof(struct gr_hash_struct))) == NULL) {
53261 + err = -ENOMEM;
53262 + goto cleanup;
53263 + }
53264 + if (copy_from_user(ghash, r_tmp->hash, sizeof(struct gr_hash_struct))) {
53265 + err = -EFAULT;
53266 + goto cleanup;
53267 + }
53268 +
53269 + r_tmp->hash = ghash;
53270 +
53271 + num_subjs = count_user_subjs(r_tmp->hash->first);
53272 +
53273 + r_tmp->subj_hash_size = num_subjs;
53274 + r_tmp->subj_hash =
53275 + (struct acl_subject_label **)
53276 + create_table(&(r_tmp->subj_hash_size), sizeof(void *));
53277 +
53278 + if (!r_tmp->subj_hash) {
53279 + err = -ENOMEM;
53280 + goto cleanup;
53281 + }
53282 +
53283 + err = copy_user_allowedips(r_tmp);
53284 + if (err)
53285 + goto cleanup;
53286 +
53287 + /* copy domain info */
53288 + if (r_tmp->domain_children != NULL) {
53289 + domainlist = acl_alloc_num(r_tmp->domain_child_num, sizeof(uid_t));
53290 + if (domainlist == NULL) {
53291 + err = -ENOMEM;
53292 + goto cleanup;
53293 + }
53294 + if (copy_from_user(domainlist, r_tmp->domain_children, r_tmp->domain_child_num * sizeof(uid_t))) {
53295 + err = -EFAULT;
53296 + goto cleanup;
53297 + }
53298 + r_tmp->domain_children = domainlist;
53299 + }
53300 +
53301 + err = copy_user_transitions(r_tmp);
53302 + if (err)
53303 + goto cleanup;
53304 +
53305 + memset(r_tmp->subj_hash, 0,
53306 + r_tmp->subj_hash_size *
53307 + sizeof (struct acl_subject_label *));
53308 +
53309 + err = copy_user_subjs(r_tmp->hash->first, r_tmp);
53310 +
53311 + if (err)
53312 + goto cleanup;
53313 +
53314 + /* set nested subject list to null */
53315 + r_tmp->hash->first = NULL;
53316 +
53317 + insert_acl_role_label(r_tmp);
53318 + }
53319 +
53320 + goto return_err;
53321 + cleanup:
53322 + free_variables();
53323 + return_err:
53324 + return err;
53325 +
53326 +}
53327 +
53328 +static int
53329 +gracl_init(struct gr_arg *args)
53330 +{
53331 + int error = 0;
53332 +
53333 + memcpy(gr_system_salt, args->salt, GR_SALT_LEN);
53334 + memcpy(gr_system_sum, args->sum, GR_SHA_LEN);
53335 +
53336 + if (init_variables(args)) {
53337 + gr_log_str(GR_DONT_AUDIT_GOOD, GR_INITF_ACL_MSG, GR_VERSION);
53338 + error = -ENOMEM;
53339 + free_variables();
53340 + goto out;
53341 + }
53342 +
53343 + error = copy_user_acl(args);
53344 + free_init_variables();
53345 + if (error) {
53346 + free_variables();
53347 + goto out;
53348 + }
53349 +
53350 + if ((error = gr_set_acls(0))) {
53351 + free_variables();
53352 + goto out;
53353 + }
53354 +
53355 + pax_open_kernel();
53356 + gr_status |= GR_READY;
53357 + pax_close_kernel();
53358 +
53359 + out:
53360 + return error;
53361 +}
53362 +
53363 +/* derived from glibc fnmatch() 0: match, 1: no match*/
53364 +
53365 +static int
53366 +glob_match(const char *p, const char *n)
53367 +{
53368 + char c;
53369 +
53370 + while ((c = *p++) != '\0') {
53371 + switch (c) {
53372 + case '?':
53373 + if (*n == '\0')
53374 + return 1;
53375 + else if (*n == '/')
53376 + return 1;
53377 + break;
53378 + case '\\':
53379 + if (*n != c)
53380 + return 1;
53381 + break;
53382 + case '*':
53383 + for (c = *p++; c == '?' || c == '*'; c = *p++) {
53384 + if (*n == '/')
53385 + return 1;
53386 + else if (c == '?') {
53387 + if (*n == '\0')
53388 + return 1;
53389 + else
53390 + ++n;
53391 + }
53392 + }
53393 + if (c == '\0') {
53394 + return 0;
53395 + } else {
53396 + const char *endp;
53397 +
53398 + if ((endp = strchr(n, '/')) == NULL)
53399 + endp = n + strlen(n);
53400 +
53401 + if (c == '[') {
53402 + for (--p; n < endp; ++n)
53403 + if (!glob_match(p, n))
53404 + return 0;
53405 + } else if (c == '/') {
53406 + while (*n != '\0' && *n != '/')
53407 + ++n;
53408 + if (*n == '/' && !glob_match(p, n + 1))
53409 + return 0;
53410 + } else {
53411 + for (--p; n < endp; ++n)
53412 + if (*n == c && !glob_match(p, n))
53413 + return 0;
53414 + }
53415 +
53416 + return 1;
53417 + }
53418 + case '[':
53419 + {
53420 + int not;
53421 + char cold;
53422 +
53423 + if (*n == '\0' || *n == '/')
53424 + return 1;
53425 +
53426 + not = (*p == '!' || *p == '^');
53427 + if (not)
53428 + ++p;
53429 +
53430 + c = *p++;
53431 + for (;;) {
53432 + unsigned char fn = (unsigned char)*n;
53433 +
53434 + if (c == '\0')
53435 + return 1;
53436 + else {
53437 + if (c == fn)
53438 + goto matched;
53439 + cold = c;
53440 + c = *p++;
53441 +
53442 + if (c == '-' && *p != ']') {
53443 + unsigned char cend = *p++;
53444 +
53445 + if (cend == '\0')
53446 + return 1;
53447 +
53448 + if (cold <= fn && fn <= cend)
53449 + goto matched;
53450 +
53451 + c = *p++;
53452 + }
53453 + }
53454 +
53455 + if (c == ']')
53456 + break;
53457 + }
53458 + if (!not)
53459 + return 1;
53460 + break;
53461 + matched:
53462 + while (c != ']') {
53463 + if (c == '\0')
53464 + return 1;
53465 +
53466 + c = *p++;
53467 + }
53468 + if (not)
53469 + return 1;
53470 + }
53471 + break;
53472 + default:
53473 + if (c != *n)
53474 + return 1;
53475 + }
53476 +
53477 + ++n;
53478 + }
53479 +
53480 + if (*n == '\0')
53481 + return 0;
53482 +
53483 + if (*n == '/')
53484 + return 0;
53485 +
53486 + return 1;
53487 +}
53488 +
53489 +static struct acl_object_label *
53490 +chk_glob_label(struct acl_object_label *globbed,
53491 + struct dentry *dentry, struct vfsmount *mnt, char **path)
53492 +{
53493 + struct acl_object_label *tmp;
53494 +
53495 + if (*path == NULL)
53496 + *path = gr_to_filename_nolock(dentry, mnt);
53497 +
53498 + tmp = globbed;
53499 +
53500 + while (tmp) {
53501 + if (!glob_match(tmp->filename, *path))
53502 + return tmp;
53503 + tmp = tmp->next;
53504 + }
53505 +
53506 + return NULL;
53507 +}
53508 +
53509 +static struct acl_object_label *
53510 +__full_lookup(const struct dentry *orig_dentry, const struct vfsmount *orig_mnt,
53511 + const ino_t curr_ino, const dev_t curr_dev,
53512 + const struct acl_subject_label *subj, char **path, const int checkglob)
53513 +{
53514 + struct acl_subject_label *tmpsubj;
53515 + struct acl_object_label *retval;
53516 + struct acl_object_label *retval2;
53517 +
53518 + tmpsubj = (struct acl_subject_label *) subj;
53519 + read_lock(&gr_inode_lock);
53520 + do {
53521 + retval = lookup_acl_obj_label(curr_ino, curr_dev, tmpsubj);
53522 + if (retval) {
53523 + if (checkglob && retval->globbed) {
53524 + retval2 = chk_glob_label(retval->globbed, (struct dentry *)orig_dentry,
53525 + (struct vfsmount *)orig_mnt, path);
53526 + if (retval2)
53527 + retval = retval2;
53528 + }
53529 + break;
53530 + }
53531 + } while ((tmpsubj = tmpsubj->parent_subject));
53532 + read_unlock(&gr_inode_lock);
53533 +
53534 + return retval;
53535 +}
53536 +
53537 +static __inline__ struct acl_object_label *
53538 +full_lookup(const struct dentry *orig_dentry, const struct vfsmount *orig_mnt,
53539 + struct dentry *curr_dentry,
53540 + const struct acl_subject_label *subj, char **path, const int checkglob)
53541 +{
53542 + int newglob = checkglob;
53543 + ino_t inode;
53544 + dev_t device;
53545 +
53546 + /* if we aren't checking a subdirectory of the original path yet, don't do glob checking
53547 + as we don't want a / * rule to match instead of the / object
53548 + don't do this for create lookups that call this function though, since they're looking up
53549 + on the parent and thus need globbing checks on all paths
53550 + */
53551 + if (orig_dentry == curr_dentry && newglob != GR_CREATE_GLOB)
53552 + newglob = GR_NO_GLOB;
53553 +
53554 + spin_lock(&curr_dentry->d_lock);
53555 + inode = curr_dentry->d_inode->i_ino;
53556 + device = __get_dev(curr_dentry);
53557 + spin_unlock(&curr_dentry->d_lock);
53558 +
53559 + return __full_lookup(orig_dentry, orig_mnt, inode, device, subj, path, newglob);
53560 +}
53561 +
53562 +static struct acl_object_label *
53563 +__chk_obj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
53564 + const struct acl_subject_label *subj, char *path, const int checkglob)
53565 +{
53566 + struct dentry *dentry = (struct dentry *) l_dentry;
53567 + struct vfsmount *mnt = (struct vfsmount *) l_mnt;
53568 + struct acl_object_label *retval;
53569 + struct dentry *parent;
53570 +
53571 + write_seqlock(&rename_lock);
53572 + br_read_lock(vfsmount_lock);
53573 +
53574 + if (unlikely((mnt == shm_mnt && dentry->d_inode->i_nlink == 0) || mnt == pipe_mnt ||
53575 +#ifdef CONFIG_NET
53576 + mnt == sock_mnt ||
53577 +#endif
53578 +#ifdef CONFIG_HUGETLBFS
53579 + (mnt == hugetlbfs_vfsmount && dentry->d_inode->i_nlink == 0) ||
53580 +#endif
53581 + /* ignore Eric Biederman */
53582 + IS_PRIVATE(l_dentry->d_inode))) {
53583 + retval = (subj->mode & GR_SHMEXEC) ? fakefs_obj_rwx : fakefs_obj_rw;
53584 + goto out;
53585 + }
53586 +
53587 + for (;;) {
53588 + if (dentry == real_root.dentry && mnt == real_root.mnt)
53589 + break;
53590 +
53591 + if (dentry == mnt->mnt_root || IS_ROOT(dentry)) {
53592 + if (mnt->mnt_parent == mnt)
53593 + break;
53594 +
53595 + retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path, checkglob);
53596 + if (retval != NULL)
53597 + goto out;
53598 +
53599 + dentry = mnt->mnt_mountpoint;
53600 + mnt = mnt->mnt_parent;
53601 + continue;
53602 + }
53603 +
53604 + parent = dentry->d_parent;
53605 + retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path, checkglob);
53606 + if (retval != NULL)
53607 + goto out;
53608 +
53609 + dentry = parent;
53610 + }
53611 +
53612 + retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path, checkglob);
53613 +
53614 + /* real_root is pinned so we don't have to hold a reference */
53615 + if (retval == NULL)
53616 + retval = full_lookup(l_dentry, l_mnt, real_root.dentry, subj, &path, checkglob);
53617 +out:
53618 + br_read_unlock(vfsmount_lock);
53619 + write_sequnlock(&rename_lock);
53620 +
53621 + BUG_ON(retval == NULL);
53622 +
53623 + return retval;
53624 +}
53625 +
53626 +static __inline__ struct acl_object_label *
53627 +chk_obj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
53628 + const struct acl_subject_label *subj)
53629 +{
53630 + char *path = NULL;
53631 + return __chk_obj_label(l_dentry, l_mnt, subj, path, GR_REG_GLOB);
53632 +}
53633 +
53634 +static __inline__ struct acl_object_label *
53635 +chk_obj_label_noglob(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
53636 + const struct acl_subject_label *subj)
53637 +{
53638 + char *path = NULL;
53639 + return __chk_obj_label(l_dentry, l_mnt, subj, path, GR_NO_GLOB);
53640 +}
53641 +
53642 +static __inline__ struct acl_object_label *
53643 +chk_obj_create_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
53644 + const struct acl_subject_label *subj, char *path)
53645 +{
53646 + return __chk_obj_label(l_dentry, l_mnt, subj, path, GR_CREATE_GLOB);
53647 +}
53648 +
53649 +static struct acl_subject_label *
53650 +chk_subj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
53651 + const struct acl_role_label *role)
53652 +{
53653 + struct dentry *dentry = (struct dentry *) l_dentry;
53654 + struct vfsmount *mnt = (struct vfsmount *) l_mnt;
53655 + struct acl_subject_label *retval;
53656 + struct dentry *parent;
53657 +
53658 + write_seqlock(&rename_lock);
53659 + br_read_lock(vfsmount_lock);
53660 +
53661 + for (;;) {
53662 + if (dentry == real_root.dentry && mnt == real_root.mnt)
53663 + break;
53664 + if (dentry == mnt->mnt_root || IS_ROOT(dentry)) {
53665 + if (mnt->mnt_parent == mnt)
53666 + break;
53667 +
53668 + spin_lock(&dentry->d_lock);
53669 + read_lock(&gr_inode_lock);
53670 + retval =
53671 + lookup_acl_subj_label(dentry->d_inode->i_ino,
53672 + __get_dev(dentry), role);
53673 + read_unlock(&gr_inode_lock);
53674 + spin_unlock(&dentry->d_lock);
53675 + if (retval != NULL)
53676 + goto out;
53677 +
53678 + dentry = mnt->mnt_mountpoint;
53679 + mnt = mnt->mnt_parent;
53680 + continue;
53681 + }
53682 +
53683 + spin_lock(&dentry->d_lock);
53684 + read_lock(&gr_inode_lock);
53685 + retval = lookup_acl_subj_label(dentry->d_inode->i_ino,
53686 + __get_dev(dentry), role);
53687 + read_unlock(&gr_inode_lock);
53688 + parent = dentry->d_parent;
53689 + spin_unlock(&dentry->d_lock);
53690 +
53691 + if (retval != NULL)
53692 + goto out;
53693 +
53694 + dentry = parent;
53695 + }
53696 +
53697 + spin_lock(&dentry->d_lock);
53698 + read_lock(&gr_inode_lock);
53699 + retval = lookup_acl_subj_label(dentry->d_inode->i_ino,
53700 + __get_dev(dentry), role);
53701 + read_unlock(&gr_inode_lock);
53702 + spin_unlock(&dentry->d_lock);
53703 +
53704 + if (unlikely(retval == NULL)) {
53705 + /* real_root is pinned, we don't need to hold a reference */
53706 + read_lock(&gr_inode_lock);
53707 + retval = lookup_acl_subj_label(real_root.dentry->d_inode->i_ino,
53708 + __get_dev(real_root.dentry), role);
53709 + read_unlock(&gr_inode_lock);
53710 + }
53711 +out:
53712 + br_read_unlock(vfsmount_lock);
53713 + write_sequnlock(&rename_lock);
53714 +
53715 + BUG_ON(retval == NULL);
53716 +
53717 + return retval;
53718 +}
53719 +
53720 +static void
53721 +gr_log_learn(const struct dentry *dentry, const struct vfsmount *mnt, const __u32 mode)
53722 +{
53723 + struct task_struct *task = current;
53724 + const struct cred *cred = current_cred();
53725 +
53726 + security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename, task->role->roletype,
53727 + cred->uid, cred->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry,
53728 + task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename,
53729 + 1UL, 1UL, gr_to_filename(dentry, mnt), (unsigned long) mode, &task->signal->saved_ip);
53730 +
53731 + return;
53732 +}
53733 +
53734 +static void
53735 +gr_log_learn_sysctl(const char *path, const __u32 mode)
53736 +{
53737 + struct task_struct *task = current;
53738 + const struct cred *cred = current_cred();
53739 +
53740 + security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename, task->role->roletype,
53741 + cred->uid, cred->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry,
53742 + task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename,
53743 + 1UL, 1UL, path, (unsigned long) mode, &task->signal->saved_ip);
53744 +
53745 + return;
53746 +}
53747 +
53748 +static void
53749 +gr_log_learn_id_change(const char type, const unsigned int real,
53750 + const unsigned int effective, const unsigned int fs)
53751 +{
53752 + struct task_struct *task = current;
53753 + const struct cred *cred = current_cred();
53754 +
53755 + security_learn(GR_ID_LEARN_MSG, task->role->rolename, task->role->roletype,
53756 + cred->uid, cred->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry,
53757 + task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename,
53758 + type, real, effective, fs, &task->signal->saved_ip);
53759 +
53760 + return;
53761 +}
53762 +
53763 +__u32
53764 +gr_check_link(const struct dentry * new_dentry,
53765 + const struct dentry * parent_dentry,
53766 + const struct vfsmount * parent_mnt,
53767 + const struct dentry * old_dentry, const struct vfsmount * old_mnt)
53768 +{
53769 + struct acl_object_label *obj;
53770 + __u32 oldmode, newmode;
53771 + __u32 needmode;
53772 +
53773 + if (unlikely(!(gr_status & GR_READY)))
53774 + return (GR_CREATE | GR_LINK);
53775 +
53776 + obj = chk_obj_label(old_dentry, old_mnt, current->acl);
53777 + oldmode = obj->mode;
53778 +
53779 + if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
53780 + oldmode |= (GR_CREATE | GR_LINK);
53781 +
53782 + needmode = GR_CREATE | GR_AUDIT_CREATE | GR_SUPPRESS;
53783 + if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID))
53784 + needmode |= GR_SETID | GR_AUDIT_SETID;
53785 +
53786 + newmode =
53787 + gr_check_create(new_dentry, parent_dentry, parent_mnt,
53788 + oldmode | needmode);
53789 +
53790 + needmode = newmode & (GR_FIND | GR_APPEND | GR_WRITE | GR_EXEC |
53791 + GR_SETID | GR_READ | GR_FIND | GR_DELETE |
53792 + GR_INHERIT | GR_AUDIT_INHERIT);
53793 +
53794 + if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID) && !(newmode & GR_SETID))
53795 + goto bad;
53796 +
53797 + if ((oldmode & needmode) != needmode)
53798 + goto bad;
53799 +
53800 + needmode = oldmode & (GR_NOPTRACE | GR_PTRACERD | GR_INHERIT | GR_AUDITS);
53801 + if ((newmode & needmode) != needmode)
53802 + goto bad;
53803 +
53804 + if ((newmode & (GR_CREATE | GR_LINK)) == (GR_CREATE | GR_LINK))
53805 + return newmode;
53806 +bad:
53807 + needmode = oldmode;
53808 + if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID))
53809 + needmode |= GR_SETID;
53810 +
53811 + if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN)) {
53812 + gr_log_learn(old_dentry, old_mnt, needmode);
53813 + return (GR_CREATE | GR_LINK);
53814 + } else if (newmode & GR_SUPPRESS)
53815 + return GR_SUPPRESS;
53816 + else
53817 + return 0;
53818 +}
53819 +
53820 +__u32
53821 +gr_search_file(const struct dentry * dentry, const __u32 mode,
53822 + const struct vfsmount * mnt)
53823 +{
53824 + __u32 retval = mode;
53825 + struct acl_subject_label *curracl;
53826 + struct acl_object_label *currobj;
53827 +
53828 + if (unlikely(!(gr_status & GR_READY)))
53829 + return (mode & ~GR_AUDITS);
53830 +
53831 + curracl = current->acl;
53832 +
53833 + currobj = chk_obj_label(dentry, mnt, curracl);
53834 + retval = currobj->mode & mode;
53835 +
53836 + /* if we're opening a specified transfer file for writing
53837 + (e.g. /dev/initctl), then transfer our role to init
53838 + */
53839 + if (unlikely(currobj->mode & GR_INIT_TRANSFER && retval & GR_WRITE &&
53840 + current->role->roletype & GR_ROLE_PERSIST)) {
53841 + struct task_struct *task = init_pid_ns.child_reaper;
53842 +
53843 + if (task->role != current->role) {
53844 + task->acl_sp_role = 0;
53845 + task->acl_role_id = current->acl_role_id;
53846 + task->role = current->role;
53847 + rcu_read_lock();
53848 + read_lock(&grsec_exec_file_lock);
53849 + gr_apply_subject_to_task(task);
53850 + read_unlock(&grsec_exec_file_lock);
53851 + rcu_read_unlock();
53852 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_INIT_TRANSFER_MSG);
53853 + }
53854 + }
53855 +
53856 + if (unlikely
53857 + ((curracl->mode & (GR_LEARN | GR_INHERITLEARN)) && !(mode & GR_NOPTRACE)
53858 + && (retval != (mode & ~(GR_AUDITS | GR_SUPPRESS))))) {
53859 + __u32 new_mode = mode;
53860 +
53861 + new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
53862 +
53863 + retval = new_mode;
53864 +
53865 + if (new_mode & GR_EXEC && curracl->mode & GR_INHERITLEARN)
53866 + new_mode |= GR_INHERIT;
53867 +
53868 + if (!(mode & GR_NOLEARN))
53869 + gr_log_learn(dentry, mnt, new_mode);
53870 + }
53871 +
53872 + return retval;
53873 +}
53874 +
53875 +__u32
53876 +gr_check_create(const struct dentry * new_dentry, const struct dentry * parent,
53877 + const struct vfsmount * mnt, const __u32 mode)
53878 +{
53879 + struct name_entry *match;
53880 + struct acl_object_label *matchpo;
53881 + struct acl_subject_label *curracl;
53882 + char *path;
53883 + __u32 retval;
53884 +
53885 + if (unlikely(!(gr_status & GR_READY)))
53886 + return (mode & ~GR_AUDITS);
53887 +
53888 + preempt_disable();
53889 + path = gr_to_filename_rbac(new_dentry, mnt);
53890 + match = lookup_name_entry_create(path);
53891 +
53892 + if (!match)
53893 + goto check_parent;
53894 +
53895 + curracl = current->acl;
53896 +
53897 + read_lock(&gr_inode_lock);
53898 + matchpo = lookup_acl_obj_label_create(match->inode, match->device, curracl);
53899 + read_unlock(&gr_inode_lock);
53900 +
53901 + if (matchpo) {
53902 + if ((matchpo->mode & mode) !=
53903 + (mode & ~(GR_AUDITS | GR_SUPPRESS))
53904 + && curracl->mode & (GR_LEARN | GR_INHERITLEARN)) {
53905 + __u32 new_mode = mode;
53906 +
53907 + new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
53908 +
53909 + gr_log_learn(new_dentry, mnt, new_mode);
53910 +
53911 + preempt_enable();
53912 + return new_mode;
53913 + }
53914 + preempt_enable();
53915 + return (matchpo->mode & mode);
53916 + }
53917 +
53918 + check_parent:
53919 + curracl = current->acl;
53920 +
53921 + matchpo = chk_obj_create_label(parent, mnt, curracl, path);
53922 + retval = matchpo->mode & mode;
53923 +
53924 + if ((retval != (mode & ~(GR_AUDITS | GR_SUPPRESS)))
53925 + && (curracl->mode & (GR_LEARN | GR_INHERITLEARN))) {
53926 + __u32 new_mode = mode;
53927 +
53928 + new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
53929 +
53930 + gr_log_learn(new_dentry, mnt, new_mode);
53931 + preempt_enable();
53932 + return new_mode;
53933 + }
53934 +
53935 + preempt_enable();
53936 + return retval;
53937 +}
53938 +
53939 +int
53940 +gr_check_hidden_task(const struct task_struct *task)
53941 +{
53942 + if (unlikely(!(gr_status & GR_READY)))
53943 + return 0;
53944 +
53945 + if (!(task->acl->mode & GR_PROCFIND) && !(current->acl->mode & GR_VIEW))
53946 + return 1;
53947 +
53948 + return 0;
53949 +}
53950 +
53951 +int
53952 +gr_check_protected_task(const struct task_struct *task)
53953 +{
53954 + if (unlikely(!(gr_status & GR_READY) || !task))
53955 + return 0;
53956 +
53957 + if ((task->acl->mode & GR_PROTECTED) && !(current->acl->mode & GR_KILL) &&
53958 + task->acl != current->acl)
53959 + return 1;
53960 +
53961 + return 0;
53962 +}
53963 +
53964 +int
53965 +gr_check_protected_task_fowner(struct pid *pid, enum pid_type type)
53966 +{
53967 + struct task_struct *p;
53968 + int ret = 0;
53969 +
53970 + if (unlikely(!(gr_status & GR_READY) || !pid))
53971 + return ret;
53972 +
53973 + read_lock(&tasklist_lock);
53974 + do_each_pid_task(pid, type, p) {
53975 + if ((p->acl->mode & GR_PROTECTED) && !(current->acl->mode & GR_KILL) &&
53976 + p->acl != current->acl) {
53977 + ret = 1;
53978 + goto out;
53979 + }
53980 + } while_each_pid_task(pid, type, p);
53981 +out:
53982 + read_unlock(&tasklist_lock);
53983 +
53984 + return ret;
53985 +}
53986 +
53987 +void
53988 +gr_copy_label(struct task_struct *tsk)
53989 +{
53990 + tsk->signal->used_accept = 0;
53991 + tsk->acl_sp_role = 0;
53992 + tsk->acl_role_id = current->acl_role_id;
53993 + tsk->acl = current->acl;
53994 + tsk->role = current->role;
53995 + tsk->signal->curr_ip = current->signal->curr_ip;
53996 + tsk->signal->saved_ip = current->signal->saved_ip;
53997 + if (current->exec_file)
53998 + get_file(current->exec_file);
53999 + tsk->exec_file = current->exec_file;
54000 + tsk->is_writable = current->is_writable;
54001 + if (unlikely(current->signal->used_accept)) {
54002 + current->signal->curr_ip = 0;
54003 + current->signal->saved_ip = 0;
54004 + }
54005 +
54006 + return;
54007 +}
54008 +
54009 +static void
54010 +gr_set_proc_res(struct task_struct *task)
54011 +{
54012 + struct acl_subject_label *proc;
54013 + unsigned short i;
54014 +
54015 + proc = task->acl;
54016 +
54017 + if (proc->mode & (GR_LEARN | GR_INHERITLEARN))
54018 + return;
54019 +
54020 + for (i = 0; i < RLIM_NLIMITS; i++) {
54021 + if (!(proc->resmask & (1 << i)))
54022 + continue;
54023 +
54024 + task->signal->rlim[i].rlim_cur = proc->res[i].rlim_cur;
54025 + task->signal->rlim[i].rlim_max = proc->res[i].rlim_max;
54026 + }
54027 +
54028 + return;
54029 +}
54030 +
54031 +extern int __gr_process_user_ban(struct user_struct *user);
54032 +
54033 +int
54034 +gr_check_user_change(int real, int effective, int fs)
54035 +{
54036 + unsigned int i;
54037 + __u16 num;
54038 + uid_t *uidlist;
54039 + int curuid;
54040 + int realok = 0;
54041 + int effectiveok = 0;
54042 + int fsok = 0;
54043 +
54044 +#if defined(CONFIG_GRKERNSEC_KERN_LOCKOUT) || defined(CONFIG_GRKERNSEC_BRUTE)
54045 + struct user_struct *user;
54046 +
54047 + if (real == -1)
54048 + goto skipit;
54049 +
54050 + user = find_user(real);
54051 + if (user == NULL)
54052 + goto skipit;
54053 +
54054 + if (__gr_process_user_ban(user)) {
54055 + /* for find_user */
54056 + free_uid(user);
54057 + return 1;
54058 + }
54059 +
54060 + /* for find_user */
54061 + free_uid(user);
54062 +
54063 +skipit:
54064 +#endif
54065 +
54066 + if (unlikely(!(gr_status & GR_READY)))
54067 + return 0;
54068 +
54069 + if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
54070 + gr_log_learn_id_change('u', real, effective, fs);
54071 +
54072 + num = current->acl->user_trans_num;
54073 + uidlist = current->acl->user_transitions;
54074 +
54075 + if (uidlist == NULL)
54076 + return 0;
54077 +
54078 + if (real == -1)
54079 + realok = 1;
54080 + if (effective == -1)
54081 + effectiveok = 1;
54082 + if (fs == -1)
54083 + fsok = 1;
54084 +
54085 + if (current->acl->user_trans_type & GR_ID_ALLOW) {
54086 + for (i = 0; i < num; i++) {
54087 + curuid = (int)uidlist[i];
54088 + if (real == curuid)
54089 + realok = 1;
54090 + if (effective == curuid)
54091 + effectiveok = 1;
54092 + if (fs == curuid)
54093 + fsok = 1;
54094 + }
54095 + } else if (current->acl->user_trans_type & GR_ID_DENY) {
54096 + for (i = 0; i < num; i++) {
54097 + curuid = (int)uidlist[i];
54098 + if (real == curuid)
54099 + break;
54100 + if (effective == curuid)
54101 + break;
54102 + if (fs == curuid)
54103 + break;
54104 + }
54105 + /* not in deny list */
54106 + if (i == num) {
54107 + realok = 1;
54108 + effectiveok = 1;
54109 + fsok = 1;
54110 + }
54111 + }
54112 +
54113 + if (realok && effectiveok && fsok)
54114 + return 0;
54115 + else {
54116 + gr_log_int(GR_DONT_AUDIT, GR_USRCHANGE_ACL_MSG, realok ? (effectiveok ? (fsok ? 0 : fs) : effective) : real);
54117 + return 1;
54118 + }
54119 +}
54120 +
54121 +int
54122 +gr_check_group_change(int real, int effective, int fs)
54123 +{
54124 + unsigned int i;
54125 + __u16 num;
54126 + gid_t *gidlist;
54127 + int curgid;
54128 + int realok = 0;
54129 + int effectiveok = 0;
54130 + int fsok = 0;
54131 +
54132 + if (unlikely(!(gr_status & GR_READY)))
54133 + return 0;
54134 +
54135 + if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
54136 + gr_log_learn_id_change('g', real, effective, fs);
54137 +
54138 + num = current->acl->group_trans_num;
54139 + gidlist = current->acl->group_transitions;
54140 +
54141 + if (gidlist == NULL)
54142 + return 0;
54143 +
54144 + if (real == -1)
54145 + realok = 1;
54146 + if (effective == -1)
54147 + effectiveok = 1;
54148 + if (fs == -1)
54149 + fsok = 1;
54150 +
54151 + if (current->acl->group_trans_type & GR_ID_ALLOW) {
54152 + for (i = 0; i < num; i++) {
54153 + curgid = (int)gidlist[i];
54154 + if (real == curgid)
54155 + realok = 1;
54156 + if (effective == curgid)
54157 + effectiveok = 1;
54158 + if (fs == curgid)
54159 + fsok = 1;
54160 + }
54161 + } else if (current->acl->group_trans_type & GR_ID_DENY) {
54162 + for (i = 0; i < num; i++) {
54163 + curgid = (int)gidlist[i];
54164 + if (real == curgid)
54165 + break;
54166 + if (effective == curgid)
54167 + break;
54168 + if (fs == curgid)
54169 + break;
54170 + }
54171 + /* not in deny list */
54172 + if (i == num) {
54173 + realok = 1;
54174 + effectiveok = 1;
54175 + fsok = 1;
54176 + }
54177 + }
54178 +
54179 + if (realok && effectiveok && fsok)
54180 + return 0;
54181 + else {
54182 + gr_log_int(GR_DONT_AUDIT, GR_GRPCHANGE_ACL_MSG, realok ? (effectiveok ? (fsok ? 0 : fs) : effective) : real);
54183 + return 1;
54184 + }
54185 +}
54186 +
54187 +void
54188 +gr_set_role_label(struct task_struct *task, const uid_t uid, const uid_t gid)
54189 +{
54190 + struct acl_role_label *role = task->role;
54191 + struct acl_subject_label *subj = NULL;
54192 + struct acl_object_label *obj;
54193 + struct file *filp;
54194 +
54195 + if (unlikely(!(gr_status & GR_READY)))
54196 + return;
54197 +
54198 + filp = task->exec_file;
54199 +
54200 + /* kernel process, we'll give them the kernel role */
54201 + if (unlikely(!filp)) {
54202 + task->role = kernel_role;
54203 + task->acl = kernel_role->root_label;
54204 + return;
54205 + } else if (!task->role || !(task->role->roletype & GR_ROLE_SPECIAL))
54206 + role = lookup_acl_role_label(task, uid, gid);
54207 +
54208 + /* perform subject lookup in possibly new role
54209 + we can use this result below in the case where role == task->role
54210 + */
54211 + subj = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt, role);
54212 +
54213 + /* if we changed uid/gid, but result in the same role
54214 + and are using inheritance, don't lose the inherited subject
54215 + if current subject is other than what normal lookup
54216 + would result in, we arrived via inheritance, don't
54217 + lose subject
54218 + */
54219 + if (role != task->role || (!(task->acl->mode & GR_INHERITLEARN) &&
54220 + (subj == task->acl)))
54221 + task->acl = subj;
54222 +
54223 + task->role = role;
54224 +
54225 + task->is_writable = 0;
54226 +
54227 + /* ignore additional mmap checks for processes that are writable
54228 + by the default ACL */
54229 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
54230 + if (unlikely(obj->mode & GR_WRITE))
54231 + task->is_writable = 1;
54232 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, task->role->root_label);
54233 + if (unlikely(obj->mode & GR_WRITE))
54234 + task->is_writable = 1;
54235 +
54236 +#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
54237 + printk(KERN_ALERT "Set role label for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
54238 +#endif
54239 +
54240 + gr_set_proc_res(task);
54241 +
54242 + return;
54243 +}
54244 +
54245 +int
54246 +gr_set_proc_label(const struct dentry *dentry, const struct vfsmount *mnt,
54247 + const int unsafe_share)
54248 +{
54249 + struct task_struct *task = current;
54250 + struct acl_subject_label *newacl;
54251 + struct acl_object_label *obj;
54252 + __u32 retmode;
54253 +
54254 + if (unlikely(!(gr_status & GR_READY)))
54255 + return 0;
54256 +
54257 + newacl = chk_subj_label(dentry, mnt, task->role);
54258 +
54259 + task_lock(task);
54260 + if ((((task->ptrace & PT_PTRACED) || unsafe_share) &&
54261 + !(task->acl->mode & GR_POVERRIDE) && (task->acl != newacl) &&
54262 + !(task->role->roletype & GR_ROLE_GOD) &&
54263 + !gr_search_file(dentry, GR_PTRACERD, mnt) &&
54264 + !(task->acl->mode & (GR_LEARN | GR_INHERITLEARN)))) {
54265 + task_unlock(task);
54266 + if (unsafe_share)
54267 + gr_log_fs_generic(GR_DONT_AUDIT, GR_UNSAFESHARE_EXEC_ACL_MSG, dentry, mnt);
54268 + else
54269 + gr_log_fs_generic(GR_DONT_AUDIT, GR_PTRACE_EXEC_ACL_MSG, dentry, mnt);
54270 + return -EACCES;
54271 + }
54272 + task_unlock(task);
54273 +
54274 + obj = chk_obj_label(dentry, mnt, task->acl);
54275 + retmode = obj->mode & (GR_INHERIT | GR_AUDIT_INHERIT);
54276 +
54277 + if (!(task->acl->mode & GR_INHERITLEARN) &&
54278 + ((newacl->mode & GR_LEARN) || !(retmode & GR_INHERIT))) {
54279 + if (obj->nested)
54280 + task->acl = obj->nested;
54281 + else
54282 + task->acl = newacl;
54283 + } else if (retmode & GR_INHERIT && retmode & GR_AUDIT_INHERIT)
54284 + gr_log_str_fs(GR_DO_AUDIT, GR_INHERIT_ACL_MSG, task->acl->filename, dentry, mnt);
54285 +
54286 + task->is_writable = 0;
54287 +
54288 + /* ignore additional mmap checks for processes that are writable
54289 + by the default ACL */
54290 + obj = chk_obj_label(dentry, mnt, default_role->root_label);
54291 + if (unlikely(obj->mode & GR_WRITE))
54292 + task->is_writable = 1;
54293 + obj = chk_obj_label(dentry, mnt, task->role->root_label);
54294 + if (unlikely(obj->mode & GR_WRITE))
54295 + task->is_writable = 1;
54296 +
54297 + gr_set_proc_res(task);
54298 +
54299 +#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
54300 + printk(KERN_ALERT "Set subject label for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
54301 +#endif
54302 + return 0;
54303 +}
54304 +
54305 +/* always called with valid inodev ptr */
54306 +static void
54307 +do_handle_delete(struct inodev_entry *inodev, const ino_t ino, const dev_t dev)
54308 +{
54309 + struct acl_object_label *matchpo;
54310 + struct acl_subject_label *matchps;
54311 + struct acl_subject_label *subj;
54312 + struct acl_role_label *role;
54313 + unsigned int x;
54314 +
54315 + FOR_EACH_ROLE_START(role)
54316 + FOR_EACH_SUBJECT_START(role, subj, x)
54317 + if ((matchpo = lookup_acl_obj_label(ino, dev, subj)) != NULL)
54318 + matchpo->mode |= GR_DELETED;
54319 + FOR_EACH_SUBJECT_END(subj,x)
54320 + FOR_EACH_NESTED_SUBJECT_START(role, subj)
54321 + if (subj->inode == ino && subj->device == dev)
54322 + subj->mode |= GR_DELETED;
54323 + FOR_EACH_NESTED_SUBJECT_END(subj)
54324 + if ((matchps = lookup_acl_subj_label(ino, dev, role)) != NULL)
54325 + matchps->mode |= GR_DELETED;
54326 + FOR_EACH_ROLE_END(role)
54327 +
54328 + inodev->nentry->deleted = 1;
54329 +
54330 + return;
54331 +}
54332 +
54333 +void
54334 +gr_handle_delete(const ino_t ino, const dev_t dev)
54335 +{
54336 + struct inodev_entry *inodev;
54337 +
54338 + if (unlikely(!(gr_status & GR_READY)))
54339 + return;
54340 +
54341 + write_lock(&gr_inode_lock);
54342 + inodev = lookup_inodev_entry(ino, dev);
54343 + if (inodev != NULL)
54344 + do_handle_delete(inodev, ino, dev);
54345 + write_unlock(&gr_inode_lock);
54346 +
54347 + return;
54348 +}
54349 +
54350 +static void
54351 +update_acl_obj_label(const ino_t oldinode, const dev_t olddevice,
54352 + const ino_t newinode, const dev_t newdevice,
54353 + struct acl_subject_label *subj)
54354 +{
54355 + unsigned int index = fhash(oldinode, olddevice, subj->obj_hash_size);
54356 + struct acl_object_label *match;
54357 +
54358 + match = subj->obj_hash[index];
54359 +
54360 + while (match && (match->inode != oldinode ||
54361 + match->device != olddevice ||
54362 + !(match->mode & GR_DELETED)))
54363 + match = match->next;
54364 +
54365 + if (match && (match->inode == oldinode)
54366 + && (match->device == olddevice)
54367 + && (match->mode & GR_DELETED)) {
54368 + if (match->prev == NULL) {
54369 + subj->obj_hash[index] = match->next;
54370 + if (match->next != NULL)
54371 + match->next->prev = NULL;
54372 + } else {
54373 + match->prev->next = match->next;
54374 + if (match->next != NULL)
54375 + match->next->prev = match->prev;
54376 + }
54377 + match->prev = NULL;
54378 + match->next = NULL;
54379 + match->inode = newinode;
54380 + match->device = newdevice;
54381 + match->mode &= ~GR_DELETED;
54382 +
54383 + insert_acl_obj_label(match, subj);
54384 + }
54385 +
54386 + return;
54387 +}
54388 +
54389 +static void
54390 +update_acl_subj_label(const ino_t oldinode, const dev_t olddevice,
54391 + const ino_t newinode, const dev_t newdevice,
54392 + struct acl_role_label *role)
54393 +{
54394 + unsigned int index = fhash(oldinode, olddevice, role->subj_hash_size);
54395 + struct acl_subject_label *match;
54396 +
54397 + match = role->subj_hash[index];
54398 +
54399 + while (match && (match->inode != oldinode ||
54400 + match->device != olddevice ||
54401 + !(match->mode & GR_DELETED)))
54402 + match = match->next;
54403 +
54404 + if (match && (match->inode == oldinode)
54405 + && (match->device == olddevice)
54406 + && (match->mode & GR_DELETED)) {
54407 + if (match->prev == NULL) {
54408 + role->subj_hash[index] = match->next;
54409 + if (match->next != NULL)
54410 + match->next->prev = NULL;
54411 + } else {
54412 + match->prev->next = match->next;
54413 + if (match->next != NULL)
54414 + match->next->prev = match->prev;
54415 + }
54416 + match->prev = NULL;
54417 + match->next = NULL;
54418 + match->inode = newinode;
54419 + match->device = newdevice;
54420 + match->mode &= ~GR_DELETED;
54421 +
54422 + insert_acl_subj_label(match, role);
54423 + }
54424 +
54425 + return;
54426 +}
54427 +
54428 +static void
54429 +update_inodev_entry(const ino_t oldinode, const dev_t olddevice,
54430 + const ino_t newinode, const dev_t newdevice)
54431 +{
54432 + unsigned int index = fhash(oldinode, olddevice, inodev_set.i_size);
54433 + struct inodev_entry *match;
54434 +
54435 + match = inodev_set.i_hash[index];
54436 +
54437 + while (match && (match->nentry->inode != oldinode ||
54438 + match->nentry->device != olddevice || !match->nentry->deleted))
54439 + match = match->next;
54440 +
54441 + if (match && (match->nentry->inode == oldinode)
54442 + && (match->nentry->device == olddevice) &&
54443 + match->nentry->deleted) {
54444 + if (match->prev == NULL) {
54445 + inodev_set.i_hash[index] = match->next;
54446 + if (match->next != NULL)
54447 + match->next->prev = NULL;
54448 + } else {
54449 + match->prev->next = match->next;
54450 + if (match->next != NULL)
54451 + match->next->prev = match->prev;
54452 + }
54453 + match->prev = NULL;
54454 + match->next = NULL;
54455 + match->nentry->inode = newinode;
54456 + match->nentry->device = newdevice;
54457 + match->nentry->deleted = 0;
54458 +
54459 + insert_inodev_entry(match);
54460 + }
54461 +
54462 + return;
54463 +}
54464 +
54465 +static void
54466 +do_handle_create(const struct name_entry *matchn, const struct dentry *dentry,
54467 + const struct vfsmount *mnt)
54468 +{
54469 + struct acl_subject_label *subj;
54470 + struct acl_role_label *role;
54471 + unsigned int x;
54472 + ino_t ino = dentry->d_inode->i_ino;
54473 + dev_t dev = __get_dev(dentry);
54474 +
54475 + FOR_EACH_ROLE_START(role)
54476 + update_acl_subj_label(matchn->inode, matchn->device, ino, dev, role);
54477 +
54478 + FOR_EACH_NESTED_SUBJECT_START(role, subj)
54479 + if ((subj->inode == ino) && (subj->device == dev)) {
54480 + subj->inode = ino;
54481 + subj->device = dev;
54482 + }
54483 + FOR_EACH_NESTED_SUBJECT_END(subj)
54484 + FOR_EACH_SUBJECT_START(role, subj, x)
54485 + update_acl_obj_label(matchn->inode, matchn->device,
54486 + ino, dev, subj);
54487 + FOR_EACH_SUBJECT_END(subj,x)
54488 + FOR_EACH_ROLE_END(role)
54489 +
54490 + update_inodev_entry(matchn->inode, matchn->device, ino, dev);
54491 +
54492 + return;
54493 +}
54494 +
54495 +void
54496 +gr_handle_create(const struct dentry *dentry, const struct vfsmount *mnt)
54497 +{
54498 + struct name_entry *matchn;
54499 +
54500 + if (unlikely(!(gr_status & GR_READY)))
54501 + return;
54502 +
54503 + preempt_disable();
54504 + matchn = lookup_name_entry(gr_to_filename_rbac(dentry, mnt));
54505 +
54506 + if (unlikely((unsigned long)matchn)) {
54507 + write_lock(&gr_inode_lock);
54508 + do_handle_create(matchn, dentry, mnt);
54509 + write_unlock(&gr_inode_lock);
54510 + }
54511 + preempt_enable();
54512 +
54513 + return;
54514 +}
54515 +
54516 +void
54517 +gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
54518 + struct dentry *old_dentry,
54519 + struct dentry *new_dentry,
54520 + struct vfsmount *mnt, const __u8 replace)
54521 +{
54522 + struct name_entry *matchn;
54523 + struct inodev_entry *inodev;
54524 + ino_t old_ino = old_dentry->d_inode->i_ino;
54525 + dev_t old_dev = __get_dev(old_dentry);
54526 +
54527 + /* vfs_rename swaps the name and parent link for old_dentry and
54528 + new_dentry
54529 + at this point, old_dentry has the new name, parent link, and inode
54530 + for the renamed file
54531 + if a file is being replaced by a rename, new_dentry has the inode
54532 + and name for the replaced file
54533 + */
54534 +
54535 + if (unlikely(!(gr_status & GR_READY)))
54536 + return;
54537 +
54538 + preempt_disable();
54539 + matchn = lookup_name_entry(gr_to_filename_rbac(old_dentry, mnt));
54540 +
54541 + /* we wouldn't have to check d_inode if it weren't for
54542 + NFS silly-renaming
54543 + */
54544 +
54545 + write_lock(&gr_inode_lock);
54546 + if (unlikely(replace && new_dentry->d_inode)) {
54547 + ino_t new_ino = new_dentry->d_inode->i_ino;
54548 + dev_t new_dev = __get_dev(new_dentry);
54549 +
54550 + inodev = lookup_inodev_entry(new_ino, new_dev);
54551 + if (inodev != NULL && (new_dentry->d_inode->i_nlink <= 1))
54552 + do_handle_delete(inodev, new_ino, new_dev);
54553 + }
54554 +
54555 + inodev = lookup_inodev_entry(old_ino, old_dev);
54556 + if (inodev != NULL && (old_dentry->d_inode->i_nlink <= 1))
54557 + do_handle_delete(inodev, old_ino, old_dev);
54558 +
54559 + if (unlikely((unsigned long)matchn))
54560 + do_handle_create(matchn, old_dentry, mnt);
54561 +
54562 + write_unlock(&gr_inode_lock);
54563 + preempt_enable();
54564 +
54565 + return;
54566 +}
54567 +
54568 +static int
54569 +lookup_special_role_auth(__u16 mode, const char *rolename, unsigned char **salt,
54570 + unsigned char **sum)
54571 +{
54572 + struct acl_role_label *r;
54573 + struct role_allowed_ip *ipp;
54574 + struct role_transition *trans;
54575 + unsigned int i;
54576 + int found = 0;
54577 + u32 curr_ip = current->signal->curr_ip;
54578 +
54579 + current->signal->saved_ip = curr_ip;
54580 +
54581 + /* check transition table */
54582 +
54583 + for (trans = current->role->transitions; trans; trans = trans->next) {
54584 + if (!strcmp(rolename, trans->rolename)) {
54585 + found = 1;
54586 + break;
54587 + }
54588 + }
54589 +
54590 + if (!found)
54591 + return 0;
54592 +
54593 + /* handle special roles that do not require authentication
54594 + and check ip */
54595 +
54596 + FOR_EACH_ROLE_START(r)
54597 + if (!strcmp(rolename, r->rolename) &&
54598 + (r->roletype & GR_ROLE_SPECIAL)) {
54599 + found = 0;
54600 + if (r->allowed_ips != NULL) {
54601 + for (ipp = r->allowed_ips; ipp; ipp = ipp->next) {
54602 + if ((ntohl(curr_ip) & ipp->netmask) ==
54603 + (ntohl(ipp->addr) & ipp->netmask))
54604 + found = 1;
54605 + }
54606 + } else
54607 + found = 2;
54608 + if (!found)
54609 + return 0;
54610 +
54611 + if (((mode == GR_SPROLE) && (r->roletype & GR_ROLE_NOPW)) ||
54612 + ((mode == GR_SPROLEPAM) && (r->roletype & GR_ROLE_PAM))) {
54613 + *salt = NULL;
54614 + *sum = NULL;
54615 + return 1;
54616 + }
54617 + }
54618 + FOR_EACH_ROLE_END(r)
54619 +
54620 + for (i = 0; i < num_sprole_pws; i++) {
54621 + if (!strcmp(rolename, acl_special_roles[i]->rolename)) {
54622 + *salt = acl_special_roles[i]->salt;
54623 + *sum = acl_special_roles[i]->sum;
54624 + return 1;
54625 + }
54626 + }
54627 +
54628 + return 0;
54629 +}
54630 +
54631 +static void
54632 +assign_special_role(char *rolename)
54633 +{
54634 + struct acl_object_label *obj;
54635 + struct acl_role_label *r;
54636 + struct acl_role_label *assigned = NULL;
54637 + struct task_struct *tsk;
54638 + struct file *filp;
54639 +
54640 + FOR_EACH_ROLE_START(r)
54641 + if (!strcmp(rolename, r->rolename) &&
54642 + (r->roletype & GR_ROLE_SPECIAL)) {
54643 + assigned = r;
54644 + break;
54645 + }
54646 + FOR_EACH_ROLE_END(r)
54647 +
54648 + if (!assigned)
54649 + return;
54650 +
54651 + read_lock(&tasklist_lock);
54652 + read_lock(&grsec_exec_file_lock);
54653 +
54654 + tsk = current->real_parent;
54655 + if (tsk == NULL)
54656 + goto out_unlock;
54657 +
54658 + filp = tsk->exec_file;
54659 + if (filp == NULL)
54660 + goto out_unlock;
54661 +
54662 + tsk->is_writable = 0;
54663 +
54664 + tsk->acl_sp_role = 1;
54665 + tsk->acl_role_id = ++acl_sp_role_value;
54666 + tsk->role = assigned;
54667 + tsk->acl = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt, tsk->role);
54668 +
54669 + /* ignore additional mmap checks for processes that are writable
54670 + by the default ACL */
54671 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
54672 + if (unlikely(obj->mode & GR_WRITE))
54673 + tsk->is_writable = 1;
54674 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, tsk->role->root_label);
54675 + if (unlikely(obj->mode & GR_WRITE))
54676 + tsk->is_writable = 1;
54677 +
54678 +#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
54679 + printk(KERN_ALERT "Assigning special role:%s subject:%s to process (%s:%d)\n", tsk->role->rolename, tsk->acl->filename, tsk->comm, tsk->pid);
54680 +#endif
54681 +
54682 +out_unlock:
54683 + read_unlock(&grsec_exec_file_lock);
54684 + read_unlock(&tasklist_lock);
54685 + return;
54686 +}
54687 +
54688 +int gr_check_secure_terminal(struct task_struct *task)
54689 +{
54690 + struct task_struct *p, *p2, *p3;
54691 + struct files_struct *files;
54692 + struct fdtable *fdt;
54693 + struct file *our_file = NULL, *file;
54694 + int i;
54695 +
54696 + if (task->signal->tty == NULL)
54697 + return 1;
54698 +
54699 + files = get_files_struct(task);
54700 + if (files != NULL) {
54701 + rcu_read_lock();
54702 + fdt = files_fdtable(files);
54703 + for (i=0; i < fdt->max_fds; i++) {
54704 + file = fcheck_files(files, i);
54705 + if (file && (our_file == NULL) && (file->private_data == task->signal->tty)) {
54706 + get_file(file);
54707 + our_file = file;
54708 + }
54709 + }
54710 + rcu_read_unlock();
54711 + put_files_struct(files);
54712 + }
54713 +
54714 + if (our_file == NULL)
54715 + return 1;
54716 +
54717 + read_lock(&tasklist_lock);
54718 + do_each_thread(p2, p) {
54719 + files = get_files_struct(p);
54720 + if (files == NULL ||
54721 + (p->signal && p->signal->tty == task->signal->tty)) {
54722 + if (files != NULL)
54723 + put_files_struct(files);
54724 + continue;
54725 + }
54726 + rcu_read_lock();
54727 + fdt = files_fdtable(files);
54728 + for (i=0; i < fdt->max_fds; i++) {
54729 + file = fcheck_files(files, i);
54730 + if (file && S_ISCHR(file->f_path.dentry->d_inode->i_mode) &&
54731 + file->f_path.dentry->d_inode->i_rdev == our_file->f_path.dentry->d_inode->i_rdev) {
54732 + p3 = task;
54733 + while (p3->pid > 0) {
54734 + if (p3 == p)
54735 + break;
54736 + p3 = p3->real_parent;
54737 + }
54738 + if (p3 == p)
54739 + break;
54740 + gr_log_ttysniff(GR_DONT_AUDIT_GOOD, GR_TTYSNIFF_ACL_MSG, p);
54741 + gr_handle_alertkill(p);
54742 + rcu_read_unlock();
54743 + put_files_struct(files);
54744 + read_unlock(&tasklist_lock);
54745 + fput(our_file);
54746 + return 0;
54747 + }
54748 + }
54749 + rcu_read_unlock();
54750 + put_files_struct(files);
54751 + } while_each_thread(p2, p);
54752 + read_unlock(&tasklist_lock);
54753 +
54754 + fput(our_file);
54755 + return 1;
54756 +}
54757 +
54758 +ssize_t
54759 +write_grsec_handler(struct file *file, const char * buf, size_t count, loff_t *ppos)
54760 +{
54761 + struct gr_arg_wrapper uwrap;
54762 + unsigned char *sprole_salt = NULL;
54763 + unsigned char *sprole_sum = NULL;
54764 + int error = sizeof (struct gr_arg_wrapper);
54765 + int error2 = 0;
54766 +
54767 + mutex_lock(&gr_dev_mutex);
54768 +
54769 + if ((gr_status & GR_READY) && !(current->acl->mode & GR_KERNELAUTH)) {
54770 + error = -EPERM;
54771 + goto out;
54772 + }
54773 +
54774 + if (count != sizeof (struct gr_arg_wrapper)) {
54775 + gr_log_int_int(GR_DONT_AUDIT_GOOD, GR_DEV_ACL_MSG, (int)count, (int)sizeof(struct gr_arg_wrapper));
54776 + error = -EINVAL;
54777 + goto out;
54778 + }
54779 +
54780 +
54781 + if (gr_auth_expires && time_after_eq(get_seconds(), gr_auth_expires)) {
54782 + gr_auth_expires = 0;
54783 + gr_auth_attempts = 0;
54784 + }
54785 +
54786 + if (copy_from_user(&uwrap, buf, sizeof (struct gr_arg_wrapper))) {
54787 + error = -EFAULT;
54788 + goto out;
54789 + }
54790 +
54791 + if ((uwrap.version != GRSECURITY_VERSION) || (uwrap.size != sizeof(struct gr_arg))) {
54792 + error = -EINVAL;
54793 + goto out;
54794 + }
54795 +
54796 + if (copy_from_user(gr_usermode, uwrap.arg, sizeof (struct gr_arg))) {
54797 + error = -EFAULT;
54798 + goto out;
54799 + }
54800 +
54801 + if (gr_usermode->mode != GR_SPROLE && gr_usermode->mode != GR_SPROLEPAM &&
54802 + gr_auth_attempts >= CONFIG_GRKERNSEC_ACL_MAXTRIES &&
54803 + time_after(gr_auth_expires, get_seconds())) {
54804 + error = -EBUSY;
54805 + goto out;
54806 + }
54807 +
54808 + /* if non-root trying to do anything other than use a special role,
54809 + do not attempt authentication, do not count towards authentication
54810 + locking
54811 + */
54812 +
54813 + if (gr_usermode->mode != GR_SPROLE && gr_usermode->mode != GR_STATUS &&
54814 + gr_usermode->mode != GR_UNSPROLE && gr_usermode->mode != GR_SPROLEPAM &&
54815 + current_uid()) {
54816 + error = -EPERM;
54817 + goto out;
54818 + }
54819 +
54820 + /* ensure pw and special role name are null terminated */
54821 +
54822 + gr_usermode->pw[GR_PW_LEN - 1] = '\0';
54823 + gr_usermode->sp_role[GR_SPROLE_LEN - 1] = '\0';
54824 +
54825 + /* Okay.
54826 + * We have our enough of the argument structure..(we have yet
54827 + * to copy_from_user the tables themselves) . Copy the tables
54828 + * only if we need them, i.e. for loading operations. */
54829 +
54830 + switch (gr_usermode->mode) {
54831 + case GR_STATUS:
54832 + if (gr_status & GR_READY) {
54833 + error = 1;
54834 + if (!gr_check_secure_terminal(current))
54835 + error = 3;
54836 + } else
54837 + error = 2;
54838 + goto out;
54839 + case GR_SHUTDOWN:
54840 + if ((gr_status & GR_READY)
54841 + && !(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
54842 + pax_open_kernel();
54843 + gr_status &= ~GR_READY;
54844 + pax_close_kernel();
54845 +
54846 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SHUTS_ACL_MSG);
54847 + free_variables();
54848 + memset(gr_usermode, 0, sizeof (struct gr_arg));
54849 + memset(gr_system_salt, 0, GR_SALT_LEN);
54850 + memset(gr_system_sum, 0, GR_SHA_LEN);
54851 + } else if (gr_status & GR_READY) {
54852 + gr_log_noargs(GR_DONT_AUDIT, GR_SHUTF_ACL_MSG);
54853 + error = -EPERM;
54854 + } else {
54855 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SHUTI_ACL_MSG);
54856 + error = -EAGAIN;
54857 + }
54858 + break;
54859 + case GR_ENABLE:
54860 + if (!(gr_status & GR_READY) && !(error2 = gracl_init(gr_usermode)))
54861 + gr_log_str(GR_DONT_AUDIT_GOOD, GR_ENABLE_ACL_MSG, GR_VERSION);
54862 + else {
54863 + if (gr_status & GR_READY)
54864 + error = -EAGAIN;
54865 + else
54866 + error = error2;
54867 + gr_log_str(GR_DONT_AUDIT, GR_ENABLEF_ACL_MSG, GR_VERSION);
54868 + }
54869 + break;
54870 + case GR_RELOAD:
54871 + if (!(gr_status & GR_READY)) {
54872 + gr_log_str(GR_DONT_AUDIT_GOOD, GR_RELOADI_ACL_MSG, GR_VERSION);
54873 + error = -EAGAIN;
54874 + } else if (!(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
54875 + preempt_disable();
54876 +
54877 + pax_open_kernel();
54878 + gr_status &= ~GR_READY;
54879 + pax_close_kernel();
54880 +
54881 + free_variables();
54882 + if (!(error2 = gracl_init(gr_usermode))) {
54883 + preempt_enable();
54884 + gr_log_str(GR_DONT_AUDIT_GOOD, GR_RELOAD_ACL_MSG, GR_VERSION);
54885 + } else {
54886 + preempt_enable();
54887 + error = error2;
54888 + gr_log_str(GR_DONT_AUDIT, GR_RELOADF_ACL_MSG, GR_VERSION);
54889 + }
54890 + } else {
54891 + gr_log_str(GR_DONT_AUDIT, GR_RELOADF_ACL_MSG, GR_VERSION);
54892 + error = -EPERM;
54893 + }
54894 + break;
54895 + case GR_SEGVMOD:
54896 + if (unlikely(!(gr_status & GR_READY))) {
54897 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SEGVMODI_ACL_MSG);
54898 + error = -EAGAIN;
54899 + break;
54900 + }
54901 +
54902 + if (!(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
54903 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SEGVMODS_ACL_MSG);
54904 + if (gr_usermode->segv_device && gr_usermode->segv_inode) {
54905 + struct acl_subject_label *segvacl;
54906 + segvacl =
54907 + lookup_acl_subj_label(gr_usermode->segv_inode,
54908 + gr_usermode->segv_device,
54909 + current->role);
54910 + if (segvacl) {
54911 + segvacl->crashes = 0;
54912 + segvacl->expires = 0;
54913 + }
54914 + } else if (gr_find_uid(gr_usermode->segv_uid) >= 0) {
54915 + gr_remove_uid(gr_usermode->segv_uid);
54916 + }
54917 + } else {
54918 + gr_log_noargs(GR_DONT_AUDIT, GR_SEGVMODF_ACL_MSG);
54919 + error = -EPERM;
54920 + }
54921 + break;
54922 + case GR_SPROLE:
54923 + case GR_SPROLEPAM:
54924 + if (unlikely(!(gr_status & GR_READY))) {
54925 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SPROLEI_ACL_MSG);
54926 + error = -EAGAIN;
54927 + break;
54928 + }
54929 +
54930 + if (current->role->expires && time_after_eq(get_seconds(), current->role->expires)) {
54931 + current->role->expires = 0;
54932 + current->role->auth_attempts = 0;
54933 + }
54934 +
54935 + if (current->role->auth_attempts >= CONFIG_GRKERNSEC_ACL_MAXTRIES &&
54936 + time_after(current->role->expires, get_seconds())) {
54937 + error = -EBUSY;
54938 + goto out;
54939 + }
54940 +
54941 + if (lookup_special_role_auth
54942 + (gr_usermode->mode, gr_usermode->sp_role, &sprole_salt, &sprole_sum)
54943 + && ((!sprole_salt && !sprole_sum)
54944 + || !(chkpw(gr_usermode, sprole_salt, sprole_sum)))) {
54945 + char *p = "";
54946 + assign_special_role(gr_usermode->sp_role);
54947 + read_lock(&tasklist_lock);
54948 + if (current->real_parent)
54949 + p = current->real_parent->role->rolename;
54950 + read_unlock(&tasklist_lock);
54951 + gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_SPROLES_ACL_MSG,
54952 + p, acl_sp_role_value);
54953 + } else {
54954 + gr_log_str(GR_DONT_AUDIT, GR_SPROLEF_ACL_MSG, gr_usermode->sp_role);
54955 + error = -EPERM;
54956 + if(!(current->role->auth_attempts++))
54957 + current->role->expires = get_seconds() + CONFIG_GRKERNSEC_ACL_TIMEOUT;
54958 +
54959 + goto out;
54960 + }
54961 + break;
54962 + case GR_UNSPROLE:
54963 + if (unlikely(!(gr_status & GR_READY))) {
54964 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_UNSPROLEI_ACL_MSG);
54965 + error = -EAGAIN;
54966 + break;
54967 + }
54968 +
54969 + if (current->role->roletype & GR_ROLE_SPECIAL) {
54970 + char *p = "";
54971 + int i = 0;
54972 +
54973 + read_lock(&tasklist_lock);
54974 + if (current->real_parent) {
54975 + p = current->real_parent->role->rolename;
54976 + i = current->real_parent->acl_role_id;
54977 + }
54978 + read_unlock(&tasklist_lock);
54979 +
54980 + gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_UNSPROLES_ACL_MSG, p, i);
54981 + gr_set_acls(1);
54982 + } else {
54983 + error = -EPERM;
54984 + goto out;
54985 + }
54986 + break;
54987 + default:
54988 + gr_log_int(GR_DONT_AUDIT, GR_INVMODE_ACL_MSG, gr_usermode->mode);
54989 + error = -EINVAL;
54990 + break;
54991 + }
54992 +
54993 + if (error != -EPERM)
54994 + goto out;
54995 +
54996 + if(!(gr_auth_attempts++))
54997 + gr_auth_expires = get_seconds() + CONFIG_GRKERNSEC_ACL_TIMEOUT;
54998 +
54999 + out:
55000 + mutex_unlock(&gr_dev_mutex);
55001 + return error;
55002 +}
55003 +
55004 +/* must be called with
55005 + rcu_read_lock();
55006 + read_lock(&tasklist_lock);
55007 + read_lock(&grsec_exec_file_lock);
55008 +*/
55009 +int gr_apply_subject_to_task(struct task_struct *task)
55010 +{
55011 + struct acl_object_label *obj;
55012 + char *tmpname;
55013 + struct acl_subject_label *tmpsubj;
55014 + struct file *filp;
55015 + struct name_entry *nmatch;
55016 +
55017 + filp = task->exec_file;
55018 + if (filp == NULL)
55019 + return 0;
55020 +
55021 + /* the following is to apply the correct subject
55022 + on binaries running when the RBAC system
55023 + is enabled, when the binaries have been
55024 + replaced or deleted since their execution
55025 + -----
55026 + when the RBAC system starts, the inode/dev
55027 + from exec_file will be one the RBAC system
55028 + is unaware of. It only knows the inode/dev
55029 + of the present file on disk, or the absence
55030 + of it.
55031 + */
55032 + preempt_disable();
55033 + tmpname = gr_to_filename_rbac(filp->f_path.dentry, filp->f_path.mnt);
55034 +
55035 + nmatch = lookup_name_entry(tmpname);
55036 + preempt_enable();
55037 + tmpsubj = NULL;
55038 + if (nmatch) {
55039 + if (nmatch->deleted)
55040 + tmpsubj = lookup_acl_subj_label_deleted(nmatch->inode, nmatch->device, task->role);
55041 + else
55042 + tmpsubj = lookup_acl_subj_label(nmatch->inode, nmatch->device, task->role);
55043 + if (tmpsubj != NULL)
55044 + task->acl = tmpsubj;
55045 + }
55046 + if (tmpsubj == NULL)
55047 + task->acl = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt,
55048 + task->role);
55049 + if (task->acl) {
55050 + struct acl_subject_label *curr;
55051 + curr = task->acl;
55052 +
55053 + task->is_writable = 0;
55054 + /* ignore additional mmap checks for processes that are writable
55055 + by the default ACL */
55056 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
55057 + if (unlikely(obj->mode & GR_WRITE))
55058 + task->is_writable = 1;
55059 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, task->role->root_label);
55060 + if (unlikely(obj->mode & GR_WRITE))
55061 + task->is_writable = 1;
55062 +
55063 + gr_set_proc_res(task);
55064 +
55065 +#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
55066 + printk(KERN_ALERT "gr_set_acls for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
55067 +#endif
55068 + } else {
55069 + return 1;
55070 + }
55071 +
55072 + return 0;
55073 +}
55074 +
55075 +int
55076 +gr_set_acls(const int type)
55077 +{
55078 + struct task_struct *task, *task2;
55079 + struct acl_role_label *role = current->role;
55080 + __u16 acl_role_id = current->acl_role_id;
55081 + const struct cred *cred;
55082 + int ret;
55083 +
55084 + rcu_read_lock();
55085 + read_lock(&tasklist_lock);
55086 + read_lock(&grsec_exec_file_lock);
55087 + do_each_thread(task2, task) {
55088 + /* check to see if we're called from the exit handler,
55089 + if so, only replace ACLs that have inherited the admin
55090 + ACL */
55091 +
55092 + if (type && (task->role != role ||
55093 + task->acl_role_id != acl_role_id))
55094 + continue;
55095 +
55096 + task->acl_role_id = 0;
55097 + task->acl_sp_role = 0;
55098 +
55099 + if (task->exec_file) {
55100 + cred = __task_cred(task);
55101 + task->role = lookup_acl_role_label(task, cred->uid, cred->gid);
55102 + ret = gr_apply_subject_to_task(task);
55103 + if (ret) {
55104 + read_unlock(&grsec_exec_file_lock);
55105 + read_unlock(&tasklist_lock);
55106 + rcu_read_unlock();
55107 + gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_DEFACL_MSG, task->comm, task->pid);
55108 + return ret;
55109 + }
55110 + } else {
55111 + // it's a kernel process
55112 + task->role = kernel_role;
55113 + task->acl = kernel_role->root_label;
55114 +#ifdef CONFIG_GRKERNSEC_ACL_HIDEKERN
55115 + task->acl->mode &= ~GR_PROCFIND;
55116 +#endif
55117 + }
55118 + } while_each_thread(task2, task);
55119 + read_unlock(&grsec_exec_file_lock);
55120 + read_unlock(&tasklist_lock);
55121 + rcu_read_unlock();
55122 +
55123 + return 0;
55124 +}
55125 +
55126 +void
55127 +gr_learn_resource(const struct task_struct *task,
55128 + const int res, const unsigned long wanted, const int gt)
55129 +{
55130 + struct acl_subject_label *acl;
55131 + const struct cred *cred;
55132 +
55133 + if (unlikely((gr_status & GR_READY) &&
55134 + task->acl && (task->acl->mode & (GR_LEARN | GR_INHERITLEARN))))
55135 + goto skip_reslog;
55136 +
55137 +#ifdef CONFIG_GRKERNSEC_RESLOG
55138 + gr_log_resource(task, res, wanted, gt);
55139 +#endif
55140 + skip_reslog:
55141 +
55142 + if (unlikely(!(gr_status & GR_READY) || !wanted || res >= GR_NLIMITS))
55143 + return;
55144 +
55145 + acl = task->acl;
55146 +
55147 + if (likely(!acl || !(acl->mode & (GR_LEARN | GR_INHERITLEARN)) ||
55148 + !(acl->resmask & (1 << (unsigned short) res))))
55149 + return;
55150 +
55151 + if (wanted >= acl->res[res].rlim_cur) {
55152 + unsigned long res_add;
55153 +
55154 + res_add = wanted;
55155 + switch (res) {
55156 + case RLIMIT_CPU:
55157 + res_add += GR_RLIM_CPU_BUMP;
55158 + break;
55159 + case RLIMIT_FSIZE:
55160 + res_add += GR_RLIM_FSIZE_BUMP;
55161 + break;
55162 + case RLIMIT_DATA:
55163 + res_add += GR_RLIM_DATA_BUMP;
55164 + break;
55165 + case RLIMIT_STACK:
55166 + res_add += GR_RLIM_STACK_BUMP;
55167 + break;
55168 + case RLIMIT_CORE:
55169 + res_add += GR_RLIM_CORE_BUMP;
55170 + break;
55171 + case RLIMIT_RSS:
55172 + res_add += GR_RLIM_RSS_BUMP;
55173 + break;
55174 + case RLIMIT_NPROC:
55175 + res_add += GR_RLIM_NPROC_BUMP;
55176 + break;
55177 + case RLIMIT_NOFILE:
55178 + res_add += GR_RLIM_NOFILE_BUMP;
55179 + break;
55180 + case RLIMIT_MEMLOCK:
55181 + res_add += GR_RLIM_MEMLOCK_BUMP;
55182 + break;
55183 + case RLIMIT_AS:
55184 + res_add += GR_RLIM_AS_BUMP;
55185 + break;
55186 + case RLIMIT_LOCKS:
55187 + res_add += GR_RLIM_LOCKS_BUMP;
55188 + break;
55189 + case RLIMIT_SIGPENDING:
55190 + res_add += GR_RLIM_SIGPENDING_BUMP;
55191 + break;
55192 + case RLIMIT_MSGQUEUE:
55193 + res_add += GR_RLIM_MSGQUEUE_BUMP;
55194 + break;
55195 + case RLIMIT_NICE:
55196 + res_add += GR_RLIM_NICE_BUMP;
55197 + break;
55198 + case RLIMIT_RTPRIO:
55199 + res_add += GR_RLIM_RTPRIO_BUMP;
55200 + break;
55201 + case RLIMIT_RTTIME:
55202 + res_add += GR_RLIM_RTTIME_BUMP;
55203 + break;
55204 + }
55205 +
55206 + acl->res[res].rlim_cur = res_add;
55207 +
55208 + if (wanted > acl->res[res].rlim_max)
55209 + acl->res[res].rlim_max = res_add;
55210 +
55211 + /* only log the subject filename, since resource logging is supported for
55212 + single-subject learning only */
55213 + rcu_read_lock();
55214 + cred = __task_cred(task);
55215 + security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename,
55216 + task->role->roletype, cred->uid, cred->gid, acl->filename,
55217 + acl->filename, acl->res[res].rlim_cur, acl->res[res].rlim_max,
55218 + "", (unsigned long) res, &task->signal->saved_ip);
55219 + rcu_read_unlock();
55220 + }
55221 +
55222 + return;
55223 +}
55224 +
55225 +#if defined(CONFIG_PAX_HAVE_ACL_FLAGS) && (defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR))
55226 +void
55227 +pax_set_initial_flags(struct linux_binprm *bprm)
55228 +{
55229 + struct task_struct *task = current;
55230 + struct acl_subject_label *proc;
55231 + unsigned long flags;
55232 +
55233 + if (unlikely(!(gr_status & GR_READY)))
55234 + return;
55235 +
55236 + flags = pax_get_flags(task);
55237 +
55238 + proc = task->acl;
55239 +
55240 + if (proc->pax_flags & GR_PAX_DISABLE_PAGEEXEC)
55241 + flags &= ~MF_PAX_PAGEEXEC;
55242 + if (proc->pax_flags & GR_PAX_DISABLE_SEGMEXEC)
55243 + flags &= ~MF_PAX_SEGMEXEC;
55244 + if (proc->pax_flags & GR_PAX_DISABLE_RANDMMAP)
55245 + flags &= ~MF_PAX_RANDMMAP;
55246 + if (proc->pax_flags & GR_PAX_DISABLE_EMUTRAMP)
55247 + flags &= ~MF_PAX_EMUTRAMP;
55248 + if (proc->pax_flags & GR_PAX_DISABLE_MPROTECT)
55249 + flags &= ~MF_PAX_MPROTECT;
55250 +
55251 + if (proc->pax_flags & GR_PAX_ENABLE_PAGEEXEC)
55252 + flags |= MF_PAX_PAGEEXEC;
55253 + if (proc->pax_flags & GR_PAX_ENABLE_SEGMEXEC)
55254 + flags |= MF_PAX_SEGMEXEC;
55255 + if (proc->pax_flags & GR_PAX_ENABLE_RANDMMAP)
55256 + flags |= MF_PAX_RANDMMAP;
55257 + if (proc->pax_flags & GR_PAX_ENABLE_EMUTRAMP)
55258 + flags |= MF_PAX_EMUTRAMP;
55259 + if (proc->pax_flags & GR_PAX_ENABLE_MPROTECT)
55260 + flags |= MF_PAX_MPROTECT;
55261 +
55262 + pax_set_flags(task, flags);
55263 +
55264 + return;
55265 +}
55266 +#endif
55267 +
55268 +#ifdef CONFIG_SYSCTL
55269 +/* Eric Biederman likes breaking userland ABI and every inode-based security
55270 + system to save 35kb of memory */
55271 +
55272 +/* we modify the passed in filename, but adjust it back before returning */
55273 +static struct acl_object_label *gr_lookup_by_name(char *name, unsigned int len)
55274 +{
55275 + struct name_entry *nmatch;
55276 + char *p, *lastp = NULL;
55277 + struct acl_object_label *obj = NULL, *tmp;
55278 + struct acl_subject_label *tmpsubj;
55279 + char c = '\0';
55280 +
55281 + read_lock(&gr_inode_lock);
55282 +
55283 + p = name + len - 1;
55284 + do {
55285 + nmatch = lookup_name_entry(name);
55286 + if (lastp != NULL)
55287 + *lastp = c;
55288 +
55289 + if (nmatch == NULL)
55290 + goto next_component;
55291 + tmpsubj = current->acl;
55292 + do {
55293 + obj = lookup_acl_obj_label(nmatch->inode, nmatch->device, tmpsubj);
55294 + if (obj != NULL) {
55295 + tmp = obj->globbed;
55296 + while (tmp) {
55297 + if (!glob_match(tmp->filename, name)) {
55298 + obj = tmp;
55299 + goto found_obj;
55300 + }
55301 + tmp = tmp->next;
55302 + }
55303 + goto found_obj;
55304 + }
55305 + } while ((tmpsubj = tmpsubj->parent_subject));
55306 +next_component:
55307 + /* end case */
55308 + if (p == name)
55309 + break;
55310 +
55311 + while (*p != '/')
55312 + p--;
55313 + if (p == name)
55314 + lastp = p + 1;
55315 + else {
55316 + lastp = p;
55317 + p--;
55318 + }
55319 + c = *lastp;
55320 + *lastp = '\0';
55321 + } while (1);
55322 +found_obj:
55323 + read_unlock(&gr_inode_lock);
55324 + /* obj returned will always be non-null */
55325 + return obj;
55326 +}
55327 +
55328 +/* returns 0 when allowing, non-zero on error
55329 + op of 0 is used for readdir, so we don't log the names of hidden files
55330 +*/
55331 +__u32
55332 +gr_handle_sysctl(const struct ctl_table *table, const int op)
55333 +{
55334 + struct ctl_table *tmp;
55335 + const char *proc_sys = "/proc/sys";
55336 + char *path;
55337 + struct acl_object_label *obj;
55338 + unsigned short len = 0, pos = 0, depth = 0, i;
55339 + __u32 err = 0;
55340 + __u32 mode = 0;
55341 +
55342 + if (unlikely(!(gr_status & GR_READY)))
55343 + return 0;
55344 +
55345 + /* for now, ignore operations on non-sysctl entries if it's not a
55346 + readdir*/
55347 + if (table->child != NULL && op != 0)
55348 + return 0;
55349 +
55350 + mode |= GR_FIND;
55351 + /* it's only a read if it's an entry, read on dirs is for readdir */
55352 + if (op & MAY_READ)
55353 + mode |= GR_READ;
55354 + if (op & MAY_WRITE)
55355 + mode |= GR_WRITE;
55356 +
55357 + preempt_disable();
55358 +
55359 + path = per_cpu_ptr(gr_shared_page[0], smp_processor_id());
55360 +
55361 + /* it's only a read/write if it's an actual entry, not a dir
55362 + (which are opened for readdir)
55363 + */
55364 +
55365 + /* convert the requested sysctl entry into a pathname */
55366 +
55367 + for (tmp = (struct ctl_table *)table; tmp != NULL; tmp = tmp->parent) {
55368 + len += strlen(tmp->procname);
55369 + len++;
55370 + depth++;
55371 + }
55372 +
55373 + if ((len + depth + strlen(proc_sys) + 1) > PAGE_SIZE) {
55374 + /* deny */
55375 + goto out;
55376 + }
55377 +
55378 + memset(path, 0, PAGE_SIZE);
55379 +
55380 + memcpy(path, proc_sys, strlen(proc_sys));
55381 +
55382 + pos += strlen(proc_sys);
55383 +
55384 + for (; depth > 0; depth--) {
55385 + path[pos] = '/';
55386 + pos++;
55387 + for (i = 1, tmp = (struct ctl_table *)table; tmp != NULL; tmp = tmp->parent) {
55388 + if (depth == i) {
55389 + memcpy(path + pos, tmp->procname,
55390 + strlen(tmp->procname));
55391 + pos += strlen(tmp->procname);
55392 + }
55393 + i++;
55394 + }
55395 + }
55396 +
55397 + obj = gr_lookup_by_name(path, pos);
55398 + err = obj->mode & (mode | to_gr_audit(mode) | GR_SUPPRESS);
55399 +
55400 + if (unlikely((current->acl->mode & (GR_LEARN | GR_INHERITLEARN)) &&
55401 + ((err & mode) != mode))) {
55402 + __u32 new_mode = mode;
55403 +
55404 + new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
55405 +
55406 + err = 0;
55407 + gr_log_learn_sysctl(path, new_mode);
55408 + } else if (!(err & GR_FIND) && !(err & GR_SUPPRESS) && op != 0) {
55409 + gr_log_hidden_sysctl(GR_DONT_AUDIT, GR_HIDDEN_ACL_MSG, path);
55410 + err = -ENOENT;
55411 + } else if (!(err & GR_FIND)) {
55412 + err = -ENOENT;
55413 + } else if (((err & mode) & ~GR_FIND) != (mode & ~GR_FIND) && !(err & GR_SUPPRESS)) {
55414 + gr_log_str4(GR_DONT_AUDIT, GR_SYSCTL_ACL_MSG, "denied",
55415 + path, (mode & GR_READ) ? " reading" : "",
55416 + (mode & GR_WRITE) ? " writing" : "");
55417 + err = -EACCES;
55418 + } else if ((err & mode) != mode) {
55419 + err = -EACCES;
55420 + } else if ((((err & mode) & ~GR_FIND) == (mode & ~GR_FIND)) && (err & GR_AUDITS)) {
55421 + gr_log_str4(GR_DO_AUDIT, GR_SYSCTL_ACL_MSG, "successful",
55422 + path, (mode & GR_READ) ? " reading" : "",
55423 + (mode & GR_WRITE) ? " writing" : "");
55424 + err = 0;
55425 + } else
55426 + err = 0;
55427 +
55428 + out:
55429 + preempt_enable();
55430 +
55431 + return err;
55432 +}
55433 +#endif
55434 +
55435 +int
55436 +gr_handle_proc_ptrace(struct task_struct *task)
55437 +{
55438 + struct file *filp;
55439 + struct task_struct *tmp = task;
55440 + struct task_struct *curtemp = current;
55441 + __u32 retmode;
55442 +
55443 +#ifndef CONFIG_GRKERNSEC_HARDEN_PTRACE
55444 + if (unlikely(!(gr_status & GR_READY)))
55445 + return 0;
55446 +#endif
55447 +
55448 + read_lock(&tasklist_lock);
55449 + read_lock(&grsec_exec_file_lock);
55450 + filp = task->exec_file;
55451 +
55452 + while (tmp->pid > 0) {
55453 + if (tmp == curtemp)
55454 + break;
55455 + tmp = tmp->real_parent;
55456 + }
55457 +
55458 + if (!filp || (tmp->pid == 0 && ((grsec_enable_harden_ptrace && current_uid() && !(gr_status & GR_READY)) ||
55459 + ((gr_status & GR_READY) && !(current->acl->mode & GR_RELAXPTRACE))))) {
55460 + read_unlock(&grsec_exec_file_lock);
55461 + read_unlock(&tasklist_lock);
55462 + return 1;
55463 + }
55464 +
55465 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
55466 + if (!(gr_status & GR_READY)) {
55467 + read_unlock(&grsec_exec_file_lock);
55468 + read_unlock(&tasklist_lock);
55469 + return 0;
55470 + }
55471 +#endif
55472 +
55473 + retmode = gr_search_file(filp->f_path.dentry, GR_NOPTRACE, filp->f_path.mnt);
55474 + read_unlock(&grsec_exec_file_lock);
55475 + read_unlock(&tasklist_lock);
55476 +
55477 + if (retmode & GR_NOPTRACE)
55478 + return 1;
55479 +
55480 + if (!(current->acl->mode & GR_POVERRIDE) && !(current->role->roletype & GR_ROLE_GOD)
55481 + && (current->acl != task->acl || (current->acl != current->role->root_label
55482 + && current->pid != task->pid)))
55483 + return 1;
55484 +
55485 + return 0;
55486 +}
55487 +
55488 +void task_grsec_rbac(struct seq_file *m, struct task_struct *p)
55489 +{
55490 + if (unlikely(!(gr_status & GR_READY)))
55491 + return;
55492 +
55493 + if (!(current->role->roletype & GR_ROLE_GOD))
55494 + return;
55495 +
55496 + seq_printf(m, "RBAC:\t%.64s:%c:%.950s\n",
55497 + p->role->rolename, gr_task_roletype_to_char(p),
55498 + p->acl->filename);
55499 +}
55500 +
55501 +int
55502 +gr_handle_ptrace(struct task_struct *task, const long request)
55503 +{
55504 + struct task_struct *tmp = task;
55505 + struct task_struct *curtemp = current;
55506 + __u32 retmode;
55507 +
55508 +#ifndef CONFIG_GRKERNSEC_HARDEN_PTRACE
55509 + if (unlikely(!(gr_status & GR_READY)))
55510 + return 0;
55511 +#endif
55512 +
55513 + read_lock(&tasklist_lock);
55514 + while (tmp->pid > 0) {
55515 + if (tmp == curtemp)
55516 + break;
55517 + tmp = tmp->real_parent;
55518 + }
55519 +
55520 + if (tmp->pid == 0 && ((grsec_enable_harden_ptrace && current_uid() && !(gr_status & GR_READY)) ||
55521 + ((gr_status & GR_READY) && !(current->acl->mode & GR_RELAXPTRACE)))) {
55522 + read_unlock(&tasklist_lock);
55523 + gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
55524 + return 1;
55525 + }
55526 + read_unlock(&tasklist_lock);
55527 +
55528 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
55529 + if (!(gr_status & GR_READY))
55530 + return 0;
55531 +#endif
55532 +
55533 + read_lock(&grsec_exec_file_lock);
55534 + if (unlikely(!task->exec_file)) {
55535 + read_unlock(&grsec_exec_file_lock);
55536 + return 0;
55537 + }
55538 +
55539 + retmode = gr_search_file(task->exec_file->f_path.dentry, GR_PTRACERD | GR_NOPTRACE, task->exec_file->f_path.mnt);
55540 + read_unlock(&grsec_exec_file_lock);
55541 +
55542 + if (retmode & GR_NOPTRACE) {
55543 + gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
55544 + return 1;
55545 + }
55546 +
55547 + if (retmode & GR_PTRACERD) {
55548 + switch (request) {
55549 + case PTRACE_POKETEXT:
55550 + case PTRACE_POKEDATA:
55551 + case PTRACE_POKEUSR:
55552 +#if !defined(CONFIG_PPC32) && !defined(CONFIG_PPC64) && !defined(CONFIG_PARISC) && !defined(CONFIG_ALPHA) && !defined(CONFIG_IA64)
55553 + case PTRACE_SETREGS:
55554 + case PTRACE_SETFPREGS:
55555 +#endif
55556 +#ifdef CONFIG_X86
55557 + case PTRACE_SETFPXREGS:
55558 +#endif
55559 +#ifdef CONFIG_ALTIVEC
55560 + case PTRACE_SETVRREGS:
55561 +#endif
55562 + return 1;
55563 + default:
55564 + return 0;
55565 + }
55566 + } else if (!(current->acl->mode & GR_POVERRIDE) &&
55567 + !(current->role->roletype & GR_ROLE_GOD) &&
55568 + (current->acl != task->acl)) {
55569 + gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
55570 + return 1;
55571 + }
55572 +
55573 + return 0;
55574 +}
55575 +
55576 +static int is_writable_mmap(const struct file *filp)
55577 +{
55578 + struct task_struct *task = current;
55579 + struct acl_object_label *obj, *obj2;
55580 +
55581 + if (gr_status & GR_READY && !(task->acl->mode & GR_OVERRIDE) &&
55582 + !task->is_writable && S_ISREG(filp->f_path.dentry->d_inode->i_mode) && (filp->f_path.mnt != shm_mnt || (filp->f_path.dentry->d_inode->i_nlink > 0))) {
55583 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
55584 + obj2 = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt,
55585 + task->role->root_label);
55586 + if (unlikely((obj->mode & GR_WRITE) || (obj2->mode & GR_WRITE))) {
55587 + gr_log_fs_generic(GR_DONT_AUDIT, GR_WRITLIB_ACL_MSG, filp->f_path.dentry, filp->f_path.mnt);
55588 + return 1;
55589 + }
55590 + }
55591 + return 0;
55592 +}
55593 +
55594 +int
55595 +gr_acl_handle_mmap(const struct file *file, const unsigned long prot)
55596 +{
55597 + __u32 mode;
55598 +
55599 + if (unlikely(!file || !(prot & PROT_EXEC)))
55600 + return 1;
55601 +
55602 + if (is_writable_mmap(file))
55603 + return 0;
55604 +
55605 + mode =
55606 + gr_search_file(file->f_path.dentry,
55607 + GR_EXEC | GR_AUDIT_EXEC | GR_SUPPRESS,
55608 + file->f_path.mnt);
55609 +
55610 + if (!gr_tpe_allow(file))
55611 + return 0;
55612 +
55613 + if (unlikely(!(mode & GR_EXEC) && !(mode & GR_SUPPRESS))) {
55614 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_MMAP_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
55615 + return 0;
55616 + } else if (unlikely(!(mode & GR_EXEC))) {
55617 + return 0;
55618 + } else if (unlikely(mode & GR_EXEC && mode & GR_AUDIT_EXEC)) {
55619 + gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_MMAP_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
55620 + return 1;
55621 + }
55622 +
55623 + return 1;
55624 +}
55625 +
55626 +int
55627 +gr_acl_handle_mprotect(const struct file *file, const unsigned long prot)
55628 +{
55629 + __u32 mode;
55630 +
55631 + if (unlikely(!file || !(prot & PROT_EXEC)))
55632 + return 1;
55633 +
55634 + if (is_writable_mmap(file))
55635 + return 0;
55636 +
55637 + mode =
55638 + gr_search_file(file->f_path.dentry,
55639 + GR_EXEC | GR_AUDIT_EXEC | GR_SUPPRESS,
55640 + file->f_path.mnt);
55641 +
55642 + if (!gr_tpe_allow(file))
55643 + return 0;
55644 +
55645 + if (unlikely(!(mode & GR_EXEC) && !(mode & GR_SUPPRESS))) {
55646 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_MPROTECT_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
55647 + return 0;
55648 + } else if (unlikely(!(mode & GR_EXEC))) {
55649 + return 0;
55650 + } else if (unlikely(mode & GR_EXEC && mode & GR_AUDIT_EXEC)) {
55651 + gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_MPROTECT_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
55652 + return 1;
55653 + }
55654 +
55655 + return 1;
55656 +}
55657 +
55658 +void
55659 +gr_acl_handle_psacct(struct task_struct *task, const long code)
55660 +{
55661 + unsigned long runtime;
55662 + unsigned long cputime;
55663 + unsigned int wday, cday;
55664 + __u8 whr, chr;
55665 + __u8 wmin, cmin;
55666 + __u8 wsec, csec;
55667 + struct timespec timeval;
55668 +
55669 + if (unlikely(!(gr_status & GR_READY) || !task->acl ||
55670 + !(task->acl->mode & GR_PROCACCT)))
55671 + return;
55672 +
55673 + do_posix_clock_monotonic_gettime(&timeval);
55674 + runtime = timeval.tv_sec - task->start_time.tv_sec;
55675 + wday = runtime / (3600 * 24);
55676 + runtime -= wday * (3600 * 24);
55677 + whr = runtime / 3600;
55678 + runtime -= whr * 3600;
55679 + wmin = runtime / 60;
55680 + runtime -= wmin * 60;
55681 + wsec = runtime;
55682 +
55683 + cputime = (task->utime + task->stime) / HZ;
55684 + cday = cputime / (3600 * 24);
55685 + cputime -= cday * (3600 * 24);
55686 + chr = cputime / 3600;
55687 + cputime -= chr * 3600;
55688 + cmin = cputime / 60;
55689 + cputime -= cmin * 60;
55690 + csec = cputime;
55691 +
55692 + gr_log_procacct(GR_DO_AUDIT, GR_ACL_PROCACCT_MSG, task, wday, whr, wmin, wsec, cday, chr, cmin, csec, code);
55693 +
55694 + return;
55695 +}
55696 +
55697 +void gr_set_kernel_label(struct task_struct *task)
55698 +{
55699 + if (gr_status & GR_READY) {
55700 + task->role = kernel_role;
55701 + task->acl = kernel_role->root_label;
55702 + }
55703 + return;
55704 +}
55705 +
55706 +#ifdef CONFIG_TASKSTATS
55707 +int gr_is_taskstats_denied(int pid)
55708 +{
55709 + struct task_struct *task;
55710 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
55711 + const struct cred *cred;
55712 +#endif
55713 + int ret = 0;
55714 +
55715 + /* restrict taskstats viewing to un-chrooted root users
55716 + who have the 'view' subject flag if the RBAC system is enabled
55717 + */
55718 +
55719 + rcu_read_lock();
55720 + read_lock(&tasklist_lock);
55721 + task = find_task_by_vpid(pid);
55722 + if (task) {
55723 +#ifdef CONFIG_GRKERNSEC_CHROOT
55724 + if (proc_is_chrooted(task))
55725 + ret = -EACCES;
55726 +#endif
55727 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
55728 + cred = __task_cred(task);
55729 +#ifdef CONFIG_GRKERNSEC_PROC_USER
55730 + if (cred->uid != 0)
55731 + ret = -EACCES;
55732 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
55733 + if (cred->uid != 0 && !groups_search(cred->group_info, CONFIG_GRKERNSEC_PROC_GID))
55734 + ret = -EACCES;
55735 +#endif
55736 +#endif
55737 + if (gr_status & GR_READY) {
55738 + if (!(task->acl->mode & GR_VIEW))
55739 + ret = -EACCES;
55740 + }
55741 + } else
55742 + ret = -ENOENT;
55743 +
55744 + read_unlock(&tasklist_lock);
55745 + rcu_read_unlock();
55746 +
55747 + return ret;
55748 +}
55749 +#endif
55750 +
55751 +/* AUXV entries are filled via a descendant of search_binary_handler
55752 + after we've already applied the subject for the target
55753 +*/
55754 +int gr_acl_enable_at_secure(void)
55755 +{
55756 + if (unlikely(!(gr_status & GR_READY)))
55757 + return 0;
55758 +
55759 + if (current->acl->mode & GR_ATSECURE)
55760 + return 1;
55761 +
55762 + return 0;
55763 +}
55764 +
55765 +int gr_acl_handle_filldir(const struct file *file, const char *name, const unsigned int namelen, const ino_t ino)
55766 +{
55767 + struct task_struct *task = current;
55768 + struct dentry *dentry = file->f_path.dentry;
55769 + struct vfsmount *mnt = file->f_path.mnt;
55770 + struct acl_object_label *obj, *tmp;
55771 + struct acl_subject_label *subj;
55772 + unsigned int bufsize;
55773 + int is_not_root;
55774 + char *path;
55775 + dev_t dev = __get_dev(dentry);
55776 +
55777 + if (unlikely(!(gr_status & GR_READY)))
55778 + return 1;
55779 +
55780 + if (task->acl->mode & (GR_LEARN | GR_INHERITLEARN))
55781 + return 1;
55782 +
55783 + /* ignore Eric Biederman */
55784 + if (IS_PRIVATE(dentry->d_inode))
55785 + return 1;
55786 +
55787 + subj = task->acl;
55788 + do {
55789 + obj = lookup_acl_obj_label(ino, dev, subj);
55790 + if (obj != NULL)
55791 + return (obj->mode & GR_FIND) ? 1 : 0;
55792 + } while ((subj = subj->parent_subject));
55793 +
55794 + /* this is purely an optimization since we're looking for an object
55795 + for the directory we're doing a readdir on
55796 + if it's possible for any globbed object to match the entry we're
55797 + filling into the directory, then the object we find here will be
55798 + an anchor point with attached globbed objects
55799 + */
55800 + obj = chk_obj_label_noglob(dentry, mnt, task->acl);
55801 + if (obj->globbed == NULL)
55802 + return (obj->mode & GR_FIND) ? 1 : 0;
55803 +
55804 + is_not_root = ((obj->filename[0] == '/') &&
55805 + (obj->filename[1] == '\0')) ? 0 : 1;
55806 + bufsize = PAGE_SIZE - namelen - is_not_root;
55807 +
55808 + /* check bufsize > PAGE_SIZE || bufsize == 0 */
55809 + if (unlikely((bufsize - 1) > (PAGE_SIZE - 1)))
55810 + return 1;
55811 +
55812 + preempt_disable();
55813 + path = d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0], smp_processor_id()),
55814 + bufsize);
55815 +
55816 + bufsize = strlen(path);
55817 +
55818 + /* if base is "/", don't append an additional slash */
55819 + if (is_not_root)
55820 + *(path + bufsize) = '/';
55821 + memcpy(path + bufsize + is_not_root, name, namelen);
55822 + *(path + bufsize + namelen + is_not_root) = '\0';
55823 +
55824 + tmp = obj->globbed;
55825 + while (tmp) {
55826 + if (!glob_match(tmp->filename, path)) {
55827 + preempt_enable();
55828 + return (tmp->mode & GR_FIND) ? 1 : 0;
55829 + }
55830 + tmp = tmp->next;
55831 + }
55832 + preempt_enable();
55833 + return (obj->mode & GR_FIND) ? 1 : 0;
55834 +}
55835 +
55836 +#ifdef CONFIG_NETFILTER_XT_MATCH_GRADM_MODULE
55837 +EXPORT_SYMBOL(gr_acl_is_enabled);
55838 +#endif
55839 +EXPORT_SYMBOL(gr_learn_resource);
55840 +EXPORT_SYMBOL(gr_set_kernel_label);
55841 +#ifdef CONFIG_SECURITY
55842 +EXPORT_SYMBOL(gr_check_user_change);
55843 +EXPORT_SYMBOL(gr_check_group_change);
55844 +#endif
55845 +
55846 diff -urNp linux-2.6.39.3/grsecurity/gracl_cap.c linux-2.6.39.3/grsecurity/gracl_cap.c
55847 --- linux-2.6.39.3/grsecurity/gracl_cap.c 1969-12-31 19:00:00.000000000 -0500
55848 +++ linux-2.6.39.3/grsecurity/gracl_cap.c 2011-05-22 19:41:42.000000000 -0400
55849 @@ -0,0 +1,139 @@
55850 +#include <linux/kernel.h>
55851 +#include <linux/module.h>
55852 +#include <linux/sched.h>
55853 +#include <linux/gracl.h>
55854 +#include <linux/grsecurity.h>
55855 +#include <linux/grinternal.h>
55856 +
55857 +static const char *captab_log[] = {
55858 + "CAP_CHOWN",
55859 + "CAP_DAC_OVERRIDE",
55860 + "CAP_DAC_READ_SEARCH",
55861 + "CAP_FOWNER",
55862 + "CAP_FSETID",
55863 + "CAP_KILL",
55864 + "CAP_SETGID",
55865 + "CAP_SETUID",
55866 + "CAP_SETPCAP",
55867 + "CAP_LINUX_IMMUTABLE",
55868 + "CAP_NET_BIND_SERVICE",
55869 + "CAP_NET_BROADCAST",
55870 + "CAP_NET_ADMIN",
55871 + "CAP_NET_RAW",
55872 + "CAP_IPC_LOCK",
55873 + "CAP_IPC_OWNER",
55874 + "CAP_SYS_MODULE",
55875 + "CAP_SYS_RAWIO",
55876 + "CAP_SYS_CHROOT",
55877 + "CAP_SYS_PTRACE",
55878 + "CAP_SYS_PACCT",
55879 + "CAP_SYS_ADMIN",
55880 + "CAP_SYS_BOOT",
55881 + "CAP_SYS_NICE",
55882 + "CAP_SYS_RESOURCE",
55883 + "CAP_SYS_TIME",
55884 + "CAP_SYS_TTY_CONFIG",
55885 + "CAP_MKNOD",
55886 + "CAP_LEASE",
55887 + "CAP_AUDIT_WRITE",
55888 + "CAP_AUDIT_CONTROL",
55889 + "CAP_SETFCAP",
55890 + "CAP_MAC_OVERRIDE",
55891 + "CAP_MAC_ADMIN",
55892 + "CAP_SYSLOG"
55893 +};
55894 +
55895 +EXPORT_SYMBOL(gr_is_capable);
55896 +EXPORT_SYMBOL(gr_is_capable_nolog);
55897 +
55898 +int
55899 +gr_is_capable(const int cap)
55900 +{
55901 + struct task_struct *task = current;
55902 + const struct cred *cred = current_cred();
55903 + struct acl_subject_label *curracl;
55904 + kernel_cap_t cap_drop = __cap_empty_set, cap_mask = __cap_empty_set;
55905 + kernel_cap_t cap_audit = __cap_empty_set;
55906 +
55907 + if (!gr_acl_is_enabled())
55908 + return 1;
55909 +
55910 + curracl = task->acl;
55911 +
55912 + cap_drop = curracl->cap_lower;
55913 + cap_mask = curracl->cap_mask;
55914 + cap_audit = curracl->cap_invert_audit;
55915 +
55916 + while ((curracl = curracl->parent_subject)) {
55917 + /* if the cap isn't specified in the current computed mask but is specified in the
55918 + current level subject, and is lowered in the current level subject, then add
55919 + it to the set of dropped capabilities
55920 + otherwise, add the current level subject's mask to the current computed mask
55921 + */
55922 + if (!cap_raised(cap_mask, cap) && cap_raised(curracl->cap_mask, cap)) {
55923 + cap_raise(cap_mask, cap);
55924 + if (cap_raised(curracl->cap_lower, cap))
55925 + cap_raise(cap_drop, cap);
55926 + if (cap_raised(curracl->cap_invert_audit, cap))
55927 + cap_raise(cap_audit, cap);
55928 + }
55929 + }
55930 +
55931 + if (!cap_raised(cap_drop, cap)) {
55932 + if (cap_raised(cap_audit, cap))
55933 + gr_log_cap(GR_DO_AUDIT, GR_CAP_ACL_MSG2, task, captab_log[cap]);
55934 + return 1;
55935 + }
55936 +
55937 + curracl = task->acl;
55938 +
55939 + if ((curracl->mode & (GR_LEARN | GR_INHERITLEARN))
55940 + && cap_raised(cred->cap_effective, cap)) {
55941 + security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename,
55942 + task->role->roletype, cred->uid,
55943 + cred->gid, task->exec_file ?
55944 + gr_to_filename(task->exec_file->f_path.dentry,
55945 + task->exec_file->f_path.mnt) : curracl->filename,
55946 + curracl->filename, 0UL,
55947 + 0UL, "", (unsigned long) cap, &task->signal->saved_ip);
55948 + return 1;
55949 + }
55950 +
55951 + if ((cap >= 0) && (cap < (sizeof(captab_log)/sizeof(captab_log[0]))) && cap_raised(cred->cap_effective, cap) && !cap_raised(cap_audit, cap))
55952 + gr_log_cap(GR_DONT_AUDIT, GR_CAP_ACL_MSG, task, captab_log[cap]);
55953 + return 0;
55954 +}
55955 +
55956 +int
55957 +gr_is_capable_nolog(const int cap)
55958 +{
55959 + struct acl_subject_label *curracl;
55960 + kernel_cap_t cap_drop = __cap_empty_set, cap_mask = __cap_empty_set;
55961 +
55962 + if (!gr_acl_is_enabled())
55963 + return 1;
55964 +
55965 + curracl = current->acl;
55966 +
55967 + cap_drop = curracl->cap_lower;
55968 + cap_mask = curracl->cap_mask;
55969 +
55970 + while ((curracl = curracl->parent_subject)) {
55971 + /* if the cap isn't specified in the current computed mask but is specified in the
55972 + current level subject, and is lowered in the current level subject, then add
55973 + it to the set of dropped capabilities
55974 + otherwise, add the current level subject's mask to the current computed mask
55975 + */
55976 + if (!cap_raised(cap_mask, cap) && cap_raised(curracl->cap_mask, cap)) {
55977 + cap_raise(cap_mask, cap);
55978 + if (cap_raised(curracl->cap_lower, cap))
55979 + cap_raise(cap_drop, cap);
55980 + }
55981 + }
55982 +
55983 + if (!cap_raised(cap_drop, cap))
55984 + return 1;
55985 +
55986 + return 0;
55987 +}
55988 +
55989 diff -urNp linux-2.6.39.3/grsecurity/gracl_fs.c linux-2.6.39.3/grsecurity/gracl_fs.c
55990 --- linux-2.6.39.3/grsecurity/gracl_fs.c 1969-12-31 19:00:00.000000000 -0500
55991 +++ linux-2.6.39.3/grsecurity/gracl_fs.c 2011-05-22 19:41:42.000000000 -0400
55992 @@ -0,0 +1,431 @@
55993 +#include <linux/kernel.h>
55994 +#include <linux/sched.h>
55995 +#include <linux/types.h>
55996 +#include <linux/fs.h>
55997 +#include <linux/file.h>
55998 +#include <linux/stat.h>
55999 +#include <linux/grsecurity.h>
56000 +#include <linux/grinternal.h>
56001 +#include <linux/gracl.h>
56002 +
56003 +__u32
56004 +gr_acl_handle_hidden_file(const struct dentry * dentry,
56005 + const struct vfsmount * mnt)
56006 +{
56007 + __u32 mode;
56008 +
56009 + if (unlikely(!dentry->d_inode))
56010 + return GR_FIND;
56011 +
56012 + mode =
56013 + gr_search_file(dentry, GR_FIND | GR_AUDIT_FIND | GR_SUPPRESS, mnt);
56014 +
56015 + if (unlikely(mode & GR_FIND && mode & GR_AUDIT_FIND)) {
56016 + gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_HIDDEN_ACL_MSG, dentry, mnt);
56017 + return mode;
56018 + } else if (unlikely(!(mode & GR_FIND) && !(mode & GR_SUPPRESS))) {
56019 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_HIDDEN_ACL_MSG, dentry, mnt);
56020 + return 0;
56021 + } else if (unlikely(!(mode & GR_FIND)))
56022 + return 0;
56023 +
56024 + return GR_FIND;
56025 +}
56026 +
56027 +__u32
56028 +gr_acl_handle_open(const struct dentry * dentry, const struct vfsmount * mnt,
56029 + const int fmode)
56030 +{
56031 + __u32 reqmode = GR_FIND;
56032 + __u32 mode;
56033 +
56034 + if (unlikely(!dentry->d_inode))
56035 + return reqmode;
56036 +
56037 + if (unlikely(fmode & O_APPEND))
56038 + reqmode |= GR_APPEND;
56039 + else if (unlikely(fmode & FMODE_WRITE))
56040 + reqmode |= GR_WRITE;
56041 + if (likely((fmode & FMODE_READ) && !(fmode & O_DIRECTORY)))
56042 + reqmode |= GR_READ;
56043 + if ((fmode & FMODE_GREXEC) && (fmode & __FMODE_EXEC))
56044 + reqmode &= ~GR_READ;
56045 + mode =
56046 + gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS,
56047 + mnt);
56048 +
56049 + if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
56050 + gr_log_fs_rbac_mode2(GR_DO_AUDIT, GR_OPEN_ACL_MSG, dentry, mnt,
56051 + reqmode & GR_READ ? " reading" : "",
56052 + reqmode & GR_WRITE ? " writing" : reqmode &
56053 + GR_APPEND ? " appending" : "");
56054 + return reqmode;
56055 + } else
56056 + if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
56057 + {
56058 + gr_log_fs_rbac_mode2(GR_DONT_AUDIT, GR_OPEN_ACL_MSG, dentry, mnt,
56059 + reqmode & GR_READ ? " reading" : "",
56060 + reqmode & GR_WRITE ? " writing" : reqmode &
56061 + GR_APPEND ? " appending" : "");
56062 + return 0;
56063 + } else if (unlikely((mode & reqmode) != reqmode))
56064 + return 0;
56065 +
56066 + return reqmode;
56067 +}
56068 +
56069 +__u32
56070 +gr_acl_handle_creat(const struct dentry * dentry,
56071 + const struct dentry * p_dentry,
56072 + const struct vfsmount * p_mnt, const int fmode,
56073 + const int imode)
56074 +{
56075 + __u32 reqmode = GR_WRITE | GR_CREATE;
56076 + __u32 mode;
56077 +
56078 + if (unlikely(fmode & O_APPEND))
56079 + reqmode |= GR_APPEND;
56080 + if (unlikely((fmode & FMODE_READ) && !(fmode & O_DIRECTORY)))
56081 + reqmode |= GR_READ;
56082 + if (unlikely((fmode & O_CREAT) && (imode & (S_ISUID | S_ISGID))))
56083 + reqmode |= GR_SETID;
56084 +
56085 + mode =
56086 + gr_check_create(dentry, p_dentry, p_mnt,
56087 + reqmode | to_gr_audit(reqmode) | GR_SUPPRESS);
56088 +
56089 + if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
56090 + gr_log_fs_rbac_mode2(GR_DO_AUDIT, GR_CREATE_ACL_MSG, dentry, p_mnt,
56091 + reqmode & GR_READ ? " reading" : "",
56092 + reqmode & GR_WRITE ? " writing" : reqmode &
56093 + GR_APPEND ? " appending" : "");
56094 + return reqmode;
56095 + } else
56096 + if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
56097 + {
56098 + gr_log_fs_rbac_mode2(GR_DONT_AUDIT, GR_CREATE_ACL_MSG, dentry, p_mnt,
56099 + reqmode & GR_READ ? " reading" : "",
56100 + reqmode & GR_WRITE ? " writing" : reqmode &
56101 + GR_APPEND ? " appending" : "");
56102 + return 0;
56103 + } else if (unlikely((mode & reqmode) != reqmode))
56104 + return 0;
56105 +
56106 + return reqmode;
56107 +}
56108 +
56109 +__u32
56110 +gr_acl_handle_access(const struct dentry * dentry, const struct vfsmount * mnt,
56111 + const int fmode)
56112 +{
56113 + __u32 mode, reqmode = GR_FIND;
56114 +
56115 + if ((fmode & S_IXOTH) && !S_ISDIR(dentry->d_inode->i_mode))
56116 + reqmode |= GR_EXEC;
56117 + if (fmode & S_IWOTH)
56118 + reqmode |= GR_WRITE;
56119 + if (fmode & S_IROTH)
56120 + reqmode |= GR_READ;
56121 +
56122 + mode =
56123 + gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS,
56124 + mnt);
56125 +
56126 + if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
56127 + gr_log_fs_rbac_mode3(GR_DO_AUDIT, GR_ACCESS_ACL_MSG, dentry, mnt,
56128 + reqmode & GR_READ ? " reading" : "",
56129 + reqmode & GR_WRITE ? " writing" : "",
56130 + reqmode & GR_EXEC ? " executing" : "");
56131 + return reqmode;
56132 + } else
56133 + if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
56134 + {
56135 + gr_log_fs_rbac_mode3(GR_DONT_AUDIT, GR_ACCESS_ACL_MSG, dentry, mnt,
56136 + reqmode & GR_READ ? " reading" : "",
56137 + reqmode & GR_WRITE ? " writing" : "",
56138 + reqmode & GR_EXEC ? " executing" : "");
56139 + return 0;
56140 + } else if (unlikely((mode & reqmode) != reqmode))
56141 + return 0;
56142 +
56143 + return reqmode;
56144 +}
56145 +
56146 +static __u32 generic_fs_handler(const struct dentry *dentry, const struct vfsmount *mnt, __u32 reqmode, const char *fmt)
56147 +{
56148 + __u32 mode;
56149 +
56150 + mode = gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS, mnt);
56151 +
56152 + if (unlikely(((mode & (reqmode)) == (reqmode)) && mode & GR_AUDITS)) {
56153 + gr_log_fs_rbac_generic(GR_DO_AUDIT, fmt, dentry, mnt);
56154 + return mode;
56155 + } else if (unlikely((mode & (reqmode)) != (reqmode) && !(mode & GR_SUPPRESS))) {
56156 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, fmt, dentry, mnt);
56157 + return 0;
56158 + } else if (unlikely((mode & (reqmode)) != (reqmode)))
56159 + return 0;
56160 +
56161 + return (reqmode);
56162 +}
56163 +
56164 +__u32
56165 +gr_acl_handle_rmdir(const struct dentry * dentry, const struct vfsmount * mnt)
56166 +{
56167 + return generic_fs_handler(dentry, mnt, GR_WRITE | GR_DELETE , GR_RMDIR_ACL_MSG);
56168 +}
56169 +
56170 +__u32
56171 +gr_acl_handle_unlink(const struct dentry *dentry, const struct vfsmount *mnt)
56172 +{
56173 + return generic_fs_handler(dentry, mnt, GR_WRITE | GR_DELETE , GR_UNLINK_ACL_MSG);
56174 +}
56175 +
56176 +__u32
56177 +gr_acl_handle_truncate(const struct dentry *dentry, const struct vfsmount *mnt)
56178 +{
56179 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_TRUNCATE_ACL_MSG);
56180 +}
56181 +
56182 +__u32
56183 +gr_acl_handle_utime(const struct dentry *dentry, const struct vfsmount *mnt)
56184 +{
56185 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_ATIME_ACL_MSG);
56186 +}
56187 +
56188 +__u32
56189 +gr_acl_handle_fchmod(const struct dentry *dentry, const struct vfsmount *mnt,
56190 + mode_t mode)
56191 +{
56192 + if (unlikely(dentry->d_inode && S_ISSOCK(dentry->d_inode->i_mode)))
56193 + return 1;
56194 +
56195 + if (unlikely((mode != (mode_t)-1) && (mode & (S_ISUID | S_ISGID)))) {
56196 + return generic_fs_handler(dentry, mnt, GR_WRITE | GR_SETID,
56197 + GR_FCHMOD_ACL_MSG);
56198 + } else {
56199 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_FCHMOD_ACL_MSG);
56200 + }
56201 +}
56202 +
56203 +__u32
56204 +gr_acl_handle_chmod(const struct dentry *dentry, const struct vfsmount *mnt,
56205 + mode_t mode)
56206 +{
56207 + if (unlikely((mode != (mode_t)-1) && (mode & (S_ISUID | S_ISGID)))) {
56208 + return generic_fs_handler(dentry, mnt, GR_WRITE | GR_SETID,
56209 + GR_CHMOD_ACL_MSG);
56210 + } else {
56211 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_CHMOD_ACL_MSG);
56212 + }
56213 +}
56214 +
56215 +__u32
56216 +gr_acl_handle_chown(const struct dentry *dentry, const struct vfsmount *mnt)
56217 +{
56218 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_CHOWN_ACL_MSG);
56219 +}
56220 +
56221 +__u32
56222 +gr_acl_handle_setxattr(const struct dentry *dentry, const struct vfsmount *mnt)
56223 +{
56224 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_SETXATTR_ACL_MSG);
56225 +}
56226 +
56227 +__u32
56228 +gr_acl_handle_execve(const struct dentry *dentry, const struct vfsmount *mnt)
56229 +{
56230 + return generic_fs_handler(dentry, mnt, GR_EXEC, GR_EXEC_ACL_MSG);
56231 +}
56232 +
56233 +__u32
56234 +gr_acl_handle_unix(const struct dentry *dentry, const struct vfsmount *mnt)
56235 +{
56236 + return generic_fs_handler(dentry, mnt, GR_READ | GR_WRITE,
56237 + GR_UNIXCONNECT_ACL_MSG);
56238 +}
56239 +
56240 +/* hardlinks require at minimum create permission,
56241 + any additional privilege required is based on the
56242 + privilege of the file being linked to
56243 +*/
56244 +__u32
56245 +gr_acl_handle_link(const struct dentry * new_dentry,
56246 + const struct dentry * parent_dentry,
56247 + const struct vfsmount * parent_mnt,
56248 + const struct dentry * old_dentry,
56249 + const struct vfsmount * old_mnt, const char *to)
56250 +{
56251 + __u32 mode;
56252 + __u32 needmode = GR_CREATE | GR_LINK;
56253 + __u32 needaudit = GR_AUDIT_CREATE | GR_AUDIT_LINK;
56254 +
56255 + mode =
56256 + gr_check_link(new_dentry, parent_dentry, parent_mnt, old_dentry,
56257 + old_mnt);
56258 +
56259 + if (unlikely(((mode & needmode) == needmode) && (mode & needaudit))) {
56260 + gr_log_fs_rbac_str(GR_DO_AUDIT, GR_LINK_ACL_MSG, old_dentry, old_mnt, to);
56261 + return mode;
56262 + } else if (unlikely(((mode & needmode) != needmode) && !(mode & GR_SUPPRESS))) {
56263 + gr_log_fs_rbac_str(GR_DONT_AUDIT, GR_LINK_ACL_MSG, old_dentry, old_mnt, to);
56264 + return 0;
56265 + } else if (unlikely((mode & needmode) != needmode))
56266 + return 0;
56267 +
56268 + return 1;
56269 +}
56270 +
56271 +__u32
56272 +gr_acl_handle_symlink(const struct dentry * new_dentry,
56273 + const struct dentry * parent_dentry,
56274 + const struct vfsmount * parent_mnt, const char *from)
56275 +{
56276 + __u32 needmode = GR_WRITE | GR_CREATE;
56277 + __u32 mode;
56278 +
56279 + mode =
56280 + gr_check_create(new_dentry, parent_dentry, parent_mnt,
56281 + GR_CREATE | GR_AUDIT_CREATE |
56282 + GR_WRITE | GR_AUDIT_WRITE | GR_SUPPRESS);
56283 +
56284 + if (unlikely(mode & GR_WRITE && mode & GR_AUDITS)) {
56285 + gr_log_fs_str_rbac(GR_DO_AUDIT, GR_SYMLINK_ACL_MSG, from, new_dentry, parent_mnt);
56286 + return mode;
56287 + } else if (unlikely(((mode & needmode) != needmode) && !(mode & GR_SUPPRESS))) {
56288 + gr_log_fs_str_rbac(GR_DONT_AUDIT, GR_SYMLINK_ACL_MSG, from, new_dentry, parent_mnt);
56289 + return 0;
56290 + } else if (unlikely((mode & needmode) != needmode))
56291 + return 0;
56292 +
56293 + return (GR_WRITE | GR_CREATE);
56294 +}
56295 +
56296 +static __u32 generic_fs_create_handler(const struct dentry *new_dentry, const struct dentry *parent_dentry, const struct vfsmount *parent_mnt, __u32 reqmode, const char *fmt)
56297 +{
56298 + __u32 mode;
56299 +
56300 + mode = gr_check_create(new_dentry, parent_dentry, parent_mnt, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS);
56301 +
56302 + if (unlikely(((mode & (reqmode)) == (reqmode)) && mode & GR_AUDITS)) {
56303 + gr_log_fs_rbac_generic(GR_DO_AUDIT, fmt, new_dentry, parent_mnt);
56304 + return mode;
56305 + } else if (unlikely((mode & (reqmode)) != (reqmode) && !(mode & GR_SUPPRESS))) {
56306 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, fmt, new_dentry, parent_mnt);
56307 + return 0;
56308 + } else if (unlikely((mode & (reqmode)) != (reqmode)))
56309 + return 0;
56310 +
56311 + return (reqmode);
56312 +}
56313 +
56314 +__u32
56315 +gr_acl_handle_mknod(const struct dentry * new_dentry,
56316 + const struct dentry * parent_dentry,
56317 + const struct vfsmount * parent_mnt,
56318 + const int mode)
56319 +{
56320 + __u32 reqmode = GR_WRITE | GR_CREATE;
56321 + if (unlikely(mode & (S_ISUID | S_ISGID)))
56322 + reqmode |= GR_SETID;
56323 +
56324 + return generic_fs_create_handler(new_dentry, parent_dentry, parent_mnt,
56325 + reqmode, GR_MKNOD_ACL_MSG);
56326 +}
56327 +
56328 +__u32
56329 +gr_acl_handle_mkdir(const struct dentry *new_dentry,
56330 + const struct dentry *parent_dentry,
56331 + const struct vfsmount *parent_mnt)
56332 +{
56333 + return generic_fs_create_handler(new_dentry, parent_dentry, parent_mnt,
56334 + GR_WRITE | GR_CREATE, GR_MKDIR_ACL_MSG);
56335 +}
56336 +
56337 +#define RENAME_CHECK_SUCCESS(old, new) \
56338 + (((old & (GR_WRITE | GR_READ)) == (GR_WRITE | GR_READ)) && \
56339 + ((new & (GR_WRITE | GR_READ)) == (GR_WRITE | GR_READ)))
56340 +
56341 +int
56342 +gr_acl_handle_rename(struct dentry *new_dentry,
56343 + struct dentry *parent_dentry,
56344 + const struct vfsmount *parent_mnt,
56345 + struct dentry *old_dentry,
56346 + struct inode *old_parent_inode,
56347 + struct vfsmount *old_mnt, const char *newname)
56348 +{
56349 + __u32 comp1, comp2;
56350 + int error = 0;
56351 +
56352 + if (unlikely(!gr_acl_is_enabled()))
56353 + return 0;
56354 +
56355 + if (!new_dentry->d_inode) {
56356 + comp1 = gr_check_create(new_dentry, parent_dentry, parent_mnt,
56357 + GR_READ | GR_WRITE | GR_CREATE | GR_AUDIT_READ |
56358 + GR_AUDIT_WRITE | GR_AUDIT_CREATE | GR_SUPPRESS);
56359 + comp2 = gr_search_file(old_dentry, GR_READ | GR_WRITE |
56360 + GR_DELETE | GR_AUDIT_DELETE |
56361 + GR_AUDIT_READ | GR_AUDIT_WRITE |
56362 + GR_SUPPRESS, old_mnt);
56363 + } else {
56364 + comp1 = gr_search_file(new_dentry, GR_READ | GR_WRITE |
56365 + GR_CREATE | GR_DELETE |
56366 + GR_AUDIT_CREATE | GR_AUDIT_DELETE |
56367 + GR_AUDIT_READ | GR_AUDIT_WRITE |
56368 + GR_SUPPRESS, parent_mnt);
56369 + comp2 =
56370 + gr_search_file(old_dentry,
56371 + GR_READ | GR_WRITE | GR_AUDIT_READ |
56372 + GR_DELETE | GR_AUDIT_DELETE |
56373 + GR_AUDIT_WRITE | GR_SUPPRESS, old_mnt);
56374 + }
56375 +
56376 + if (RENAME_CHECK_SUCCESS(comp1, comp2) &&
56377 + ((comp1 & GR_AUDITS) || (comp2 & GR_AUDITS)))
56378 + gr_log_fs_rbac_str(GR_DO_AUDIT, GR_RENAME_ACL_MSG, old_dentry, old_mnt, newname);
56379 + else if (!RENAME_CHECK_SUCCESS(comp1, comp2) && !(comp1 & GR_SUPPRESS)
56380 + && !(comp2 & GR_SUPPRESS)) {
56381 + gr_log_fs_rbac_str(GR_DONT_AUDIT, GR_RENAME_ACL_MSG, old_dentry, old_mnt, newname);
56382 + error = -EACCES;
56383 + } else if (unlikely(!RENAME_CHECK_SUCCESS(comp1, comp2)))
56384 + error = -EACCES;
56385 +
56386 + return error;
56387 +}
56388 +
56389 +void
56390 +gr_acl_handle_exit(void)
56391 +{
56392 + u16 id;
56393 + char *rolename;
56394 + struct file *exec_file;
56395 +
56396 + if (unlikely(current->acl_sp_role && gr_acl_is_enabled() &&
56397 + !(current->role->roletype & GR_ROLE_PERSIST))) {
56398 + id = current->acl_role_id;
56399 + rolename = current->role->rolename;
56400 + gr_set_acls(1);
56401 + gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_SPROLEL_ACL_MSG, rolename, id);
56402 + }
56403 +
56404 + write_lock(&grsec_exec_file_lock);
56405 + exec_file = current->exec_file;
56406 + current->exec_file = NULL;
56407 + write_unlock(&grsec_exec_file_lock);
56408 +
56409 + if (exec_file)
56410 + fput(exec_file);
56411 +}
56412 +
56413 +int
56414 +gr_acl_handle_procpidmem(const struct task_struct *task)
56415 +{
56416 + if (unlikely(!gr_acl_is_enabled()))
56417 + return 0;
56418 +
56419 + if (task != current && task->acl->mode & GR_PROTPROCFD)
56420 + return -EACCES;
56421 +
56422 + return 0;
56423 +}
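Review bot: gr_acl_handle_symlink()'s audit branch tests only `mode & GR_WRITE && mode & GR_AUDITS` and then returns `mode`, whereas the other create and link handlers in this file require the full request first (`(mode & reqmode) == reqmode` or `(mode & needmode) == needmode`). If gr_check_create() can return GR_WRITE plus an audit bit without GR_CREATE (not visible from this hunk), the call is logged as a success and a non-zero value is returned before the `needmode` comparison in the next branch is reached; callers presumably treat that as a grant. I would write the first test as `if (unlikely(((mode & needmode) == needmode) && (mode & GR_AUDITS)))` so the decision matches generic_fs_create_handler(). Separately, gr_acl_handle_access() dereferences `dentry->d_inode->i_mode` without the `!dentry->d_inode` guard that gr_acl_handle_hidden_file() and gr_acl_handle_open() use; either add the guard or add a comment stating that callers only pass positive dentries.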
56424 diff -urNp linux-2.6.39.3/grsecurity/gracl_ip.c linux-2.6.39.3/grsecurity/gracl_ip.c
56425 --- linux-2.6.39.3/grsecurity/gracl_ip.c 1969-12-31 19:00:00.000000000 -0500
56426 +++ linux-2.6.39.3/grsecurity/gracl_ip.c 2011-05-22 22:47:31.000000000 -0400
56427 @@ -0,0 +1,381 @@
56428 +#include <linux/kernel.h>
56429 +#include <asm/uaccess.h>
56430 +#include <asm/errno.h>
56431 +#include <net/sock.h>
56432 +#include <linux/file.h>
56433 +#include <linux/fs.h>
56434 +#include <linux/net.h>
56435 +#include <linux/in.h>
56436 +#include <linux/skbuff.h>
56437 +#include <linux/ip.h>
56438 +#include <linux/udp.h>
56439 +#include <linux/types.h>
56440 +#include <linux/sched.h>
56441 +#include <linux/netdevice.h>
56442 +#include <linux/inetdevice.h>
56443 +#include <linux/gracl.h>
56444 +#include <linux/grsecurity.h>
56445 +#include <linux/grinternal.h>
56446 +
56447 +#define GR_BIND 0x01
56448 +#define GR_CONNECT 0x02
56449 +#define GR_INVERT 0x04
56450 +#define GR_BINDOVERRIDE 0x08
56451 +#define GR_CONNECTOVERRIDE 0x10
56452 +#define GR_SOCK_FAMILY 0x20
56453 +
56454 +static const char * gr_protocols[IPPROTO_MAX] = {
56455 + "ip", "icmp", "igmp", "ggp", "ipencap", "st", "tcp", "cbt",
56456 + "egp", "igp", "bbn-rcc", "nvp", "pup", "argus", "emcon", "xnet",
56457 + "chaos", "udp", "mux", "dcn", "hmp", "prm", "xns-idp", "trunk-1",
56458 + "trunk-2", "leaf-1", "leaf-2", "rdp", "irtp", "iso-tp4", "netblt", "mfe-nsp",
56459 + "merit-inp", "sep", "3pc", "idpr", "xtp", "ddp", "idpr-cmtp", "tp++",
56460 + "il", "ipv6", "sdrp", "ipv6-route", "ipv6-frag", "idrp", "rsvp", "gre",
56461 + "mhrp", "bna", "ipv6-crypt", "ipv6-auth", "i-nlsp", "swipe", "narp", "mobile",
56462 + "tlsp", "skip", "ipv6-icmp", "ipv6-nonxt", "ipv6-opts", "unknown:61", "cftp", "unknown:63",
56463 + "sat-expak", "kryptolan", "rvd", "ippc", "unknown:68", "sat-mon", "visa", "ipcv",
56464 + "cpnx", "cphb", "wsn", "pvp", "br-sat-mon", "sun-nd", "wb-mon", "wb-expak",
56465 + "iso-ip", "vmtp", "secure-vmtp", "vines", "ttp", "nfsnet-igp", "dgp", "tcf",
56466 + "eigrp", "ospf", "sprite-rpc", "larp", "mtp", "ax.25", "ipip", "micp",
56467 + "scc-sp", "etherip", "encap", "unknown:99", "gmtp", "ifmp", "pnni", "pim",
56468 + "aris", "scps", "qnx", "a/n", "ipcomp", "snp", "compaq-peer", "ipx-in-ip",
56469 + "vrrp", "pgm", "unknown:114", "l2tp", "ddx", "iatp", "stp", "srp",
56470 + "uti", "smp", "sm", "ptp", "isis", "fire", "crtp", "crdup",
56471 + "sscopmce", "iplt", "sps", "pipe", "sctp", "fc", "unkown:134", "unknown:135",
56472 + "unknown:136", "unknown:137", "unknown:138", "unknown:139", "unknown:140", "unknown:141", "unknown:142", "unknown:143",
56473 + "unknown:144", "unknown:145", "unknown:146", "unknown:147", "unknown:148", "unknown:149", "unknown:150", "unknown:151",
56474 + "unknown:152", "unknown:153", "unknown:154", "unknown:155", "unknown:156", "unknown:157", "unknown:158", "unknown:159",
56475 + "unknown:160", "unknown:161", "unknown:162", "unknown:163", "unknown:164", "unknown:165", "unknown:166", "unknown:167",
56476 + "unknown:168", "unknown:169", "unknown:170", "unknown:171", "unknown:172", "unknown:173", "unknown:174", "unknown:175",
56477 + "unknown:176", "unknown:177", "unknown:178", "unknown:179", "unknown:180", "unknown:181", "unknown:182", "unknown:183",
56478 + "unknown:184", "unknown:185", "unknown:186", "unknown:187", "unknown:188", "unknown:189", "unknown:190", "unknown:191",
56479 + "unknown:192", "unknown:193", "unknown:194", "unknown:195", "unknown:196", "unknown:197", "unknown:198", "unknown:199",
56480 + "unknown:200", "unknown:201", "unknown:202", "unknown:203", "unknown:204", "unknown:205", "unknown:206", "unknown:207",
56481 + "unknown:208", "unknown:209", "unknown:210", "unknown:211", "unknown:212", "unknown:213", "unknown:214", "unknown:215",
56482 + "unknown:216", "unknown:217", "unknown:218", "unknown:219", "unknown:220", "unknown:221", "unknown:222", "unknown:223",
56483 + "unknown:224", "unknown:225", "unknown:226", "unknown:227", "unknown:228", "unknown:229", "unknown:230", "unknown:231",
56484 + "unknown:232", "unknown:233", "unknown:234", "unknown:235", "unknown:236", "unknown:237", "unknown:238", "unknown:239",
56485 + "unknown:240", "unknown:241", "unknown:242", "unknown:243", "unknown:244", "unknown:245", "unknown:246", "unknown:247",
56486 + "unknown:248", "unknown:249", "unknown:250", "unknown:251", "unknown:252", "unknown:253", "unknown:254", "unknown:255",
56487 + };
56488 +
56489 +static const char * gr_socktypes[SOCK_MAX] = {
56490 + "unknown:0", "stream", "dgram", "raw", "rdm", "seqpacket", "unknown:6",
56491 + "unknown:7", "unknown:8", "unknown:9", "packet"
56492 + };
56493 +
56494 +static const char * gr_sockfamilies[AF_MAX+1] = {
56495 + "unspec", "unix", "inet", "ax25", "ipx", "appletalk", "netrom", "bridge", "atmpvc", "x25",
56496 + "inet6", "rose", "decnet", "netbeui", "security", "key", "netlink", "packet", "ash",
56497 + "econet", "atmsvc", "rds", "sna", "irda", "ppox", "wanpipe", "llc", "fam_27", "fam_28",
56498 + "tipc", "bluetooth", "iucv", "rxrpc", "isdn", "phonet", "ieee802154", "ciaf"
56499 + };
56500 +
56501 +const char *
56502 +gr_proto_to_name(unsigned char proto)
56503 +{
56504 + return gr_protocols[proto];
56505 +}
56506 +
56507 +const char *
56508 +gr_socktype_to_name(unsigned char type)
56509 +{
56510 + return gr_socktypes[type];
56511 +}
56512 +
56513 +const char *
56514 +gr_sockfamily_to_name(unsigned char family)
56515 +{
56516 + return gr_sockfamilies[family];
56517 +}
56518 +
56519 +int
56520 +gr_search_socket(const int domain, const int type, const int protocol)
56521 +{
56522 + struct acl_subject_label *curr;
56523 + const struct cred *cred = current_cred();
56524 +
56525 + if (unlikely(!gr_acl_is_enabled()))
56526 + goto exit;
56527 +
56528 + if ((domain < 0) || (type < 0) || (protocol < 0) ||
56529 + (domain >= AF_MAX) || (type >= SOCK_MAX) || (protocol >= IPPROTO_MAX))
56530 + goto exit; // let the kernel handle it
56531 +
56532 + curr = current->acl;
56533 +
56534 + if (curr->sock_families[domain / 32] & (1 << (domain % 32))) {
56535 + /* the family is allowed, if this is PF_INET allow it only if
56536 + the extra sock type/protocol checks pass */
56537 + if (domain == PF_INET)
56538 + goto inet_check;
56539 + goto exit;
56540 + } else {
56541 + if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
56542 + __u32 fakeip = 0;
56543 + security_learn(GR_IP_LEARN_MSG, current->role->rolename,
56544 + current->role->roletype, cred->uid,
56545 + cred->gid, current->exec_file ?
56546 + gr_to_filename(current->exec_file->f_path.dentry,
56547 + current->exec_file->f_path.mnt) :
56548 + curr->filename, curr->filename,
56549 + &fakeip, domain, 0, 0, GR_SOCK_FAMILY,
56550 + &current->signal->saved_ip);
56551 + goto exit;
56552 + }
56553 + goto exit_fail;
56554 + }
56555 +
56556 +inet_check:
56557 + /* the rest of this checking is for IPv4 only */
56558 + if (!curr->ips)
56559 + goto exit;
56560 +
56561 + if ((curr->ip_type & (1 << type)) &&
56562 + (curr->ip_proto[protocol / 32] & (1 << (protocol % 32))))
56563 + goto exit;
56564 +
56565 + if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
56566 + /* we don't place acls on raw sockets , and sometimes
56567 + dgram/ip sockets are opened for ioctl and not
56568 + bind/connect, so we'll fake a bind learn log */
56569 + if (type == SOCK_RAW || type == SOCK_PACKET) {
56570 + __u32 fakeip = 0;
56571 + security_learn(GR_IP_LEARN_MSG, current->role->rolename,
56572 + current->role->roletype, cred->uid,
56573 + cred->gid, current->exec_file ?
56574 + gr_to_filename(current->exec_file->f_path.dentry,
56575 + current->exec_file->f_path.mnt) :
56576 + curr->filename, curr->filename,
56577 + &fakeip, 0, type,
56578 + protocol, GR_CONNECT, &current->signal->saved_ip);
56579 + } else if ((type == SOCK_DGRAM) && (protocol == IPPROTO_IP)) {
56580 + __u32 fakeip = 0;
56581 + security_learn(GR_IP_LEARN_MSG, current->role->rolename,
56582 + current->role->roletype, cred->uid,
56583 + cred->gid, current->exec_file ?
56584 + gr_to_filename(current->exec_file->f_path.dentry,
56585 + current->exec_file->f_path.mnt) :
56586 + curr->filename, curr->filename,
56587 + &fakeip, 0, type,
56588 + protocol, GR_BIND, &current->signal->saved_ip);
56589 + }
56590 + /* we'll log when they use connect or bind */
56591 + goto exit;
56592 + }
56593 +
56594 +exit_fail:
56595 + if (domain == PF_INET)
56596 + gr_log_str3(GR_DONT_AUDIT, GR_SOCK_MSG, gr_sockfamily_to_name(domain),
56597 + gr_socktype_to_name(type), gr_proto_to_name(protocol));
56598 + else
56599 + gr_log_str2_int(GR_DONT_AUDIT, GR_SOCK_NOINET_MSG, gr_sockfamily_to_name(domain),
56600 + gr_socktype_to_name(type), protocol);
56601 +
56602 + return 0;
56603 +exit:
56604 + return 1;
56605 +}
56606 +
56607 +int check_ip_policy(struct acl_ip_label *ip, __u32 ip_addr, __u16 ip_port, __u8 protocol, const int mode, const int type, __u32 our_addr, __u32 our_netmask)
56608 +{
56609 + if ((ip->mode & mode) &&
56610 + (ip_port >= ip->low) &&
56611 + (ip_port <= ip->high) &&
56612 + ((ntohl(ip_addr) & our_netmask) ==
56613 + (ntohl(our_addr) & our_netmask))
56614 + && (ip->proto[protocol / 32] & (1 << (protocol % 32)))
56615 + && (ip->type & (1 << type))) {
56616 + if (ip->mode & GR_INVERT)
56617 + return 2; // specifically denied
56618 + else
56619 + return 1; // allowed
56620 + }
56621 +
56622 + return 0; // not specifically allowed, may continue parsing
56623 +}
56624 +
56625 +static int
56626 +gr_search_connectbind(const int full_mode, struct sock *sk,
56627 + struct sockaddr_in *addr, const int type)
56628 +{
56629 + char iface[IFNAMSIZ] = {0};
56630 + struct acl_subject_label *curr;
56631 + struct acl_ip_label *ip;
56632 + struct inet_sock *isk;
56633 + struct net_device *dev;
56634 + struct in_device *idev;
56635 + unsigned long i;
56636 + int ret;
56637 + int mode = full_mode & (GR_BIND | GR_CONNECT);
56638 + __u32 ip_addr = 0;
56639 + __u32 our_addr;
56640 + __u32 our_netmask;
56641 + char *p;
56642 + __u16 ip_port = 0;
56643 + const struct cred *cred = current_cred();
56644 +
56645 + if (unlikely(!gr_acl_is_enabled() || sk->sk_family != PF_INET))
56646 + return 0;
56647 +
56648 + curr = current->acl;
56649 + isk = inet_sk(sk);
56650 +
56651 + /* INADDR_ANY overriding for binds, inaddr_any_override is already in network order */
56652 + if ((full_mode & GR_BINDOVERRIDE) && addr->sin_addr.s_addr == htonl(INADDR_ANY) && curr->inaddr_any_override != 0)
56653 + addr->sin_addr.s_addr = curr->inaddr_any_override;
56654 + if ((full_mode & GR_CONNECT) && isk->inet_saddr == htonl(INADDR_ANY) && curr->inaddr_any_override != 0) {
56655 + struct sockaddr_in saddr;
56656 + int err;
56657 +
56658 + saddr.sin_family = AF_INET;
56659 + saddr.sin_addr.s_addr = curr->inaddr_any_override;
56660 + saddr.sin_port = isk->inet_sport;
56661 +
56662 + err = security_socket_bind(sk->sk_socket, (struct sockaddr *)&saddr, sizeof(struct sockaddr_in));
56663 + if (err)
56664 + return err;
56665 +
56666 + err = sk->sk_socket->ops->bind(sk->sk_socket, (struct sockaddr *)&saddr, sizeof(struct sockaddr_in));
56667 + if (err)
56668 + return err;
56669 + }
56670 +
56671 + if (!curr->ips)
56672 + return 0;
56673 +
56674 + ip_addr = addr->sin_addr.s_addr;
56675 + ip_port = ntohs(addr->sin_port);
56676 +
56677 + if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
56678 + security_learn(GR_IP_LEARN_MSG, current->role->rolename,
56679 + current->role->roletype, cred->uid,
56680 + cred->gid, current->exec_file ?
56681 + gr_to_filename(current->exec_file->f_path.dentry,
56682 + current->exec_file->f_path.mnt) :
56683 + curr->filename, curr->filename,
56684 + &ip_addr, ip_port, type,
56685 + sk->sk_protocol, mode, &current->signal->saved_ip);
56686 + return 0;
56687 + }
56688 +
56689 + for (i = 0; i < curr->ip_num; i++) {
56690 + ip = *(curr->ips + i);
56691 + if (ip->iface != NULL) {
56692 + strncpy(iface, ip->iface, IFNAMSIZ - 1);
56693 + p = strchr(iface, ':');
56694 + if (p != NULL)
56695 + *p = '\0';
56696 + dev = dev_get_by_name(sock_net(sk), iface);
56697 + if (dev == NULL)
56698 + continue;
56699 + idev = in_dev_get(dev);
56700 + if (idev == NULL) {
56701 + dev_put(dev);
56702 + continue;
56703 + }
56704 + rcu_read_lock();
56705 + for_ifa(idev) {
56706 + if (!strcmp(ip->iface, ifa->ifa_label)) {
56707 + our_addr = ifa->ifa_address;
56708 + our_netmask = 0xffffffff;
56709 + ret = check_ip_policy(ip, ip_addr, ip_port, sk->sk_protocol, mode, type, our_addr, our_netmask);
56710 + if (ret == 1) {
56711 + rcu_read_unlock();
56712 + in_dev_put(idev);
56713 + dev_put(dev);
56714 + return 0;
56715 + } else if (ret == 2) {
56716 + rcu_read_unlock();
56717 + in_dev_put(idev);
56718 + dev_put(dev);
56719 + goto denied;
56720 + }
56721 + }
56722 + } endfor_ifa(idev);
56723 + rcu_read_unlock();
56724 + in_dev_put(idev);
56725 + dev_put(dev);
56726 + } else {
56727 + our_addr = ip->addr;
56728 + our_netmask = ip->netmask;
56729 + ret = check_ip_policy(ip, ip_addr, ip_port, sk->sk_protocol, mode, type, our_addr, our_netmask);
56730 + if (ret == 1)
56731 + return 0;
56732 + else if (ret == 2)
56733 + goto denied;
56734 + }
56735 + }
56736 +
56737 +denied:
56738 + if (mode == GR_BIND)
56739 + gr_log_int5_str2(GR_DONT_AUDIT, GR_BIND_ACL_MSG, &ip_addr, ip_port, gr_socktype_to_name(type), gr_proto_to_name(sk->sk_protocol));
56740 + else if (mode == GR_CONNECT)
56741 + gr_log_int5_str2(GR_DONT_AUDIT, GR_CONNECT_ACL_MSG, &ip_addr, ip_port, gr_socktype_to_name(type), gr_proto_to_name(sk->sk_protocol));
56742 +
56743 + return -EACCES;
56744 +}
56745 +
56746 +int
56747 +gr_search_connect(struct socket *sock, struct sockaddr_in *addr)
56748 +{
56749 + return gr_search_connectbind(GR_CONNECT | GR_CONNECTOVERRIDE, sock->sk, addr, sock->type);
56750 +}
56751 +
56752 +int
56753 +gr_search_bind(struct socket *sock, struct sockaddr_in *addr)
56754 +{
56755 + return gr_search_connectbind(GR_BIND | GR_BINDOVERRIDE, sock->sk, addr, sock->type);
56756 +}
56757 +
56758 +int gr_search_listen(struct socket *sock)
56759 +{
56760 + struct sock *sk = sock->sk;
56761 + struct sockaddr_in addr;
56762 +
56763 + addr.sin_addr.s_addr = inet_sk(sk)->inet_saddr;
56764 + addr.sin_port = inet_sk(sk)->inet_sport;
56765 +
56766 + return gr_search_connectbind(GR_BIND | GR_CONNECTOVERRIDE, sock->sk, &addr, sock->type);
56767 +}
56768 +
56769 +int gr_search_accept(struct socket *sock)
56770 +{
56771 + struct sock *sk = sock->sk;
56772 + struct sockaddr_in addr;
56773 +
56774 + addr.sin_addr.s_addr = inet_sk(sk)->inet_saddr;
56775 + addr.sin_port = inet_sk(sk)->inet_sport;
56776 +
56777 + return gr_search_connectbind(GR_BIND | GR_CONNECTOVERRIDE, sock->sk, &addr, sock->type);
56778 +}
56779 +
56780 +int
56781 +gr_search_udp_sendmsg(struct sock *sk, struct sockaddr_in *addr)
56782 +{
56783 + if (addr)
56784 + return gr_search_connectbind(GR_CONNECT, sk, addr, SOCK_DGRAM);
56785 + else {
56786 + struct sockaddr_in sin;
56787 + const struct inet_sock *inet = inet_sk(sk);
56788 +
56789 + sin.sin_addr.s_addr = inet->inet_daddr;
56790 + sin.sin_port = inet->inet_dport;
56791 +
56792 + return gr_search_connectbind(GR_CONNECT | GR_CONNECTOVERRIDE, sk, &sin, SOCK_DGRAM);
56793 + }
56794 +}
56795 +
56796 +int
56797 +gr_search_udp_recvmsg(struct sock *sk, const struct sk_buff *skb)
56798 +{
56799 + struct sockaddr_in sin;
56800 +
56801 + if (unlikely(skb->len < sizeof (struct udphdr)))
56802 + return 0; // skip this packet
56803 +
56804 + sin.sin_addr.s_addr = ip_hdr(skb)->saddr;
56805 + sin.sin_port = udp_hdr(skb)->source;
56806 +
56807 + return gr_search_connectbind(GR_CONNECT | GR_CONNECTOVERRIDE, sk, &sin, SOCK_DGRAM);
56808 +}
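Review bot: `GR_CONNECTOVERRIDE` is defined and passed by five call sites, but gr_search_connectbind never tests it: the bind branch checks `full_mode & GR_BINDOVERRIDE`, while the connect branch checks `full_mode & GR_CONNECT`. As written, the plain `GR_CONNECT` call in gr_search_udp_sendmsg still takes the implicit-bind path, and gr_search_listen and gr_search_accept (`GR_BIND | GR_CONNECTOVERRIDE`) never do, which looks like the reverse of what the flag names suggest. If the INADDR_ANY override is meant to be gated by the flag, the condition would read `if ((full_mode & GR_CONNECTOVERRIDE) && isk->inet_saddr == htonl(INADDR_ANY) && curr->inaddr_any_override != 0) {`. Otherwise the flag should be dropped, so the call sites do not imply a check that is not there. Either way, a comment above the two override branches should state which entry points are expected to rebind the socket, since gr_search_udp_recvmsg reaches this code from the receive path too.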
56809 diff -urNp linux-2.6.39.3/grsecurity/gracl_learn.c linux-2.6.39.3/grsecurity/gracl_learn.c
56810 --- linux-2.6.39.3/grsecurity/gracl_learn.c 1969-12-31 19:00:00.000000000 -0500
56811 +++ linux-2.6.39.3/grsecurity/gracl_learn.c 2011-05-22 22:47:45.000000000 -0400
56812 @@ -0,0 +1,210 @@
56813 +#include <linux/kernel.h>
56814 +#include <linux/mm.h>
56815 +#include <linux/sched.h>
56816 +#include <linux/poll.h>
56817 +#include <linux/string.h>
56818 +#include <linux/file.h>
56819 +#include <linux/types.h>
56820 +#include <linux/vmalloc.h>
56821 +#include <linux/grinternal.h>
56822 +
56823 +extern ssize_t write_grsec_handler(struct file * file, const char __user * buf,
56824 + size_t count, loff_t *ppos);
56825 +extern int gr_acl_is_enabled(void);
56826 +
56827 +static DECLARE_WAIT_QUEUE_HEAD(learn_wait);
56828 +static int gr_learn_attached;
56829 +
56830 +/* use a 512k buffer */
56831 +#define LEARN_BUFFER_SIZE (512 * 1024)
56832 +
56833 +static DEFINE_SPINLOCK(gr_learn_lock);
56834 +static DEFINE_MUTEX(gr_learn_user_mutex);
56835 +
56836 +/* we need to maintain two buffers, so that the kernel context of grlearn
56837 + uses a semaphore around the userspace copying, and the other kernel contexts
56838 + use a spinlock when copying into the buffer, since they cannot sleep
56839 +*/
56840 +static char *learn_buffer;
56841 +static char *learn_buffer_user;
56842 +static int learn_buffer_len;
56843 +static int learn_buffer_user_len;
56844 +
56845 +static ssize_t
56846 +read_learn(struct file *file, char __user * buf, size_t count, loff_t * ppos)
56847 +{
56848 + DECLARE_WAITQUEUE(wait, current);
56849 + ssize_t retval = 0;
56850 +
56851 + add_wait_queue(&learn_wait, &wait);
56852 + set_current_state(TASK_INTERRUPTIBLE);
56853 + do {
56854 + mutex_lock(&gr_learn_user_mutex);
56855 + spin_lock(&gr_learn_lock);
56856 + if (learn_buffer_len)
56857 + break;
56858 + spin_unlock(&gr_learn_lock);
56859 + mutex_unlock(&gr_learn_user_mutex);
56860 + if (file->f_flags & O_NONBLOCK) {
56861 + retval = -EAGAIN;
56862 + goto out;
56863 + }
56864 + if (signal_pending(current)) {
56865 + retval = -ERESTARTSYS;
56866 + goto out;
56867 + }
56868 +
56869 + schedule();
56870 + } while (1);
56871 +
56872 + memcpy(learn_buffer_user, learn_buffer, learn_buffer_len);
56873 + learn_buffer_user_len = learn_buffer_len;
56874 + retval = learn_buffer_len;
56875 + learn_buffer_len = 0;
56876 +
56877 + spin_unlock(&gr_learn_lock);
56878 +
56879 + if (copy_to_user(buf, learn_buffer_user, learn_buffer_user_len))
56880 + retval = -EFAULT;
56881 +
56882 + mutex_unlock(&gr_learn_user_mutex);
56883 +out:
56884 + set_current_state(TASK_RUNNING);
56885 + remove_wait_queue(&learn_wait, &wait);
56886 + return retval;
56887 +}
56888 +
56889 +static unsigned int
56890 +poll_learn(struct file * file, poll_table * wait)
56891 +{
56892 + poll_wait(file, &learn_wait, wait);
56893 +
56894 + if (learn_buffer_len)
56895 + return (POLLIN | POLLRDNORM);
56896 +
56897 + return 0;
56898 +}
56899 +
56900 +void
56901 +gr_clear_learn_entries(void)
56902 +{
56903 + char *tmp;
56904 +
56905 + mutex_lock(&gr_learn_user_mutex);
56906 + if (learn_buffer != NULL) {
56907 + spin_lock(&gr_learn_lock);
56908 + tmp = learn_buffer;
56909 + learn_buffer = NULL;
56910 + spin_unlock(&gr_learn_lock);
56911 + vfree(learn_buffer);
56912 + }
56913 + if (learn_buffer_user != NULL) {
56914 + vfree(learn_buffer_user);
56915 + learn_buffer_user = NULL;
56916 + }
56917 + learn_buffer_len = 0;
56918 + mutex_unlock(&gr_learn_user_mutex);
56919 +
56920 + return;
56921 +}
56922 +
56923 +void
56924 +gr_add_learn_entry(const char *fmt, ...)
56925 +{
56926 + va_list args;
56927 + unsigned int len;
56928 +
56929 + if (!gr_learn_attached)
56930 + return;
56931 +
56932 + spin_lock(&gr_learn_lock);
56933 +
56934 + /* leave a gap at the end so we know when it's "full" but don't have to
56935 + compute the exact length of the string we're trying to append
56936 + */
56937 + if (learn_buffer_len > LEARN_BUFFER_SIZE - 16384) {
56938 + spin_unlock(&gr_learn_lock);
56939 + wake_up_interruptible(&learn_wait);
56940 + return;
56941 + }
56942 + if (learn_buffer == NULL) {
56943 + spin_unlock(&gr_learn_lock);
56944 + return;
56945 + }
56946 +
56947 + va_start(args, fmt);
56948 + len = vsnprintf(learn_buffer + learn_buffer_len, LEARN_BUFFER_SIZE - learn_buffer_len, fmt, args);
56949 + va_end(args);
56950 +
56951 + learn_buffer_len += len + 1;
56952 +
56953 + spin_unlock(&gr_learn_lock);
56954 + wake_up_interruptible(&learn_wait);
56955 +
56956 + return;
56957 +}
56958 +
56959 +static int
56960 +open_learn(struct inode *inode, struct file *file)
56961 +{
56962 + if (file->f_mode & FMODE_READ && gr_learn_attached)
56963 + return -EBUSY;
56964 + if (file->f_mode & FMODE_READ) {
56965 + int retval = 0;
56966 + mutex_lock(&gr_learn_user_mutex);
56967 + if (learn_buffer == NULL)
56968 + learn_buffer = vmalloc(LEARN_BUFFER_SIZE);
56969 + if (learn_buffer_user == NULL)
56970 + learn_buffer_user = vmalloc(LEARN_BUFFER_SIZE);
56971 + if (learn_buffer == NULL) {
56972 + retval = -ENOMEM;
56973 + goto out_error;
56974 + }
56975 + if (learn_buffer_user == NULL) {
56976 + retval = -ENOMEM;
56977 + goto out_error;
56978 + }
56979 + learn_buffer_len = 0;
56980 + learn_buffer_user_len = 0;
56981 + gr_learn_attached = 1;
56982 +out_error:
56983 + mutex_unlock(&gr_learn_user_mutex);
56984 + return retval;
56985 + }
56986 + return 0;
56987 +}
56988 +
56989 +static int
56990 +close_learn(struct inode *inode, struct file *file)
56991 +{
56992 + char *tmp;
56993 +
56994 + if (file->f_mode & FMODE_READ) {
56995 + mutex_lock(&gr_learn_user_mutex);
56996 + if (learn_buffer != NULL) {
56997 + spin_lock(&gr_learn_lock);
56998 + tmp = learn_buffer;
56999 + learn_buffer = NULL;
57000 + spin_unlock(&gr_learn_lock);
57001 + vfree(tmp);
57002 + }
57003 + if (learn_buffer_user != NULL) {
57004 + vfree(learn_buffer_user);
57005 + learn_buffer_user = NULL;
57006 + }
57007 + learn_buffer_len = 0;
57008 + learn_buffer_user_len = 0;
57009 + gr_learn_attached = 0;
57010 + mutex_unlock(&gr_learn_user_mutex);
57011 + }
57012 +
57013 + return 0;
57014 +}
57015 +
57016 +const struct file_operations grsec_fops = {
57017 + .read = read_learn,
57018 + .write = write_grsec_handler,
57019 + .open = open_learn,
57020 + .release = close_learn,
57021 + .poll = poll_learn,
57022 +};
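Review bot: read_learn never compares `count` with learn_buffer_len before `copy_to_user(buf, learn_buffer_user, learn_buffer_user_len)`, so a reader that passes a short buffer can have up to LEARN_BUFFER_SIZE bytes written past the length it asked for. Rejecting a too-small `count` while both locks are still held, before the memcpy, is the least invasive fix; supporting partial reads would need an offset into learn_buffer_user. Separately, gr_clear_learn_entries saves the pointer in `tmp`, sets learn_buffer to NULL and then calls `vfree(learn_buffer)`, which frees nothing and leaks the buffer; it should be `vfree(tmp);` as close_learn already does.

```c
	/* … unchanged: wait loop, left with gr_learn_user_mutex and gr_learn_lock held … */

	/* never hand back more than the caller's buffer can take */
	if (count < (size_t)learn_buffer_len) {
		spin_unlock(&gr_learn_lock);
		mutex_unlock(&gr_learn_user_mutex);
		retval = -EINVAL;
		goto out;
	}

	memcpy(learn_buffer_user, learn_buffer, learn_buffer_len);
	/* … unchanged: length bookkeeping, copy_to_user, mutex_unlock, out: label … */
```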
57023 diff -urNp linux-2.6.39.3/grsecurity/gracl_res.c linux-2.6.39.3/grsecurity/gracl_res.c
57024 --- linux-2.6.39.3/grsecurity/gracl_res.c 1969-12-31 19:00:00.000000000 -0500
57025 +++ linux-2.6.39.3/grsecurity/gracl_res.c 2011-05-22 19:41:42.000000000 -0400
57026 @@ -0,0 +1,68 @@
57027 +#include <linux/kernel.h>
57028 +#include <linux/sched.h>
57029 +#include <linux/gracl.h>
57030 +#include <linux/grinternal.h>
57031 +
57032 +static const char *restab_log[] = {
57033 + [RLIMIT_CPU] = "RLIMIT_CPU",
57034 + [RLIMIT_FSIZE] = "RLIMIT_FSIZE",
57035 + [RLIMIT_DATA] = "RLIMIT_DATA",
57036 + [RLIMIT_STACK] = "RLIMIT_STACK",
57037 + [RLIMIT_CORE] = "RLIMIT_CORE",
57038 + [RLIMIT_RSS] = "RLIMIT_RSS",
57039 + [RLIMIT_NPROC] = "RLIMIT_NPROC",
57040 + [RLIMIT_NOFILE] = "RLIMIT_NOFILE",
57041 + [RLIMIT_MEMLOCK] = "RLIMIT_MEMLOCK",
57042 + [RLIMIT_AS] = "RLIMIT_AS",
57043 + [RLIMIT_LOCKS] = "RLIMIT_LOCKS",
57044 + [RLIMIT_SIGPENDING] = "RLIMIT_SIGPENDING",
57045 + [RLIMIT_MSGQUEUE] = "RLIMIT_MSGQUEUE",
57046 + [RLIMIT_NICE] = "RLIMIT_NICE",
57047 + [RLIMIT_RTPRIO] = "RLIMIT_RTPRIO",
57048 + [RLIMIT_RTTIME] = "RLIMIT_RTTIME",
57049 + [GR_CRASH_RES] = "RLIMIT_CRASH"
57050 +};
57051 +
57052 +void
57053 +gr_log_resource(const struct task_struct *task,
57054 + const int res, const unsigned long wanted, const int gt)
57055 +{
57056 + const struct cred *cred;
57057 + unsigned long rlim;
57058 +
57059 + if (!gr_acl_is_enabled() && !grsec_resource_logging)
57060 + return;
57061 +
57062 + // not yet supported resource
57063 + if (unlikely(!restab_log[res]))
57064 + return;
57065 +
57066 + if (res == RLIMIT_CPU || res == RLIMIT_RTTIME)
57067 + rlim = task_rlimit_max(task, res);
57068 + else
57069 + rlim = task_rlimit(task, res);
57070 +
57071 + if (likely((rlim == RLIM_INFINITY) || (gt && wanted <= rlim) || (!gt && wanted < rlim)))
57072 + return;
57073 +
57074 + rcu_read_lock();
57075 + cred = __task_cred(task);
57076 +
57077 + if (res == RLIMIT_NPROC &&
57078 + (cap_raised(cred->cap_effective, CAP_SYS_ADMIN) ||
57079 + cap_raised(cred->cap_effective, CAP_SYS_RESOURCE)))
57080 + goto out_rcu_unlock;
57081 + else if (res == RLIMIT_MEMLOCK &&
57082 + cap_raised(cred->cap_effective, CAP_IPC_LOCK))
57083 + goto out_rcu_unlock;
57084 + else if (res == RLIMIT_NICE && cap_raised(cred->cap_effective, CAP_SYS_NICE))
57085 + goto out_rcu_unlock;
57086 + rcu_read_unlock();
57087 +
57088 + gr_log_res_ulong2_str(GR_DONT_AUDIT, GR_RESOURCE_MSG, task, wanted, restab_log[res], rlim);
57089 +
57090 + return;
57091 +out_rcu_unlock:
57092 + rcu_read_unlock();
57093 + return;
57094 +}
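Review bot: `restab_log[res]` in gr_log_resource is read with `res` unchecked, so the NULL test only catches gaps inside the table and an out-of-range resource number reads past its end. The callers are not visible in this hunk; if they only ever pass RLIMIT_* constants and GR_CRASH_RES, this is purely defensive, but the guard is cheap: `if (unlikely(res < 0 || res >= (int)ARRAY_SIZE(restab_log) || !restab_log[res]))`. The same `res` is then handed to task_rlimit()/task_rlimit_max(), so rejecting it here also protects those lookups.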
57095 diff -urNp linux-2.6.39.3/grsecurity/gracl_segv.c linux-2.6.39.3/grsecurity/gracl_segv.c
57096 --- linux-2.6.39.3/grsecurity/gracl_segv.c 1969-12-31 19:00:00.000000000 -0500
57097 +++ linux-2.6.39.3/grsecurity/gracl_segv.c 2011-05-22 22:47:39.000000000 -0400
57098 @@ -0,0 +1,299 @@
57099 +#include <linux/kernel.h>
57100 +#include <linux/mm.h>
57101 +#include <asm/uaccess.h>
57102 +#include <asm/errno.h>
57103 +#include <asm/mman.h>
57104 +#include <net/sock.h>
57105 +#include <linux/file.h>
57106 +#include <linux/fs.h>
57107 +#include <linux/net.h>
57108 +#include <linux/in.h>
57109 +#include <linux/slab.h>
57110 +#include <linux/types.h>
57111 +#include <linux/sched.h>
57112 +#include <linux/timer.h>
57113 +#include <linux/gracl.h>
57114 +#include <linux/grsecurity.h>
57115 +#include <linux/grinternal.h>
57116 +
57117 +static struct crash_uid *uid_set;
57118 +static unsigned short uid_used;
57119 +static DEFINE_SPINLOCK(gr_uid_lock);
57120 +extern rwlock_t gr_inode_lock;
57121 +extern struct acl_subject_label *
57122 + lookup_acl_subj_label(const ino_t inode, const dev_t dev,
57123 + struct acl_role_label *role);
57124 +
57125 +#ifdef CONFIG_BTRFS_FS
57126 +extern dev_t get_btrfs_dev_from_inode(struct inode *inode);
57127 +extern int btrfs_getattr(struct vfsmount *mnt, struct dentry *dentry, struct kstat *stat);
57128 +#endif
57129 +
57130 +static inline dev_t __get_dev(const struct dentry *dentry)
57131 +{
57132 +#ifdef CONFIG_BTRFS_FS
57133 + if (dentry->d_inode->i_op && dentry->d_inode->i_op->getattr == &btrfs_getattr)
57134 + return get_btrfs_dev_from_inode(dentry->d_inode);
57135 + else
57136 +#endif
57137 + return dentry->d_inode->i_sb->s_dev;
57138 +}
57139 +
57140 +int
57141 +gr_init_uidset(void)
57142 +{
57143 + uid_set =
57144 + kmalloc(GR_UIDTABLE_MAX * sizeof (struct crash_uid), GFP_KERNEL);
57145 + uid_used = 0;
57146 +
57147 + return uid_set ? 1 : 0;
57148 +}
57149 +
57150 +void
57151 +gr_free_uidset(void)
57152 +{
57153 + if (uid_set)
57154 + kfree(uid_set);
57155 +
57156 + return;
57157 +}
57158 +
57159 +int
57160 +gr_find_uid(const uid_t uid)
57161 +{
57162 + struct crash_uid *tmp = uid_set;
57163 + uid_t buid;
57164 + int low = 0, high = uid_used - 1, mid;
57165 +
57166 + while (high >= low) {
57167 + mid = (low + high) >> 1;
57168 + buid = tmp[mid].uid;
57169 + if (buid == uid)
57170 + return mid;
57171 + if (buid > uid)
57172 + high = mid - 1;
57173 + if (buid < uid)
57174 + low = mid + 1;
57175 + }
57176 +
57177 + return -1;
57178 +}
57179 +
57180 +static __inline__ void
57181 +gr_insertsort(void)
57182 +{
57183 + unsigned short i, j;
57184 + struct crash_uid index;
57185 +
57186 + for (i = 1; i < uid_used; i++) {
57187 + index = uid_set[i];
57188 + j = i;
57189 + while ((j > 0) && uid_set[j - 1].uid > index.uid) {
57190 + uid_set[j] = uid_set[j - 1];
57191 + j--;
57192 + }
57193 + uid_set[j] = index;
57194 + }
57195 +
57196 + return;
57197 +}
57198 +
57199 +static __inline__ void
57200 +gr_insert_uid(const uid_t uid, const unsigned long expires)
57201 +{
57202 + int loc;
57203 +
57204 + if (uid_used == GR_UIDTABLE_MAX)
57205 + return;
57206 +
57207 + loc = gr_find_uid(uid);
57208 +
57209 + if (loc >= 0) {
57210 + uid_set[loc].expires = expires;
57211 + return;
57212 + }
57213 +
57214 + uid_set[uid_used].uid = uid;
57215 + uid_set[uid_used].expires = expires;
57216 + uid_used++;
57217 +
57218 + gr_insertsort();
57219 +
57220 + return;
57221 +}
57222 +
57223 +void
57224 +gr_remove_uid(const unsigned short loc)
57225 +{
57226 + unsigned short i;
57227 +
57228 + for (i = loc + 1; i < uid_used; i++)
57229 + uid_set[i - 1] = uid_set[i];
57230 +
57231 + uid_used--;
57232 +
57233 + return;
57234 +}
57235 +
57236 +int
57237 +gr_check_crash_uid(const uid_t uid)
57238 +{
57239 + int loc;
57240 + int ret = 0;
57241 +
57242 + if (unlikely(!gr_acl_is_enabled()))
57243 + return 0;
57244 +
57245 + spin_lock(&gr_uid_lock);
57246 + loc = gr_find_uid(uid);
57247 +
57248 + if (loc < 0)
57249 + goto out_unlock;
57250 +
57251 + if (time_before_eq(uid_set[loc].expires, get_seconds()))
57252 + gr_remove_uid(loc);
57253 + else
57254 + ret = 1;
57255 +
57256 +out_unlock:
57257 + spin_unlock(&gr_uid_lock);
57258 + return ret;
57259 +}
57260 +
57261 +static __inline__ int
57262 +proc_is_setxid(const struct cred *cred)
57263 +{
57264 + if (cred->uid != cred->euid || cred->uid != cred->suid ||
57265 + cred->uid != cred->fsuid)
57266 + return 1;
57267 + if (cred->gid != cred->egid || cred->gid != cred->sgid ||
57268 + cred->gid != cred->fsgid)
57269 + return 1;
57270 +
57271 + return 0;
57272 +}
57273 +
57274 +extern int gr_fake_force_sig(int sig, struct task_struct *t);
57275 +
57276 +void
57277 +gr_handle_crash(struct task_struct *task, const int sig)
57278 +{
57279 + struct acl_subject_label *curr;
57280 + struct acl_subject_label *curr2;
57281 + struct task_struct *tsk, *tsk2;
57282 + const struct cred *cred;
57283 + const struct cred *cred2;
57284 +
57285 + if (sig != SIGSEGV && sig != SIGKILL && sig != SIGBUS && sig != SIGILL)
57286 + return;
57287 +
57288 + if (unlikely(!gr_acl_is_enabled()))
57289 + return;
57290 +
57291 + curr = task->acl;
57292 +
57293 + if (!(curr->resmask & (1 << GR_CRASH_RES)))
57294 + return;
57295 +
57296 + if (time_before_eq(curr->expires, get_seconds())) {
57297 + curr->expires = 0;
57298 + curr->crashes = 0;
57299 + }
57300 +
57301 + curr->crashes++;
57302 +
57303 + if (!curr->expires)
57304 + curr->expires = get_seconds() + curr->res[GR_CRASH_RES].rlim_max;
57305 +
57306 + if ((curr->crashes >= curr->res[GR_CRASH_RES].rlim_cur) &&
57307 + time_after(curr->expires, get_seconds())) {
57308 + rcu_read_lock();
57309 + cred = __task_cred(task);
57310 + if (cred->uid && proc_is_setxid(cred)) {
57311 + gr_log_crash1(GR_DONT_AUDIT, GR_SEGVSTART_ACL_MSG, task, curr->res[GR_CRASH_RES].rlim_max);
57312 + spin_lock(&gr_uid_lock);
57313 + gr_insert_uid(cred->uid, curr->expires);
57314 + spin_unlock(&gr_uid_lock);
57315 + curr->expires = 0;
57316 + curr->crashes = 0;
57317 + read_lock(&tasklist_lock);
57318 + do_each_thread(tsk2, tsk) {
57319 + cred2 = __task_cred(tsk);
57320 + if (tsk != task && cred2->uid == cred->uid)
57321 + gr_fake_force_sig(SIGKILL, tsk);
57322 + } while_each_thread(tsk2, tsk);
57323 + read_unlock(&tasklist_lock);
57324 + } else {
57325 + gr_log_crash2(GR_DONT_AUDIT, GR_SEGVNOSUID_ACL_MSG, task, curr->res[GR_CRASH_RES].rlim_max);
57326 + read_lock(&tasklist_lock);
57327 + do_each_thread(tsk2, tsk) {
57328 + if (likely(tsk != task)) {
57329 + curr2 = tsk->acl;
57330 +
57331 + if (curr2->device == curr->device &&
57332 + curr2->inode == curr->inode)
57333 + gr_fake_force_sig(SIGKILL, tsk);
57334 + }
57335 + } while_each_thread(tsk2, tsk);
57336 + read_unlock(&tasklist_lock);
57337 + }
57338 + rcu_read_unlock();
57339 + }
57340 +
57341 + return;
57342 +}
57343 +
57344 +int
57345 +gr_check_crash_exec(const struct file *filp)
57346 +{
57347 + struct acl_subject_label *curr;
57348 +
57349 + if (unlikely(!gr_acl_is_enabled()))
57350 + return 0;
57351 +
57352 + read_lock(&gr_inode_lock);
57353 + curr = lookup_acl_subj_label(filp->f_path.dentry->d_inode->i_ino,
57354 + __get_dev(filp->f_path.dentry),
57355 + current->role);
57356 + read_unlock(&gr_inode_lock);
57357 +
57358 + if (!curr || !(curr->resmask & (1 << GR_CRASH_RES)) ||
57359 + (!curr->crashes && !curr->expires))
57360 + return 0;
57361 +
57362 + if ((curr->crashes >= curr->res[GR_CRASH_RES].rlim_cur) &&
57363 + time_after(curr->expires, get_seconds()))
57364 + return 1;
57365 + else if (time_before_eq(curr->expires, get_seconds())) {
57366 + curr->crashes = 0;
57367 + curr->expires = 0;
57368 + }
57369 +
57370 + return 0;
57371 +}
57372 +
57373 +void
57374 +gr_handle_alertkill(struct task_struct *task)
57375 +{
57376 + struct acl_subject_label *curracl;
57377 + __u32 curr_ip;
57378 + struct task_struct *p, *p2;
57379 +
57380 + if (unlikely(!gr_acl_is_enabled()))
57381 + return;
57382 +
57383 + curracl = task->acl;
57384 + curr_ip = task->signal->curr_ip;
57385 +
57386 + if ((curracl->mode & GR_KILLIPPROC) && curr_ip) {
57387 + read_lock(&tasklist_lock);
57388 + do_each_thread(p2, p) {
57389 + if (p->signal->curr_ip == curr_ip)
57390 + gr_fake_force_sig(SIGKILL, p);
57391 + } while_each_thread(p2, p);
57392 + read_unlock(&tasklist_lock);
57393 + } else if (curracl->mode & GR_KILLPROC)
57394 + gr_fake_force_sig(SIGKILL, task);
57395 +
57396 + return;
57397 +}
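Review bot: In gr_insert_uid the `uid_used == GR_UIDTABLE_MAX` early return sits before the gr_find_uid lookup, so once the table is full even a uid that already has an entry no longer gets its `expires` refreshed. A new ban is also dropped silently, although gr_handle_crash has already logged GR_SEGVSTART_ACL_MSG for it. Moving the check below the `if (loc >= 0) { … }` block, as `if (uid_used == GR_UIDTABLE_MAX) return;`, fixes the refresh case. For the drop case, expired entries are only removed in gr_check_crash_uid for the uid being looked up, so the table can stay full of stale bans; a log line on the drop path, or a sweep of expired slots before giving up, would make the lockout's real state visible to whoever reads the audit log.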
57398 diff -urNp linux-2.6.39.3/grsecurity/gracl_shm.c linux-2.6.39.3/grsecurity/gracl_shm.c
57399 --- linux-2.6.39.3/grsecurity/gracl_shm.c 1969-12-31 19:00:00.000000000 -0500
57400 +++ linux-2.6.39.3/grsecurity/gracl_shm.c 2011-05-22 19:41:42.000000000 -0400
57401 @@ -0,0 +1,40 @@
57402 +#include <linux/kernel.h>
57403 +#include <linux/mm.h>
57404 +#include <linux/sched.h>
57405 +#include <linux/file.h>
57406 +#include <linux/ipc.h>
57407 +#include <linux/gracl.h>
57408 +#include <linux/grsecurity.h>
57409 +#include <linux/grinternal.h>
57410 +
57411 +int
57412 +gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
57413 + const time_t shm_createtime, const uid_t cuid, const int shmid)
57414 +{
57415 + struct task_struct *task;
57416 +
57417 + if (!gr_acl_is_enabled())
57418 + return 1;
57419 +
57420 + rcu_read_lock();
57421 + read_lock(&tasklist_lock);
57422 +
57423 + task = find_task_by_vpid(shm_cprid);
57424 +
57425 + if (unlikely(!task))
57426 + task = find_task_by_vpid(shm_lapid);
57427 +
57428 + if (unlikely(task && (time_before_eq((unsigned long)task->start_time.tv_sec, (unsigned long)shm_createtime) ||
57429 + (task->pid == shm_lapid)) &&
57430 + (task->acl->mode & GR_PROTSHM) &&
57431 + (task->acl != current->acl))) {
57432 + read_unlock(&tasklist_lock);
57433 + rcu_read_unlock();
57434 + gr_log_int3(GR_DONT_AUDIT, GR_SHMAT_ACL_MSG, cuid, shm_cprid, shmid);
57435 + return 0;
57436 + }
57437 + read_unlock(&tasklist_lock);
57438 + rcu_read_unlock();
57439 +
57440 + return 1;
57441 +}
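Review bot: gr_handle_shmat() has no comment stating its return convention, and the convention is the opposite of the -EPERM/0 style used by the gr_handle_chroot_* hooks added later in this patch. From the body, 1 means the attach is allowed and 0 means it is denied and logged with GR_SHMAT_ACL_MSG. The start_time versus shm_createtime test looks like a guard against the creator pid having been reused by a later process; because it compares whole seconds, a task started in the same second as the segment still passes. I would add above the function: `/* Returns 1 to allow shmat, 0 to deny. Denies when the segment's creator (or, if it is gone, the pid in shm_lapid) runs under a GR_PROTSHM subject other than current's. */`.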
57442 diff -urNp linux-2.6.39.3/grsecurity/grsec_chdir.c linux-2.6.39.3/grsecurity/grsec_chdir.c
57443 --- linux-2.6.39.3/grsecurity/grsec_chdir.c 1969-12-31 19:00:00.000000000 -0500
57444 +++ linux-2.6.39.3/grsecurity/grsec_chdir.c 2011-05-22 19:41:42.000000000 -0400
57445 @@ -0,0 +1,19 @@
57446 +#include <linux/kernel.h>
57447 +#include <linux/sched.h>
57448 +#include <linux/fs.h>
57449 +#include <linux/file.h>
57450 +#include <linux/grsecurity.h>
57451 +#include <linux/grinternal.h>
57452 +
57453 +void
57454 +gr_log_chdir(const struct dentry *dentry, const struct vfsmount *mnt)
57455 +{
57456 +#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
57457 + if ((grsec_enable_chdir && grsec_enable_group &&
57458 + in_group_p(grsec_audit_gid)) || (grsec_enable_chdir &&
57459 + !grsec_enable_group)) {
57460 + gr_log_fs_generic(GR_DO_AUDIT, GR_CHDIR_AUDIT_MSG, dentry, mnt);
57461 + }
57462 +#endif
57463 + return;
57464 +}
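Review bot: The audit condition in gr_log_chdir() tests grsec_enable_chdir in both arms of the `||`, which makes a simple rule (log if enabled, and if group auditing is on only for members of the audit group) harder to read than it needs to be. The equivalent form is `if (grsec_enable_chdir && (!grsec_enable_group || in_group_p(grsec_audit_gid)))`, which still calls in_group_p() only when grsec_enable_group is set. The same doubled pattern appears in gr_handle_exec_args() and gr_handle_exec_args_compat() in grsec_exec.c. The trailing `return;` in this void function is redundant.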
57465 diff -urNp linux-2.6.39.3/grsecurity/grsec_chroot.c linux-2.6.39.3/grsecurity/grsec_chroot.c
57466 --- linux-2.6.39.3/grsecurity/grsec_chroot.c 1969-12-31 19:00:00.000000000 -0500
57467 +++ linux-2.6.39.3/grsecurity/grsec_chroot.c 2011-06-20 19:44:48.000000000 -0400
57468 @@ -0,0 +1,355 @@
57469 +#include <linux/kernel.h>
57470 +#include <linux/module.h>
57471 +#include <linux/sched.h>
57472 +#include <linux/file.h>
57473 +#include <linux/fs.h>
57474 +#include <linux/mount.h>
57475 +#include <linux/types.h>
57476 +#include <linux/pid_namespace.h>
57477 +#include <linux/grsecurity.h>
57478 +#include <linux/grinternal.h>
57479 +
57480 +void gr_set_chroot_entries(struct task_struct *task, struct path *path)
57481 +{
57482 +#ifdef CONFIG_GRKERNSEC
57483 + if (task->pid > 1 && path->dentry != init_task.fs->root.dentry &&
57484 + path->dentry != task->nsproxy->mnt_ns->root->mnt_root)
57485 + task->gr_is_chrooted = 1;
57486 + else
57487 + task->gr_is_chrooted = 0;
57488 +
57489 + task->gr_chroot_dentry = path->dentry;
57490 +#endif
57491 + return;
57492 +}
57493 +
57494 +void gr_clear_chroot_entries(struct task_struct *task)
57495 +{
57496 +#ifdef CONFIG_GRKERNSEC
57497 + task->gr_is_chrooted = 0;
57498 + task->gr_chroot_dentry = NULL;
57499 +#endif
57500 + return;
57501 +}
57502 +
57503 +int
57504 +gr_handle_chroot_unix(struct pid *pid)
57505 +{
57506 +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
57507 + struct task_struct *p;
57508 +
57509 + if (unlikely(!grsec_enable_chroot_unix))
57510 + return 1;
57511 +
57512 + if (likely(!proc_is_chrooted(current)))
57513 + return 1;
57514 +
57515 + rcu_read_lock();
57516 + read_lock(&tasklist_lock);
57517 + p = pid_task(pid, PIDTYPE_PID);
57518 + if (unlikely(p && !have_same_root(current, p))) {
57519 + read_unlock(&tasklist_lock);
57520 + rcu_read_unlock();
57521 + gr_log_noargs(GR_DONT_AUDIT, GR_UNIX_CHROOT_MSG);
57522 + return 0;
57523 + }
57524 + read_unlock(&tasklist_lock);
57525 + rcu_read_unlock();
57526 +#endif
57527 + return 1;
57528 +}
57529 +
57530 +int
57531 +gr_handle_chroot_nice(void)
57532 +{
57533 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
57534 + if (grsec_enable_chroot_nice && proc_is_chrooted(current)) {
57535 + gr_log_noargs(GR_DONT_AUDIT, GR_NICE_CHROOT_MSG);
57536 + return -EPERM;
57537 + }
57538 +#endif
57539 + return 0;
57540 +}
57541 +
57542 +int
57543 +gr_handle_chroot_setpriority(struct task_struct *p, const int niceval)
57544 +{
57545 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
57546 + if (grsec_enable_chroot_nice && (niceval < task_nice(p))
57547 + && proc_is_chrooted(current)) {
57548 + gr_log_str_int(GR_DONT_AUDIT, GR_PRIORITY_CHROOT_MSG, p->comm, p->pid);
57549 + return -EACCES;
57550 + }
57551 +#endif
57552 + return 0;
57553 +}
57554 +
57555 +int
57556 +gr_handle_chroot_rawio(const struct inode *inode)
57557 +{
57558 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
57559 + if (grsec_enable_chroot_caps && proc_is_chrooted(current) &&
57560 + inode && S_ISBLK(inode->i_mode) && !capable(CAP_SYS_RAWIO))
57561 + return 1;
57562 +#endif
57563 + return 0;
57564 +}
57565 +
57566 +int
57567 +gr_handle_chroot_fowner(struct pid *pid, enum pid_type type)
57568 +{
57569 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
57570 + struct task_struct *p;
57571 + int ret = 0;
57572 + if (!grsec_enable_chroot_findtask || !proc_is_chrooted(current) || !pid)
57573 + return ret;
57574 +
57575 + read_lock(&tasklist_lock);
57576 + do_each_pid_task(pid, type, p) {
57577 + if (!have_same_root(current, p)) {
57578 + ret = 1;
57579 + goto out;
57580 + }
57581 + } while_each_pid_task(pid, type, p);
57582 +out:
57583 + read_unlock(&tasklist_lock);
57584 + return ret;
57585 +#endif
57586 + return 0;
57587 +}
57588 +
57589 +int
57590 +gr_pid_is_chrooted(struct task_struct *p)
57591 +{
57592 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
57593 + if (!grsec_enable_chroot_findtask || !proc_is_chrooted(current) || p == NULL)
57594 + return 0;
57595 +
57596 + if ((p->exit_state & (EXIT_ZOMBIE | EXIT_DEAD)) ||
57597 + !have_same_root(current, p)) {
57598 + return 1;
57599 + }
57600 +#endif
57601 + return 0;
57602 +}
57603 +
57604 +EXPORT_SYMBOL(gr_pid_is_chrooted);
57605 +
57606 +#if defined(CONFIG_GRKERNSEC_CHROOT_DOUBLE) || defined(CONFIG_GRKERNSEC_CHROOT_FCHDIR)
57607 +int gr_is_outside_chroot(const struct dentry *u_dentry, const struct vfsmount *u_mnt)
57608 +{
57609 + struct path path, currentroot;
57610 + int ret = 0;
57611 +
57612 + path.dentry = (struct dentry *)u_dentry;
57613 + path.mnt = (struct vfsmount *)u_mnt;
57614 + get_fs_root(current->fs, &currentroot);
57615 + if (path_is_under(&path, &currentroot))
57616 + ret = 1;
57617 + path_put(&currentroot);
57618 +
57619 + return ret;
57620 +}
57621 +#endif
57622 +
57623 +int
57624 +gr_chroot_fchdir(struct dentry *u_dentry, struct vfsmount *u_mnt)
57625 +{
57626 +#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
57627 + if (!grsec_enable_chroot_fchdir)
57628 + return 1;
57629 +
57630 + if (!proc_is_chrooted(current))
57631 + return 1;
57632 + else if (!gr_is_outside_chroot(u_dentry, u_mnt)) {
57633 + gr_log_fs_generic(GR_DONT_AUDIT, GR_CHROOT_FCHDIR_MSG, u_dentry, u_mnt);
57634 + return 0;
57635 + }
57636 +#endif
57637 + return 1;
57638 +}
57639 +
57640 +int
57641 +gr_chroot_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
57642 + const time_t shm_createtime)
57643 +{
57644 +#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
57645 + struct pid *pid = NULL;
57646 + time_t starttime;
57647 +
57648 + if (unlikely(!grsec_enable_chroot_shmat))
57649 + return 1;
57650 +
57651 + if (likely(!proc_is_chrooted(current)))
57652 + return 1;
57653 +
57654 + rcu_read_lock();
57655 + read_lock(&tasklist_lock);
57656 +
57657 + pid = find_vpid(shm_cprid);
57658 + if (pid) {
57659 + struct task_struct *p;
57660 + p = pid_task(pid, PIDTYPE_PID);
57661 + if (p == NULL)
57662 + goto unlock;
57663 + starttime = p->start_time.tv_sec;
57664 + if (unlikely(!have_same_root(current, p) &&
57665 + time_before_eq((unsigned long)starttime, (unsigned long)shm_createtime))) {
57666 + read_unlock(&tasklist_lock);
57667 + rcu_read_unlock();
57668 + gr_log_noargs(GR_DONT_AUDIT, GR_SHMAT_CHROOT_MSG);
57669 + return 0;
57670 + }
57671 + } else {
57672 + pid = find_vpid(shm_lapid);
57673 + if (pid) {
57674 + struct task_struct *p;
57675 + p = pid_task(pid, PIDTYPE_PID);
57676 + if (p == NULL)
57677 + goto unlock;
57678 + if (unlikely(!have_same_root(current, p))) {
57679 + read_unlock(&tasklist_lock);
57680 + rcu_read_unlock();
57681 + gr_log_noargs(GR_DONT_AUDIT, GR_SHMAT_CHROOT_MSG);
57682 + return 0;
57683 + }
57684 + }
57685 + }
57686 +unlock:
57687 + read_unlock(&tasklist_lock);
57688 + rcu_read_unlock();
57689 +#endif
57690 + return 1;
57691 +}
57692 +
57693 +void
57694 +gr_log_chroot_exec(const struct dentry *dentry, const struct vfsmount *mnt)
57695 +{
57696 +#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
57697 + if (grsec_enable_chroot_execlog && proc_is_chrooted(current))
57698 + gr_log_fs_generic(GR_DO_AUDIT, GR_EXEC_CHROOT_MSG, dentry, mnt);
57699 +#endif
57700 + return;
57701 +}
57702 +
57703 +int
57704 +gr_handle_chroot_mknod(const struct dentry *dentry,
57705 + const struct vfsmount *mnt, const int mode)
57706 +{
57707 +#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
57708 + if (grsec_enable_chroot_mknod && !S_ISFIFO(mode) && !S_ISREG(mode) &&
57709 + proc_is_chrooted(current)) {
57710 + gr_log_fs_generic(GR_DONT_AUDIT, GR_MKNOD_CHROOT_MSG, dentry, mnt);
57711 + return -EPERM;
57712 + }
57713 +#endif
57714 + return 0;
57715 +}
57716 +
57717 +int
57718 +gr_handle_chroot_mount(const struct dentry *dentry,
57719 + const struct vfsmount *mnt, const char *dev_name)
57720 +{
57721 +#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
57722 + if (grsec_enable_chroot_mount && proc_is_chrooted(current)) {
57723 + gr_log_str_fs(GR_DONT_AUDIT, GR_MOUNT_CHROOT_MSG, dev_name ? dev_name : "none", dentry, mnt);
57724 + return -EPERM;
57725 + }
57726 +#endif
57727 + return 0;
57728 +}
57729 +
57730 +int
57731 +gr_handle_chroot_pivot(void)
57732 +{
57733 +#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
57734 + if (grsec_enable_chroot_pivot && proc_is_chrooted(current)) {
57735 + gr_log_noargs(GR_DONT_AUDIT, GR_PIVOT_CHROOT_MSG);
57736 + return -EPERM;
57737 + }
57738 +#endif
57739 + return 0;
57740 +}
57741 +
57742 +int
57743 +gr_handle_chroot_chroot(const struct dentry *dentry, const struct vfsmount *mnt)
57744 +{
57745 +#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
57746 + if (grsec_enable_chroot_double && proc_is_chrooted(current) &&
57747 + !gr_is_outside_chroot(dentry, mnt)) {
57748 + gr_log_fs_generic(GR_DONT_AUDIT, GR_CHROOT_CHROOT_MSG, dentry, mnt);
57749 + return -EPERM;
57750 + }
57751 +#endif
57752 + return 0;
57753 +}
57754 +
57755 +int
57756 +gr_handle_chroot_caps(struct path *path)
57757 +{
57758 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
57759 + if (grsec_enable_chroot_caps && current->pid > 1 && current->fs != NULL &&
57760 + (init_task.fs->root.dentry != path->dentry) &&
57761 + (current->nsproxy->mnt_ns->root->mnt_root != path->dentry)) {
57762 +
57763 + kernel_cap_t chroot_caps = GR_CHROOT_CAPS;
57764 + const struct cred *old = current_cred();
57765 + struct cred *new = prepare_creds();
57766 + if (new == NULL)
57767 + return 1;
57768 +
57769 + new->cap_permitted = cap_drop(old->cap_permitted,
57770 + chroot_caps);
57771 + new->cap_inheritable = cap_drop(old->cap_inheritable,
57772 + chroot_caps);
57773 + new->cap_effective = cap_drop(old->cap_effective,
57774 + chroot_caps);
57775 +
57776 + commit_creds(new);
57777 +
57778 + return 0;
57779 + }
57780 +#endif
57781 + return 0;
57782 +}
57783 +
57784 +int
57785 +gr_handle_chroot_sysctl(const int op)
57786 +{
57787 +#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
57788 + if (grsec_enable_chroot_sysctl && (op & MAY_WRITE) &&
57789 + proc_is_chrooted(current))
57790 + return -EACCES;
57791 +#endif
57792 + return 0;
57793 +}
57794 +
57795 +void
57796 +gr_handle_chroot_chdir(struct path *path)
57797 +{
57798 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
57799 + if (grsec_enable_chroot_chdir)
57800 + set_fs_pwd(current->fs, path);
57801 +#endif
57802 + return;
57803 +}
57804 +
57805 +int
57806 +gr_handle_chroot_chmod(const struct dentry *dentry,
57807 + const struct vfsmount *mnt, const int mode)
57808 +{
57809 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
57810 + /* allow chmod +s on directories, but not files */
57811 + if (grsec_enable_chroot_chmod && !S_ISDIR(dentry->d_inode->i_mode) &&
57812 + ((mode & S_ISUID) || ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP))) &&
57813 + proc_is_chrooted(current)) {
57814 + gr_log_fs_generic(GR_DONT_AUDIT, GR_CHMOD_CHROOT_MSG, dentry, mnt);
57815 + return -EPERM;
57816 + }
57817 +#endif
57818 + return 0;
57819 +}
57820 +
57821 +#ifdef CONFIG_SECURITY
57822 +EXPORT_SYMBOL(gr_handle_chroot_caps);
57823 +#endif
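Review bot: The hooks in grsec_chroot.c signal the restricted case in three different ways and none carries a comment saying which: gr_handle_chroot_unix(), gr_chroot_fchdir() and gr_chroot_shmat() return 0 to deny and 1 to allow, gr_handle_chroot_rawio(), gr_handle_chroot_fowner() and gr_pid_is_chrooted() return 1 for the restricted case, and the remaining gr_handle_chroot_* functions return -EPERM or -EACCES. A call site that assumes the wrong sense silently disables the restriction, so each function should get a one-line comment such as `/* returns 1 if allowed, 0 if denied */`. The same applies to gr_is_outside_chroot(), which returns 1 when path_is_under() reports the path below current's root, so its name reads inverted and both callers negate it; `/* returns 1 when the path is under current's root, i.e. still inside the chroot */` would make that explicit. gr_handle_chroot_caps() returns 1 only when prepare_creds() fails, and the caller, which is not in this hunk, has to treat that as a failed chroot for the capability drop to be dependable.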
57824 diff -urNp linux-2.6.39.3/grsecurity/grsec_disabled.c linux-2.6.39.3/grsecurity/grsec_disabled.c
57825 --- linux-2.6.39.3/grsecurity/grsec_disabled.c 1969-12-31 19:00:00.000000000 -0500
57826 +++ linux-2.6.39.3/grsecurity/grsec_disabled.c 2011-05-22 19:41:42.000000000 -0400
57827 @@ -0,0 +1,447 @@
57828 +#include <linux/kernel.h>
57829 +#include <linux/module.h>
57830 +#include <linux/sched.h>
57831 +#include <linux/file.h>
57832 +#include <linux/fs.h>
57833 +#include <linux/kdev_t.h>
57834 +#include <linux/net.h>
57835 +#include <linux/in.h>
57836 +#include <linux/ip.h>
57837 +#include <linux/skbuff.h>
57838 +#include <linux/sysctl.h>
57839 +
57840 +#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
57841 +void
57842 +pax_set_initial_flags(struct linux_binprm *bprm)
57843 +{
57844 + return;
57845 +}
57846 +#endif
57847 +
57848 +#ifdef CONFIG_SYSCTL
57849 +__u32
57850 +gr_handle_sysctl(const struct ctl_table * table, const int op)
57851 +{
57852 + return 0;
57853 +}
57854 +#endif
57855 +
57856 +#ifdef CONFIG_TASKSTATS
57857 +int gr_is_taskstats_denied(int pid)
57858 +{
57859 + return 0;
57860 +}
57861 +#endif
57862 +
57863 +int
57864 +gr_acl_is_enabled(void)
57865 +{
57866 + return 0;
57867 +}
57868 +
57869 +int
57870 +gr_handle_rawio(const struct inode *inode)
57871 +{
57872 + return 0;
57873 +}
57874 +
57875 +void
57876 +gr_acl_handle_psacct(struct task_struct *task, const long code)
57877 +{
57878 + return;
57879 +}
57880 +
57881 +int
57882 +gr_handle_ptrace(struct task_struct *task, const long request)
57883 +{
57884 + return 0;
57885 +}
57886 +
57887 +int
57888 +gr_handle_proc_ptrace(struct task_struct *task)
57889 +{
57890 + return 0;
57891 +}
57892 +
57893 +void
57894 +gr_learn_resource(const struct task_struct *task,
57895 + const int res, const unsigned long wanted, const int gt)
57896 +{
57897 + return;
57898 +}
57899 +
57900 +int
57901 +gr_set_acls(const int type)
57902 +{
57903 + return 0;
57904 +}
57905 +
57906 +int
57907 +gr_check_hidden_task(const struct task_struct *tsk)
57908 +{
57909 + return 0;
57910 +}
57911 +
57912 +int
57913 +gr_check_protected_task(const struct task_struct *task)
57914 +{
57915 + return 0;
57916 +}
57917 +
57918 +int
57919 +gr_check_protected_task_fowner(struct pid *pid, enum pid_type type)
57920 +{
57921 + return 0;
57922 +}
57923 +
57924 +void
57925 +gr_copy_label(struct task_struct *tsk)
57926 +{
57927 + return;
57928 +}
57929 +
57930 +void
57931 +gr_set_pax_flags(struct task_struct *task)
57932 +{
57933 + return;
57934 +}
57935 +
57936 +int
57937 +gr_set_proc_label(const struct dentry *dentry, const struct vfsmount *mnt,
57938 + const int unsafe_share)
57939 +{
57940 + return 0;
57941 +}
57942 +
57943 +void
57944 +gr_handle_delete(const ino_t ino, const dev_t dev)
57945 +{
57946 + return;
57947 +}
57948 +
57949 +void
57950 +gr_handle_create(const struct dentry *dentry, const struct vfsmount *mnt)
57951 +{
57952 + return;
57953 +}
57954 +
57955 +void
57956 +gr_handle_crash(struct task_struct *task, const int sig)
57957 +{
57958 + return;
57959 +}
57960 +
57961 +int
57962 +gr_check_crash_exec(const struct file *filp)
57963 +{
57964 + return 0;
57965 +}
57966 +
57967 +int
57968 +gr_check_crash_uid(const uid_t uid)
57969 +{
57970 + return 0;
57971 +}
57972 +
57973 +void
57974 +gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
57975 + struct dentry *old_dentry,
57976 + struct dentry *new_dentry,
57977 + struct vfsmount *mnt, const __u8 replace)
57978 +{
57979 + return;
57980 +}
57981 +
57982 +int
57983 +gr_search_socket(const int family, const int type, const int protocol)
57984 +{
57985 + return 1;
57986 +}
57987 +
57988 +int
57989 +gr_search_connectbind(const int mode, const struct socket *sock,
57990 + const struct sockaddr_in *addr)
57991 +{
57992 + return 0;
57993 +}
57994 +
57995 +int
57996 +gr_is_capable(const int cap)
57997 +{
57998 + return 1;
57999 +}
58000 +
58001 +int
58002 +gr_is_capable_nolog(const int cap)
58003 +{
58004 + return 1;
58005 +}
58006 +
58007 +void
58008 +gr_handle_alertkill(struct task_struct *task)
58009 +{
58010 + return;
58011 +}
58012 +
58013 +__u32
58014 +gr_acl_handle_execve(const struct dentry * dentry, const struct vfsmount * mnt)
58015 +{
58016 + return 1;
58017 +}
58018 +
58019 +__u32
58020 +gr_acl_handle_hidden_file(const struct dentry * dentry,
58021 + const struct vfsmount * mnt)
58022 +{
58023 + return 1;
58024 +}
58025 +
58026 +__u32
58027 +gr_acl_handle_open(const struct dentry * dentry, const struct vfsmount * mnt,
58028 + const int fmode)
58029 +{
58030 + return 1;
58031 +}
58032 +
58033 +__u32
58034 +gr_acl_handle_rmdir(const struct dentry * dentry, const struct vfsmount * mnt)
58035 +{
58036 + return 1;
58037 +}
58038 +
58039 +__u32
58040 +gr_acl_handle_unlink(const struct dentry * dentry, const struct vfsmount * mnt)
58041 +{
58042 + return 1;
58043 +}
58044 +
58045 +int
58046 +gr_acl_handle_mmap(const struct file *file, const unsigned long prot,
58047 + unsigned int *vm_flags)
58048 +{
58049 + return 1;
58050 +}
58051 +
58052 +__u32
58053 +gr_acl_handle_truncate(const struct dentry * dentry,
58054 + const struct vfsmount * mnt)
58055 +{
58056 + return 1;
58057 +}
58058 +
58059 +__u32
58060 +gr_acl_handle_utime(const struct dentry * dentry, const struct vfsmount * mnt)
58061 +{
58062 + return 1;
58063 +}
58064 +
58065 +__u32
58066 +gr_acl_handle_access(const struct dentry * dentry,
58067 + const struct vfsmount * mnt, const int fmode)
58068 +{
58069 + return 1;
58070 +}
58071 +
58072 +__u32
58073 +gr_acl_handle_fchmod(const struct dentry * dentry, const struct vfsmount * mnt,
58074 + mode_t mode)
58075 +{
58076 + return 1;
58077 +}
58078 +
58079 +__u32
58080 +gr_acl_handle_chmod(const struct dentry * dentry, const struct vfsmount * mnt,
58081 + mode_t mode)
58082 +{
58083 + return 1;
58084 +}
58085 +
58086 +__u32
58087 +gr_acl_handle_chown(const struct dentry * dentry, const struct vfsmount * mnt)
58088 +{
58089 + return 1;
58090 +}
58091 +
58092 +__u32
58093 +gr_acl_handle_setxattr(const struct dentry * dentry, const struct vfsmount * mnt)
58094 +{
58095 + return 1;
58096 +}
58097 +
58098 +void
58099 +grsecurity_init(void)
58100 +{
58101 + return;
58102 +}
58103 +
58104 +__u32
58105 +gr_acl_handle_mknod(const struct dentry * new_dentry,
58106 + const struct dentry * parent_dentry,
58107 + const struct vfsmount * parent_mnt,
58108 + const int mode)
58109 +{
58110 + return 1;
58111 +}
58112 +
58113 +__u32
58114 +gr_acl_handle_mkdir(const struct dentry * new_dentry,
58115 + const struct dentry * parent_dentry,
58116 + const struct vfsmount * parent_mnt)
58117 +{
58118 + return 1;
58119 +}
58120 +
58121 +__u32
58122 +gr_acl_handle_symlink(const struct dentry * new_dentry,
58123 + const struct dentry * parent_dentry,
58124 + const struct vfsmount * parent_mnt, const char *from)
58125 +{
58126 + return 1;
58127 +}
58128 +
58129 +__u32
58130 +gr_acl_handle_link(const struct dentry * new_dentry,
58131 + const struct dentry * parent_dentry,
58132 + const struct vfsmount * parent_mnt,
58133 + const struct dentry * old_dentry,
58134 + const struct vfsmount * old_mnt, const char *to)
58135 +{
58136 + return 1;
58137 +}
58138 +
58139 +int
58140 +gr_acl_handle_rename(const struct dentry *new_dentry,
58141 + const struct dentry *parent_dentry,
58142 + const struct vfsmount *parent_mnt,
58143 + const struct dentry *old_dentry,
58144 + const struct inode *old_parent_inode,
58145 + const struct vfsmount *old_mnt, const char *newname)
58146 +{
58147 + return 0;
58148 +}
58149 +
58150 +int
58151 +gr_acl_handle_filldir(const struct file *file, const char *name,
58152 + const int namelen, const ino_t ino)
58153 +{
58154 + return 1;
58155 +}
58156 +
58157 +int
58158 +gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
58159 + const time_t shm_createtime, const uid_t cuid, const int shmid)
58160 +{
58161 + return 1;
58162 +}
58163 +
58164 +int
58165 +gr_search_bind(const struct socket *sock, const struct sockaddr_in *addr)
58166 +{
58167 + return 0;
58168 +}
58169 +
58170 +int
58171 +gr_search_accept(const struct socket *sock)
58172 +{
58173 + return 0;
58174 +}
58175 +
58176 +int
58177 +gr_search_listen(const struct socket *sock)
58178 +{
58179 + return 0;
58180 +}
58181 +
58182 +int
58183 +gr_search_connect(const struct socket *sock, const struct sockaddr_in *addr)
58184 +{
58185 + return 0;
58186 +}
58187 +
58188 +__u32
58189 +gr_acl_handle_unix(const struct dentry * dentry, const struct vfsmount * mnt)
58190 +{
58191 + return 1;
58192 +}
58193 +
58194 +__u32
58195 +gr_acl_handle_creat(const struct dentry * dentry,
58196 + const struct dentry * p_dentry,
58197 + const struct vfsmount * p_mnt, const int fmode,
58198 + const int imode)
58199 +{
58200 + return 1;
58201 +}
58202 +
58203 +void
58204 +gr_acl_handle_exit(void)
58205 +{
58206 + return;
58207 +}
58208 +
58209 +int
58210 +gr_acl_handle_mprotect(const struct file *file, const unsigned long prot)
58211 +{
58212 + return 1;
58213 +}
58214 +
58215 +void
58216 +gr_set_role_label(const uid_t uid, const gid_t gid)
58217 +{
58218 + return;
58219 +}
58220 +
58221 +int
58222 +gr_acl_handle_procpidmem(const struct task_struct *task)
58223 +{
58224 + return 0;
58225 +}
58226 +
58227 +int
58228 +gr_search_udp_recvmsg(const struct sock *sk, const struct sk_buff *skb)
58229 +{
58230 + return 0;
58231 +}
58232 +
58233 +int
58234 +gr_search_udp_sendmsg(const struct sock *sk, const struct sockaddr_in *addr)
58235 +{
58236 + return 0;
58237 +}
58238 +
58239 +void
58240 +gr_set_kernel_label(struct task_struct *task)
58241 +{
58242 + return;
58243 +}
58244 +
58245 +int
58246 +gr_check_user_change(int real, int effective, int fs)
58247 +{
58248 + return 0;
58249 +}
58250 +
58251 +int
58252 +gr_check_group_change(int real, int effective, int fs)
58253 +{
58254 + return 0;
58255 +}
58256 +
58257 +int gr_acl_enable_at_secure(void)
58258 +{
58259 + return 0;
58260 +}
58261 +
58262 +dev_t gr_get_dev_from_dentry(struct dentry *dentry)
58263 +{
58264 + return dentry->d_inode->i_sb->s_dev;
58265 +}
58266 +
58267 +EXPORT_SYMBOL(gr_is_capable);
58268 +EXPORT_SYMBOL(gr_is_capable_nolog);
58269 +EXPORT_SYMBOL(gr_learn_resource);
58270 +EXPORT_SYMBOL(gr_set_kernel_label);
58271 +#ifdef CONFIG_SECURITY
58272 +EXPORT_SYMBOL(gr_check_user_change);
58273 +EXPORT_SYMBOL(gr_check_group_change);
58274 +#endif
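Review bot: gr_get_dev_from_dentry() near the end of grsec_disabled.c dereferences `dentry->d_inode` without a check, so a negative dentry would oops here; the callers are not in this hunk, so whether one can reach it is unverified. `return dentry->d_sb->s_dev;` reads the superblock from the dentry itself, should give the same device for a positive dentry, and is also valid for a negative one. Separately, the stubs return 1 for some hooks and 0 for others with no explanation; a file header along the lines of `/* Stubs for a build without the ACL system; each hook returns the value its real implementation uses for "no objection". */` would help, once each value has been confirmed against the real hook.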
58275 diff -urNp linux-2.6.39.3/grsecurity/grsec_exec.c linux-2.6.39.3/grsecurity/grsec_exec.c
58276 --- linux-2.6.39.3/grsecurity/grsec_exec.c 1969-12-31 19:00:00.000000000 -0500
58277 +++ linux-2.6.39.3/grsecurity/grsec_exec.c 2011-05-22 22:41:29.000000000 -0400
58278 @@ -0,0 +1,146 @@
58279 +#include <linux/kernel.h>
58280 +#include <linux/sched.h>
58281 +#include <linux/file.h>
58282 +#include <linux/binfmts.h>
58283 +#include <linux/fs.h>
58284 +#include <linux/types.h>
58285 +#include <linux/grdefs.h>
58286 +#include <linux/grinternal.h>
58287 +#include <linux/capability.h>
58288 +#include <linux/compat.h>
58289 +
58290 +#include <asm/uaccess.h>
58291 +
58292 +#ifdef CONFIG_GRKERNSEC_EXECLOG
58293 +static char gr_exec_arg_buf[132];
58294 +static DEFINE_MUTEX(gr_exec_arg_mutex);
58295 +#endif
58296 +
58297 +int
58298 +gr_handle_nproc(void)
58299 +{
58300 +#ifdef CONFIG_GRKERNSEC_EXECVE
58301 + const struct cred *cred = current_cred();
58302 + if (grsec_enable_execve && cred->user &&
58303 + (atomic_read(&cred->user->processes) > rlimit(RLIMIT_NPROC)) &&
58304 + !capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE)) {
58305 + gr_log_noargs(GR_DONT_AUDIT, GR_NPROC_MSG);
58306 + return -EAGAIN;
58307 + }
58308 +#endif
58309 + return 0;
58310 +}
58311 +
58312 +void
58313 +gr_handle_exec_args(struct linux_binprm *bprm, const char __user *const __user *argv)
58314 +{
58315 +#ifdef CONFIG_GRKERNSEC_EXECLOG
58316 + char *grarg = gr_exec_arg_buf;
58317 + unsigned int i, x, execlen = 0;
58318 + char c;
58319 +
58320 + if (!((grsec_enable_execlog && grsec_enable_group &&
58321 + in_group_p(grsec_audit_gid))
58322 + || (grsec_enable_execlog && !grsec_enable_group)))
58323 + return;
58324 +
58325 + mutex_lock(&gr_exec_arg_mutex);
58326 + memset(grarg, 0, sizeof(gr_exec_arg_buf));
58327 +
58328 + if (unlikely(argv == NULL))
58329 + goto log;
58330 +
58331 + for (i = 0; i < bprm->argc && execlen < 128; i++) {
58332 + const char __user *p;
58333 + unsigned int len;
58334 +
58335 + if (copy_from_user(&p, argv + i, sizeof(p)))
58336 + goto log;
58337 + if (!p)
58338 + goto log;
58339 + len = strnlen_user(p, 128 - execlen);
58340 + if (len > 128 - execlen)
58341 + len = 128 - execlen;
58342 + else if (len > 0)
58343 + len--;
58344 + if (copy_from_user(grarg + execlen, p, len))
58345 + goto log;
58346 +
58347 + /* rewrite unprintable characters */
58348 + for (x = 0; x < len; x++) {
58349 + c = *(grarg + execlen + x);
58350 + if (c < 32 || c > 126)
58351 + *(grarg + execlen + x) = ' ';
58352 + }
58353 +
58354 + execlen += len;
58355 + *(grarg + execlen) = ' ';
58356 + *(grarg + execlen + 1) = '\0';
58357 + execlen++;
58358 + }
58359 +
58360 + log:
58361 + gr_log_fs_str(GR_DO_AUDIT, GR_EXEC_AUDIT_MSG, bprm->file->f_path.dentry,
58362 + bprm->file->f_path.mnt, grarg);
58363 + mutex_unlock(&gr_exec_arg_mutex);
58364 +#endif
58365 + return;
58366 +}
58367 +
58368 +#ifdef CONFIG_COMPAT
58369 +void
58370 +gr_handle_exec_args_compat(struct linux_binprm *bprm, compat_uptr_t __user *argv)
58371 +{
58372 +#ifdef CONFIG_GRKERNSEC_EXECLOG
58373 + char *grarg = gr_exec_arg_buf;
58374 + unsigned int i, x, execlen = 0;
58375 + char c;
58376 +
58377 + if (!((grsec_enable_execlog && grsec_enable_group &&
58378 + in_group_p(grsec_audit_gid))
58379 + || (grsec_enable_execlog && !grsec_enable_group)))
58380 + return;
58381 +
58382 + mutex_lock(&gr_exec_arg_mutex);
58383 + memset(grarg, 0, sizeof(gr_exec_arg_buf));
58384 +
58385 + if (unlikely(argv == NULL))
58386 + goto log;
58387 +
58388 + for (i = 0; i < bprm->argc && execlen < 128; i++) {
58389 + compat_uptr_t p;
58390 + unsigned int len;
58391 +
58392 + if (get_user(p, argv + i))
58393 + goto log;
58394 + len = strnlen_user(compat_ptr(p), 128 - execlen);
58395 + if (len > 128 - execlen)
58396 + len = 128 - execlen;
58397 + else if (len > 0)
58398 + len--;
58399 + else
58400 + goto log;
58401 + if (copy_from_user(grarg + execlen, compat_ptr(p), len))
58402 + goto log;
58403 +
58404 + /* rewrite unprintable characters */
58405 + for (x = 0; x < len; x++) {
58406 + c = *(grarg + execlen + x);
58407 + if (c < 32 || c > 126)
58408 + *(grarg + execlen + x) = ' ';
58409 + }
58410 +
58411 + execlen += len;
58412 + *(grarg + execlen) = ' ';
58413 + *(grarg + execlen + 1) = '\0';
58414 + execlen++;
58415 + }
58416 +
58417 + log:
58418 + gr_log_fs_str(GR_DO_AUDIT, GR_EXEC_AUDIT_MSG, bprm->file->f_path.dentry,
58419 + bprm->file->f_path.mnt, grarg);
58420 + mutex_unlock(&gr_exec_arg_mutex);
58421 +#endif
58422 + return;
58423 +}
58424 +#endif
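Review bot: gr_handle_exec_args() and gr_handle_exec_args_compat() are near-copies that disagree on what to do when strnlen_user() returns 0, which it does when the user pointer faults. The compat version has `else goto log;` after the `len--` branch and stops, while the native version falls through, copies zero bytes, appends a space and carries on. The audit record then shows a blank where an unreadable argument was. Adding the same `else goto log;` to the native loop would make the two consistent. The limits 128 and 132 are also tied together only by convention (the loop can write a space and a NUL at offsets 128 and 129); a named constant with `static char gr_exec_arg_buf[GR_EXEC_ARG_MAX + 4];` (constant name is a suggestion) and a shared helper for the copy-and-sanitise loop would keep the two paths from drifting further.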
58425 diff -urNp linux-2.6.39.3/grsecurity/grsec_fifo.c linux-2.6.39.3/grsecurity/grsec_fifo.c
58426 --- linux-2.6.39.3/grsecurity/grsec_fifo.c 1969-12-31 19:00:00.000000000 -0500
58427 +++ linux-2.6.39.3/grsecurity/grsec_fifo.c 2011-05-22 19:41:42.000000000 -0400
58428 @@ -0,0 +1,24 @@
58429 +#include <linux/kernel.h>
58430 +#include <linux/sched.h>
58431 +#include <linux/fs.h>
58432 +#include <linux/file.h>
58433 +#include <linux/grinternal.h>
58434 +
58435 +int
58436 +gr_handle_fifo(const struct dentry *dentry, const struct vfsmount *mnt,
58437 + const struct dentry *dir, const int flag, const int acc_mode)
58438 +{
58439 +#ifdef CONFIG_GRKERNSEC_FIFO
58440 + const struct cred *cred = current_cred();
58441 +
58442 + if (grsec_enable_fifo && S_ISFIFO(dentry->d_inode->i_mode) &&
58443 + !(flag & O_EXCL) && (dir->d_inode->i_mode & S_ISVTX) &&
58444 + (dentry->d_inode->i_uid != dir->d_inode->i_uid) &&
58445 + (cred->fsuid != dentry->d_inode->i_uid)) {
58446 + if (!inode_permission(dentry->d_inode, acc_mode))
58447 + gr_log_fs_int2(GR_DONT_AUDIT, GR_FIFO_MSG, dentry, mnt, dentry->d_inode->i_uid, dentry->d_inode->i_gid);
58448 + return -EACCES;
58449 + }
58450 +#endif
58451 + return 0;
58452 +}
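Review bot: In gr_handle_fifo() the unbraced `if (!inode_permission(dentry->d_inode, acc_mode))` guards only the gr_log_fs_int2() call, while `return -EACCES;` runs for every FIFO that matches the outer condition; nothing in the code says this is deliberate. It reads as intentional (log only when the normal permission check would have let the open through, deny regardless), but a later edit could easily pull the return under the inner `if`. I would brace the inner statement and add `/* log only if DAC would have allowed the open; the open is refused either way */` above it. Both `dentry->d_inode` and `dir->d_inode` are dereferenced unchecked, so the function relies on callers, not shown here, passing positive dentries.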
58453 diff -urNp linux-2.6.39.3/grsecurity/grsec_fork.c linux-2.6.39.3/grsecurity/grsec_fork.c
58454 --- linux-2.6.39.3/grsecurity/grsec_fork.c 1969-12-31 19:00:00.000000000 -0500
58455 +++ linux-2.6.39.3/grsecurity/grsec_fork.c 2011-05-22 19:41:42.000000000 -0400
58456 @@ -0,0 +1,23 @@
58457 +#include <linux/kernel.h>
58458 +#include <linux/sched.h>
58459 +#include <linux/grsecurity.h>
58460 +#include <linux/grinternal.h>
58461 +#include <linux/errno.h>
58462 +
58463 +void
58464 +gr_log_forkfail(const int retval)
58465 +{
58466 +#ifdef CONFIG_GRKERNSEC_FORKFAIL
58467 + if (grsec_enable_forkfail && (retval == -EAGAIN || retval == -ENOMEM)) {
58468 + switch (retval) {
58469 + case -EAGAIN:
58470 + gr_log_str(GR_DONT_AUDIT, GR_FAILFORK_MSG, "EAGAIN");
58471 + break;
58472 + case -ENOMEM:
58473 + gr_log_str(GR_DONT_AUDIT, GR_FAILFORK_MSG, "ENOMEM");
58474 + break;
58475 + }
58476 + }
58477 +#endif
58478 + return;
58479 +}
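Review bot: gr_log_forkfail() tests retval for -EAGAIN or -ENOMEM in the `if` and then switches on the same two values, so the decision is made twice and the switch has no `default`. One of the two is enough, for example `if (grsec_enable_forkfail && (retval == -EAGAIN || retval == -ENOMEM))` followed by `gr_log_str(GR_DONT_AUDIT, GR_FAILFORK_MSG, retval == -EAGAIN ? "EAGAIN" : "ENOMEM");`. The trailing `return;` is redundant in a void function.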
58480 diff -urNp linux-2.6.39.3/grsecurity/grsec_init.c linux-2.6.39.3/grsecurity/grsec_init.c
58481 --- linux-2.6.39.3/grsecurity/grsec_init.c 1969-12-31 19:00:00.000000000 -0500
58482 +++ linux-2.6.39.3/grsecurity/grsec_init.c 2011-06-29 19:35:59.000000000 -0400
58483 @@ -0,0 +1,273 @@
58484 +#include <linux/kernel.h>
58485 +#include <linux/sched.h>
58486 +#include <linux/mm.h>
58487 +#include <linux/gracl.h>
58488 +#include <linux/slab.h>
58489 +#include <linux/vmalloc.h>
58490 +#include <linux/percpu.h>
58491 +#include <linux/module.h>
58492 +
58493 +int grsec_enable_brute;
58494 +int grsec_enable_link;
58495 +int grsec_enable_dmesg;
58496 +int grsec_enable_harden_ptrace;
58497 +int grsec_enable_fifo;
58498 +int grsec_enable_execve;
58499 +int grsec_enable_execlog;
58500 +int grsec_enable_signal;
58501 +int grsec_enable_forkfail;
58502 +int grsec_enable_audit_ptrace;
58503 +int grsec_enable_time;
58504 +int grsec_enable_audit_textrel;
58505 +int grsec_enable_group;
58506 +int grsec_audit_gid;
58507 +int grsec_enable_chdir;
58508 +int grsec_enable_mount;
58509 +int grsec_enable_rofs;
58510 +int grsec_enable_chroot_findtask;
58511 +int grsec_enable_chroot_mount;
58512 +int grsec_enable_chroot_shmat;
58513 +int grsec_enable_chroot_fchdir;
58514 +int grsec_enable_chroot_double;
58515 +int grsec_enable_chroot_pivot;
58516 +int grsec_enable_chroot_chdir;
58517 +int grsec_enable_chroot_chmod;
58518 +int grsec_enable_chroot_mknod;
58519 +int grsec_enable_chroot_nice;
58520 +int grsec_enable_chroot_execlog;
58521 +int grsec_enable_chroot_caps;
58522 +int grsec_enable_chroot_sysctl;
58523 +int grsec_enable_chroot_unix;
58524 +int grsec_enable_tpe;
58525 +int grsec_tpe_gid;
58526 +int grsec_enable_blackhole;
58527 +#ifdef CONFIG_IPV6_MODULE
58528 +EXPORT_SYMBOL(grsec_enable_blackhole);
58529 +#endif
58530 +int grsec_lastack_retries;
58531 +int grsec_enable_tpe_all;
58532 +int grsec_enable_tpe_invert;
58533 +int grsec_enable_socket_all;
58534 +int grsec_socket_all_gid;
58535 +int grsec_enable_socket_client;
58536 +int grsec_socket_client_gid;
58537 +int grsec_enable_socket_server;
58538 +int grsec_socket_server_gid;
58539 +int grsec_resource_logging;
58540 +int grsec_disable_privio;
58541 +int grsec_enable_log_rwxmaps;
58542 +int grsec_lock;
58543 +
58544 +DEFINE_SPINLOCK(grsec_alert_lock);
58545 +unsigned long grsec_alert_wtime = 0;
58546 +unsigned long grsec_alert_fyet = 0;
58547 +
58548 +DEFINE_SPINLOCK(grsec_audit_lock);
58549 +
58550 +DEFINE_RWLOCK(grsec_exec_file_lock);
58551 +
58552 +char *gr_shared_page[4];
58553 +
58554 +char *gr_alert_log_fmt;
58555 +char *gr_audit_log_fmt;
58556 +char *gr_alert_log_buf;
58557 +char *gr_audit_log_buf;
58558 +
58559 +extern struct gr_arg *gr_usermode;
58560 +extern unsigned char *gr_system_salt;
58561 +extern unsigned char *gr_system_sum;
58562 +
58563 +void __init
58564 +grsecurity_init(void)
58565 +{
58566 + int j;
58567 + /* create the per-cpu shared pages */
58568 +
58569 +#ifdef CONFIG_X86
58570 + memset((char *)(0x41a + PAGE_OFFSET), 0, 36);
58571 +#endif
58572 +
58573 + for (j = 0; j < 4; j++) {
58574 + gr_shared_page[j] = (char *)__alloc_percpu(PAGE_SIZE, __alignof__(unsigned long long));
58575 + if (gr_shared_page[j] == NULL) {
58576 + panic("Unable to allocate grsecurity shared page");
58577 + return;
58578 + }
58579 + }
58580 +
58581 + /* allocate log buffers */
58582 + gr_alert_log_fmt = kmalloc(512, GFP_KERNEL);
58583 + if (!gr_alert_log_fmt) {
58584 + panic("Unable to allocate grsecurity alert log format buffer");
58585 + return;
58586 + }
58587 + gr_audit_log_fmt = kmalloc(512, GFP_KERNEL);
58588 + if (!gr_audit_log_fmt) {
58589 + panic("Unable to allocate grsecurity audit log format buffer");
58590 + return;
58591 + }
58592 + gr_alert_log_buf = (char *) get_zeroed_page(GFP_KERNEL);
58593 + if (!gr_alert_log_buf) {
58594 + panic("Unable to allocate grsecurity alert log buffer");
58595 + return;
58596 + }
58597 + gr_audit_log_buf = (char *) get_zeroed_page(GFP_KERNEL);
58598 + if (!gr_audit_log_buf) {
58599 + panic("Unable to allocate grsecurity audit log buffer");
58600 + return;
58601 + }
58602 +
58603 + /* allocate memory for authentication structure */
58604 + gr_usermode = kmalloc(sizeof(struct gr_arg), GFP_KERNEL);
58605 + gr_system_salt = kmalloc(GR_SALT_LEN, GFP_KERNEL);
58606 + gr_system_sum = kmalloc(GR_SHA_LEN, GFP_KERNEL);
58607 +
58608 + if (!gr_usermode || !gr_system_salt || !gr_system_sum) {
58609 + panic("Unable to allocate grsecurity authentication structure");
58610 + return;
58611 + }
58612 +
58613 +
58614 +#ifdef CONFIG_GRKERNSEC_IO
58615 +#if !defined(CONFIG_GRKERNSEC_SYSCTL_DISTRO)
58616 + grsec_disable_privio = 1;
58617 +#elif defined(CONFIG_GRKERNSEC_SYSCTL_ON)
58618 + grsec_disable_privio = 1;
58619 +#else
58620 + grsec_disable_privio = 0;
58621 +#endif
58622 +#endif
58623 +
58624 +#ifdef CONFIG_GRKERNSEC_TPE_INVERT
58625 + /* for backward compatibility, tpe_invert always defaults to on if
58626 + enabled in the kernel
58627 + */
58628 + grsec_enable_tpe_invert = 1;
58629 +#endif
58630 +
58631 +#if !defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_SYSCTL_ON)
58632 +#ifndef CONFIG_GRKERNSEC_SYSCTL
58633 + grsec_lock = 1;
58634 +#endif
58635 +
58636 +#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
58637 + grsec_enable_audit_textrel = 1;
58638 +#endif
58639 +#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
58640 + grsec_enable_log_rwxmaps = 1;
58641 +#endif
58642 +#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP
58643 + grsec_enable_group = 1;
58644 + grsec_audit_gid = CONFIG_GRKERNSEC_AUDIT_GID;
58645 +#endif
58646 +#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
58647 + grsec_enable_chdir = 1;
58648 +#endif
58649 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
58650 + grsec_enable_harden_ptrace = 1;
58651 +#endif
58652 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
58653 + grsec_enable_mount = 1;
58654 +#endif
58655 +#ifdef CONFIG_GRKERNSEC_LINK
58656 + grsec_enable_link = 1;
58657 +#endif
58658 +#ifdef CONFIG_GRKERNSEC_BRUTE
58659 + grsec_enable_brute = 1;
58660 +#endif
58661 +#ifdef CONFIG_GRKERNSEC_DMESG
58662 + grsec_enable_dmesg = 1;
58663 +#endif
58664 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
58665 + grsec_enable_blackhole = 1;
58666 + grsec_lastack_retries = 4;
58667 +#endif
58668 +#ifdef CONFIG_GRKERNSEC_FIFO
58669 + grsec_enable_fifo = 1;
58670 +#endif
58671 +#ifdef CONFIG_GRKERNSEC_EXECVE
58672 + grsec_enable_execve = 1;
58673 +#endif
58674 +#ifdef CONFIG_GRKERNSEC_EXECLOG
58675 + grsec_enable_execlog = 1;
58676 +#endif
58677 +#ifdef CONFIG_GRKERNSEC_SIGNAL
58678 + grsec_enable_signal = 1;
58679 +#endif
58680 +#ifdef CONFIG_GRKERNSEC_FORKFAIL
58681 + grsec_enable_forkfail = 1;
58682 +#endif
58683 +#ifdef CONFIG_GRKERNSEC_TIME
58684 + grsec_enable_time = 1;
58685 +#endif
58686 +#ifdef CONFIG_GRKERNSEC_RESLOG
58687 + grsec_resource_logging = 1;
58688 +#endif
58689 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
58690 + grsec_enable_chroot_findtask = 1;
58691 +#endif
58692 +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
58693 + grsec_enable_chroot_unix = 1;
58694 +#endif
58695 +#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
58696 + grsec_enable_chroot_mount = 1;
58697 +#endif
58698 +#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
58699 + grsec_enable_chroot_fchdir = 1;
58700 +#endif
58701 +#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
58702 + grsec_enable_chroot_shmat = 1;
58703 +#endif
58704 +#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE
58705 + grsec_enable_audit_ptrace = 1;
58706 +#endif
58707 +#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
58708 + grsec_enable_chroot_double = 1;
58709 +#endif
58710 +#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
58711 + grsec_enable_chroot_pivot = 1;
58712 +#endif
58713 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
58714 + grsec_enable_chroot_chdir = 1;
58715 +#endif
58716 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
58717 + grsec_enable_chroot_chmod = 1;
58718 +#endif
58719 +#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
58720 + grsec_enable_chroot_mknod = 1;
58721 +#endif
58722 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
58723 + grsec_enable_chroot_nice = 1;
58724 +#endif
58725 +#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
58726 + grsec_enable_chroot_execlog = 1;
58727 +#endif
58728 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
58729 + grsec_enable_chroot_caps = 1;
58730 +#endif
58731 +#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
58732 + grsec_enable_chroot_sysctl = 1;
58733 +#endif
58734 +#ifdef CONFIG_GRKERNSEC_TPE
58735 + grsec_enable_tpe = 1;
58736 + grsec_tpe_gid = CONFIG_GRKERNSEC_TPE_GID;
58737 +#ifdef CONFIG_GRKERNSEC_TPE_ALL
58738 + grsec_enable_tpe_all = 1;
58739 +#endif
58740 +#endif
58741 +#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
58742 + grsec_enable_socket_all = 1;
58743 + grsec_socket_all_gid = CONFIG_GRKERNSEC_SOCKET_ALL_GID;
58744 +#endif
58745 +#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
58746 + grsec_enable_socket_client = 1;
58747 + grsec_socket_client_gid = CONFIG_GRKERNSEC_SOCKET_CLIENT_GID;
58748 +#endif
58749 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
58750 + grsec_enable_socket_server = 1;
58751 + grsec_socket_server_gid = CONFIG_GRKERNSEC_SOCKET_SERVER_GID;
58752 +#endif
58753 +#endif
58754 +
58755 + return;
58756 +}
58757 diff -urNp linux-2.6.39.3/grsecurity/grsec_link.c linux-2.6.39.3/grsecurity/grsec_link.c
58758 --- linux-2.6.39.3/grsecurity/grsec_link.c 1969-12-31 19:00:00.000000000 -0500
58759 +++ linux-2.6.39.3/grsecurity/grsec_link.c 2011-05-22 19:41:42.000000000 -0400
58760 @@ -0,0 +1,43 @@
58761 +#include <linux/kernel.h>
58762 +#include <linux/sched.h>
58763 +#include <linux/fs.h>
58764 +#include <linux/file.h>
58765 +#include <linux/grinternal.h>
58766 +
58767 +int
58768 +gr_handle_follow_link(const struct inode *parent,
58769 + const struct inode *inode,
58770 + const struct dentry *dentry, const struct vfsmount *mnt)
58771 +{
58772 +#ifdef CONFIG_GRKERNSEC_LINK
58773 + const struct cred *cred = current_cred();
58774 +
58775 + if (grsec_enable_link && S_ISLNK(inode->i_mode) &&
58776 + (parent->i_mode & S_ISVTX) && (parent->i_uid != inode->i_uid) &&
58777 + (parent->i_mode & S_IWOTH) && (cred->fsuid != inode->i_uid)) {
58778 + gr_log_fs_int2(GR_DONT_AUDIT, GR_SYMLINK_MSG, dentry, mnt, inode->i_uid, inode->i_gid);
58779 + return -EACCES;
58780 + }
58781 +#endif
58782 + return 0;
58783 +}
58784 +
58785 +int
58786 +gr_handle_hardlink(const struct dentry *dentry,
58787 + const struct vfsmount *mnt,
58788 + struct inode *inode, const int mode, const char *to)
58789 +{
58790 +#ifdef CONFIG_GRKERNSEC_LINK
58791 + const struct cred *cred = current_cred();
58792 +
58793 + if (grsec_enable_link && cred->fsuid != inode->i_uid &&
58794 + (!S_ISREG(mode) || (mode & S_ISUID) ||
58795 + ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) ||
58796 + (inode_permission(inode, MAY_READ | MAY_WRITE))) &&
58797 + !capable(CAP_FOWNER) && cred->uid) {
58798 + gr_log_fs_int2_str(GR_DONT_AUDIT, GR_HARDLINK_MSG, dentry, mnt, inode->i_uid, inode->i_gid, to);
58799 + return -EPERM;
58800 + }
58801 +#endif
58802 + return 0;
58803 +}
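Review bot: In gr_handle_hardlink the trailing `&& cred->uid` exempts every uid-0 caller from the restriction, including a root process that no longer holds CAP_FOWNER, so the capability test beside it is not the only gate. If that exemption is not intended, the condition could end at `!capable(CAP_FOWNER)) {`; if it is, a comment such as `/* uid 0 is exempt even without CAP_FOWNER */` would make it explicit. Neither function has a header comment, and one line each stating the rule would make the long conditions easier to check. For gr_handle_follow_link the rule is that a symlink in a sticky, world-writable directory is followed only when it is owned by the follower or by the directory owner. For gr_handle_hardlink it is that a link to a file the caller does not own is refused when the target is not a regular file, is setuid, is setgid with group-execute, or fails the read/write permission check.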
58804 diff -urNp linux-2.6.39.3/grsecurity/grsec_log.c linux-2.6.39.3/grsecurity/grsec_log.c
58805 --- linux-2.6.39.3/grsecurity/grsec_log.c 1969-12-31 19:00:00.000000000 -0500
58806 +++ linux-2.6.39.3/grsecurity/grsec_log.c 2011-05-22 19:41:42.000000000 -0400
58807 @@ -0,0 +1,310 @@
58808 +#include <linux/kernel.h>
58809 +#include <linux/sched.h>
58810 +#include <linux/file.h>
58811 +#include <linux/tty.h>
58812 +#include <linux/fs.h>
58813 +#include <linux/grinternal.h>
58814 +
58815 +#ifdef CONFIG_TREE_PREEMPT_RCU
58816 +#define DISABLE_PREEMPT() preempt_disable()
58817 +#define ENABLE_PREEMPT() preempt_enable()
58818 +#else
58819 +#define DISABLE_PREEMPT()
58820 +#define ENABLE_PREEMPT()
58821 +#endif
58822 +
58823 +#define BEGIN_LOCKS(x) \
58824 + DISABLE_PREEMPT(); \
58825 + rcu_read_lock(); \
58826 + read_lock(&tasklist_lock); \
58827 + read_lock(&grsec_exec_file_lock); \
58828 + if (x != GR_DO_AUDIT) \
58829 + spin_lock(&grsec_alert_lock); \
58830 + else \
58831 + spin_lock(&grsec_audit_lock)
58832 +
58833 +#define END_LOCKS(x) \
58834 + if (x != GR_DO_AUDIT) \
58835 + spin_unlock(&grsec_alert_lock); \
58836 + else \
58837 + spin_unlock(&grsec_audit_lock); \
58838 + read_unlock(&grsec_exec_file_lock); \
58839 + read_unlock(&tasklist_lock); \
58840 + rcu_read_unlock(); \
58841 + ENABLE_PREEMPT(); \
58842 + if (x == GR_DONT_AUDIT) \
58843 + gr_handle_alertkill(current)
58844 +
58845 +enum {
58846 + FLOODING,
58847 + NO_FLOODING
58848 +};
58849 +
58850 +extern char *gr_alert_log_fmt;
58851 +extern char *gr_audit_log_fmt;
58852 +extern char *gr_alert_log_buf;
58853 +extern char *gr_audit_log_buf;
58854 +
58855 +static int gr_log_start(int audit)
58856 +{
58857 + char *loglevel = (audit == GR_DO_AUDIT) ? KERN_INFO : KERN_ALERT;
58858 + char *fmt = (audit == GR_DO_AUDIT) ? gr_audit_log_fmt : gr_alert_log_fmt;
58859 + char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
58860 +
58861 + if (audit == GR_DO_AUDIT)
58862 + goto set_fmt;
58863 +
58864 + if (!grsec_alert_wtime || jiffies - grsec_alert_wtime > CONFIG_GRKERNSEC_FLOODTIME * HZ) {
58865 + grsec_alert_wtime = jiffies;
58866 + grsec_alert_fyet = 0;
58867 + } else if ((jiffies - grsec_alert_wtime < CONFIG_GRKERNSEC_FLOODTIME * HZ) && (grsec_alert_fyet < CONFIG_GRKERNSEC_FLOODBURST)) {
58868 + grsec_alert_fyet++;
58869 + } else if (grsec_alert_fyet == CONFIG_GRKERNSEC_FLOODBURST) {
58870 + grsec_alert_wtime = jiffies;
58871 + grsec_alert_fyet++;
58872 + printk(KERN_ALERT "grsec: more alerts, logging disabled for %d seconds\n", CONFIG_GRKERNSEC_FLOODTIME);
58873 + return FLOODING;
58874 + } else return FLOODING;
58875 +
58876 +set_fmt:
58877 + memset(buf, 0, PAGE_SIZE);
58878 + if (current->signal->curr_ip && gr_acl_is_enabled()) {
58879 + sprintf(fmt, "%s%s", loglevel, "grsec: From %pI4: (%.64s:%c:%.950s) ");
58880 + snprintf(buf, PAGE_SIZE - 1, fmt, &current->signal->curr_ip, current->role->rolename, gr_roletype_to_char(), current->acl->filename);
58881 + } else if (current->signal->curr_ip) {
58882 + sprintf(fmt, "%s%s", loglevel, "grsec: From %pI4: ");
58883 + snprintf(buf, PAGE_SIZE - 1, fmt, &current->signal->curr_ip);
58884 + } else if (gr_acl_is_enabled()) {
58885 + sprintf(fmt, "%s%s", loglevel, "grsec: (%.64s:%c:%.950s) ");
58886 + snprintf(buf, PAGE_SIZE - 1, fmt, current->role->rolename, gr_roletype_to_char(), current->acl->filename);
58887 + } else {
58888 + sprintf(fmt, "%s%s", loglevel, "grsec: ");
58889 + strcpy(buf, fmt);
58890 + }
58891 +
58892 + return NO_FLOODING;
58893 +}
58894 +
58895 +static void gr_log_middle(int audit, const char *msg, va_list ap)
58896 + __attribute__ ((format (printf, 2, 0)));
58897 +
58898 +static void gr_log_middle(int audit, const char *msg, va_list ap)
58899 +{
58900 + char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
58901 + unsigned int len = strlen(buf);
58902 +
58903 + vsnprintf(buf + len, PAGE_SIZE - len - 1, msg, ap);
58904 +
58905 + return;
58906 +}
58907 +
58908 +static void gr_log_middle_varargs(int audit, const char *msg, ...)
58909 + __attribute__ ((format (printf, 2, 3)));
58910 +
58911 +static void gr_log_middle_varargs(int audit, const char *msg, ...)
58912 +{
58913 + char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
58914 + unsigned int len = strlen(buf);
58915 + va_list ap;
58916 +
58917 + va_start(ap, msg);
58918 + vsnprintf(buf + len, PAGE_SIZE - len - 1, msg, ap);
58919 + va_end(ap);
58920 +
58921 + return;
58922 +}
58923 +
58924 +static void gr_log_end(int audit)
58925 +{
58926 + char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
58927 + unsigned int len = strlen(buf);
58928 +
58929 + snprintf(buf + len, PAGE_SIZE - len - 1, DEFAULTSECMSG, DEFAULTSECARGS(current, current_cred(), __task_cred(current->real_parent)));
58930 + printk("%s\n", buf);
58931 +
58932 + return;
58933 +}
58934 +
58935 +void gr_log_varargs(int audit, const char *msg, int argtypes, ...)
58936 +{
58937 + int logtype;
58938 + char *result = (audit == GR_DO_AUDIT) ? "successful" : "denied";
58939 + char *str1 = NULL, *str2 = NULL, *str3 = NULL;
58940 + void *voidptr = NULL;
58941 + int num1 = 0, num2 = 0;
58942 + unsigned long ulong1 = 0, ulong2 = 0;
58943 + struct dentry *dentry = NULL;
58944 + struct vfsmount *mnt = NULL;
58945 + struct file *file = NULL;
58946 + struct task_struct *task = NULL;
58947 + const struct cred *cred, *pcred;
58948 + va_list ap;
58949 +
58950 + BEGIN_LOCKS(audit);
58951 + logtype = gr_log_start(audit);
58952 + if (logtype == FLOODING) {
58953 + END_LOCKS(audit);
58954 + return;
58955 + }
58956 + va_start(ap, argtypes);
58957 + switch (argtypes) {
58958 + case GR_TTYSNIFF:
58959 + task = va_arg(ap, struct task_struct *);
58960 + gr_log_middle_varargs(audit, msg, &task->signal->curr_ip, gr_task_fullpath0(task), task->comm, task->pid, gr_parent_task_fullpath0(task), task->real_parent->comm, task->real_parent->pid);
58961 + break;
58962 + case GR_SYSCTL_HIDDEN:
58963 + str1 = va_arg(ap, char *);
58964 + gr_log_middle_varargs(audit, msg, result, str1);
58965 + break;
58966 + case GR_RBAC:
58967 + dentry = va_arg(ap, struct dentry *);
58968 + mnt = va_arg(ap, struct vfsmount *);
58969 + gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt));
58970 + break;
58971 + case GR_RBAC_STR:
58972 + dentry = va_arg(ap, struct dentry *);
58973 + mnt = va_arg(ap, struct vfsmount *);
58974 + str1 = va_arg(ap, char *);
58975 + gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1);
58976 + break;
58977 + case GR_STR_RBAC:
58978 + str1 = va_arg(ap, char *);
58979 + dentry = va_arg(ap, struct dentry *);
58980 + mnt = va_arg(ap, struct vfsmount *);
58981 + gr_log_middle_varargs(audit, msg, result, str1, gr_to_filename(dentry, mnt));
58982 + break;
58983 + case GR_RBAC_MODE2:
58984 + dentry = va_arg(ap, struct dentry *);
58985 + mnt = va_arg(ap, struct vfsmount *);
58986 + str1 = va_arg(ap, char *);
58987 + str2 = va_arg(ap, char *);
58988 + gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1, str2);
58989 + break;
58990 + case GR_RBAC_MODE3:
58991 + dentry = va_arg(ap, struct dentry *);
58992 + mnt = va_arg(ap, struct vfsmount *);
58993 + str1 = va_arg(ap, char *);
58994 + str2 = va_arg(ap, char *);
58995 + str3 = va_arg(ap, char *);
58996 + gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1, str2, str3);
58997 + break;
58998 + case GR_FILENAME:
58999 + dentry = va_arg(ap, struct dentry *);
59000 + mnt = va_arg(ap, struct vfsmount *);
59001 + gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt));
59002 + break;
59003 + case GR_STR_FILENAME:
59004 + str1 = va_arg(ap, char *);
59005 + dentry = va_arg(ap, struct dentry *);
59006 + mnt = va_arg(ap, struct vfsmount *);
59007 + gr_log_middle_varargs(audit, msg, str1, gr_to_filename(dentry, mnt));
59008 + break;
59009 + case GR_FILENAME_STR:
59010 + dentry = va_arg(ap, struct dentry *);
59011 + mnt = va_arg(ap, struct vfsmount *);
59012 + str1 = va_arg(ap, char *);
59013 + gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), str1);
59014 + break;
59015 + case GR_FILENAME_TWO_INT:
59016 + dentry = va_arg(ap, struct dentry *);
59017 + mnt = va_arg(ap, struct vfsmount *);
59018 + num1 = va_arg(ap, int);
59019 + num2 = va_arg(ap, int);
59020 + gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), num1, num2);
59021 + break;
59022 + case GR_FILENAME_TWO_INT_STR:
59023 + dentry = va_arg(ap, struct dentry *);
59024 + mnt = va_arg(ap, struct vfsmount *);
59025 + num1 = va_arg(ap, int);
59026 + num2 = va_arg(ap, int);
59027 + str1 = va_arg(ap, char *);
59028 + gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), num1, num2, str1);
59029 + break;
59030 + case GR_TEXTREL:
59031 + file = va_arg(ap, struct file *);
59032 + ulong1 = va_arg(ap, unsigned long);
59033 + ulong2 = va_arg(ap, unsigned long);
59034 + gr_log_middle_varargs(audit, msg, file ? gr_to_filename(file->f_path.dentry, file->f_path.mnt) : "<anonymous mapping>", ulong1, ulong2);
59035 + break;
59036 + case GR_PTRACE:
59037 + task = va_arg(ap, struct task_struct *);
59038 + gr_log_middle_varargs(audit, msg, task->exec_file ? gr_to_filename(task->exec_file->f_path.dentry, task->exec_file->f_path.mnt) : "(none)", task->comm, task->pid);
59039 + break;
59040 + case GR_RESOURCE:
59041 + task = va_arg(ap, struct task_struct *);
59042 + cred = __task_cred(task);
59043 + pcred = __task_cred(task->real_parent);
59044 + ulong1 = va_arg(ap, unsigned long);
59045 + str1 = va_arg(ap, char *);
59046 + ulong2 = va_arg(ap, unsigned long);
59047 + gr_log_middle_varargs(audit, msg, ulong1, str1, ulong2, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid);
59048 + break;
59049 + case GR_CAP:
59050 + task = va_arg(ap, struct task_struct *);
59051 + cred = __task_cred(task);
59052 + pcred = __task_cred(task->real_parent);
59053 + str1 = va_arg(ap, char *);
59054 + gr_log_middle_varargs(audit, msg, str1, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid);
59055 + break;
59056 + case GR_SIG:
59057 + str1 = va_arg(ap, char *);
59058 + voidptr = va_arg(ap, void *);
59059 + gr_log_middle_varargs(audit, msg, str1, voidptr);
59060 + break;
59061 + case GR_SIG2:
59062 + task = va_arg(ap, struct task_struct *);
59063 + cred = __task_cred(task);
59064 + pcred = __task_cred(task->real_parent);
59065 + num1 = va_arg(ap, int);
59066 + gr_log_middle_varargs(audit, msg, num1, gr_task_fullpath0(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath0(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid);
59067 + break;
59068 + case GR_CRASH1:
59069 + task = va_arg(ap, struct task_struct *);
59070 + cred = __task_cred(task);
59071 + pcred = __task_cred(task->real_parent);
59072 + ulong1 = va_arg(ap, unsigned long);
59073 + gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid, cred->uid, ulong1);
59074 + break;
59075 + case GR_CRASH2:
59076 + task = va_arg(ap, struct task_struct *);
59077 + cred = __task_cred(task);
59078 + pcred = __task_cred(task->real_parent);
59079 + ulong1 = va_arg(ap, unsigned long);
59080 + gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid, ulong1);
59081 + break;
59082 + case GR_RWXMAP:
59083 + file = va_arg(ap, struct file *);
59084 + gr_log_middle_varargs(audit, msg, file ? gr_to_filename(file->f_path.dentry, file->f_path.mnt) : "<anonymous mapping>");
59085 + break;
59086 + case GR_PSACCT:
59087 + {
59088 + unsigned int wday, cday;
59089 + __u8 whr, chr;
59090 + __u8 wmin, cmin;
59091 + __u8 wsec, csec;
59092 + char cur_tty[64] = { 0 };
59093 + char parent_tty[64] = { 0 };
59094 +
59095 + task = va_arg(ap, struct task_struct *);
59096 + wday = va_arg(ap, unsigned int);
59097 + cday = va_arg(ap, unsigned int);
59098 + whr = va_arg(ap, int);
59099 + chr = va_arg(ap, int);
59100 + wmin = va_arg(ap, int);
59101 + cmin = va_arg(ap, int);
59102 + wsec = va_arg(ap, int);
59103 + csec = va_arg(ap, int);
59104 + ulong1 = va_arg(ap, unsigned long);
59105 + cred = __task_cred(task);
59106 + pcred = __task_cred(task->real_parent);
59107 +
59108 + gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, &task->signal->curr_ip, tty_name(task->signal->tty, cur_tty), cred->uid, cred->euid, cred->gid, cred->egid, wday, whr, wmin, wsec, cday, chr, cmin, csec, (task->flags & PF_SIGNALED) ? "killed by signal" : "exited", ulong1, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, &task->real_parent->signal->curr_ip, tty_name(task->real_parent->signal->tty, parent_tty), pcred->uid, pcred->euid, pcred->gid, pcred->egid);
59109 + }
59110 + break;
59111 + default:
59112 + gr_log_middle(audit, msg, ap);
59113 + }
59114 + va_end(ap);
59115 + gr_log_end(audit);
59116 + END_LOCKS(audit);
59117 +}
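Review bot: Once the burst is used up, gr_log_start returns FLOODING for every further alert until the window reopens, and nothing records how many were dropped. The counters are global, so any caller of the alert channel (presumably including the RWX-mapping messages in grsec_pax.c, which pass GR_DONT_AUDIT) draws on the same budget as the denials. Counting the dropped alerts under grsec_alert_lock and printing the total when the window reopens, as sketched below, keeps that gap visible to whoever reads the log. The first test uses `>` while the second uses `<`, so an alert arriving exactly CONFIG_GRKERNSEC_FLOODTIME * HZ jiffies after the window start is dropped even with burst left; `>=` in the first test closes that. Separately, BEGIN_LOCKS and END_LOCKS expand to several statements with an unbraced if/else and would be safer wrapped in `do { ... } while (0)`.

```c
/* alerts dropped since the rate limit tripped; only touched under grsec_alert_lock */
static unsigned long grsec_alert_dropped;

static int gr_log_start(int audit)
{
	/* … unchanged: loglevel/fmt/buf selection and the GR_DO_AUDIT shortcut … */

	if (!grsec_alert_wtime || jiffies - grsec_alert_wtime >= CONFIG_GRKERNSEC_FLOODTIME * HZ) {
		if (grsec_alert_dropped)
			printk(KERN_ALERT "grsec: %lu alerts were suppressed\n", grsec_alert_dropped);
		grsec_alert_dropped = 0;
		grsec_alert_wtime = jiffies;
		grsec_alert_fyet = 0;
	} else if (grsec_alert_fyet < CONFIG_GRKERNSEC_FLOODBURST) {
		grsec_alert_fyet++;
	} else {
		if (grsec_alert_fyet == CONFIG_GRKERNSEC_FLOODBURST) {
			grsec_alert_wtime = jiffies;
			grsec_alert_fyet++;
			printk(KERN_ALERT "grsec: more alerts, logging disabled for %d seconds\n", CONFIG_GRKERNSEC_FLOODTIME);
		}
		grsec_alert_dropped++;
		return FLOODING;
	}

	/* … unchanged: set_fmt prefix formatting and return NO_FLOODING … */
```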
59118 diff -urNp linux-2.6.39.3/grsecurity/grsec_mem.c linux-2.6.39.3/grsecurity/grsec_mem.c
59119 --- linux-2.6.39.3/grsecurity/grsec_mem.c 1969-12-31 19:00:00.000000000 -0500
59120 +++ linux-2.6.39.3/grsecurity/grsec_mem.c 2011-05-22 19:41:42.000000000 -0400
59121 @@ -0,0 +1,33 @@
59122 +#include <linux/kernel.h>
59123 +#include <linux/sched.h>
59124 +#include <linux/mm.h>
59125 +#include <linux/mman.h>
59126 +#include <linux/grinternal.h>
59127 +
59128 +void
59129 +gr_handle_ioperm(void)
59130 +{
59131 + gr_log_noargs(GR_DONT_AUDIT, GR_IOPERM_MSG);
59132 + return;
59133 +}
59134 +
59135 +void
59136 +gr_handle_iopl(void)
59137 +{
59138 + gr_log_noargs(GR_DONT_AUDIT, GR_IOPL_MSG);
59139 + return;
59140 +}
59141 +
59142 +void
59143 +gr_handle_mem_readwrite(u64 from, u64 to)
59144 +{
59145 + gr_log_two_u64(GR_DONT_AUDIT, GR_MEM_READWRITE_MSG, from, to);
59146 + return;
59147 +}
59148 +
59149 +void
59150 +gr_handle_vm86(void)
59151 +{
59152 + gr_log_noargs(GR_DONT_AUDIT, GR_VM86_MSG);
59153 + return;
59154 +}
59155 diff -urNp linux-2.6.39.3/grsecurity/grsec_mount.c linux-2.6.39.3/grsecurity/grsec_mount.c
59156 --- linux-2.6.39.3/grsecurity/grsec_mount.c 1969-12-31 19:00:00.000000000 -0500
59157 +++ linux-2.6.39.3/grsecurity/grsec_mount.c 2011-06-20 19:46:18.000000000 -0400
59158 @@ -0,0 +1,62 @@
59159 +#include <linux/kernel.h>
59160 +#include <linux/sched.h>
59161 +#include <linux/mount.h>
59162 +#include <linux/grsecurity.h>
59163 +#include <linux/grinternal.h>
59164 +
59165 +void
59166 +gr_log_remount(const char *devname, const int retval)
59167 +{
59168 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
59169 + if (grsec_enable_mount && (retval >= 0))
59170 + gr_log_str(GR_DO_AUDIT, GR_REMOUNT_AUDIT_MSG, devname ? devname : "none");
59171 +#endif
59172 + return;
59173 +}
59174 +
59175 +void
59176 +gr_log_unmount(const char *devname, const int retval)
59177 +{
59178 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
59179 + if (grsec_enable_mount && (retval >= 0))
59180 + gr_log_str(GR_DO_AUDIT, GR_UNMOUNT_AUDIT_MSG, devname ? devname : "none");
59181 +#endif
59182 + return;
59183 +}
59184 +
59185 +void
59186 +gr_log_mount(const char *from, const char *to, const int retval)
59187 +{
59188 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
59189 + if (grsec_enable_mount && (retval >= 0))
59190 + gr_log_str_str(GR_DO_AUDIT, GR_MOUNT_AUDIT_MSG, from ? from : "none", to);
59191 +#endif
59192 + return;
59193 +}
59194 +
59195 +int
59196 +gr_handle_rofs_mount(struct dentry *dentry, struct vfsmount *mnt, int mnt_flags)
59197 +{
59198 +#ifdef CONFIG_GRKERNSEC_ROFS
59199 + if (grsec_enable_rofs && !(mnt_flags & MNT_READONLY)) {
59200 + gr_log_fs_generic(GR_DO_AUDIT, GR_ROFS_MOUNT_MSG, dentry, mnt);
59201 + return -EPERM;
59202 + } else
59203 + return 0;
59204 +#endif
59205 + return 0;
59206 +}
59207 +
59208 +int
59209 +gr_handle_rofs_blockwrite(struct dentry *dentry, struct vfsmount *mnt, int acc_mode)
59210 +{
59211 +#ifdef CONFIG_GRKERNSEC_ROFS
59212 + if (grsec_enable_rofs && (acc_mode & MAY_WRITE) &&
59213 + dentry->d_inode && S_ISBLK(dentry->d_inode->i_mode)) {
59214 + gr_log_fs_generic(GR_DO_AUDIT, GR_ROFS_BLOCKWRITE_MSG, dentry, mnt);
59215 + return -EPERM;
59216 + } else
59217 + return 0;
59218 +#endif
59219 + return 0;
59220 +}
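Review bot: gr_handle_rofs_mount and gr_handle_rofs_blockwrite both return -EPERM but log the denial with GR_DO_AUDIT, which gr_log_start in grsec_log.c emits at KERN_INFO, whereas the denials in grsec_link.c use GR_DONT_AUDIT and go out at KERN_ALERT. If these refusals should be alerted on like the other denials, the calls would read `gr_log_fs_generic(GR_DONT_AUDIT, GR_ROFS_MOUNT_MSG, dentry, mnt);` and likewise for GR_ROFS_BLOCKWRITE_MSG; END_LOCKS then also calls gr_handle_alertkill(current), so confirm that side effect is wanted. In both functions the `else return 0;` makes the final `return 0;` unreachable when CONFIG_GRKERNSEC_ROFS is set and can be dropped. gr_log_mount substitutes "none" for a NULL `from` but passes `to` through unchecked; either the same guard or a comment stating that callers never pass a NULL `to` would settle it.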
59221 diff -urNp linux-2.6.39.3/grsecurity/grsec_pax.c linux-2.6.39.3/grsecurity/grsec_pax.c
59222 --- linux-2.6.39.3/grsecurity/grsec_pax.c 1969-12-31 19:00:00.000000000 -0500
59223 +++ linux-2.6.39.3/grsecurity/grsec_pax.c 2011-05-22 19:41:42.000000000 -0400
59224 @@ -0,0 +1,36 @@
59225 +#include <linux/kernel.h>
59226 +#include <linux/sched.h>
59227 +#include <linux/mm.h>
59228 +#include <linux/file.h>
59229 +#include <linux/grinternal.h>
59230 +#include <linux/grsecurity.h>
59231 +
59232 +void
59233 +gr_log_textrel(struct vm_area_struct * vma)
59234 +{
59235 +#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
59236 + if (grsec_enable_audit_textrel)
59237 + gr_log_textrel_ulong_ulong(GR_DO_AUDIT, GR_TEXTREL_AUDIT_MSG, vma->vm_file, vma->vm_start, vma->vm_pgoff);
59238 +#endif
59239 + return;
59240 +}
59241 +
59242 +void
59243 +gr_log_rwxmmap(struct file *file)
59244 +{
59245 +#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
59246 + if (grsec_enable_log_rwxmaps)
59247 + gr_log_rwxmap(GR_DONT_AUDIT, GR_RWXMMAP_MSG, file);
59248 +#endif
59249 + return;
59250 +}
59251 +
59252 +void
59253 +gr_log_rwxmprotect(struct file *file)
59254 +{
59255 +#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
59256 + if (grsec_enable_log_rwxmaps)
59257 + gr_log_rwxmap(GR_DONT_AUDIT, GR_RWXMPROTECT_MSG, file);
59258 +#endif
59259 + return;
59260 +}
59261 diff -urNp linux-2.6.39.3/grsecurity/grsec_ptrace.c linux-2.6.39.3/grsecurity/grsec_ptrace.c
59262 --- linux-2.6.39.3/grsecurity/grsec_ptrace.c 1969-12-31 19:00:00.000000000 -0500
59263 +++ linux-2.6.39.3/grsecurity/grsec_ptrace.c 2011-05-22 19:41:42.000000000 -0400
59264 @@ -0,0 +1,14 @@
59265 +#include <linux/kernel.h>
59266 +#include <linux/sched.h>
59267 +#include <linux/grinternal.h>
59268 +#include <linux/grsecurity.h>
59269 +
59270 +void
59271 +gr_audit_ptrace(struct task_struct *task)
59272 +{
59273 +#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE
59274 + if (grsec_enable_audit_ptrace)
59275 + gr_log_ptrace(GR_DO_AUDIT, GR_PTRACE_AUDIT_MSG, task);
59276 +#endif
59277 + return;
59278 +}
59279 diff -urNp linux-2.6.39.3/grsecurity/grsec_sig.c linux-2.6.39.3/grsecurity/grsec_sig.c
59280 --- linux-2.6.39.3/grsecurity/grsec_sig.c 1969-12-31 19:00:00.000000000 -0500
59281 +++ linux-2.6.39.3/grsecurity/grsec_sig.c 2011-06-29 19:40:46.000000000 -0400
59282 @@ -0,0 +1,206 @@
59283 +#include <linux/kernel.h>
59284 +#include <linux/sched.h>
59285 +#include <linux/delay.h>
59286 +#include <linux/grsecurity.h>
59287 +#include <linux/grinternal.h>
59288 +#include <linux/hardirq.h>
59289 +
59290 +char *signames[] = {
59291 + [SIGSEGV] = "Segmentation fault",
59292 + [SIGILL] = "Illegal instruction",
59293 + [SIGABRT] = "Abort",
59294 + [SIGBUS] = "Invalid alignment/Bus error"
59295 +};
59296 +
59297 +void
59298 +gr_log_signal(const int sig, const void *addr, const struct task_struct *t)
59299 +{
59300 +#ifdef CONFIG_GRKERNSEC_SIGNAL
59301 + if (grsec_enable_signal && ((sig == SIGSEGV) || (sig == SIGILL) ||
59302 + (sig == SIGABRT) || (sig == SIGBUS))) {
59303 + if (t->pid == current->pid) {
59304 + gr_log_sig_addr(GR_DONT_AUDIT_GOOD, GR_UNISIGLOG_MSG, signames[sig], addr);
59305 + } else {
59306 + gr_log_sig_task(GR_DONT_AUDIT_GOOD, GR_DUALSIGLOG_MSG, t, sig);
59307 + }
59308 + }
59309 +#endif
59310 + return;
59311 +}
59312 +
59313 +int
59314 +gr_handle_signal(const struct task_struct *p, const int sig)
59315 +{
59316 +#ifdef CONFIG_GRKERNSEC
59317 + if (current->pid > 1 && gr_check_protected_task(p)) {
59318 + gr_log_sig_task(GR_DONT_AUDIT, GR_SIG_ACL_MSG, p, sig);
59319 + return -EPERM;
59320 + } else if (gr_pid_is_chrooted((struct task_struct *)p)) {
59321 + return -EPERM;
59322 + }
59323 +#endif
59324 + return 0;
59325 +}
59326 +
59327 +#ifdef CONFIG_GRKERNSEC
59328 +extern int specific_send_sig_info(int sig, struct siginfo *info, struct task_struct *t);
59329 +
59330 +int gr_fake_force_sig(int sig, struct task_struct *t)
59331 +{
59332 + unsigned long int flags;
59333 + int ret, blocked, ignored;
59334 + struct k_sigaction *action;
59335 +
59336 + spin_lock_irqsave(&t->sighand->siglock, flags);
59337 + action = &t->sighand->action[sig-1];
59338 + ignored = action->sa.sa_handler == SIG_IGN;
59339 + blocked = sigismember(&t->blocked, sig);
59340 + if (blocked || ignored) {
59341 + action->sa.sa_handler = SIG_DFL;
59342 + if (blocked) {
59343 + sigdelset(&t->blocked, sig);
59344 + recalc_sigpending_and_wake(t);
59345 + }
59346 + }
59347 + if (action->sa.sa_handler == SIG_DFL)
59348 + t->signal->flags &= ~SIGNAL_UNKILLABLE;
59349 + ret = specific_send_sig_info(sig, SEND_SIG_PRIV, t);
59350 +
59351 + spin_unlock_irqrestore(&t->sighand->siglock, flags);
59352 +
59353 + return ret;
59354 +}
59355 +#endif
59356 +
59357 +#ifdef CONFIG_GRKERNSEC_BRUTE
59358 +#define GR_USER_BAN_TIME (15 * 60)
59359 +
59360 +static int __get_dumpable(unsigned long mm_flags)
59361 +{
59362 + int ret;
59363 +
59364 + ret = mm_flags & MMF_DUMPABLE_MASK;
59365 + return (ret >= 2) ? 2 : ret;
59366 +}
59367 +#endif
59368 +
59369 +void gr_handle_brute_attach(struct task_struct *p, unsigned long mm_flags)
59370 +{
59371 +#ifdef CONFIG_GRKERNSEC_BRUTE
59372 + uid_t uid = 0;
59373 +
59374 + if (!grsec_enable_brute)
59375 + return;
59376 +
59377 + rcu_read_lock();
59378 + read_lock(&tasklist_lock);
59379 + read_lock(&grsec_exec_file_lock);
59380 + if (p->real_parent && p->real_parent->exec_file == p->exec_file)
59381 + p->real_parent->brute = 1;
59382 + else {
59383 + const struct cred *cred = __task_cred(p), *cred2;
59384 + struct task_struct *tsk, *tsk2;
59385 +
59386 + if (!__get_dumpable(mm_flags) && cred->uid) {
59387 + struct user_struct *user;
59388 +
59389 + uid = cred->uid;
59390 +
59391 + /* this is put upon execution past expiration */
59392 + user = find_user(uid);
59393 + if (user == NULL)
59394 + goto unlock;
59395 + user->banned = 1;
59396 + user->ban_expires = get_seconds() + GR_USER_BAN_TIME;
59397 + if (user->ban_expires == ~0UL)
59398 + user->ban_expires--;
59399 +
59400 + do_each_thread(tsk2, tsk) {
59401 + cred2 = __task_cred(tsk);
59402 + if (tsk != p && cred2->uid == uid)
59403 + gr_fake_force_sig(SIGKILL, tsk);
59404 + } while_each_thread(tsk2, tsk);
59405 + }
59406 + }
59407 +unlock:
59408 + read_unlock(&grsec_exec_file_lock);
59409 + read_unlock(&tasklist_lock);
59410 + rcu_read_unlock();
59411 +
59412 + if (uid)
59413 + printk(KERN_ALERT "grsec: bruteforce prevention initiated against uid %u, banning for %d minutes\n", uid, GR_USER_BAN_TIME / 60);
59414 +
59415 +#endif
59416 + return;
59417 +}
59418 +
59419 +void gr_handle_brute_check(void)
59420 +{
59421 +#ifdef CONFIG_GRKERNSEC_BRUTE
59422 + if (current->brute)
59423 + msleep(30 * 1000);
59424 +#endif
59425 + return;
59426 +}
59427 +
59428 +void gr_handle_kernel_exploit(void)
59429 +{
59430 +#ifdef CONFIG_GRKERNSEC_KERN_LOCKOUT
59431 + const struct cred *cred;
59432 + struct task_struct *tsk, *tsk2;
59433 + struct user_struct *user;
59434 + uid_t uid;
59435 +
59436 + if (in_irq() || in_serving_softirq() || in_nmi())
59437 + panic("grsec: halting the system due to suspicious kernel crash caused in interrupt context");
59438 +
59439 + uid = current_uid();
59440 +
59441 + if (uid == 0)
59442 + panic("grsec: halting the system due to suspicious kernel crash caused by root");
59443 + else {
59444 + /* kill all the processes of this user, hold a reference
59445 + to their creds struct, and prevent them from creating
59446 + another process until system reset
59447 + */
59448 + printk(KERN_ALERT "grsec: banning user with uid %u until system restart for suspicious kernel crash\n", uid);
59449 + /* we intentionally leak this ref */
59450 + user = get_uid(current->cred->user);
59451 + if (user) {
59452 + user->banned = 1;
59453 + user->ban_expires = ~0UL;
59454 + }
59455 +
59456 + read_lock(&tasklist_lock);
59457 + do_each_thread(tsk2, tsk) {
59458 + cred = __task_cred(tsk);
59459 + if (cred->uid == uid)
59460 + gr_fake_force_sig(SIGKILL, tsk);
59461 + } while_each_thread(tsk2, tsk);
59462 + read_unlock(&tasklist_lock);
59463 + }
59464 +#endif
59465 +}
59466 +
59467 +int __gr_process_user_ban(struct user_struct *user)
59468 +{
59469 +#if defined(CONFIG_GRKERNSEC_KERN_LOCKOUT) || defined(CONFIG_GRKERNSEC_BRUTE)
59470 + if (unlikely(user->banned)) {
59471 + if (user->ban_expires != ~0UL && time_after_eq(get_seconds(), user->ban_expires)) {
59472 + user->banned = 0;
59473 + user->ban_expires = 0;
59474 + free_uid(user);
59475 + } else
59476 + return -EPERM;
59477 + }
59478 +#endif
59479 + return 0;
59480 +}
59481 +
59482 +int gr_process_user_ban(void)
59483 +{
59484 +#if defined(CONFIG_GRKERNSEC_KERN_LOCKOUT) || defined(CONFIG_GRKERNSEC_BRUTE)
59485 + return __gr_process_user_ban(current->cred->user);
59486 +#endif
59487 + return 0;
59488 +}
59489 diff -urNp linux-2.6.39.3/grsecurity/grsec_sock.c linux-2.6.39.3/grsecurity/grsec_sock.c
59490 --- linux-2.6.39.3/grsecurity/grsec_sock.c 1969-12-31 19:00:00.000000000 -0500
59491 +++ linux-2.6.39.3/grsecurity/grsec_sock.c 2011-05-22 20:29:21.000000000 -0400
59492 @@ -0,0 +1,244 @@
59493 +#include <linux/kernel.h>
59494 +#include <linux/module.h>
59495 +#include <linux/sched.h>
59496 +#include <linux/file.h>
59497 +#include <linux/net.h>
59498 +#include <linux/in.h>
59499 +#include <linux/ip.h>
59500 +#include <net/sock.h>
59501 +#include <net/inet_sock.h>
59502 +#include <linux/grsecurity.h>
59503 +#include <linux/grinternal.h>
59504 +#include <linux/gracl.h>
59505 +
59506 +extern int gr_search_udp_recvmsg(const struct sock *sk, const struct sk_buff *skb);
59507 +extern int gr_search_udp_sendmsg(const struct sock *sk, const struct sockaddr_in *addr);
59508 +
59509 +EXPORT_SYMBOL(gr_search_udp_recvmsg);
59510 +EXPORT_SYMBOL(gr_search_udp_sendmsg);
59511 +
59512 +#ifdef CONFIG_UNIX_MODULE
59513 +EXPORT_SYMBOL(gr_acl_handle_unix);
59514 +EXPORT_SYMBOL(gr_acl_handle_mknod);
59515 +EXPORT_SYMBOL(gr_handle_chroot_unix);
59516 +EXPORT_SYMBOL(gr_handle_create);
59517 +#endif
59518 +
59519 +#ifdef CONFIG_GRKERNSEC
59520 +#define gr_conn_table_size 32749
59521 +struct conn_table_entry {
59522 + struct conn_table_entry *next;
59523 + struct signal_struct *sig;
59524 +};
59525 +
59526 +struct conn_table_entry *gr_conn_table[gr_conn_table_size];
59527 +DEFINE_SPINLOCK(gr_conn_table_lock);
59528 +
59529 +extern const char * gr_socktype_to_name(unsigned char type);
59530 +extern const char * gr_proto_to_name(unsigned char proto);
59531 +extern const char * gr_sockfamily_to_name(unsigned char family);
59532 +
59533 +static __inline__ int
59534 +conn_hash(__u32 saddr, __u32 daddr, __u16 sport, __u16 dport, unsigned int size)
59535 +{
59536 + return ((daddr + saddr + (sport << 8) + (dport << 16)) % size);
59537 +}
59538 +
59539 +static __inline__ int
59540 +conn_match(const struct signal_struct *sig, __u32 saddr, __u32 daddr,
59541 + __u16 sport, __u16 dport)
59542 +{
59543 + if (unlikely(sig->gr_saddr == saddr && sig->gr_daddr == daddr &&
59544 + sig->gr_sport == sport && sig->gr_dport == dport))
59545 + return 1;
59546 + else
59547 + return 0;
59548 +}
59549 +
59550 +static void gr_add_to_task_ip_table_nolock(struct signal_struct *sig, struct conn_table_entry *newent)
59551 +{
59552 + struct conn_table_entry **match;
59553 + unsigned int index;
59554 +
59555 + index = conn_hash(sig->gr_saddr, sig->gr_daddr,
59556 + sig->gr_sport, sig->gr_dport,
59557 + gr_conn_table_size);
59558 +
59559 + newent->sig = sig;
59560 +
59561 + match = &gr_conn_table[index];
59562 + newent->next = *match;
59563 + *match = newent;
59564 +
59565 + return;
59566 +}
59567 +
59568 +static void gr_del_task_from_ip_table_nolock(struct signal_struct *sig)
59569 +{
59570 + struct conn_table_entry *match, *last = NULL;
59571 + unsigned int index;
59572 +
59573 + index = conn_hash(sig->gr_saddr, sig->gr_daddr,
59574 + sig->gr_sport, sig->gr_dport,
59575 + gr_conn_table_size);
59576 +
59577 + match = gr_conn_table[index];
59578 + while (match && !conn_match(match->sig,
59579 + sig->gr_saddr, sig->gr_daddr, sig->gr_sport,
59580 + sig->gr_dport)) {
59581 + last = match;
59582 + match = match->next;
59583 + }
59584 +
59585 + if (match) {
59586 + if (last)
59587 + last->next = match->next;
59588 + else
59589 + gr_conn_table[index] = NULL;
59590 + kfree(match);
59591 + }
59592 +
59593 + return;
59594 +}
59595 +
59596 +static struct signal_struct * gr_lookup_task_ip_table(__u32 saddr, __u32 daddr,
59597 + __u16 sport, __u16 dport)
59598 +{
59599 + struct conn_table_entry *match;
59600 + unsigned int index;
59601 +
59602 + index = conn_hash(saddr, daddr, sport, dport, gr_conn_table_size);
59603 +
59604 + match = gr_conn_table[index];
59605 + while (match && !conn_match(match->sig, saddr, daddr, sport, dport))
59606 + match = match->next;
59607 +
59608 + if (match)
59609 + return match->sig;
59610 + else
59611 + return NULL;
59612 +}
59613 +
59614 +#endif
59615 +
59616 +void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet)
59617 +{
59618 +#ifdef CONFIG_GRKERNSEC
59619 + struct signal_struct *sig = task->signal;
59620 + struct conn_table_entry *newent;
59621 +
59622 + newent = kmalloc(sizeof(struct conn_table_entry), GFP_ATOMIC);
59623 + if (newent == NULL)
59624 + return;
59625 + /* no bh lock needed since we are called with bh disabled */
59626 + spin_lock(&gr_conn_table_lock);
59627 + gr_del_task_from_ip_table_nolock(sig);
59628 + sig->gr_saddr = inet->inet_rcv_saddr;
59629 + sig->gr_daddr = inet->inet_daddr;
59630 + sig->gr_sport = inet->inet_sport;
59631 + sig->gr_dport = inet->inet_dport;
59632 + gr_add_to_task_ip_table_nolock(sig, newent);
59633 + spin_unlock(&gr_conn_table_lock);
59634 +#endif
59635 + return;
59636 +}
59637 +
59638 +void gr_del_task_from_ip_table(struct task_struct *task)
59639 +{
59640 +#ifdef CONFIG_GRKERNSEC
59641 + spin_lock_bh(&gr_conn_table_lock);
59642 + gr_del_task_from_ip_table_nolock(task->signal);
59643 + spin_unlock_bh(&gr_conn_table_lock);
59644 +#endif
59645 + return;
59646 +}
59647 +
59648 +void
59649 +gr_attach_curr_ip(const struct sock *sk)
59650 +{
59651 +#ifdef CONFIG_GRKERNSEC
59652 + struct signal_struct *p, *set;
59653 + const struct inet_sock *inet = inet_sk(sk);
59654 +
59655 + if (unlikely(sk->sk_protocol != IPPROTO_TCP))
59656 + return;
59657 +
59658 + set = current->signal;
59659 +
59660 + spin_lock_bh(&gr_conn_table_lock);
59661 + p = gr_lookup_task_ip_table(inet->inet_daddr, inet->inet_rcv_saddr,
59662 + inet->inet_dport, inet->inet_sport);
59663 + if (unlikely(p != NULL)) {
59664 + set->curr_ip = p->curr_ip;
59665 + set->used_accept = 1;
59666 + gr_del_task_from_ip_table_nolock(p);
59667 + spin_unlock_bh(&gr_conn_table_lock);
59668 + return;
59669 + }
59670 + spin_unlock_bh(&gr_conn_table_lock);
59671 +
59672 + set->curr_ip = inet->inet_daddr;
59673 + set->used_accept = 1;
59674 +#endif
59675 + return;
59676 +}
59677 +
59678 +int
59679 +gr_handle_sock_all(const int family, const int type, const int protocol)
59680 +{
59681 +#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
59682 + if (grsec_enable_socket_all && in_group_p(grsec_socket_all_gid) &&
59683 + (family != AF_UNIX)) {
59684 + if (family == AF_INET)
59685 + gr_log_str3(GR_DONT_AUDIT, GR_SOCK_MSG, gr_sockfamily_to_name(family), gr_socktype_to_name(type), gr_proto_to_name(protocol));
59686 + else
59687 + gr_log_str2_int(GR_DONT_AUDIT, GR_SOCK_NOINET_MSG, gr_sockfamily_to_name(family), gr_socktype_to_name(type), protocol);
59688 + return -EACCES;
59689 + }
59690 +#endif
59691 + return 0;
59692 +}
59693 +
59694 +int
59695 +gr_handle_sock_server(const struct sockaddr *sck)
59696 +{
59697 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
59698 + if (grsec_enable_socket_server &&
59699 + in_group_p(grsec_socket_server_gid) &&
59700 + sck && (sck->sa_family != AF_UNIX) &&
59701 + (sck->sa_family != AF_LOCAL)) {
59702 + gr_log_noargs(GR_DONT_AUDIT, GR_BIND_MSG);
59703 + return -EACCES;
59704 + }
59705 +#endif
59706 + return 0;
59707 +}
59708 +
59709 +int
59710 +gr_handle_sock_server_other(const struct sock *sck)
59711 +{
59712 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
59713 + if (grsec_enable_socket_server &&
59714 + in_group_p(grsec_socket_server_gid) &&
59715 + sck && (sck->sk_family != AF_UNIX) &&
59716 + (sck->sk_family != AF_LOCAL)) {
59717 + gr_log_noargs(GR_DONT_AUDIT, GR_BIND_MSG);
59718 + return -EACCES;
59719 + }
59720 +#endif
59721 + return 0;
59722 +}
59723 +
59724 +int
59725 +gr_handle_sock_client(const struct sockaddr *sck)
59726 +{
59727 +#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
59728 + if (grsec_enable_socket_client && in_group_p(grsec_socket_client_gid) &&
59729 + sck && (sck->sa_family != AF_UNIX) &&
59730 + (sck->sa_family != AF_LOCAL)) {
59731 + gr_log_noargs(GR_DONT_AUDIT, GR_CONNECT_MSG);
59732 + return -EACCES;
59733 + }
59734 +#endif
59735 + return 0;
59736 +}
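Review bot: In gr_del_task_from_ip_table_nolock(), removing the first entry of a bucket sets `gr_conn_table[index] = NULL`, which drops every entry chained behind it. Those entries are never freed and gr_lookup_task_ip_table() can no longer find them, so gr_attach_curr_ip() falls back to the socket's own `inet_daddr` for those connections and the logged source address may be wrong. The head case should relink the chain instead: `gr_conn_table[index] = match->next;`. Separately, removal matches on the address/port tuple rather than on the `sig` pointer, so it can unlink an entry owned by a different signal_struct that carries the same tuple; adding `match->sig == sig` to the loop condition would rule that out.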
59737 diff -urNp linux-2.6.39.3/grsecurity/grsec_sysctl.c linux-2.6.39.3/grsecurity/grsec_sysctl.c
59738 --- linux-2.6.39.3/grsecurity/grsec_sysctl.c 1969-12-31 19:00:00.000000000 -0500
59739 +++ linux-2.6.39.3/grsecurity/grsec_sysctl.c 2011-06-29 19:38:04.000000000 -0400
59740 @@ -0,0 +1,442 @@
59741 +#include <linux/kernel.h>
59742 +#include <linux/sched.h>
59743 +#include <linux/sysctl.h>
59744 +#include <linux/grsecurity.h>
59745 +#include <linux/grinternal.h>
59746 +
59747 +int
59748 +gr_handle_sysctl_mod(const char *dirname, const char *name, const int op)
59749 +{
59750 +#ifdef CONFIG_GRKERNSEC_SYSCTL
59751 + if (!strcmp(dirname, "grsecurity") && grsec_lock && (op & MAY_WRITE)) {
59752 + gr_log_str(GR_DONT_AUDIT, GR_SYSCTL_MSG, name);
59753 + return -EACCES;
59754 + }
59755 +#endif
59756 + return 0;
59757 +}
59758 +
59759 +#ifdef CONFIG_GRKERNSEC_ROFS
59760 +static int __maybe_unused one = 1;
59761 +#endif
59762 +
59763 +#if defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_ROFS)
59764 +struct ctl_table grsecurity_table[] = {
59765 +#ifdef CONFIG_GRKERNSEC_SYSCTL
59766 +#ifdef CONFIG_GRKERNSEC_SYSCTL_DISTRO
59767 +#ifdef CONFIG_GRKERNSEC_IO
59768 + {
59769 + .procname = "disable_priv_io",
59770 + .data = &grsec_disable_privio,
59771 + .maxlen = sizeof(int),
59772 + .mode = 0600,
59773 + .proc_handler = &proc_dointvec,
59774 + },
59775 +#endif
59776 +#endif
59777 +#ifdef CONFIG_GRKERNSEC_LINK
59778 + {
59779 + .procname = "linking_restrictions",
59780 + .data = &grsec_enable_link,
59781 + .maxlen = sizeof(int),
59782 + .mode = 0600,
59783 + .proc_handler = &proc_dointvec,
59784 + },
59785 +#endif
59786 +#ifdef CONFIG_GRKERNSEC_BRUTE
59787 + {
59788 + .procname = "deter_bruteforce",
59789 + .data = &grsec_enable_brute,
59790 + .maxlen = sizeof(int),
59791 + .mode = 0600,
59792 + .proc_handler = &proc_dointvec,
59793 + },
59794 +#endif
59795 +#ifdef CONFIG_GRKERNSEC_FIFO
59796 + {
59797 + .procname = "fifo_restrictions",
59798 + .data = &grsec_enable_fifo,
59799 + .maxlen = sizeof(int),
59800 + .mode = 0600,
59801 + .proc_handler = &proc_dointvec,
59802 + },
59803 +#endif
59804 +#ifdef CONFIG_GRKERNSEC_EXECVE
59805 + {
59806 + .procname = "execve_limiting",
59807 + .data = &grsec_enable_execve,
59808 + .maxlen = sizeof(int),
59809 + .mode = 0600,
59810 + .proc_handler = &proc_dointvec,
59811 + },
59812 +#endif
59813 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
59814 + {
59815 + .procname = "ip_blackhole",
59816 + .data = &grsec_enable_blackhole,
59817 + .maxlen = sizeof(int),
59818 + .mode = 0600,
59819 + .proc_handler = &proc_dointvec,
59820 + },
59821 + {
59822 + .procname = "lastack_retries",
59823 + .data = &grsec_lastack_retries,
59824 + .maxlen = sizeof(int),
59825 + .mode = 0600,
59826 + .proc_handler = &proc_dointvec,
59827 + },
59828 +#endif
59829 +#ifdef CONFIG_GRKERNSEC_EXECLOG
59830 + {
59831 + .procname = "exec_logging",
59832 + .data = &grsec_enable_execlog,
59833 + .maxlen = sizeof(int),
59834 + .mode = 0600,
59835 + .proc_handler = &proc_dointvec,
59836 + },
59837 +#endif
59838 +#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
59839 + {
59840 + .procname = "rwxmap_logging",
59841 + .data = &grsec_enable_log_rwxmaps,
59842 + .maxlen = sizeof(int),
59843 + .mode = 0600,
59844 + .proc_handler = &proc_dointvec,
59845 + },
59846 +#endif
59847 +#ifdef CONFIG_GRKERNSEC_SIGNAL
59848 + {
59849 + .procname = "signal_logging",
59850 + .data = &grsec_enable_signal,
59851 + .maxlen = sizeof(int),
59852 + .mode = 0600,
59853 + .proc_handler = &proc_dointvec,
59854 + },
59855 +#endif
59856 +#ifdef CONFIG_GRKERNSEC_FORKFAIL
59857 + {
59858 + .procname = "forkfail_logging",
59859 + .data = &grsec_enable_forkfail,
59860 + .maxlen = sizeof(int),
59861 + .mode = 0600,
59862 + .proc_handler = &proc_dointvec,
59863 + },
59864 +#endif
59865 +#ifdef CONFIG_GRKERNSEC_TIME
59866 + {
59867 + .procname = "timechange_logging",
59868 + .data = &grsec_enable_time,
59869 + .maxlen = sizeof(int),
59870 + .mode = 0600,
59871 + .proc_handler = &proc_dointvec,
59872 + },
59873 +#endif
59874 +#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
59875 + {
59876 + .procname = "chroot_deny_shmat",
59877 + .data = &grsec_enable_chroot_shmat,
59878 + .maxlen = sizeof(int),
59879 + .mode = 0600,
59880 + .proc_handler = &proc_dointvec,
59881 + },
59882 +#endif
59883 +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
59884 + {
59885 + .procname = "chroot_deny_unix",
59886 + .data = &grsec_enable_chroot_unix,
59887 + .maxlen = sizeof(int),
59888 + .mode = 0600,
59889 + .proc_handler = &proc_dointvec,
59890 + },
59891 +#endif
59892 +#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
59893 + {
59894 + .procname = "chroot_deny_mount",
59895 + .data = &grsec_enable_chroot_mount,
59896 + .maxlen = sizeof(int),
59897 + .mode = 0600,
59898 + .proc_handler = &proc_dointvec,
59899 + },
59900 +#endif
59901 +#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
59902 + {
59903 + .procname = "chroot_deny_fchdir",
59904 + .data = &grsec_enable_chroot_fchdir,
59905 + .maxlen = sizeof(int),
59906 + .mode = 0600,
59907 + .proc_handler = &proc_dointvec,
59908 + },
59909 +#endif
59910 +#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
59911 + {
59912 + .procname = "chroot_deny_chroot",
59913 + .data = &grsec_enable_chroot_double,
59914 + .maxlen = sizeof(int),
59915 + .mode = 0600,
59916 + .proc_handler = &proc_dointvec,
59917 + },
59918 +#endif
59919 +#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
59920 + {
59921 + .procname = "chroot_deny_pivot",
59922 + .data = &grsec_enable_chroot_pivot,
59923 + .maxlen = sizeof(int),
59924 + .mode = 0600,
59925 + .proc_handler = &proc_dointvec,
59926 + },
59927 +#endif
59928 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
59929 + {
59930 + .procname = "chroot_enforce_chdir",
59931 + .data = &grsec_enable_chroot_chdir,
59932 + .maxlen = sizeof(int),
59933 + .mode = 0600,
59934 + .proc_handler = &proc_dointvec,
59935 + },
59936 +#endif
59937 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
59938 + {
59939 + .procname = "chroot_deny_chmod",
59940 + .data = &grsec_enable_chroot_chmod,
59941 + .maxlen = sizeof(int),
59942 + .mode = 0600,
59943 + .proc_handler = &proc_dointvec,
59944 + },
59945 +#endif
59946 +#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
59947 + {
59948 + .procname = "chroot_deny_mknod",
59949 + .data = &grsec_enable_chroot_mknod,
59950 + .maxlen = sizeof(int),
59951 + .mode = 0600,
59952 + .proc_handler = &proc_dointvec,
59953 + },
59954 +#endif
59955 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
59956 + {
59957 + .procname = "chroot_restrict_nice",
59958 + .data = &grsec_enable_chroot_nice,
59959 + .maxlen = sizeof(int),
59960 + .mode = 0600,
59961 + .proc_handler = &proc_dointvec,
59962 + },
59963 +#endif
59964 +#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
59965 + {
59966 + .procname = "chroot_execlog",
59967 + .data = &grsec_enable_chroot_execlog,
59968 + .maxlen = sizeof(int),
59969 + .mode = 0600,
59970 + .proc_handler = &proc_dointvec,
59971 + },
59972 +#endif
59973 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
59974 + {
59975 + .procname = "chroot_caps",
59976 + .data = &grsec_enable_chroot_caps,
59977 + .maxlen = sizeof(int),
59978 + .mode = 0600,
59979 + .proc_handler = &proc_dointvec,
59980 + },
59981 +#endif
59982 +#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
59983 + {
59984 + .procname = "chroot_deny_sysctl",
59985 + .data = &grsec_enable_chroot_sysctl,
59986 + .maxlen = sizeof(int),
59987 + .mode = 0600,
59988 + .proc_handler = &proc_dointvec,
59989 + },
59990 +#endif
59991 +#ifdef CONFIG_GRKERNSEC_TPE
59992 + {
59993 + .procname = "tpe",
59994 + .data = &grsec_enable_tpe,
59995 + .maxlen = sizeof(int),
59996 + .mode = 0600,
59997 + .proc_handler = &proc_dointvec,
59998 + },
59999 + {
60000 + .procname = "tpe_gid",
60001 + .data = &grsec_tpe_gid,
60002 + .maxlen = sizeof(int),
60003 + .mode = 0600,
60004 + .proc_handler = &proc_dointvec,
60005 + },
60006 +#endif
60007 +#ifdef CONFIG_GRKERNSEC_TPE_INVERT
60008 + {
60009 + .procname = "tpe_invert",
60010 + .data = &grsec_enable_tpe_invert,
60011 + .maxlen = sizeof(int),
60012 + .mode = 0600,
60013 + .proc_handler = &proc_dointvec,
60014 + },
60015 +#endif
60016 +#ifdef CONFIG_GRKERNSEC_TPE_ALL
60017 + {
60018 + .procname = "tpe_restrict_all",
60019 + .data = &grsec_enable_tpe_all,
60020 + .maxlen = sizeof(int),
60021 + .mode = 0600,
60022 + .proc_handler = &proc_dointvec,
60023 + },
60024 +#endif
60025 +#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
60026 + {
60027 + .procname = "socket_all",
60028 + .data = &grsec_enable_socket_all,
60029 + .maxlen = sizeof(int),
60030 + .mode = 0600,
60031 + .proc_handler = &proc_dointvec,
60032 + },
60033 + {
60034 + .procname = "socket_all_gid",
60035 + .data = &grsec_socket_all_gid,
60036 + .maxlen = sizeof(int),
60037 + .mode = 0600,
60038 + .proc_handler = &proc_dointvec,
60039 + },
60040 +#endif
60041 +#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
60042 + {
60043 + .procname = "socket_client",
60044 + .data = &grsec_enable_socket_client,
60045 + .maxlen = sizeof(int),
60046 + .mode = 0600,
60047 + .proc_handler = &proc_dointvec,
60048 + },
60049 + {
60050 + .procname = "socket_client_gid",
60051 + .data = &grsec_socket_client_gid,
60052 + .maxlen = sizeof(int),
60053 + .mode = 0600,
60054 + .proc_handler = &proc_dointvec,
60055 + },
60056 +#endif
60057 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
60058 + {
60059 + .procname = "socket_server",
60060 + .data = &grsec_enable_socket_server,
60061 + .maxlen = sizeof(int),
60062 + .mode = 0600,
60063 + .proc_handler = &proc_dointvec,
60064 + },
60065 + {
60066 + .procname = "socket_server_gid",
60067 + .data = &grsec_socket_server_gid,
60068 + .maxlen = sizeof(int),
60069 + .mode = 0600,
60070 + .proc_handler = &proc_dointvec,
60071 + },
60072 +#endif
60073 +#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP
60074 + {
60075 + .procname = "audit_group",
60076 + .data = &grsec_enable_group,
60077 + .maxlen = sizeof(int),
60078 + .mode = 0600,
60079 + .proc_handler = &proc_dointvec,
60080 + },
60081 + {
60082 + .procname = "audit_gid",
60083 + .data = &grsec_audit_gid,
60084 + .maxlen = sizeof(int),
60085 + .mode = 0600,
60086 + .proc_handler = &proc_dointvec,
60087 + },
60088 +#endif
60089 +#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
60090 + {
60091 + .procname = "audit_chdir",
60092 + .data = &grsec_enable_chdir,
60093 + .maxlen = sizeof(int),
60094 + .mode = 0600,
60095 + .proc_handler = &proc_dointvec,
60096 + },
60097 +#endif
60098 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
60099 + {
60100 + .procname = "audit_mount",
60101 + .data = &grsec_enable_mount,
60102 + .maxlen = sizeof(int),
60103 + .mode = 0600,
60104 + .proc_handler = &proc_dointvec,
60105 + },
60106 +#endif
60107 +#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
60108 + {
60109 + .procname = "audit_textrel",
60110 + .data = &grsec_enable_audit_textrel,
60111 + .maxlen = sizeof(int),
60112 + .mode = 0600,
60113 + .proc_handler = &proc_dointvec,
60114 + },
60115 +#endif
60116 +#ifdef CONFIG_GRKERNSEC_DMESG
60117 + {
60118 + .procname = "dmesg",
60119 + .data = &grsec_enable_dmesg,
60120 + .maxlen = sizeof(int),
60121 + .mode = 0600,
60122 + .proc_handler = &proc_dointvec,
60123 + },
60124 +#endif
60125 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
60126 + {
60127 + .procname = "chroot_findtask",
60128 + .data = &grsec_enable_chroot_findtask,
60129 + .maxlen = sizeof(int),
60130 + .mode = 0600,
60131 + .proc_handler = &proc_dointvec,
60132 + },
60133 +#endif
60134 +#ifdef CONFIG_GRKERNSEC_RESLOG
60135 + {
60136 + .procname = "resource_logging",
60137 + .data = &grsec_resource_logging,
60138 + .maxlen = sizeof(int),
60139 + .mode = 0600,
60140 + .proc_handler = &proc_dointvec,
60141 + },
60142 +#endif
60143 +#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE
60144 + {
60145 + .procname = "audit_ptrace",
60146 + .data = &grsec_enable_audit_ptrace,
60147 + .maxlen = sizeof(int),
60148 + .mode = 0600,
60149 + .proc_handler = &proc_dointvec,
60150 + },
60151 +#endif
60152 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
60153 + {
60154 + .procname = "harden_ptrace",
60155 + .data = &grsec_enable_harden_ptrace,
60156 + .maxlen = sizeof(int),
60157 + .mode = 0600,
60158 + .proc_handler = &proc_dointvec,
60159 + },
60160 +#endif
60161 + {
60162 + .procname = "grsec_lock",
60163 + .data = &grsec_lock,
60164 + .maxlen = sizeof(int),
60165 + .mode = 0600,
60166 + .proc_handler = &proc_dointvec,
60167 + },
60168 +#endif
60169 +#ifdef CONFIG_GRKERNSEC_ROFS
60170 + {
60171 + .procname = "romount_protect",
60172 + .data = &grsec_enable_rofs,
60173 + .maxlen = sizeof(int),
60174 + .mode = 0600,
60175 + .proc_handler = &proc_dointvec_minmax,
60176 + .extra1 = &one,
60177 + .extra2 = &one,
60178 + },
60179 +#endif
60180 + { }
60181 +};
60182 +#endif
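Review bot: The `romount_protect` entry is the only one in grsecurity_table that uses `proc_dointvec_minmax`, with `.extra1` and `.extra2` both pointing at `one`, so a write can only ever store 1 and the switch cannot be cleared at runtime; nothing in the table records that this is intended. A comment on the entry such as `/* min == max == 1: can be enabled at runtime, never disabled */` would make the one-way behaviour explicit. Every other entry, including the `*_gid` values and `grsec_lock`, goes through plain `proc_dointvec` and accepts any int, negative included; if the toggles are meant to be 0/1 and the gids non-negative, bounding them the same way would keep out-of-range values away from the checks that read them. gr_handle_sysctl_mod() also recognises the table only by `strcmp(dirname, "grsecurity")`, which deserves a comment because the write lock depends on that directory name alone.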
60183 diff -urNp linux-2.6.39.3/grsecurity/grsec_time.c linux-2.6.39.3/grsecurity/grsec_time.c
60184 --- linux-2.6.39.3/grsecurity/grsec_time.c 1969-12-31 19:00:00.000000000 -0500
60185 +++ linux-2.6.39.3/grsecurity/grsec_time.c 2011-05-22 19:41:42.000000000 -0400
60186 @@ -0,0 +1,16 @@
60187 +#include <linux/kernel.h>
60188 +#include <linux/sched.h>
60189 +#include <linux/grinternal.h>
60190 +#include <linux/module.h>
60191 +
60192 +void
60193 +gr_log_timechange(void)
60194 +{
60195 +#ifdef CONFIG_GRKERNSEC_TIME
60196 + if (grsec_enable_time)
60197 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_TIME_MSG);
60198 +#endif
60199 + return;
60200 +}
60201 +
60202 +EXPORT_SYMBOL(gr_log_timechange);
60203 diff -urNp linux-2.6.39.3/grsecurity/grsec_tpe.c linux-2.6.39.3/grsecurity/grsec_tpe.c
60204 --- linux-2.6.39.3/grsecurity/grsec_tpe.c 1969-12-31 19:00:00.000000000 -0500
60205 +++ linux-2.6.39.3/grsecurity/grsec_tpe.c 2011-05-22 19:41:42.000000000 -0400
60206 @@ -0,0 +1,39 @@
60207 +#include <linux/kernel.h>
60208 +#include <linux/sched.h>
60209 +#include <linux/file.h>
60210 +#include <linux/fs.h>
60211 +#include <linux/grinternal.h>
60212 +
60213 +extern int gr_acl_tpe_check(void);
60214 +
60215 +int
60216 +gr_tpe_allow(const struct file *file)
60217 +{
60218 +#ifdef CONFIG_GRKERNSEC
60219 + struct inode *inode = file->f_path.dentry->d_parent->d_inode;
60220 + const struct cred *cred = current_cred();
60221 +
60222 + if (cred->uid && ((grsec_enable_tpe &&
60223 +#ifdef CONFIG_GRKERNSEC_TPE_INVERT
60224 + ((grsec_enable_tpe_invert && !in_group_p(grsec_tpe_gid)) ||
60225 + (!grsec_enable_tpe_invert && in_group_p(grsec_tpe_gid)))
60226 +#else
60227 + in_group_p(grsec_tpe_gid)
60228 +#endif
60229 + ) || gr_acl_tpe_check()) &&
60230 + (inode->i_uid || (!inode->i_uid && ((inode->i_mode & S_IWGRP) ||
60231 + (inode->i_mode & S_IWOTH))))) {
60232 + gr_log_fs_generic(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, file->f_path.dentry, file->f_path.mnt);
60233 + return 0;
60234 + }
60235 +#ifdef CONFIG_GRKERNSEC_TPE_ALL
60236 + if (cred->uid && grsec_enable_tpe && grsec_enable_tpe_all &&
60237 + ((inode->i_uid && (inode->i_uid != cred->uid)) ||
60238 + (inode->i_mode & S_IWGRP) || (inode->i_mode & S_IWOTH))) {
60239 + gr_log_fs_generic(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, file->f_path.dentry, file->f_path.mnt);
60240 + return 0;
60241 + }
60242 +#endif
60243 +#endif
60244 + return 1;
60245 +}
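Review bot: gr_tpe_allow() reads `file->f_path.dentry->d_parent->d_inode` without taking a reference on the parent and without any lock visible in this hunk, so a concurrent rename could change `d_parent` while the owner and mode checks run, and the decision could be made against a directory the file no longer lives in. Pinning the parent with `struct dentry *parent = dget_parent(file->f_path.dentry);` and calling `dput(parent);` before each return would close that window, unless every caller already guarantees the dentry is stable. The condition `inode->i_uid || (!inode->i_uid && (...))` carries a redundant `!inode->i_uid` that makes an already dense expression harder to audit. A short header comment that the function returns 0 after logging a denial and 1 otherwise would also help, since that is the inverse of the 0-means-permitted convention the gr_handle_sock_* helpers in this patch use.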
60246 diff -urNp linux-2.6.39.3/grsecurity/grsum.c linux-2.6.39.3/grsecurity/grsum.c
60247 --- linux-2.6.39.3/grsecurity/grsum.c 1969-12-31 19:00:00.000000000 -0500
60248 +++ linux-2.6.39.3/grsecurity/grsum.c 2011-05-22 19:41:42.000000000 -0400
60249 @@ -0,0 +1,61 @@
60250 +#include <linux/err.h>
60251 +#include <linux/kernel.h>
60252 +#include <linux/sched.h>
60253 +#include <linux/mm.h>
60254 +#include <linux/scatterlist.h>
60255 +#include <linux/crypto.h>
60256 +#include <linux/gracl.h>
60257 +
60258 +
60259 +#if !defined(CONFIG_CRYPTO) || defined(CONFIG_CRYPTO_MODULE) || !defined(CONFIG_CRYPTO_SHA256) || defined(CONFIG_CRYPTO_SHA256_MODULE)
60260 +#error "crypto and sha256 must be built into the kernel"
60261 +#endif
60262 +
60263 +int
60264 +chkpw(struct gr_arg *entry, unsigned char *salt, unsigned char *sum)
60265 +{
60266 + char *p;
60267 + struct crypto_hash *tfm;
60268 + struct hash_desc desc;
60269 + struct scatterlist sg;
60270 + unsigned char temp_sum[GR_SHA_LEN];
60271 + volatile int retval = 0;
60272 + volatile int dummy = 0;
60273 + unsigned int i;
60274 +
60275 + sg_init_table(&sg, 1);
60276 +
60277 + tfm = crypto_alloc_hash("sha256", 0, CRYPTO_ALG_ASYNC);
60278 + if (IS_ERR(tfm)) {
60279 + /* should never happen, since sha256 should be built in */
60280 + return 1;
60281 + }
60282 +
60283 + desc.tfm = tfm;
60284 + desc.flags = 0;
60285 +
60286 + crypto_hash_init(&desc);
60287 +
60288 + p = salt;
60289 + sg_set_buf(&sg, p, GR_SALT_LEN);
60290 + crypto_hash_update(&desc, &sg, sg.length);
60291 +
60292 + p = entry->pw;
60293 + sg_set_buf(&sg, p, strlen(p));
60294 +
60295 + crypto_hash_update(&desc, &sg, sg.length);
60296 +
60297 + crypto_hash_final(&desc, temp_sum);
60298 +
60299 + memset(entry->pw, 0, GR_PW_LEN);
60300 +
60301 + for (i = 0; i < GR_SHA_LEN; i++)
60302 + if (sum[i] != temp_sum[i])
60303 + retval = 1;
60304 + else
60305 + dummy = 1; // waste a cycle
60306 +
60307 + crypto_free_hash(tfm);
60308 +
60309 + return retval;
60310 +}
60311 diff -urNp linux-2.6.39.3/grsecurity/Kconfig linux-2.6.39.3/grsecurity/Kconfig
60312 --- linux-2.6.39.3/grsecurity/Kconfig 1969-12-31 19:00:00.000000000 -0500
60313 +++ linux-2.6.39.3/grsecurity/Kconfig 2011-07-06 19:58:30.000000000 -0400
60314 @@ -0,0 +1,1048 @@
60315 +#
60316 +# grecurity configuration
60317 +#
60318 +
60319 +menu "Grsecurity"
60320 +
60321 +config GRKERNSEC
60322 + bool "Grsecurity"
60323 + select CRYPTO
60324 + select CRYPTO_SHA256
60325 + help
60326 + If you say Y here, you will be able to configure many features
60327 + that will enhance the security of your system. It is highly
60328 + recommended that you say Y here and read through the help
60329 + for each option so that you fully understand the features and
60330 + can evaluate their usefulness for your machine.
60331 +
60332 +choice
60333 + prompt "Security Level"
60334 + depends on GRKERNSEC
60335 + default GRKERNSEC_CUSTOM
60336 +
60337 +config GRKERNSEC_LOW
60338 + bool "Low"
60339 + select GRKERNSEC_LINK
60340 + select GRKERNSEC_FIFO
60341 + select GRKERNSEC_EXECVE
60342 + select GRKERNSEC_RANDNET
60343 + select GRKERNSEC_DMESG
60344 + select GRKERNSEC_CHROOT
60345 + select GRKERNSEC_CHROOT_CHDIR
60346 +
60347 + help
60348 + If you choose this option, several of the grsecurity options will
60349 + be enabled that will give you greater protection against a number
60350 + of attacks, while assuring that none of your software will have any
60351 + conflicts with the additional security measures. If you run a lot
60352 + of unusual software, or you are having problems with the higher
60353 + security levels, you should say Y here. With this option, the
60354 + following features are enabled:
60355 +
60356 + - Linking restrictions
60357 + - FIFO restrictions
60358 + - Enforcing RLIMIT_NPROC on execve
60359 + - Restricted dmesg
60360 + - Enforced chdir("/") on chroot
60361 + - Runtime module disabling
60362 +
60363 +config GRKERNSEC_MEDIUM
60364 + bool "Medium"
60365 + select PAX
60366 + select PAX_EI_PAX
60367 + select PAX_PT_PAX_FLAGS
60368 + select PAX_HAVE_ACL_FLAGS
60369 + select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
60370 + select GRKERNSEC_CHROOT
60371 + select GRKERNSEC_CHROOT_SYSCTL
60372 + select GRKERNSEC_LINK
60373 + select GRKERNSEC_FIFO
60374 + select GRKERNSEC_EXECVE
60375 + select GRKERNSEC_DMESG
60376 + select GRKERNSEC_RANDNET
60377 + select GRKERNSEC_FORKFAIL
60378 + select GRKERNSEC_TIME
60379 + select GRKERNSEC_SIGNAL
60380 + select GRKERNSEC_CHROOT
60381 + select GRKERNSEC_CHROOT_UNIX
60382 + select GRKERNSEC_CHROOT_MOUNT
60383 + select GRKERNSEC_CHROOT_PIVOT
60384 + select GRKERNSEC_CHROOT_DOUBLE
60385 + select GRKERNSEC_CHROOT_CHDIR
60386 + select GRKERNSEC_CHROOT_MKNOD
60387 + select GRKERNSEC_PROC
60388 + select GRKERNSEC_PROC_USERGROUP
60389 + select PAX_RANDUSTACK
60390 + select PAX_ASLR
60391 + select PAX_RANDMMAP
60392 + select PAX_REFCOUNT if (X86 || SPARC64)
60393 + select PAX_USERCOPY if ((X86 || SPARC || PPC || ARM) && (SLAB || SLUB || SLOB))
60394 +
60395 + help
60396 + If you say Y here, several features in addition to those included
60397 + in the low additional security level will be enabled. These
60398 + features provide even more security to your system, though in rare
60399 + cases they may be incompatible with very old or poorly written
60400 + software. If you enable this option, make sure that your auth
60401 + service (identd) is running as gid 1001. With this option,
60402 + the following features (in addition to those provided in the
60403 + low additional security level) will be enabled:
60404 +
60405 + - Failed fork logging
60406 + - Time change logging
60407 + - Signal logging
60408 + - Deny mounts in chroot
60409 + - Deny double chrooting
60410 + - Deny sysctl writes in chroot
60411 + - Deny mknod in chroot
60412 + - Deny access to abstract AF_UNIX sockets out of chroot
60413 + - Deny pivot_root in chroot
60414 + - Denied writes of /dev/kmem, /dev/mem, and /dev/port
60415 + - /proc restrictions with special GID set to 10 (usually wheel)
60416 + - Address Space Layout Randomization (ASLR)
60417 + - Prevent exploitation of most refcount overflows
60418 + - Bounds checking of copying between the kernel and userland
60419 +
60420 +config GRKERNSEC_HIGH
60421 + bool "High"
60422 + select GRKERNSEC_LINK
60423 + select GRKERNSEC_FIFO
60424 + select GRKERNSEC_EXECVE
60425 + select GRKERNSEC_DMESG
60426 + select GRKERNSEC_FORKFAIL
60427 + select GRKERNSEC_TIME
60428 + select GRKERNSEC_SIGNAL
60429 + select GRKERNSEC_CHROOT
60430 + select GRKERNSEC_CHROOT_SHMAT
60431 + select GRKERNSEC_CHROOT_UNIX
60432 + select GRKERNSEC_CHROOT_MOUNT
60433 + select GRKERNSEC_CHROOT_FCHDIR
60434 + select GRKERNSEC_CHROOT_PIVOT
60435 + select GRKERNSEC_CHROOT_DOUBLE
60436 + select GRKERNSEC_CHROOT_CHDIR
60437 + select GRKERNSEC_CHROOT_MKNOD
60438 + select GRKERNSEC_CHROOT_CAPS
60439 + select GRKERNSEC_CHROOT_SYSCTL
60440 + select GRKERNSEC_CHROOT_FINDTASK
60441 + select GRKERNSEC_SYSFS_RESTRICT
60442 + select GRKERNSEC_PROC
60443 + select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
60444 + select GRKERNSEC_HIDESYM
60445 + select GRKERNSEC_BRUTE
60446 + select GRKERNSEC_PROC_USERGROUP
60447 + select GRKERNSEC_KMEM
60448 + select GRKERNSEC_RESLOG
60449 + select GRKERNSEC_RANDNET
60450 + select GRKERNSEC_PROC_ADD
60451 + select GRKERNSEC_CHROOT_CHMOD
60452 + select GRKERNSEC_CHROOT_NICE
60453 + select GRKERNSEC_AUDIT_MOUNT
60454 + select GRKERNSEC_MODHARDEN if (MODULES)
60455 + select GRKERNSEC_HARDEN_PTRACE
60456 + select GRKERNSEC_VM86 if (X86_32)
60457 + select GRKERNSEC_KERN_LOCKOUT if (X86 || ARM || PPC || SPARC)
60458 + select PAX
60459 + select PAX_RANDUSTACK
60460 + select PAX_ASLR
60461 + select PAX_RANDMMAP
60462 + select PAX_NOEXEC
60463 + select PAX_MPROTECT
60464 + select PAX_EI_PAX
60465 + select PAX_PT_PAX_FLAGS
60466 + select PAX_HAVE_ACL_FLAGS
60467 + select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)
60468 + select PAX_MEMORY_UDEREF if (X86 && !XEN)
60469 + select PAX_RANDKSTACK if (X86_TSC && X86)
60470 + select PAX_SEGMEXEC if (X86_32)
60471 + select PAX_PAGEEXEC
60472 + select PAX_EMUPLT if (ALPHA || PARISC || SPARC)
60473 + select PAX_EMUTRAMP if (PARISC)
60474 + select PAX_EMUSIGRT if (PARISC)
60475 + select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC)
60476 + select PAX_ELFRELOCS if (PAX_ETEXECRELOCS || (IA64 || PPC || X86))
60477 + select PAX_REFCOUNT if (X86 || SPARC64)
60478 + select PAX_USERCOPY if ((X86 || PPC || SPARC || ARM) && (SLAB || SLUB || SLOB))
60479 + help
60480 + If you say Y here, many of the features of grsecurity will be
60481 + enabled, which will protect you against many kinds of attacks
60482 + against your system. The heightened security comes at a cost
60483 + of an increased chance of incompatibilities with rare software
60484 + on your machine. Since this security level enables PaX, you should
60485 + view <http://pax.grsecurity.net> and read about the PaX
60486 + project. While you are there, download chpax and run it on
60487 + binaries that cause problems with PaX. Also remember that
60488 + since the /proc restrictions are enabled, you must run your
60489 + identd as gid 1001. This security level enables the following
60490 + features in addition to those listed in the low and medium
60491 + security levels:
60492 +
60493 + - Additional /proc restrictions
60494 + - Chmod restrictions in chroot
60495 + - No signals, ptrace, or viewing of processes outside of chroot
60496 + - Capability restrictions in chroot
60497 + - Deny fchdir out of chroot
60498 + - Priority restrictions in chroot
60499 + - Segmentation-based implementation of PaX
60500 + - Mprotect restrictions
60501 + - Removal of addresses from /proc/<pid>/[smaps|maps|stat]
60502 + - Kernel stack randomization
60503 + - Mount/unmount/remount logging
60504 + - Kernel symbol hiding
60505 + - Prevention of memory exhaustion-based exploits
60506 + - Hardening of module auto-loading
60507 + - Ptrace restrictions
60508 + - Restricted vm86 mode
60509 + - Restricted sysfs/debugfs
60510 + - Active kernel exploit response
60511 +
60512 +config GRKERNSEC_CUSTOM
60513 + bool "Custom"
60514 + help
60515 + If you say Y here, you will be able to configure every grsecurity
60516 + option, which allows you to enable many more features that aren't
60517 + covered in the basic security levels. These additional features
60518 + include TPE, socket restrictions, and the sysctl system for
60519 + grsecurity. It is advised that you read through the help for
60520 + each option to determine its usefulness in your situation.
60521 +
60522 +endchoice
60523 +
60524 +menu "Address Space Protection"
60525 +depends on GRKERNSEC
60526 +
60527 +config GRKERNSEC_KMEM
60528 + bool "Deny writing to /dev/kmem, /dev/mem, and /dev/port"
60529 + select STRICT_DEVMEM if (X86 || ARM || TILE || S390)
60530 + help
60531 + If you say Y here, /dev/kmem and /dev/mem won't be allowed to
60532 + be written to via mmap or otherwise to modify the running kernel.
60533 + /dev/port will also not be allowed to be opened. If you have module
60534 + support disabled, enabling this will close up four ways that are
60535 + currently used to insert malicious code into the running kernel.
60536 + Even with all these features enabled, we still highly recommend that
60537 + you use the RBAC system, as it is still possible for an attacker to
60538 + modify the running kernel through privileged I/O granted by ioperm/iopl.
60539 + If you are not using XFree86, you may be able to stop this additional
60540 + case by enabling the 'Disable privileged I/O' option. Though nothing
60541 + legitimately writes to /dev/kmem, XFree86 does need to write to /dev/mem,
60542 + but only to video memory, which is the only writing we allow in this
60543 + case. If /dev/kmem or /dev/mem are mmaped without PROT_WRITE, they will
60544 + not be allowed to mprotect it with PROT_WRITE later.
60545 + It is highly recommended that you say Y here if you meet all the
60546 + conditions above.
60547 +
60548 +config GRKERNSEC_VM86
60549 + bool "Restrict VM86 mode"
60550 + depends on X86_32
60551 +
60552 + help
60553 + If you say Y here, only processes with CAP_SYS_RAWIO will be able to
60554 + make use of a special execution mode on 32bit x86 processors called
60555 + Virtual 8086 (VM86) mode. XFree86 may need vm86 mode for certain
60556 + video cards and will still work with this option enabled. The purpose
60557 + of the option is to prevent exploitation of emulation errors in
60558 + virtualization of vm86 mode like the one discovered in VMWare in 2009.
60559 + Nearly all users should be able to enable this option.
60560 +
60561 +config GRKERNSEC_IO
60562 + bool "Disable privileged I/O"
60563 + depends on X86
60564 + select RTC_CLASS
60565 + select RTC_INTF_DEV
60566 + select RTC_DRV_CMOS
60567 +
60568 + help
60569 + If you say Y here, all ioperm and iopl calls will return an error.
60570 + Ioperm and iopl can be used to modify the running kernel.
60571 + Unfortunately, some programs need this access to operate properly,
60572 + the most notable of which are XFree86 and hwclock. hwclock can be
60573 + remedied by having RTC support in the kernel, so real-time
60574 + clock support is enabled if this option is enabled, to ensure
60575 + that hwclock operates correctly. XFree86 still will not
60576 + operate correctly with this option enabled, so DO NOT CHOOSE Y
60577 + IF YOU USE XFree86. If you use XFree86 and you still want to
60578 + protect your kernel against modification, use the RBAC system.
60579 +
60580 +config GRKERNSEC_PROC_MEMMAP
60581 + bool "Remove addresses from /proc/<pid>/[smaps|maps|stat]"
60582 + default y if (PAX_NOEXEC || PAX_ASLR)
60583 + depends on PAX_NOEXEC || PAX_ASLR
60584 + help
60585 + If you say Y here, the /proc/<pid>/maps and /proc/<pid>/stat files will
60586 + give no information about the addresses of its mappings if
60587 + PaX features that rely on random addresses are enabled on the task.
60588 + If you use PaX it is greatly recommended that you say Y here as it
60589 + closes up a hole that makes the full ASLR useless for suid
60590 + binaries.
60591 +
60592 +config GRKERNSEC_BRUTE
60593 + bool "Deter exploit bruteforcing"
60594 + help
60595 + If you say Y here, attempts to bruteforce exploits against forking
60596 + daemons such as apache or sshd, as well as against suid/sgid binaries
60597 + will be deterred. When a child of a forking daemon is killed by PaX
60598 + or crashes due to an illegal instruction or other suspicious signal,
60599 + the parent process will be delayed 30 seconds upon every subsequent
60600 + fork until the administrator is able to assess the situation and
60601 + restart the daemon.
60602 + In the suid/sgid case, the attempt is logged, the user has all their
60603 + processes terminated, and they are prevented from executing any further
60604 + processes for 15 minutes.
60605 + It is recommended that you also enable signal logging in the auditing
60606 + section so that logs are generated when a process triggers a suspicious
60607 + signal.
60608 + If the sysctl option is enabled, a sysctl option with name
60609 + "deter_bruteforce" is created.
60610 +
60611 +
60612 +config GRKERNSEC_MODHARDEN
60613 + bool "Harden module auto-loading"
60614 + depends on MODULES
60615 + help
60616 + If you say Y here, module auto-loading in response to use of some
60617 + feature implemented by an unloaded module will be restricted to
60618 + root users. Enabling this option helps defend against attacks
60619 + by unprivileged users who abuse the auto-loading behavior to
60620 + cause a vulnerable module to load that is then exploited.
60621 +
60622 + If this option prevents a legitimate use of auto-loading for a
60623 + non-root user, the administrator can execute modprobe manually
60624 + with the exact name of the module mentioned in the alert log.
60625 + Alternatively, the administrator can add the module to the list
60626 + of modules loaded at boot by modifying init scripts.
60627 +
60628 + Modification of init scripts will most likely be needed on
60629 + Ubuntu servers with encrypted home directory support enabled,
60630 + as the first non-root user logging in will cause the ecb(aes),
60631 + ecb(aes)-all, cbc(aes), and cbc(aes)-all modules to be loaded.
60632 +
60633 +config GRKERNSEC_HIDESYM
60634 + bool "Hide kernel symbols"
60635 + help
60636 + If you say Y here, getting information on loaded modules, and
60637 + displaying all kernel symbols through a syscall will be restricted
60638 + to users with CAP_SYS_MODULE. For software compatibility reasons,
60639 + /proc/kallsyms will be restricted to the root user. The RBAC
60640 + system can hide that entry even from root.
60641 +
60642 + This option also prevents leaking of kernel addresses through
60643 + several /proc entries.
60644 +
60645 + Note that this option is only effective provided the following
60646 + conditions are met:
60647 + 1) The kernel using grsecurity is not precompiled by some distribution
60648 + 2) You have also enabled GRKERNSEC_DMESG
60649 + 3) You are using the RBAC system and hiding other files such as your
60650 + kernel image and System.map. Alternatively, enabling this option
60651 + causes the permissions on /boot, /lib/modules, and the kernel
60652 + source directory to change at compile time to prevent
60653 + reading by non-root users.
60654 + If the above conditions are met, this option will aid in providing a
60655 + useful protection against local kernel exploitation of overflows
60656 + and arbitrary read/write vulnerabilities.
60657 +
60658 +config GRKERNSEC_KERN_LOCKOUT
60659 + bool "Active kernel exploit response"
60660 + depends on X86 || ARM || PPC || SPARC
60661 + help
60662 + If you say Y here, when a PaX alert is triggered due to suspicious
60663 + activity in the kernel (from KERNEXEC/UDEREF/USERCOPY)
60664 + or an OOPs occurs due to bad memory accesses, instead of just
60665 + terminating the offending process (and potentially allowing
60666 + a subsequent exploit from the same user), we will take one of two
60667 + actions:
60668 + If the user was root, we will panic the system
60669 + If the user was non-root, we will log the attempt, terminate
60670 + all processes owned by the user, then prevent them from creating
60671 + any new processes until the system is restarted
60672 + This deters repeated kernel exploitation/bruteforcing attempts
60673 + and is useful for later forensics.
60674 +
60675 +endmenu
60676 +menu "Role Based Access Control Options"
60677 +depends on GRKERNSEC
60678 +
60679 +config GRKERNSEC_RBAC_DEBUG
60680 + bool
60681 +
60682 +config GRKERNSEC_NO_RBAC
60683 + bool "Disable RBAC system"
60684 + help
60685 + If you say Y here, the /dev/grsec device will be removed from the kernel,
60686 + preventing the RBAC system from being enabled. You should only say Y
60687 + here if you have no intention of using the RBAC system, so as to prevent
60688 + an attacker with root access from misusing the RBAC system to hide files
60689 + and processes when loadable module support and /dev/[k]mem have been
60690 + locked down.
60691 +
60692 +config GRKERNSEC_ACL_HIDEKERN
60693 + bool "Hide kernel processes"
60694 + help
60695 + If you say Y here, all kernel threads will be hidden to all
60696 + processes but those whose subject has the "view hidden processes"
60697 + flag.
60698 +
60699 +config GRKERNSEC_ACL_MAXTRIES
60700 + int "Maximum tries before password lockout"
60701 + default 3
60702 + help
60703 + This option enforces the maximum number of times a user can attempt
60704 + to authorize themselves with the grsecurity RBAC system before being
60705 + denied the ability to attempt authorization again for a specified time.
60706 + The lower the number, the harder it will be to brute-force a password.
60707 +
60708 +config GRKERNSEC_ACL_TIMEOUT
60709 + int "Time to wait after max password tries, in seconds"
60710 + default 30
60711 + help
60712 + This option specifies the time the user must wait after attempting to
60713 + authorize to the RBAC system with the maximum number of invalid
60714 + passwords. The higher the number, the harder it will be to brute-force
60715 + a password.
60716 +
60717 +endmenu
60718 +menu "Filesystem Protections"
60719 +depends on GRKERNSEC
60720 +
60721 +config GRKERNSEC_PROC
60722 + bool "Proc restrictions"
60723 + help
60724 + If you say Y here, the permissions of the /proc filesystem
60725 + will be altered to enhance system security and privacy. You MUST
60726 + choose either a user only restriction or a user and group restriction.
60727 + Depending upon the option you choose, you can either restrict users to
60728 + see only the processes they themselves run, or choose a group that can
60729 + view all processes and files normally restricted to root if you choose
60730 + the "restrict to user only" option. NOTE: If you're running identd as
60731 + a non-root user, you will have to run it as the group you specify here.
60732 +
60733 +config GRKERNSEC_PROC_USER
60734 + bool "Restrict /proc to user only"
60735 + depends on GRKERNSEC_PROC
60736 + help
60737 + If you say Y here, non-root users will only be able to view their own
60738 + processes, and restricts them from viewing network-related information,
60739 + and viewing kernel symbol and module information.
60740 +
60741 +config GRKERNSEC_PROC_USERGROUP
60742 + bool "Allow special group"
60743 + depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USER
60744 + help
60745 + If you say Y here, you will be able to select a group that will be
60746 + able to view all processes and network-related information. If you've
60747 + enabled GRKERNSEC_HIDESYM, kernel and symbol information may still
60748 + remain hidden. This option is useful if you want to run identd as
60749 + a non-root user.
60750 +
60751 +config GRKERNSEC_PROC_GID
60752 + int "GID for special group"
60753 + depends on GRKERNSEC_PROC_USERGROUP
60754 + default 1001
60755 +
60756 +config GRKERNSEC_PROC_ADD
60757 + bool "Additional restrictions"
60758 + depends on GRKERNSEC_PROC_USER || GRKERNSEC_PROC_USERGROUP
60759 + help
60760 + If you say Y here, additional restrictions will be placed on
60761 + /proc that keep normal users from viewing device information and
60762 + slabinfo information that could be useful for exploits.
60763 +
60764 +config GRKERNSEC_LINK
60765 + bool "Linking restrictions"
60766 + help
60767 + If you say Y here, /tmp race exploits will be prevented, since users
60768 + will no longer be able to follow symlinks owned by other users in
60769 + world-writable +t directories (e.g. /tmp), unless the owner of the
60770 + symlink is the owner of the directory. users will also not be
60771 + able to hardlink to files they do not own. If the sysctl option is
60772 + enabled, a sysctl option with name "linking_restrictions" is created.
60773 +
60774 +config GRKERNSEC_FIFO
60775 + bool "FIFO restrictions"
60776 + help
60777 + If you say Y here, users will not be able to write to FIFOs they don't
60778 + own in world-writable +t directories (e.g. /tmp), unless the owner of
60779 + the FIFO is the same owner of the directory it's held in. If the sysctl
60780 + option is enabled, a sysctl option with name "fifo_restrictions" is
60781 + created.
60782 +
60783 +config GRKERNSEC_SYSFS_RESTRICT
60784 + bool "Sysfs/debugfs restriction"
60785 + depends on SYSFS
60786 + help
60787 + If you say Y here, sysfs (the pseudo-filesystem mounted at /sys) and
60788 + any filesystem normally mounted under it (e.g. debugfs) will only
60789 + be accessible by root. These filesystems generally provide access
60790 + to hardware and debug information that isn't appropriate for unprivileged
60791 + users of the system. Sysfs and debugfs have also become a large source
60792 + of new vulnerabilities, ranging from infoleaks to local compromise.
60793 + There has been very little oversight with an eye toward security involved
60794 + in adding new exporters of information to these filesystems, so their
60795 + use is discouraged.
60796 + This option is equivalent to a chmod 0700 of the mount paths.
60797 +
60798 +config GRKERNSEC_ROFS
60799 + bool "Runtime read-only mount protection"
60800 + help
60801 + If you say Y here, a sysctl option with name "romount_protect" will
60802 + be created. By setting this option to 1 at runtime, filesystems
60803 + will be protected in the following ways:
60804 + * No new writable mounts will be allowed
60805 + * Existing read-only mounts won't be able to be remounted read/write
60806 + * Write operations will be denied on all block devices
60807 + This option acts independently of grsec_lock: once it is set to 1,
60808 + it cannot be turned off. Therefore, please be mindful of the resulting
60809 + behavior if this option is enabled in an init script on a read-only
60810 + filesystem. This feature is mainly intended for secure embedded systems.
60811 +
60812 +config GRKERNSEC_CHROOT
60813 + bool "Chroot jail restrictions"
60814 + help
60815 + If you say Y here, you will be able to choose several options that will
60816 + make breaking out of a chrooted jail much more difficult. If you
60817 + encounter no software incompatibilities with the following options, it
60818 + is recommended that you enable each one.
60819 +
60820 +config GRKERNSEC_CHROOT_MOUNT
60821 + bool "Deny mounts"
60822 + depends on GRKERNSEC_CHROOT
60823 + help
60824 + If you say Y here, processes inside a chroot will not be able to
60825 + mount or remount filesystems. If the sysctl option is enabled, a
60826 + sysctl option with name "chroot_deny_mount" is created.
60827 +
60828 +config GRKERNSEC_CHROOT_DOUBLE
60829 + bool "Deny double-chroots"
60830 + depends on GRKERNSEC_CHROOT
60831 + help
60832 + If you say Y here, processes inside a chroot will not be able to chroot
60833 + again outside the chroot. This is a widely used method of breaking
60834 + out of a chroot jail and should not be allowed. If the sysctl
60835 + option is enabled, a sysctl option with name
60836 + "chroot_deny_chroot" is created.
60837 +
60838 +config GRKERNSEC_CHROOT_PIVOT
60839 + bool "Deny pivot_root in chroot"
60840 + depends on GRKERNSEC_CHROOT
60841 + help
60842 + If you say Y here, processes inside a chroot will not be able to use
60843 + a function called pivot_root() that was introduced in Linux 2.3.41. It
60844 + works similar to chroot in that it changes the root filesystem. This
60845 + function could be misused in a chrooted process to attempt to break out
60846 + of the chroot, and therefore should not be allowed. If the sysctl
60847 + option is enabled, a sysctl option with name "chroot_deny_pivot" is
60848 + created.
60849 +
60850 +config GRKERNSEC_CHROOT_CHDIR
60851 + bool "Enforce chdir(\"/\") on all chroots"
60852 + depends on GRKERNSEC_CHROOT
60853 + help
60854 + If you say Y here, the current working directory of all newly-chrooted
60855 + applications will be set to the the root directory of the chroot.
60856 + The man page on chroot(2) states:
60857 + Note that this call does not change the current working
60858 + directory, so that `.' can be outside the tree rooted at
60859 + `/'. In particular, the super-user can escape from a
60860 + `chroot jail' by doing `mkdir foo; chroot foo; cd ..'.
60861 +
60862 + It is recommended that you say Y here, since it's not known to break
60863 + any software. If the sysctl option is enabled, a sysctl option with
60864 + name "chroot_enforce_chdir" is created.
60865 +
60866 +config GRKERNSEC_CHROOT_CHMOD
60867 + bool "Deny (f)chmod +s"
60868 + depends on GRKERNSEC_CHROOT
60869 + help
60870 + If you say Y here, processes inside a chroot will not be able to chmod
60871 + or fchmod files to make them have suid or sgid bits. This protects
60872 + against another published method of breaking a chroot. If the sysctl
60873 + option is enabled, a sysctl option with name "chroot_deny_chmod" is
60874 + created.
60875 +
60876 +config GRKERNSEC_CHROOT_FCHDIR
60877 + bool "Deny fchdir out of chroot"
60878 + depends on GRKERNSEC_CHROOT
60879 + help
60880 + If you say Y here, a well-known method of breaking chroots by fchdir'ing
60881 + to a file descriptor of the chrooting process that points to a directory
60882 + outside the filesystem will be stopped. If the sysctl option
60883 + is enabled, a sysctl option with name "chroot_deny_fchdir" is created.
60884 +
60885 +config GRKERNSEC_CHROOT_MKNOD
60886 + bool "Deny mknod"
60887 + depends on GRKERNSEC_CHROOT
60888 + help
60889 + If you say Y here, processes inside a chroot will not be allowed to
60890 + mknod. The problem with using mknod inside a chroot is that it
60891 + would allow an attacker to create a device entry that is the same
60892 + as one on the physical root of your system, which could range from
60893 + anything from the console device to a device for your harddrive (which
60894 + they could then use to wipe the drive or steal data). It is recommended
60895 + that you say Y here, unless you run into software incompatibilities.
60896 + If the sysctl option is enabled, a sysctl option with name
60897 + "chroot_deny_mknod" is created.
60898 +
60899 +config GRKERNSEC_CHROOT_SHMAT
60900 + bool "Deny shmat() out of chroot"
60901 + depends on GRKERNSEC_CHROOT
60902 + help
60903 + If you say Y here, processes inside a chroot will not be able to attach
60904 + to shared memory segments that were created outside of the chroot jail.
60905 + It is recommended that you say Y here. If the sysctl option is enabled,
60906 + a sysctl option with name "chroot_deny_shmat" is created.
60907 +
60908 +config GRKERNSEC_CHROOT_UNIX
60909 + bool "Deny access to abstract AF_UNIX sockets out of chroot"
60910 + depends on GRKERNSEC_CHROOT
60911 + help
60912 + If you say Y here, processes inside a chroot will not be able to
60913 + connect to abstract (meaning not belonging to a filesystem) Unix
60914 + domain sockets that were bound outside of a chroot. It is recommended
60915 + that you say Y here. If the sysctl option is enabled, a sysctl option
60916 + with name "chroot_deny_unix" is created.
60917 +
60918 +config GRKERNSEC_CHROOT_FINDTASK
60919 + bool "Protect outside processes"
60920 + depends on GRKERNSEC_CHROOT
60921 + help
60922 + If you say Y here, processes inside a chroot will not be able to
60923 + kill, send signals with fcntl, ptrace, capget, getpgid, setpgid,
60924 + getsid, or view any process outside of the chroot. If the sysctl
60925 + option is enabled, a sysctl option with name "chroot_findtask" is
60926 + created.
60927 +
60928 +config GRKERNSEC_CHROOT_NICE
60929 + bool "Restrict priority changes"
60930 + depends on GRKERNSEC_CHROOT
60931 + help
60932 + If you say Y here, processes inside a chroot will not be able to raise
60933 + the priority of processes in the chroot, or alter the priority of
60934 + processes outside the chroot. This provides more security than simply
60935 + removing CAP_SYS_NICE from the process' capability set. If the
60936 + sysctl option is enabled, a sysctl option with name "chroot_restrict_nice"
60937 + is created.
60938 +
60939 +config GRKERNSEC_CHROOT_SYSCTL
60940 + bool "Deny sysctl writes"
60941 + depends on GRKERNSEC_CHROOT
60942 + help
60943 + If you say Y here, an attacker in a chroot will not be able to
60944 + write to sysctl entries, either by sysctl(2) or through a /proc
60945 + interface. It is strongly recommended that you say Y here. If the
60946 + sysctl option is enabled, a sysctl option with name
60947 + "chroot_deny_sysctl" is created.
60948 +
60949 +config GRKERNSEC_CHROOT_CAPS
60950 + bool "Capability restrictions"
60951 + depends on GRKERNSEC_CHROOT
60952 + help
60953 + If you say Y here, the capabilities on all root processes within a
60954 + chroot jail will be lowered to stop module insertion, raw i/o,
60955 + system and net admin tasks, rebooting the system, modifying immutable
60956 + files, modifying IPC owned by another, and changing the system time.
60957 + This is left an option because it can break some apps. Disable this
60958 + if your chrooted apps are having problems performing those kinds of
60959 + tasks. If the sysctl option is enabled, a sysctl option with
60960 + name "chroot_caps" is created.
60961 +
60962 +endmenu
60963 +menu "Kernel Auditing"
60964 +depends on GRKERNSEC
60965 +
60966 +config GRKERNSEC_AUDIT_GROUP
60967 + bool "Single group for auditing"
60968 + help
60969 + If you say Y here, the exec, chdir, and (un)mount logging features
60970 + will only operate on a group you specify. This option is recommended
60971 + if you only want to watch certain users instead of having a large
60972 + amount of logs from the entire system. If the sysctl option is enabled,
60973 + a sysctl option with name "audit_group" is created.
60974 +
60975 +config GRKERNSEC_AUDIT_GID
60976 + int "GID for auditing"
60977 + depends on GRKERNSEC_AUDIT_GROUP
60978 + default 1007
60979 +
60980 +config GRKERNSEC_EXECLOG
60981 + bool "Exec logging"
60982 + help
60983 + If you say Y here, all execve() calls will be logged (since the
60984 + other exec*() calls are frontends to execve(), all execution
60985 + will be logged). Useful for shell-servers that like to keep track
60986 + of their users. If the sysctl option is enabled, a sysctl option with
60987 + name "exec_logging" is created.
60988 + WARNING: This option when enabled will produce a LOT of logs, especially
60989 + on an active system.
60990 +
60991 +config GRKERNSEC_RESLOG
60992 + bool "Resource logging"
60993 + help
60994 + If you say Y here, all attempts to overstep resource limits will
60995 + be logged with the resource name, the requested size, and the current
60996 + limit. It is highly recommended that you say Y here. If the sysctl
60997 + option is enabled, a sysctl option with name "resource_logging" is
60998 + created. If the RBAC system is enabled, the sysctl value is ignored.
60999 +
61000 +config GRKERNSEC_CHROOT_EXECLOG
61001 + bool "Log execs within chroot"
61002 + help
61003 + If you say Y here, all executions inside a chroot jail will be logged
61004 + to syslog. This can cause a large amount of logs if certain
61005 + applications (eg. djb's daemontools) are installed on the system, and
61006 + is therefore left as an option. If the sysctl option is enabled, a
61007 + sysctl option with name "chroot_execlog" is created.
61008 +
61009 +config GRKERNSEC_AUDIT_PTRACE
61010 + bool "Ptrace logging"
61011 + help
61012 + If you say Y here, all attempts to attach to a process via ptrace
61013 + will be logged. If the sysctl option is enabled, a sysctl option
61014 + with name "audit_ptrace" is created.
61015 +
61016 +config GRKERNSEC_AUDIT_CHDIR
61017 + bool "Chdir logging"
61018 + help
61019 + If you say Y here, all chdir() calls will be logged. If the sysctl
61020 + option is enabled, a sysctl option with name "audit_chdir" is created.
61021 +
61022 +config GRKERNSEC_AUDIT_MOUNT
61023 + bool "(Un)Mount logging"
61024 + help
61025 + If you say Y here, all mounts and unmounts will be logged. If the
61026 + sysctl option is enabled, a sysctl option with name "audit_mount" is
61027 + created.
61028 +
61029 +config GRKERNSEC_SIGNAL
61030 + bool "Signal logging"
61031 + help
61032 + If you say Y here, certain important signals will be logged, such as
61033 + SIGSEGV, which will as a result inform you of when a error in a program
61034 + occurred, which in some cases could mean a possible exploit attempt.
61035 + If the sysctl option is enabled, a sysctl option with name
61036 + "signal_logging" is created.
61037 +
61038 +config GRKERNSEC_FORKFAIL
61039 + bool "Fork failure logging"
61040 + help
61041 + If you say Y here, all failed fork() attempts will be logged.
61042 + This could suggest a fork bomb, or someone attempting to overstep
61043 + their process limit. If the sysctl option is enabled, a sysctl option
61044 + with name "forkfail_logging" is created.
61045 +
61046 +config GRKERNSEC_TIME
61047 + bool "Time change logging"
61048 + help
61049 + If you say Y here, any changes of the system clock will be logged.
61050 + If the sysctl option is enabled, a sysctl option with name
61051 + "timechange_logging" is created.
61052 +
61053 +config GRKERNSEC_PROC_IPADDR
61054 + bool "/proc/<pid>/ipaddr support"
61055 + help
61056 + If you say Y here, a new entry will be added to each /proc/<pid>
61057 + directory that contains the IP address of the person using the task.
61058 + The IP is carried across local TCP and AF_UNIX stream sockets.
61059 + This information can be useful for IDS/IPSes to perform remote response
61060 + to a local attack. The entry is readable by only the owner of the
61061 + process (and root if he has CAP_DAC_OVERRIDE, which can be removed via
61062 + the RBAC system), and thus does not create privacy concerns.
61063 +
61064 +config GRKERNSEC_RWXMAP_LOG
61065 + bool 'Denied RWX mmap/mprotect logging'
61066 + depends on PAX_MPROTECT && !PAX_EMUPLT && !PAX_EMUSIGRT
61067 + help
61068 + If you say Y here, calls to mmap() and mprotect() with explicit
61069 + usage of PROT_WRITE and PROT_EXEC together will be logged when
61070 + denied by the PAX_MPROTECT feature. If the sysctl option is
61071 + enabled, a sysctl option with name "rwxmap_logging" is created.
61072 +
61073 +config GRKERNSEC_AUDIT_TEXTREL
61074 + bool 'ELF text relocations logging (READ HELP)'
61075 + depends on PAX_MPROTECT
61076 + help
61077 + If you say Y here, text relocations will be logged with the filename
61078 + of the offending library or binary. The purpose of the feature is
61079 + to help Linux distribution developers get rid of libraries and
61080 + binaries that need text relocations which hinder the future progress
61081 + of PaX. Only Linux distribution developers should say Y here, and
61082 + never on a production machine, as this option creates an information
61083 + leak that could aid an attacker in defeating the randomization of
61084 + a single memory region. If the sysctl option is enabled, a sysctl
61085 + option with name "audit_textrel" is created.
61086 +
61087 +endmenu
61088 +
61089 +menu "Executable Protections"
61090 +depends on GRKERNSEC
61091 +
61092 +config GRKERNSEC_EXECVE
61093 + bool "Enforce RLIMIT_NPROC on execs"
61094 + help
61095 + If you say Y here, users with a resource limit on processes will
61096 + have the value checked during execve() calls. The current system
61097 + only checks the system limit during fork() calls. If the sysctl option
61098 + is enabled, a sysctl option with name "execve_limiting" is created.
61099 +
61100 +config GRKERNSEC_DMESG
61101 + bool "Dmesg(8) restriction"
61102 + help
61103 + If you say Y here, non-root users will not be able to use dmesg(8)
61104 + to view up to the last 4kb of messages in the kernel's log buffer.
61105 + The kernel's log buffer often contains kernel addresses and other
61106 + identifying information useful to an attacker in fingerprinting a
61107 + system for a targeted exploit.
61108 + If the sysctl option is enabled, a sysctl option with name "dmesg" is
61109 + created.
61110 +
61111 +config GRKERNSEC_HARDEN_PTRACE
61112 + bool "Deter ptrace-based process snooping"
61113 + help
61114 + If you say Y here, TTY sniffers and other malicious monitoring
61115 + programs implemented through ptrace will be defeated. If you
61116 + have been using the RBAC system, this option has already been
61117 + enabled for several years for all users, with the ability to make
61118 + fine-grained exceptions.
61119 +
61120 + This option only affects the ability of non-root users to ptrace
61121 + processes that are not a descendent of the ptracing process.
61122 + This means that strace ./binary and gdb ./binary will still work,
61123 + but attaching to arbitrary processes will not. If the sysctl
61124 + option is enabled, a sysctl option with name "harden_ptrace" is
61125 + created.
61126 +
61127 +config GRKERNSEC_TPE
61128 + bool "Trusted Path Execution (TPE)"
61129 + help
61130 + If you say Y here, you will be able to choose a gid to add to the
61131 + supplementary groups of users you want to mark as "untrusted."
61132 + These users will not be able to execute any files that are not in
61133 + root-owned directories writable only by root. If the sysctl option
61134 + is enabled, a sysctl option with name "tpe" is created.
61135 +
61136 +config GRKERNSEC_TPE_ALL
61137 + bool "Partially restrict all non-root users"
61138 + depends on GRKERNSEC_TPE
61139 + help
61140 + If you say Y here, all non-root users will be covered under
61141 + a weaker TPE restriction. This is separate from, and in addition to,
61142 + the main TPE options that you have selected elsewhere. Thus, if a
61143 + "trusted" GID is chosen, this restriction applies to even that GID.
61144 + Under this restriction, all non-root users will only be allowed to
61145 + execute files in directories they own that are not group or
61146 + world-writable, or in directories owned by root and writable only by
61147 + root. If the sysctl option is enabled, a sysctl option with name
61148 + "tpe_restrict_all" is created.
61149 +
61150 +config GRKERNSEC_TPE_INVERT
61151 + bool "Invert GID option"
61152 + depends on GRKERNSEC_TPE
61153 + help
61154 + If you say Y here, the group you specify in the TPE configuration will
61155 + decide what group TPE restrictions will be *disabled* for. This
61156 + option is useful if you want TPE restrictions to be applied to most
61157 + users on the system. If the sysctl option is enabled, a sysctl option
61158 + with name "tpe_invert" is created. Unlike other sysctl options, this
61159 + entry will default to on for backward-compatibility.
61160 +
61161 +config GRKERNSEC_TPE_GID
61162 + int "GID for untrusted users"
61163 + depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
61164 + default 1005
61165 + help
61166 + Setting this GID determines what group TPE restrictions will be
61167 + *enabled* for. If the sysctl option is enabled, a sysctl option
61168 + with name "tpe_gid" is created.
61169 +
61170 +config GRKERNSEC_TPE_GID
61171 + int "GID for trusted users"
61172 + depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
61173 + default 1005
61174 + help
61175 + Setting this GID determines what group TPE restrictions will be
61176 + *disabled* for. If the sysctl option is enabled, a sysctl option
61177 + with name "tpe_gid" is created.
61178 +
61179 +endmenu
61180 +menu "Network Protections"
61181 +depends on GRKERNSEC
61182 +
61183 +config GRKERNSEC_RANDNET
61184 + bool "Larger entropy pools"
61185 + help
61186 + If you say Y here, the entropy pools used for many features of Linux
61187 + and grsecurity will be doubled in size. Since several grsecurity
61188 + features use additional randomness, it is recommended that you say Y
61189 + here. Saying Y here has a similar effect as modifying
61190 + /proc/sys/kernel/random/poolsize.
61191 +
61192 +config GRKERNSEC_BLACKHOLE
61193 + bool "TCP/UDP blackhole and LAST_ACK DoS prevention"
61194 + help
61195 + If you say Y here, neither TCP resets nor ICMP
61196 + destination-unreachable packets will be sent in response to packets
61197 + sent to ports for which no associated listening process exists.
61198 + This feature supports both IPV4 and IPV6 and exempts the
61199 + loopback interface from blackholing. Enabling this feature
61200 + makes a host more resilient to DoS attacks and reduces network
61201 + visibility against scanners.
61202 +
61203 + The blackhole feature as-implemented is equivalent to the FreeBSD
61204 + blackhole feature, as it prevents RST responses to all packets, not
61205 + just SYNs. Under most application behavior this causes no
61206 + problems, but applications (like haproxy) may not close certain
61207 + connections in a way that cleanly terminates them on the remote
61208 + end, leaving the remote host in LAST_ACK state. Because of this
61209 + side-effect and to prevent intentional LAST_ACK DoSes, this
61210 + feature also adds automatic mitigation against such attacks.
61211 + The mitigation drastically reduces the amount of time a socket
61212 + can spend in LAST_ACK state. If you're using haproxy and not
61213 + all servers it connects to have this option enabled, consider
61214 + disabling this feature on the haproxy host.
61215 +
61216 + If the sysctl option is enabled, two sysctl options with names
61217 + "ip_blackhole" and "lastack_retries" will be created.
61218 + While "ip_blackhole" takes the standard zero/non-zero on/off
61219 + toggle, "lastack_retries" uses the same kinds of values as
61220 + "tcp_retries1" and "tcp_retries2". The default value of 4
61221 + prevents a socket from lasting more than 45 seconds in LAST_ACK
61222 + state.
61223 +
61224 +config GRKERNSEC_SOCKET
61225 + bool "Socket restrictions"
61226 + help
61227 + If you say Y here, you will be able to choose from several options.
61228 + If you assign a GID on your system and add it to the supplementary
61229 + groups of users you want to restrict socket access to, this patch
61230 + will perform up to three things, based on the option(s) you choose.
61231 +
61232 +config GRKERNSEC_SOCKET_ALL
61233 + bool "Deny any sockets to group"
61234 + depends on GRKERNSEC_SOCKET
61235 + help
61236 + If you say Y here, you will be able to choose a GID of whose users will
61237 + be unable to connect to other hosts from your machine or run server
61238 + applications from your machine. If the sysctl option is enabled, a
61239 + sysctl option with name "socket_all" is created.
61240 +
61241 +config GRKERNSEC_SOCKET_ALL_GID
61242 + int "GID to deny all sockets for"
61243 + depends on GRKERNSEC_SOCKET_ALL
61244 + default 1004
61245 + help
61246 + Here you can choose the GID to disable socket access for. Remember to
61247 + add the users you want socket access disabled for to the GID
61248 + specified here. If the sysctl option is enabled, a sysctl option
61249 + with name "socket_all_gid" is created.
61250 +
61251 +config GRKERNSEC_SOCKET_CLIENT
61252 + bool "Deny client sockets to group"
61253 + depends on GRKERNSEC_SOCKET
61254 + help
61255 + If you say Y here, you will be able to choose a GID of whose users will
61256 + be unable to connect to other hosts from your machine, but will be
61257 + able to run servers. If this option is enabled, all users in the group
61258 + you specify will have to use passive mode when initiating ftp transfers
61259 + from the shell on your machine. If the sysctl option is enabled, a
61260 + sysctl option with name "socket_client" is created.
61261 +
61262 +config GRKERNSEC_SOCKET_CLIENT_GID
61263 + int "GID to deny client sockets for"
61264 + depends on GRKERNSEC_SOCKET_CLIENT
61265 + default 1003
61266 + help
61267 + Here you can choose the GID to disable client socket access for.
61268 + Remember to add the users you want client socket access disabled for to
61269 + the GID specified here. If the sysctl option is enabled, a sysctl
61270 + option with name "socket_client_gid" is created.
61271 +
61272 +config GRKERNSEC_SOCKET_SERVER
61273 + bool "Deny server sockets to group"
61274 + depends on GRKERNSEC_SOCKET
61275 + help
61276 + If you say Y here, you will be able to choose a GID of whose users will
61277 + be unable to run server applications from your machine. If the sysctl
61278 + option is enabled, a sysctl option with name "socket_server" is created.
61279 +
61280 +config GRKERNSEC_SOCKET_SERVER_GID
61281 + int "GID to deny server sockets for"
61282 + depends on GRKERNSEC_SOCKET_SERVER
61283 + default 1002
61284 + help
61285 + Here you can choose the GID to disable server socket access for.
61286 + Remember to add the users you want server socket access disabled for to
61287 + the GID specified here. If the sysctl option is enabled, a sysctl
61288 + option with name "socket_server_gid" is created.
61289 +
61290 +endmenu
61291 +menu "Sysctl support"
61292 +depends on GRKERNSEC && SYSCTL
61293 +
61294 +config GRKERNSEC_SYSCTL
61295 + bool "Sysctl support"
61296 + help
61297 + If you say Y here, you will be able to change the options that
61298 + grsecurity runs with at bootup, without having to recompile your
61299 + kernel. You can echo values to files in /proc/sys/kernel/grsecurity
61300 + to enable (1) or disable (0) various features. All the sysctl entries
61301 + are mutable until the "grsec_lock" entry is set to a non-zero value.
61302 + All features enabled in the kernel configuration are disabled at boot
61303 + if you do not say Y to the "Turn on features by default" option.
61304 + All options should be set at startup, and the grsec_lock entry should
61305 + be set to a non-zero value after all the options are set.
61306 + *THIS IS EXTREMELY IMPORTANT*
61307 +
61308 +config GRKERNSEC_SYSCTL_DISTRO
61309 + bool "Extra sysctl support for distro makers (READ HELP)"
61310 + depends on GRKERNSEC_SYSCTL && GRKERNSEC_IO
61311 + help
61312 + If you say Y here, additional sysctl options will be created
61313 + for features that affect processes running as root. Therefore,
61314 + it is critical when using this option that the grsec_lock entry be
61315 + enabled after boot. Only distros with prebuilt kernel packages
61316 + with this option enabled that can ensure grsec_lock is enabled
61317 + after boot should use this option.
61318 + *Failure to set grsec_lock after boot makes all grsec features
61319 + this option covers useless*
61320 +
61321 + Currently this option creates the following sysctl entries:
61322 + "Disable Privileged I/O": "disable_priv_io"
61323 +
61324 +config GRKERNSEC_SYSCTL_ON
61325 + bool "Turn on features by default"
61326 + depends on GRKERNSEC_SYSCTL
61327 + help
61328 + If you say Y here, instead of having all features enabled in the
61329 + kernel configuration disabled at boot time, the features will be
61330 + enabled at boot time. It is recommended you say Y here unless
61331 + there is some reason you would want all sysctl-tunable features to
61332 + be disabled by default. As mentioned elsewhere, it is important
61333 + to enable the grsec_lock entry once you have finished modifying
61334 + the sysctl entries.
61335 +
61336 +endmenu
61337 +menu "Logging Options"
61338 +depends on GRKERNSEC
61339 +
61340 +config GRKERNSEC_FLOODTIME
61341 + int "Seconds in between log messages (minimum)"
61342 + default 10
61343 + help
61344 + This option allows you to enforce the number of seconds between
61345 + grsecurity log messages. The default should be suitable for most
61346 + people, however, if you choose to change it, choose a value small enough
61347 + to allow informative logs to be produced, but large enough to
61348 + prevent flooding.
61349 +
61350 +config GRKERNSEC_FLOODBURST
61351 + int "Number of messages in a burst (maximum)"
61352 + default 4
61353 + help
61354 + This option allows you to choose the maximum number of messages allowed
61355 + within the flood time interval you chose in a separate option. The
61356 + default should be suitable for most people, however if you find that
61357 + many of your logs are being interpreted as flooding, you may want to
61358 + raise this value.
61359 +
61360 +endmenu
61361 +
61362 +endmenu
61363 diff -urNp linux-2.6.39.3/grsecurity/Makefile linux-2.6.39.3/grsecurity/Makefile
61364 --- linux-2.6.39.3/grsecurity/Makefile 1969-12-31 19:00:00.000000000 -0500
61365 +++ linux-2.6.39.3/grsecurity/Makefile 2011-05-24 20:26:54.000000000 -0400
61366 @@ -0,0 +1,33 @@
61367 +# grsecurity's ACL system was originally written in 2001 by Michael Dalton
61368 +# during 2001-2009 it has been completely redesigned by Brad Spengler
61369 +# into an RBAC system
61370 +#
61371 +# All code in this directory and various hooks inserted throughout the kernel
61372 +# are copyright Brad Spengler - Open Source Security, Inc., and released
61373 +# under the GPL v2 or higher
61374 +
61375 +obj-y = grsec_chdir.o grsec_chroot.o grsec_exec.o grsec_fifo.o grsec_fork.o \
61376 + grsec_mount.o grsec_sig.o grsec_sock.o grsec_sysctl.o \
61377 + grsec_time.o grsec_tpe.o grsec_link.o grsec_pax.o grsec_ptrace.o
61378 +
61379 +obj-$(CONFIG_GRKERNSEC) += grsec_init.o grsum.o gracl.o gracl_segv.o \
61380 + gracl_cap.o gracl_alloc.o gracl_shm.o grsec_mem.o gracl_fs.o \
61381 + gracl_learn.o grsec_log.o
61382 +obj-$(CONFIG_GRKERNSEC_RESLOG) += gracl_res.o
61383 +
61384 +ifdef CONFIG_NET
61385 +obj-$(CONFIG_GRKERNSEC) += gracl_ip.o
61386 +endif
61387 +
61388 +ifndef CONFIG_GRKERNSEC
61389 +obj-y += grsec_disabled.o
61390 +endif
61391 +
61392 +ifdef CONFIG_GRKERNSEC_HIDESYM
61393 +extra-y := grsec_hidesym.o
61394 +$(obj)/grsec_hidesym.o:
61395 + @-chmod -f 500 /boot
61396 + @-chmod -f 500 /lib/modules
61397 + @-chmod -f 700 .
61398 + @echo ' grsec: protected kernel image paths'
61399 +endif
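Review bot: The `$(obj)/grsec_hidesym.o` recipe changes the mode of `/boot`, `/lib/modules` and the build directory on whichever machine runs the build, which for packaged or cross-built kernels is not the machine that will boot the result. Every `chmod` is prefixed with `@-` and given `-f`, so a failure (for example when building as a non-root user) is silent, yet the recipe still prints `grsec: protected kernel image paths`. The recipe also never creates its target, so it re-runs on every build. I would move the permission change to an install-time step, or at least tie the message to success with `@-chmod -f 500 /boot /lib/modules && echo ' grsec: protected kernel image paths'`, and add a comment above the rule stating that the build has this side effect.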
61400 diff -urNp linux-2.6.39.3/include/acpi/acpi_drivers.h linux-2.6.39.3/include/acpi/acpi_drivers.h
61401 --- linux-2.6.39.3/include/acpi/acpi_drivers.h 2011-05-19 00:06:34.000000000 -0400
61402 +++ linux-2.6.39.3/include/acpi/acpi_drivers.h 2011-05-22 19:36:32.000000000 -0400
61403 @@ -119,8 +119,8 @@ void pci_acpi_crs_quirks(void);
61404 Dock Station
61405 -------------------------------------------------------------------------- */
61406 struct acpi_dock_ops {
61407 - acpi_notify_handler handler;
61408 - acpi_notify_handler uevent;
61409 + const acpi_notify_handler handler;
61410 + const acpi_notify_handler uevent;
61411 };
61412
61413 #if defined(CONFIG_ACPI_DOCK) || defined(CONFIG_ACPI_DOCK_MODULE)
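Review bot: Marking both members of `struct acpi_dock_ops` as `const` means an instance can only be filled in by an initializer. Any driver that assigns `handler` or `uevent` after declaration will stop compiling, and no such callers are visible in this hunk. The next two hunks already change `register_hotplug_dock_device()` to take `const struct acpi_dock_ops *`, so the intent appears to be that ops tables are declared `static const`. A one-line comment on the struct would record that, e.g. `/* initialise statically; instances are expected to be const */`.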
61414 @@ -128,7 +128,7 @@ extern int is_dock_device(acpi_handle ha
61415 extern int register_dock_notifier(struct notifier_block *nb);
61416 extern void unregister_dock_notifier(struct notifier_block *nb);
61417 extern int register_hotplug_dock_device(acpi_handle handle,
61418 - struct acpi_dock_ops *ops,
61419 + const struct acpi_dock_ops *ops,
61420 void *context);
61421 extern void unregister_hotplug_dock_device(acpi_handle handle);
61422 #else
61423 @@ -144,7 +144,7 @@ static inline void unregister_dock_notif
61424 {
61425 }
61426 static inline int register_hotplug_dock_device(acpi_handle handle,
61427 - struct acpi_dock_ops *ops,
61428 + const struct acpi_dock_ops *ops,
61429 void *context)
61430 {
61431 return -ENODEV;
61432 diff -urNp linux-2.6.39.3/include/acpi/processor.h linux-2.6.39.3/include/acpi/processor.h
61433 --- linux-2.6.39.3/include/acpi/processor.h 2011-05-19 00:06:34.000000000 -0400
61434 +++ linux-2.6.39.3/include/acpi/processor.h 2011-05-22 19:36:32.000000000 -0400
61435 @@ -344,7 +344,7 @@ extern struct cpuidle_driver acpi_idle_d
61436
61437 /* in processor_thermal.c */
61438 int acpi_processor_get_limit_info(struct acpi_processor *pr);
61439 -extern struct thermal_cooling_device_ops processor_cooling_ops;
61440 +extern const struct thermal_cooling_device_ops processor_cooling_ops;
61441 #ifdef CONFIG_CPU_FREQ
61442 void acpi_thermal_cpufreq_init(void);
61443 void acpi_thermal_cpufreq_exit(void);
61444 diff -urNp linux-2.6.39.3/include/asm-generic/atomic-long.h linux-2.6.39.3/include/asm-generic/atomic-long.h
61445 --- linux-2.6.39.3/include/asm-generic/atomic-long.h 2011-05-19 00:06:34.000000000 -0400
61446 +++ linux-2.6.39.3/include/asm-generic/atomic-long.h 2011-05-22 19:36:32.000000000 -0400
61447 @@ -22,6 +22,12 @@
61448
61449 typedef atomic64_t atomic_long_t;
61450
61451 +#ifdef CONFIG_PAX_REFCOUNT
61452 +typedef atomic64_unchecked_t atomic_long_unchecked_t;
61453 +#else
61454 +typedef atomic64_t atomic_long_unchecked_t;
61455 +#endif
61456 +
61457 #define ATOMIC_LONG_INIT(i) ATOMIC64_INIT(i)
61458
61459 static inline long atomic_long_read(atomic_long_t *l)
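Review bot: Nothing in this hunk, or in the `_unchecked` helpers added by the following hunks of this file, says when `atomic_long_unchecked_t` may be used. Judging by the `CONFIG_PAX_REFCOUNT` guard, these variants presumably opt a counter out of overflow detection, so picking one for a real reference count would remove that protection. A comment above the typedef should state the rule, for example `/* _unchecked: for counters that are allowed to wrap; not for object reference counts */` (wording to be confirmed against the arch implementation). With the option off, both names alias the same type, so a mismatched pointer is only rejected in PAX_REFCOUNT builds. The same typedef pair is repeated for the 32-bit branch at `@@ -140,6 +209,12 @@`.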
61460 @@ -31,6 +37,15 @@ static inline long atomic_long_read(atom
61461 return (long)atomic64_read(v);
61462 }
61463
61464 +#ifdef CONFIG_PAX_REFCOUNT
61465 +static inline long atomic_long_read_unchecked(atomic_long_unchecked_t *l)
61466 +{
61467 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
61468 +
61469 + return (long)atomic64_read_unchecked(v);
61470 +}
61471 +#endif
61472 +
61473 static inline void atomic_long_set(atomic_long_t *l, long i)
61474 {
61475 atomic64_t *v = (atomic64_t *)l;
61476 @@ -38,6 +53,15 @@ static inline void atomic_long_set(atomi
61477 atomic64_set(v, i);
61478 }
61479
61480 +#ifdef CONFIG_PAX_REFCOUNT
61481 +static inline void atomic_long_set_unchecked(atomic_long_unchecked_t *l, long i)
61482 +{
61483 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
61484 +
61485 + atomic64_set_unchecked(v, i);
61486 +}
61487 +#endif
61488 +
61489 static inline void atomic_long_inc(atomic_long_t *l)
61490 {
61491 atomic64_t *v = (atomic64_t *)l;
61492 @@ -45,6 +69,15 @@ static inline void atomic_long_inc(atomi
61493 atomic64_inc(v);
61494 }
61495
61496 +#ifdef CONFIG_PAX_REFCOUNT
61497 +static inline void atomic_long_inc_unchecked(atomic_long_unchecked_t *l)
61498 +{
61499 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
61500 +
61501 + atomic64_inc_unchecked(v);
61502 +}
61503 +#endif
61504 +
61505 static inline void atomic_long_dec(atomic_long_t *l)
61506 {
61507 atomic64_t *v = (atomic64_t *)l;
61508 @@ -52,6 +85,15 @@ static inline void atomic_long_dec(atomi
61509 atomic64_dec(v);
61510 }
61511
61512 +#ifdef CONFIG_PAX_REFCOUNT
61513 +static inline void atomic_long_dec_unchecked(atomic_long_unchecked_t *l)
61514 +{
61515 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
61516 +
61517 + atomic64_dec_unchecked(v);
61518 +}
61519 +#endif
61520 +
61521 static inline void atomic_long_add(long i, atomic_long_t *l)
61522 {
61523 atomic64_t *v = (atomic64_t *)l;
61524 @@ -59,6 +101,15 @@ static inline void atomic_long_add(long
61525 atomic64_add(i, v);
61526 }
61527
61528 +#ifdef CONFIG_PAX_REFCOUNT
61529 +static inline void atomic_long_add_unchecked(long i, atomic_long_unchecked_t *l)
61530 +{
61531 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
61532 +
61533 + atomic64_add_unchecked(i, v);
61534 +}
61535 +#endif
61536 +
61537 static inline void atomic_long_sub(long i, atomic_long_t *l)
61538 {
61539 atomic64_t *v = (atomic64_t *)l;
61540 @@ -66,6 +117,15 @@ static inline void atomic_long_sub(long
61541 atomic64_sub(i, v);
61542 }
61543
61544 +#ifdef CONFIG_PAX_REFCOUNT
61545 +static inline void atomic_long_sub_unchecked(long i, atomic_long_unchecked_t *l)
61546 +{
61547 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
61548 +
61549 + atomic64_sub_unchecked(i, v);
61550 +}
61551 +#endif
61552 +
61553 static inline int atomic_long_sub_and_test(long i, atomic_long_t *l)
61554 {
61555 atomic64_t *v = (atomic64_t *)l;
61556 @@ -115,6 +175,15 @@ static inline long atomic_long_inc_retur
61557 return (long)atomic64_inc_return(v);
61558 }
61559
61560 +#ifdef CONFIG_PAX_REFCOUNT
61561 +static inline long atomic_long_inc_return_unchecked(atomic_long_unchecked_t *l)
61562 +{
61563 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
61564 +
61565 + return (long)atomic64_inc_return_unchecked(v);
61566 +}
61567 +#endif
61568 +
61569 static inline long atomic_long_dec_return(atomic_long_t *l)
61570 {
61571 atomic64_t *v = (atomic64_t *)l;
61572 @@ -140,6 +209,12 @@ static inline long atomic_long_add_unles
61573
61574 typedef atomic_t atomic_long_t;
61575
61576 +#ifdef CONFIG_PAX_REFCOUNT
61577 +typedef atomic_unchecked_t atomic_long_unchecked_t;
61578 +#else
61579 +typedef atomic_t atomic_long_unchecked_t;
61580 +#endif
61581 +
61582 #define ATOMIC_LONG_INIT(i) ATOMIC_INIT(i)
61583 static inline long atomic_long_read(atomic_long_t *l)
61584 {
61585 @@ -148,6 +223,15 @@ static inline long atomic_long_read(atom
61586 return (long)atomic_read(v);
61587 }
61588
61589 +#ifdef CONFIG_PAX_REFCOUNT
61590 +static inline long atomic_long_read_unchecked(atomic_long_unchecked_t *l)
61591 +{
61592 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
61593 +
61594 + return (long)atomic_read_unchecked(v);
61595 +}
61596 +#endif
61597 +
61598 static inline void atomic_long_set(atomic_long_t *l, long i)
61599 {
61600 atomic_t *v = (atomic_t *)l;
61601 @@ -155,6 +239,15 @@ static inline void atomic_long_set(atomi
61602 atomic_set(v, i);
61603 }
61604
61605 +#ifdef CONFIG_PAX_REFCOUNT
61606 +static inline void atomic_long_set_unchecked(atomic_long_unchecked_t *l, long i)
61607 +{
61608 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
61609 +
61610 + atomic_set_unchecked(v, i);
61611 +}
61612 +#endif
61613 +
61614 static inline void atomic_long_inc(atomic_long_t *l)
61615 {
61616 atomic_t *v = (atomic_t *)l;
61617 @@ -162,6 +255,15 @@ static inline void atomic_long_inc(atomi
61618 atomic_inc(v);
61619 }
61620
61621 +#ifdef CONFIG_PAX_REFCOUNT
61622 +static inline void atomic_long_inc_unchecked(atomic_long_unchecked_t *l)
61623 +{
61624 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
61625 +
61626 + atomic_inc_unchecked(v);
61627 +}
61628 +#endif
61629 +
61630 static inline void atomic_long_dec(atomic_long_t *l)
61631 {
61632 atomic_t *v = (atomic_t *)l;
61633 @@ -169,6 +271,15 @@ static inline void atomic_long_dec(atomi
61634 atomic_dec(v);
61635 }
61636
61637 +#ifdef CONFIG_PAX_REFCOUNT
61638 +static inline void atomic_long_dec_unchecked(atomic_long_unchecked_t *l)
61639 +{
61640 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
61641 +
61642 + atomic_dec_unchecked(v);
61643 +}
61644 +#endif
61645 +
61646 static inline void atomic_long_add(long i, atomic_long_t *l)
61647 {
61648 atomic_t *v = (atomic_t *)l;
61649 @@ -176,6 +287,15 @@ static inline void atomic_long_add(long
61650 atomic_add(i, v);
61651 }
61652
61653 +#ifdef CONFIG_PAX_REFCOUNT
61654 +static inline void atomic_long_add_unchecked(long i, atomic_long_unchecked_t *l)
61655 +{
61656 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
61657 +
61658 + atomic_add_unchecked(i, v);
61659 +}
61660 +#endif
61661 +
61662 static inline void atomic_long_sub(long i, atomic_long_t *l)
61663 {
61664 atomic_t *v = (atomic_t *)l;
61665 @@ -183,6 +303,15 @@ static inline void atomic_long_sub(long
61666 atomic_sub(i, v);
61667 }
61668
61669 +#ifdef CONFIG_PAX_REFCOUNT
61670 +static inline void atomic_long_sub_unchecked(long i, atomic_long_unchecked_t *l)
61671 +{
61672 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
61673 +
61674 + atomic_sub_unchecked(i, v);
61675 +}
61676 +#endif
61677 +
61678 static inline int atomic_long_sub_and_test(long i, atomic_long_t *l)
61679 {
61680 atomic_t *v = (atomic_t *)l;
61681 @@ -232,6 +361,15 @@ static inline long atomic_long_inc_retur
61682 return (long)atomic_inc_return(v);
61683 }
61684
61685 +#ifdef CONFIG_PAX_REFCOUNT
61686 +static inline long atomic_long_inc_return_unchecked(atomic_long_unchecked_t *l)
61687 +{
61688 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
61689 +
61690 + return (long)atomic_inc_return_unchecked(v);
61691 +}
61692 +#endif
61693 +
61694 static inline long atomic_long_dec_return(atomic_long_t *l)
61695 {
61696 atomic_t *v = (atomic_t *)l;
61697 @@ -255,4 +393,49 @@ static inline long atomic_long_add_unles
61698
61699 #endif /* BITS_PER_LONG == 64 */
61700
61701 +#ifdef CONFIG_PAX_REFCOUNT
61702 +static inline void pax_refcount_needs_these_functions(void)
61703 +{
61704 + atomic_read_unchecked((atomic_unchecked_t *)NULL);
61705 + atomic_set_unchecked((atomic_unchecked_t *)NULL, 0);
61706 + atomic_add_unchecked(0, (atomic_unchecked_t *)NULL);
61707 + atomic_sub_unchecked(0, (atomic_unchecked_t *)NULL);
61708 + atomic_inc_unchecked((atomic_unchecked_t *)NULL);
61709 + atomic_inc_and_test_unchecked((atomic_unchecked_t *)NULL);
61710 + atomic_inc_return_unchecked((atomic_unchecked_t *)NULL);
61711 + atomic_add_return_unchecked(0, (atomic_unchecked_t *)NULL);
61712 + atomic_dec_unchecked((atomic_unchecked_t *)NULL);
61713 + atomic_cmpxchg_unchecked((atomic_unchecked_t *)NULL, 0, 0);
61714 + atomic_xchg_unchecked((atomic_unchecked_t *)NULL, 0);
61715 +
61716 + atomic_long_read_unchecked((atomic_long_unchecked_t *)NULL);
61717 + atomic_long_set_unchecked((atomic_long_unchecked_t *)NULL, 0);
61718 + atomic_long_add_unchecked(0, (atomic_long_unchecked_t *)NULL);
61719 + atomic_long_sub_unchecked(0, (atomic_long_unchecked_t *)NULL);
61720 + atomic_long_inc_unchecked((atomic_long_unchecked_t *)NULL);
61721 + atomic_long_inc_return_unchecked((atomic_long_unchecked_t *)NULL);
61722 + atomic_long_dec_unchecked((atomic_long_unchecked_t *)NULL);
61723 +}
61724 +#else
61725 +#define atomic_read_unchecked(v) atomic_read(v)
61726 +#define atomic_set_unchecked(v, i) atomic_set((v), (i))
61727 +#define atomic_add_unchecked(i, v) atomic_add((i), (v))
61728 +#define atomic_sub_unchecked(i, v) atomic_sub((i), (v))
61729 +#define atomic_inc_unchecked(v) atomic_inc(v)
61730 +#define atomic_inc_and_test_unchecked(v) atomic_inc_and_test(v)
61731 +#define atomic_inc_return_unchecked(v) atomic_inc_return(v)
61732 +#define atomic_add_return_unchecked(i, v) atomic_add_return((i), (v))
61733 +#define atomic_dec_unchecked(v) atomic_dec(v)
61734 +#define atomic_cmpxchg_unchecked(v, o, n) atomic_cmpxchg((v), (o), (n))
61735 +#define atomic_xchg_unchecked(v, i) atomic_xchg((v), (i))
61736 +
61737 +#define atomic_long_read_unchecked(v) atomic_long_read(v)
61738 +#define atomic_long_set_unchecked(v, i) atomic_long_set((v), (i))
61739 +#define atomic_long_add_unchecked(i, v) atomic_long_add((i), (v))
61740 +#define atomic_long_sub_unchecked(i, v) atomic_long_sub((i), (v))
61741 +#define atomic_long_inc_unchecked(v) atomic_long_inc(v)
61742 +#define atomic_long_inc_return_unchecked(v) atomic_long_inc_return(v)
61743 +#define atomic_long_dec_unchecked(v) atomic_long_dec(v)
61744 +#endif
61745 +
61746 #endif /* _ASM_GENERIC_ATOMIC_LONG_H */
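Review bot: `pax_refcount_needs_these_functions()` passes a NULL pointer to every `_unchecked` operation, so it would fault if anything ever called it. It appears to exist only so that the build breaks when an architecture does not provide one of these helpers, but no comment says so. I would put that above the function, e.g. `/* build-time check only, never call: forces every arch to supply the _unchecked API */`. The `#else` branch should get a matching line saying that without `CONFIG_PAX_REFCOUNT` the `_unchecked` names are plain aliases of the checked operations.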
61747 diff -urNp linux-2.6.39.3/include/asm-generic/cache.h linux-2.6.39.3/include/asm-generic/cache.h
61748 --- linux-2.6.39.3/include/asm-generic/cache.h 2011-05-19 00:06:34.000000000 -0400
61749 +++ linux-2.6.39.3/include/asm-generic/cache.h 2011-07-06 20:00:13.000000000 -0400
61750 @@ -6,7 +6,7 @@
61751 * cache lines need to provide their own cache.h.
61752 */
61753
61754 -#define L1_CACHE_SHIFT 5
61755 -#define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
61756 +#define L1_CACHE_SHIFT 5UL
61757 +#define L1_CACHE_BYTES (1UL << L1_CACHE_SHIFT)
61758
61759 #endif /* __ASM_GENERIC_CACHE_H */
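Review bot: `5UL` and `1UL` carry a C integer suffix that an assembler does not accept. Any `.S` file or linker script that picks up `L1_CACHE_SHIFT` or `L1_CACHE_BYTES` through this header would therefore stop building; whether one does is not visible from this hunk. The kernel's `_AC()` helper from `<linux/const.h>` keeps the `unsigned long` type in C and drops the suffix for assembly, and this same patch uses it for `PMD_SIZE` in `pgtable-nopmd.h`. I would write `#define L1_CACHE_SHIFT _AC(5,UL)` and `#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)`.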
61760 diff -urNp linux-2.6.39.3/include/asm-generic/dma-mapping-common.h linux-2.6.39.3/include/asm-generic/dma-mapping-common.h
61761 --- linux-2.6.39.3/include/asm-generic/dma-mapping-common.h 2011-05-19 00:06:34.000000000 -0400
61762 +++ linux-2.6.39.3/include/asm-generic/dma-mapping-common.h 2011-05-22 19:36:32.000000000 -0400
61763 @@ -11,7 +11,7 @@ static inline dma_addr_t dma_map_single_
61764 enum dma_data_direction dir,
61765 struct dma_attrs *attrs)
61766 {
61767 - struct dma_map_ops *ops = get_dma_ops(dev);
61768 + const struct dma_map_ops *ops = get_dma_ops(dev);
61769 dma_addr_t addr;
61770
61771 kmemcheck_mark_initialized(ptr, size);
61772 @@ -30,7 +30,7 @@ static inline void dma_unmap_single_attr
61773 enum dma_data_direction dir,
61774 struct dma_attrs *attrs)
61775 {
61776 - struct dma_map_ops *ops = get_dma_ops(dev);
61777 + const struct dma_map_ops *ops = get_dma_ops(dev);
61778
61779 BUG_ON(!valid_dma_direction(dir));
61780 if (ops->unmap_page)
61781 @@ -42,7 +42,7 @@ static inline int dma_map_sg_attrs(struc
61782 int nents, enum dma_data_direction dir,
61783 struct dma_attrs *attrs)
61784 {
61785 - struct dma_map_ops *ops = get_dma_ops(dev);
61786 + const struct dma_map_ops *ops = get_dma_ops(dev);
61787 int i, ents;
61788 struct scatterlist *s;
61789
61790 @@ -59,7 +59,7 @@ static inline void dma_unmap_sg_attrs(st
61791 int nents, enum dma_data_direction dir,
61792 struct dma_attrs *attrs)
61793 {
61794 - struct dma_map_ops *ops = get_dma_ops(dev);
61795 + const struct dma_map_ops *ops = get_dma_ops(dev);
61796
61797 BUG_ON(!valid_dma_direction(dir));
61798 debug_dma_unmap_sg(dev, sg, nents, dir);
61799 @@ -71,7 +71,7 @@ static inline dma_addr_t dma_map_page(st
61800 size_t offset, size_t size,
61801 enum dma_data_direction dir)
61802 {
61803 - struct dma_map_ops *ops = get_dma_ops(dev);
61804 + const struct dma_map_ops *ops = get_dma_ops(dev);
61805 dma_addr_t addr;
61806
61807 kmemcheck_mark_initialized(page_address(page) + offset, size);
61808 @@ -85,7 +85,7 @@ static inline dma_addr_t dma_map_page(st
61809 static inline void dma_unmap_page(struct device *dev, dma_addr_t addr,
61810 size_t size, enum dma_data_direction dir)
61811 {
61812 - struct dma_map_ops *ops = get_dma_ops(dev);
61813 + const struct dma_map_ops *ops = get_dma_ops(dev);
61814
61815 BUG_ON(!valid_dma_direction(dir));
61816 if (ops->unmap_page)
61817 @@ -97,7 +97,7 @@ static inline void dma_sync_single_for_c
61818 size_t size,
61819 enum dma_data_direction dir)
61820 {
61821 - struct dma_map_ops *ops = get_dma_ops(dev);
61822 + const struct dma_map_ops *ops = get_dma_ops(dev);
61823
61824 BUG_ON(!valid_dma_direction(dir));
61825 if (ops->sync_single_for_cpu)
61826 @@ -109,7 +109,7 @@ static inline void dma_sync_single_for_d
61827 dma_addr_t addr, size_t size,
61828 enum dma_data_direction dir)
61829 {
61830 - struct dma_map_ops *ops = get_dma_ops(dev);
61831 + const struct dma_map_ops *ops = get_dma_ops(dev);
61832
61833 BUG_ON(!valid_dma_direction(dir));
61834 if (ops->sync_single_for_device)
61835 @@ -139,7 +139,7 @@ static inline void
61836 dma_sync_sg_for_cpu(struct device *dev, struct scatterlist *sg,
61837 int nelems, enum dma_data_direction dir)
61838 {
61839 - struct dma_map_ops *ops = get_dma_ops(dev);
61840 + const struct dma_map_ops *ops = get_dma_ops(dev);
61841
61842 BUG_ON(!valid_dma_direction(dir));
61843 if (ops->sync_sg_for_cpu)
61844 @@ -151,7 +151,7 @@ static inline void
61845 dma_sync_sg_for_device(struct device *dev, struct scatterlist *sg,
61846 int nelems, enum dma_data_direction dir)
61847 {
61848 - struct dma_map_ops *ops = get_dma_ops(dev);
61849 + const struct dma_map_ops *ops = get_dma_ops(dev);
61850
61851 BUG_ON(!valid_dma_direction(dir));
61852 if (ops->sync_sg_for_device)
61853 diff -urNp linux-2.6.39.3/include/asm-generic/int-l64.h linux-2.6.39.3/include/asm-generic/int-l64.h
61854 --- linux-2.6.39.3/include/asm-generic/int-l64.h 2011-05-19 00:06:34.000000000 -0400
61855 +++ linux-2.6.39.3/include/asm-generic/int-l64.h 2011-05-22 19:36:32.000000000 -0400
61856 @@ -46,6 +46,8 @@ typedef unsigned int u32;
61857 typedef signed long s64;
61858 typedef unsigned long u64;
61859
61860 +typedef unsigned int intoverflow_t __attribute__ ((mode(TI)));
61861 +
61862 #define S8_C(x) x
61863 #define U8_C(x) x ## U
61864 #define S16_C(x) x
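Review bot: `intoverflow_t` is introduced without a comment on its purpose, and `__attribute__ ((mode(TI)))` is a GCC extension available only on targets with 128-bit integer support. If the type is meant to hold a widened size computation so that overflow can be detected (inferred from the name; no use is visible here), say so above the typedef. Something like `/* wider than unsigned long: holds a size product so overflow is visible before truncation; needs GCC TImode */` would do.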
61865 diff -urNp linux-2.6.39.3/include/asm-generic/int-ll64.h linux-2.6.39.3/include/asm-generic/int-ll64.h
61866 --- linux-2.6.39.3/include/asm-generic/int-ll64.h 2011-05-19 00:06:34.000000000 -0400
61867 +++ linux-2.6.39.3/include/asm-generic/int-ll64.h 2011-05-22 19:36:32.000000000 -0400
61868 @@ -51,6 +51,8 @@ typedef unsigned int u32;
61869 typedef signed long long s64;
61870 typedef unsigned long long u64;
61871
61872 +typedef unsigned long long intoverflow_t;
61873 +
61874 #define S8_C(x) x
61875 #define U8_C(x) x ## U
61876 #define S16_C(x) x
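Review bot: In this header `intoverflow_t` is `unsigned long long`, which is wider than `unsigned long` only on 32-bit targets. If a 64-bit build takes its fixed-width types from this header rather than from `int-l64.h`, a check that widens two `unsigned long` operands to `intoverflow_t` cannot observe the overflow it is meant to catch; the intended use is inferred from the name, as no user is visible here. The assumption should be explicit, for example with `BUILD_BUG_ON(sizeof(intoverflow_t) <= sizeof(unsigned long));` next to the first user, or by selecting the TI-mode definition when `BITS_PER_LONG == 64`.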
61877 diff -urNp linux-2.6.39.3/include/asm-generic/kmap_types.h linux-2.6.39.3/include/asm-generic/kmap_types.h
61878 --- linux-2.6.39.3/include/asm-generic/kmap_types.h 2011-05-19 00:06:34.000000000 -0400
61879 +++ linux-2.6.39.3/include/asm-generic/kmap_types.h 2011-05-22 19:36:32.000000000 -0400
61880 @@ -29,10 +29,11 @@ KMAP_D(16) KM_IRQ_PTE,
61881 KMAP_D(17) KM_NMI,
61882 KMAP_D(18) KM_NMI_PTE,
61883 KMAP_D(19) KM_KDB,
61884 +KMAP_D(20) KM_CLEARPAGE,
61885 /*
61886 * Remember to update debug_kmap_atomic() when adding new kmap types!
61887 */
61888 -KMAP_D(20) KM_TYPE_NR
61889 +KMAP_D(21) KM_TYPE_NR
61890 };
61891
61892 #undef KMAP_D
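Review bot: The new `KM_CLEARPAGE` slot is added directly above the existing reminder "Remember to update debug_kmap_atomic() when adding new kmap types!", and this hunk shows no such update. It may be made elsewhere in the patch, but that should be confirmed, since an unhandled type would slip past whatever context checks that function performs. The hard-coded `KMAP_D(20)`/`KMAP_D(21)` indices also have to be renumbered by hand on every rebase. A short comment such as `/* PaX: per-CPU slot used when clearing pages */` would record why the slot exists. The enum starts outside the hunk.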
61893 diff -urNp linux-2.6.39.3/include/asm-generic/pgtable.h linux-2.6.39.3/include/asm-generic/pgtable.h
61894 --- linux-2.6.39.3/include/asm-generic/pgtable.h 2011-05-19 00:06:34.000000000 -0400
61895 +++ linux-2.6.39.3/include/asm-generic/pgtable.h 2011-05-22 19:36:32.000000000 -0400
61896 @@ -447,6 +447,14 @@ static inline int pmd_write(pmd_t pmd)
61897 #endif /* __HAVE_ARCH_PMD_WRITE */
61898 #endif
61899
61900 +#ifndef __HAVE_ARCH_PAX_OPEN_KERNEL
61901 +static inline unsigned long pax_open_kernel(void) { return 0; }
61902 +#endif
61903 +
61904 +#ifndef __HAVE_ARCH_PAX_CLOSE_KERNEL
61905 +static inline unsigned long pax_close_kernel(void) { return 0; }
61906 +#endif
61907 +
61908 #endif /* !__ASSEMBLY__ */
61909
61910 #endif /* _ASM_GENERIC_PGTABLE_H */
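Review bot: The generic `pax_open_kernel()`/`pax_close_kernel()` fallbacks return 0 and do nothing, and no comment says so, so a caller on an architecture without its own implementation cannot tell that no write protection was lifted or restored. I would document that above the stubs: `/* Generic fallback: this architecture does not toggle kernel write protection; both calls are no-ops and always return 0. */`. The two halves are also guarded by separate `__HAVE_ARCH_PAX_OPEN_KERNEL` and `__HAVE_ARCH_PAX_CLOSE_KERNEL` macros, so an architecture that defines only one gets a real open paired with a stub close (or the reverse). A single guard for the pair would rule that out.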
61911 diff -urNp linux-2.6.39.3/include/asm-generic/pgtable-nopmd.h linux-2.6.39.3/include/asm-generic/pgtable-nopmd.h
61912 --- linux-2.6.39.3/include/asm-generic/pgtable-nopmd.h 2011-05-19 00:06:34.000000000 -0400
61913 +++ linux-2.6.39.3/include/asm-generic/pgtable-nopmd.h 2011-05-22 19:36:32.000000000 -0400
61914 @@ -1,14 +1,19 @@
61915 #ifndef _PGTABLE_NOPMD_H
61916 #define _PGTABLE_NOPMD_H
61917
61918 -#ifndef __ASSEMBLY__
61919 -
61920 #include <asm-generic/pgtable-nopud.h>
61921
61922 -struct mm_struct;
61923 -
61924 #define __PAGETABLE_PMD_FOLDED
61925
61926 +#define PMD_SHIFT PUD_SHIFT
61927 +#define PTRS_PER_PMD 1
61928 +#define PMD_SIZE (_AC(1,UL) << PMD_SHIFT)
61929 +#define PMD_MASK (~(PMD_SIZE-1))
61930 +
61931 +#ifndef __ASSEMBLY__
61932 +
61933 +struct mm_struct;
61934 +
61935 /*
61936 * Having the pmd type consist of a pud gets the size right, and allows
61937 * us to conceptually access the pud entry that this pmd is folded into
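Review bot: `PMD_SIZE` now uses `_AC(1,UL)` so the constants can live outside the `__ASSEMBLY__` guard, but the hunk adds no include for the header that defines `_AC`. The file therefore depends on every includer, including assembly sources, having already pulled it in. The pgtable-nopud.h hunk further down has the same dependency for `PUD_SIZE`. Adding `#include <linux/const.h>` ahead of the defines in both headers would make them self-contained. The include of pgtable-nopud.h is also now seen by the assembler, which is only safe because that header gets the matching change.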
61938 @@ -16,11 +21,6 @@ struct mm_struct;
61939 */
61940 typedef struct { pud_t pud; } pmd_t;
61941
61942 -#define PMD_SHIFT PUD_SHIFT
61943 -#define PTRS_PER_PMD 1
61944 -#define PMD_SIZE (1UL << PMD_SHIFT)
61945 -#define PMD_MASK (~(PMD_SIZE-1))
61946 -
61947 /*
61948 * The "pud_xxx()" functions here are trivial for a folded two-level
61949 * setup: the pmd is never bad, and a pmd always exists (as it's folded
61950 diff -urNp linux-2.6.39.3/include/asm-generic/pgtable-nopud.h linux-2.6.39.3/include/asm-generic/pgtable-nopud.h
61951 --- linux-2.6.39.3/include/asm-generic/pgtable-nopud.h 2011-05-19 00:06:34.000000000 -0400
61952 +++ linux-2.6.39.3/include/asm-generic/pgtable-nopud.h 2011-05-22 19:36:32.000000000 -0400
61953 @@ -1,10 +1,15 @@
61954 #ifndef _PGTABLE_NOPUD_H
61955 #define _PGTABLE_NOPUD_H
61956
61957 -#ifndef __ASSEMBLY__
61958 -
61959 #define __PAGETABLE_PUD_FOLDED
61960
61961 +#define PUD_SHIFT PGDIR_SHIFT
61962 +#define PTRS_PER_PUD 1
61963 +#define PUD_SIZE (_AC(1,UL) << PUD_SHIFT)
61964 +#define PUD_MASK (~(PUD_SIZE-1))
61965 +
61966 +#ifndef __ASSEMBLY__
61967 +
61968 /*
61969 * Having the pud type consist of a pgd gets the size right, and allows
61970 * us to conceptually access the pgd entry that this pud is folded into
61971 @@ -12,11 +17,6 @@
61972 */
61973 typedef struct { pgd_t pgd; } pud_t;
61974
61975 -#define PUD_SHIFT PGDIR_SHIFT
61976 -#define PTRS_PER_PUD 1
61977 -#define PUD_SIZE (1UL << PUD_SHIFT)
61978 -#define PUD_MASK (~(PUD_SIZE-1))
61979 -
61980 /*
61981 * The "pgd_xxx()" functions here are trivial for a folded two-level
61982 * setup: the pud is never bad, and a pud always exists (as it's folded
61983 diff -urNp linux-2.6.39.3/include/asm-generic/vmlinux.lds.h linux-2.6.39.3/include/asm-generic/vmlinux.lds.h
61984 --- linux-2.6.39.3/include/asm-generic/vmlinux.lds.h 2011-05-19 00:06:34.000000000 -0400
61985 +++ linux-2.6.39.3/include/asm-generic/vmlinux.lds.h 2011-05-22 19:36:32.000000000 -0400
61986 @@ -213,6 +213,7 @@
61987 .rodata : AT(ADDR(.rodata) - LOAD_OFFSET) { \
61988 VMLINUX_SYMBOL(__start_rodata) = .; \
61989 *(.rodata) *(.rodata.*) \
61990 + *(.data..read_only) \
61991 *(__vermagic) /* Kernel version magic */ \
61992 . = ALIGN(8); \
61993 VMLINUX_SYMBOL(__start___tracepoints_ptrs) = .; \
61994 @@ -707,14 +708,15 @@
61995 * section in the linker script will go there too. @phdr should have
61996 * a leading colon.
61997 *
61998 - * Note that this macros defines __per_cpu_load as an absolute symbol.
61999 + * Note that this macros defines per_cpu_load as an absolute symbol.
62000 * If there is no need to put the percpu section at a predetermined
62001 * address, use PERCPU().
62002 */
62003 #define PERCPU_VADDR(cacheline, vaddr, phdr) \
62004 - VMLINUX_SYMBOL(__per_cpu_load) = .; \
62005 - .data..percpu vaddr : AT(VMLINUX_SYMBOL(__per_cpu_load) \
62006 + per_cpu_load = .; \
62007 + .data..percpu vaddr : AT(VMLINUX_SYMBOL(per_cpu_load) \
62008 - LOAD_OFFSET) { \
62009 + VMLINUX_SYMBOL(__per_cpu_load) = . + per_cpu_load; \
62010 VMLINUX_SYMBOL(__per_cpu_start) = .; \
62011 *(.data..percpu..first) \
62012 . = ALIGN(PAGE_SIZE); \
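Review bot: `per_cpu_load` is assigned as a bare symbol (`per_cpu_load = .;`) but read back as `VMLINUX_SYMBOL(per_cpu_load)` in the `AT()` expression and again in the following hunk, and then once more as a bare name in `. + per_cpu_load`. On a configuration where `VMLINUX_SYMBOL()` adds a prefix, the wrapped reads would name a symbol that was never defined. I would use one spelling throughout, e.g. `VMLINUX_SYMBOL(per_cpu_load) = .;` and `VMLINUX_SYMBOL(__per_cpu_load) = . + VMLINUX_SYMBOL(per_cpu_load);`. The reworded comment now says the macro defines `per_cpu_load`, but `__per_cpu_load` is still defined inside the section; the comment should name both and say which is the load address. The macro body continues past this hunk.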
62013 @@ -726,7 +728,7 @@
62014 *(.data..percpu..shared_aligned) \
62015 VMLINUX_SYMBOL(__per_cpu_end) = .; \
62016 } phdr \
62017 - . = VMLINUX_SYMBOL(__per_cpu_load) + SIZEOF(.data..percpu);
62018 + . = VMLINUX_SYMBOL(per_cpu_load) + SIZEOF(.data..percpu);
62019
62020 /**
62021 * PERCPU - define output section for percpu area, simple version
62022 diff -urNp linux-2.6.39.3/include/drm/drmP.h linux-2.6.39.3/include/drm/drmP.h
62023 --- linux-2.6.39.3/include/drm/drmP.h 2011-05-19 00:06:34.000000000 -0400
62024 +++ linux-2.6.39.3/include/drm/drmP.h 2011-05-22 19:41:42.000000000 -0400
62025 @@ -73,6 +73,7 @@
62026 #include <linux/workqueue.h>
62027 #include <linux/poll.h>
62028 #include <asm/pgalloc.h>
62029 +#include <asm/local.h>
62030 #include "drm.h"
62031
62032 #include <linux/idr.h>
62033 @@ -908,7 +909,7 @@ struct drm_driver {
62034 uint32_t handle);
62035
62036 /* Driver private ops for this object */
62037 - struct vm_operations_struct *gem_vm_ops;
62038 + const struct vm_operations_struct *gem_vm_ops;
62039
62040 int major;
62041 int minor;
62042 @@ -1023,7 +1024,7 @@ struct drm_device {
62043
62044 /** \name Usage Counters */
62045 /*@{ */
62046 - int open_count; /**< Outstanding files open */
62047 + local_t open_count; /**< Outstanding files open */
62048 atomic_t ioctl_count; /**< Outstanding IOCTLs pending */
62049 atomic_t vma_count; /**< Outstanding vma areas open */
62050 int buf_use; /**< Buffers in use -- cannot alloc */
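Review bot: `open_count` changes from `int` to `local_t` with no comment on why `local_t` was chosen rather than `atomic_t`, the type used by the two counters next to it. As far as I know, `local_t` operations are atomic only with respect to the CPU that executes them. The field therefore still depends on whatever lock serialised updates to the plain `int`, and the type change alone adds no cross-CPU safety. A comment on the field would make that explicit, e.g. `/* local_t for overflow-checked inc/dec; updates remain serialised by the caller's lock */`, with the lock named once confirmed. The struct starts and ends outside the hunk.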
62051 @@ -1034,7 +1035,7 @@ struct drm_device {
62052 /*@{ */
62053 unsigned long counters;
62054 enum drm_stat_type types[15];
62055 - atomic_t counts[15];
62056 + atomic_unchecked_t counts[15];
62057 /*@} */
62058
62059 struct list_head filelist;
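Review bot: `counts[15]` moves to `atomic_unchecked_t` without a comment recording that it is a statistics array where wraparound is harmless. The same applies to `__HANDLE_ITEM` in atmdev.h, `dropped` in blktrace_api.h and `fscache_op_debug_id` in fscache-cache.h. As I understand it, the unchecked type opts a counter out of the overflow detection this patch set applies to `atomic_t`, so each conversion is a claim that the value is never used as a reference count. That claim should sit next to the field, e.g. `/* statistics only, may wrap */`. The fscache hunk shows the intended split: `op->usage` stays `atomic_t` while the debug id becomes unchecked.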
62060 diff -urNp linux-2.6.39.3/include/linux/a.out.h linux-2.6.39.3/include/linux/a.out.h
62061 --- linux-2.6.39.3/include/linux/a.out.h 2011-05-19 00:06:34.000000000 -0400
62062 +++ linux-2.6.39.3/include/linux/a.out.h 2011-05-22 19:36:32.000000000 -0400
62063 @@ -39,6 +39,14 @@ enum machine_type {
62064 M_MIPS2 = 152 /* MIPS R6000/R4000 binary */
62065 };
62066
62067 +/* Constants for the N_FLAGS field */
62068 +#define F_PAX_PAGEEXEC 1 /* Paging based non-executable pages */
62069 +#define F_PAX_EMUTRAMP 2 /* Emulate trampolines */
62070 +#define F_PAX_MPROTECT 4 /* Restrict mprotect() */
62071 +#define F_PAX_RANDMMAP 8 /* Randomize mmap() base */
62072 +/*#define F_PAX_RANDEXEC 16*/ /* Randomize ET_EXEC base */
62073 +#define F_PAX_SEGMEXEC 32 /* Segmentation based non-executable pages */
62074 +
62075 #if !defined (N_MAGIC)
62076 #define N_MAGIC(exec) ((exec).a_info & 0xffff)
62077 #endif
62078 diff -urNp linux-2.6.39.3/include/linux/atmdev.h linux-2.6.39.3/include/linux/atmdev.h
62079 --- linux-2.6.39.3/include/linux/atmdev.h 2011-05-19 00:06:34.000000000 -0400
62080 +++ linux-2.6.39.3/include/linux/atmdev.h 2011-05-22 19:36:32.000000000 -0400
62081 @@ -237,7 +237,7 @@ struct compat_atm_iobuf {
62082 #endif
62083
62084 struct k_atm_aal_stats {
62085 -#define __HANDLE_ITEM(i) atomic_t i
62086 +#define __HANDLE_ITEM(i) atomic_unchecked_t i
62087 __AAL_STAT_ITEMS
62088 #undef __HANDLE_ITEM
62089 };
62090 diff -urNp linux-2.6.39.3/include/linux/binfmts.h linux-2.6.39.3/include/linux/binfmts.h
62091 --- linux-2.6.39.3/include/linux/binfmts.h 2011-05-19 00:06:34.000000000 -0400
62092 +++ linux-2.6.39.3/include/linux/binfmts.h 2011-05-22 19:36:32.000000000 -0400
62093 @@ -92,6 +92,7 @@ struct linux_binfmt {
62094 int (*load_binary)(struct linux_binprm *, struct pt_regs * regs);
62095 int (*load_shlib)(struct file *);
62096 int (*core_dump)(struct coredump_params *cprm);
62097 + void (*handle_mprotect)(struct vm_area_struct *vma, unsigned long newflags);
62098 unsigned long min_coredump; /* minimal dump size */
62099 };
62100
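Review bot: The new `handle_mprotect` callback is added to `struct linux_binfmt` without a comment, and every existing binfmt that does not set it will carry a NULL pointer there. The call site is not in this hunk, so it should be confirmed that it tests the pointer before calling. I would document the member as optional, e.g. `/* optional, may be NULL: lets the format adjust PaX state when mprotect() changes vma flags */`, with the wording adjusted to what the implementation actually does. The struct definition starts outside the hunk.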
62101 diff -urNp linux-2.6.39.3/include/linux/blkdev.h linux-2.6.39.3/include/linux/blkdev.h
62102 --- linux-2.6.39.3/include/linux/blkdev.h 2011-06-03 00:04:14.000000000 -0400
62103 +++ linux-2.6.39.3/include/linux/blkdev.h 2011-06-03 00:32:08.000000000 -0400
62104 @@ -1292,22 +1292,22 @@ queue_max_integrity_segments(struct requ
62105 #endif /* CONFIG_BLK_DEV_INTEGRITY */
62106
62107 struct block_device_operations {
62108 - int (*open) (struct block_device *, fmode_t);
62109 - int (*release) (struct gendisk *, fmode_t);
62110 - int (*ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
62111 - int (*compat_ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
62112 - int (*direct_access) (struct block_device *, sector_t,
62113 + int (* const open) (struct block_device *, fmode_t);
62114 + int (* const release) (struct gendisk *, fmode_t);
62115 + int (* const ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
62116 + int (* const compat_ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
62117 + int (* const direct_access) (struct block_device *, sector_t,
62118 void **, unsigned long *);
62119 - unsigned int (*check_events) (struct gendisk *disk,
62120 + unsigned int (* const check_events) (struct gendisk *disk,
62121 unsigned int clearing);
62122 /* ->media_changed() is DEPRECATED, use ->check_events() instead */
62123 - int (*media_changed) (struct gendisk *);
62124 - void (*unlock_native_capacity) (struct gendisk *);
62125 - int (*revalidate_disk) (struct gendisk *);
62126 - int (*getgeo)(struct block_device *, struct hd_geometry *);
62127 + int (* const media_changed) (struct gendisk *);
62128 + void (* const unlock_native_capacity) (struct gendisk *);
62129 + int (* const revalidate_disk) (struct gendisk *);
62130 + int (* const getgeo)(struct block_device *, struct hd_geometry *);
62131 /* this callback is with swap_lock and sometimes page table lock held */
62132 - void (*swap_slot_free_notify) (struct block_device *, unsigned long);
62133 - struct module *owner;
62134 + void (* const swap_slot_free_notify) (struct block_device *, unsigned long);
62135 + struct module * const owner;
62136 };
62137
62138 extern int __blkdev_driver_ioctl(struct block_device *, fmode_t, unsigned int,
62139 diff -urNp linux-2.6.39.3/include/linux/blktrace_api.h linux-2.6.39.3/include/linux/blktrace_api.h
62140 --- linux-2.6.39.3/include/linux/blktrace_api.h 2011-05-19 00:06:34.000000000 -0400
62141 +++ linux-2.6.39.3/include/linux/blktrace_api.h 2011-05-22 19:36:32.000000000 -0400
62142 @@ -161,7 +161,7 @@ struct blk_trace {
62143 struct dentry *dir;
62144 struct dentry *dropped_file;
62145 struct dentry *msg_file;
62146 - atomic_t dropped;
62147 + atomic_unchecked_t dropped;
62148 };
62149
62150 extern int blk_trace_ioctl(struct block_device *, unsigned, char __user *);
62151 diff -urNp linux-2.6.39.3/include/linux/byteorder/little_endian.h linux-2.6.39.3/include/linux/byteorder/little_endian.h
62152 --- linux-2.6.39.3/include/linux/byteorder/little_endian.h 2011-05-19 00:06:34.000000000 -0400
62153 +++ linux-2.6.39.3/include/linux/byteorder/little_endian.h 2011-05-22 19:36:32.000000000 -0400
62154 @@ -42,51 +42,51 @@
62155
62156 static inline __le64 __cpu_to_le64p(const __u64 *p)
62157 {
62158 - return (__force __le64)*p;
62159 + return (__force const __le64)*p;
62160 }
62161 static inline __u64 __le64_to_cpup(const __le64 *p)
62162 {
62163 - return (__force __u64)*p;
62164 + return (__force const __u64)*p;
62165 }
62166 static inline __le32 __cpu_to_le32p(const __u32 *p)
62167 {
62168 - return (__force __le32)*p;
62169 + return (__force const __le32)*p;
62170 }
62171 static inline __u32 __le32_to_cpup(const __le32 *p)
62172 {
62173 - return (__force __u32)*p;
62174 + return (__force const __u32)*p;
62175 }
62176 static inline __le16 __cpu_to_le16p(const __u16 *p)
62177 {
62178 - return (__force __le16)*p;
62179 + return (__force const __le16)*p;
62180 }
62181 static inline __u16 __le16_to_cpup(const __le16 *p)
62182 {
62183 - return (__force __u16)*p;
62184 + return (__force const __u16)*p;
62185 }
62186 static inline __be64 __cpu_to_be64p(const __u64 *p)
62187 {
62188 - return (__force __be64)__swab64p(p);
62189 + return (__force const __be64)__swab64p(p);
62190 }
62191 static inline __u64 __be64_to_cpup(const __be64 *p)
62192 {
62193 - return __swab64p((__u64 *)p);
62194 + return __swab64p((const __u64 *)p);
62195 }
62196 static inline __be32 __cpu_to_be32p(const __u32 *p)
62197 {
62198 - return (__force __be32)__swab32p(p);
62199 + return (__force const __be32)__swab32p(p);
62200 }
62201 static inline __u32 __be32_to_cpup(const __be32 *p)
62202 {
62203 - return __swab32p((__u32 *)p);
62204 + return __swab32p((const __u32 *)p);
62205 }
62206 static inline __be16 __cpu_to_be16p(const __u16 *p)
62207 {
62208 - return (__force __be16)__swab16p(p);
62209 + return (__force const __be16)__swab16p(p);
62210 }
62211 static inline __u16 __be16_to_cpup(const __be16 *p)
62212 {
62213 - return __swab16p((__u16 *)p);
62214 + return __swab16p((const __u16 *)p);
62215 }
62216 #define __cpu_to_le64s(x) do { (void)(x); } while (0)
62217 #define __le64_to_cpus(x) do { (void)(x); } while (0)
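Review bot: The `const` added to the value casts, such as `(__force const __le64)*p` and `(__force const __be64)__swab64p(p)`, has no effect, because a top-level qualifier on the result of a cast is discarded. Only the pointer casts carry meaning: `(const __u64 *)p`, `(const __u32 *)p` and `(const __u16 *)p` stop the helpers from casting away the `const` on their parameter. I would keep those three and drop the qualifier from the nine value casts, leaving for example `return (__force __le64)*p;` unchanged from upstream. That keeps the patch smaller and makes the real fix easier to see.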
62218 diff -urNp linux-2.6.39.3/include/linux/cache.h linux-2.6.39.3/include/linux/cache.h
62219 --- linux-2.6.39.3/include/linux/cache.h 2011-05-19 00:06:34.000000000 -0400
62220 +++ linux-2.6.39.3/include/linux/cache.h 2011-05-22 19:36:32.000000000 -0400
62221 @@ -16,6 +16,10 @@
62222 #define __read_mostly
62223 #endif
62224
62225 +#ifndef __read_only
62226 +#define __read_only __read_mostly
62227 +#endif
62228 +
62229 #ifndef ____cacheline_aligned
62230 #define ____cacheline_aligned __attribute__((__aligned__(SMP_CACHE_BYTES)))
62231 #endif
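Review bot: The fallback `#define __read_only __read_mostly` silently places `__read_only` data in an ordinary writable section on any architecture that does not supply its own definition. A variable annotated `__read_only` then looks protected in the source but is not. A comment above the fallback should say so, e.g. `/* No arch support: __read_only objects are NOT write-protected here, they only get __read_mostly placement. */`. This matters for review of the rest of the patch, because the vmlinux.lds.h hunk that folds `.data..read_only` into `.rodata` only helps where an architecture maps the annotation to that section.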
62232 diff -urNp linux-2.6.39.3/include/linux/capability.h linux-2.6.39.3/include/linux/capability.h
62233 --- linux-2.6.39.3/include/linux/capability.h 2011-05-19 00:06:34.000000000 -0400
62234 +++ linux-2.6.39.3/include/linux/capability.h 2011-05-22 21:02:47.000000000 -0400
62235 @@ -547,6 +547,9 @@ extern bool capable(int cap);
62236 extern bool ns_capable(struct user_namespace *ns, int cap);
62237 extern bool task_ns_capable(struct task_struct *t, int cap);
62238 extern bool nsown_capable(int cap);
62239 +extern bool task_ns_capable_nolog(struct task_struct *t, int cap);
62240 +extern bool ns_capable_nolog(struct user_namespace *ns, int cap);
62241 +extern bool capable_nolog(int cap);
62242
62243 /* audit system wants to get cap info from files as well */
62244 extern int get_vfs_caps_from_disk(const struct dentry *dentry, struct cpu_vfs_cap_data *cpu_caps);
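Review bot: The three `*_nolog` declarations are added without a comment saying how they differ from `capable()`, `ns_capable()` and `task_ns_capable()` above them. From the name they presumably perform the same check while suppressing a log entry, but which log is not visible here. A caller who picks the wrong variant would silently lose the record of a denied capability check. I would add something like `/* _nolog variants: same decision as the functions above, but no log entry is emitted; use only for probing checks whose failure is expected */`, corrected against the implementation.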
62245 diff -urNp linux-2.6.39.3/include/linux/compiler-gcc4.h linux-2.6.39.3/include/linux/compiler-gcc4.h
62246 --- linux-2.6.39.3/include/linux/compiler-gcc4.h 2011-05-19 00:06:34.000000000 -0400
62247 +++ linux-2.6.39.3/include/linux/compiler-gcc4.h 2011-05-22 19:36:32.000000000 -0400
62248 @@ -46,6 +46,11 @@
62249 #define __noclone __attribute__((__noclone__))
62250
62251 #endif
62252 +
62253 +#define __alloc_size(...) __attribute((alloc_size(__VA_ARGS__)))
62254 +#define __bos(ptr, arg) __builtin_object_size((ptr), (arg))
62255 +#define __bos0(ptr) __bos((ptr), 0)
62256 +#define __bos1(ptr) __bos((ptr), 1)
62257 #endif
62258
62259 #if __GNUC_MINOR__ > 0
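Review bot: `__alloc_size` is spelled with `__attribute` and the unreserved attribute name `alloc_size`, while the line just above in this file uses `__attribute__((__noclone__))`. Matching the file's style also avoids breakage if some header defines `alloc_size` as a macro: `#define __alloc_size(...) __attribute__((__alloc_size__(__VA_ARGS__)))`. The additions sit between two `#endif` lines, so the compiler-version condition that encloses them is not visible from the hunk. It should be checked against the first GCC release that supports the attribute and `__builtin_object_size`.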
62260 diff -urNp linux-2.6.39.3/include/linux/compiler.h linux-2.6.39.3/include/linux/compiler.h
62261 --- linux-2.6.39.3/include/linux/compiler.h 2011-05-19 00:06:34.000000000 -0400
62262 +++ linux-2.6.39.3/include/linux/compiler.h 2011-05-22 19:36:32.000000000 -0400
62263 @@ -273,6 +273,22 @@ void ftrace_likely_update(struct ftrace_
62264 #define __cold
62265 #endif
62266
62267 +#ifndef __alloc_size
62268 +#define __alloc_size
62269 +#endif
62270 +
62271 +#ifndef __bos
62272 +#define __bos
62273 +#endif
62274 +
62275 +#ifndef __bos0
62276 +#define __bos0
62277 +#endif
62278 +
62279 +#ifndef __bos1
62280 +#define __bos1
62281 +#endif
62282 +
62283 /* Simple shorthand for a section definition */
62284 #ifndef __section
62285 # define __section(S) __attribute__ ((__section__(#S)))
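Review bot: The four fallbacks are object-like empty macros, but compiler-gcc4.h defines the same names as function-like macros, so on any compiler that reaches this fallback the call sites expand to something unintended. `__bos0(p)` becomes `(p)`, the pointer itself; `__bos(p, 0)` becomes the comma expression `(p, 0)`, which is 0; and `__alloc_size(1)` after a declarator becomes `(1)`, a syntax error. A size check built on `__bos0()` would then compare a length against a pointer value or against zero. The fallbacks should take the same parameters and yield the value the builtin reports for modes 0 and 1 when the size is unknown, as sketched below.
```c
#ifndef __alloc_size
#define __alloc_size(...)
#endif

#ifndef __bos
#define __bos(ptr, arg) ((size_t)-1)
#endif

#ifndef __bos0
#define __bos0(ptr) __bos((ptr), 0)
#endif

#ifndef __bos1
#define __bos1(ptr) __bos((ptr), 1)
#endif
/* … unchanged: __section definition … */
```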
62286 @@ -306,6 +322,7 @@ void ftrace_likely_update(struct ftrace_
62287 * use is to mediate communication between process-level code and irq/NMI
62288 * handlers, all running on the same CPU.
62289 */
62290 -#define ACCESS_ONCE(x) (*(volatile typeof(x) *)&(x))
62291 +#define ACCESS_ONCE(x) (*(volatile const typeof(x) *)&(x))
62292 +#define ACCESS_ONCE_RW(x) (*(volatile typeof(x) *)&(x))
62293
62294 #endif /* __LINUX_COMPILER_H */
62295 diff -urNp linux-2.6.39.3/include/linux/concap.h linux-2.6.39.3/include/linux/concap.h
62296 --- linux-2.6.39.3/include/linux/concap.h 2011-05-19 00:06:34.000000000 -0400
62297 +++ linux-2.6.39.3/include/linux/concap.h 2011-05-22 19:36:32.000000000 -0400
62298 @@ -30,7 +30,7 @@ struct concap_device_ops;
62299 struct concap_proto{
62300 struct net_device *net_dev; /* net device using our service */
62301 struct concap_device_ops *dops; /* callbacks provided by device */
62302 - struct concap_proto_ops *pops; /* callbacks provided by us */
62303 + const struct concap_proto_ops *pops; /* callbacks provided by us */
62304 spinlock_t lock;
62305 int flags;
62306 void *proto_data; /* protocol specific private data, to
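Review bot: Only `pops` is made `const` here, while the sibling table pointer `dops` one line above stays mutable. The configfs.h hunk has the same asymmetry: `ct_group_ops` becomes `const` but `ct_item_ops` does not. If the device and item operation tables are never written after initialisation, they should get the same qualifier so that all function-pointer tables reachable from these structs can live in read-only memory. If something does write them, a comment should say so, e.g. `/* not const: filled in at runtime by <caller> */`, with the caller named once identified. Both structs extend beyond their hunks.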
62307 diff -urNp linux-2.6.39.3/include/linux/configfs.h linux-2.6.39.3/include/linux/configfs.h
62308 --- linux-2.6.39.3/include/linux/configfs.h 2011-05-19 00:06:34.000000000 -0400
62309 +++ linux-2.6.39.3/include/linux/configfs.h 2011-05-22 19:36:32.000000000 -0400
62310 @@ -82,7 +82,7 @@ extern void config_item_put(struct confi
62311 struct config_item_type {
62312 struct module *ct_owner;
62313 struct configfs_item_operations *ct_item_ops;
62314 - struct configfs_group_operations *ct_group_ops;
62315 + const struct configfs_group_operations *ct_group_ops;
62316 struct configfs_attribute **ct_attrs;
62317 };
62318
62319 diff -urNp linux-2.6.39.3/include/linux/cpuset.h linux-2.6.39.3/include/linux/cpuset.h
62320 --- linux-2.6.39.3/include/linux/cpuset.h 2011-05-19 00:06:34.000000000 -0400
62321 +++ linux-2.6.39.3/include/linux/cpuset.h 2011-05-22 19:36:32.000000000 -0400
62322 @@ -118,7 +118,7 @@ static inline void put_mems_allowed(void
62323 * nodemask.
62324 */
62325 smp_mb();
62326 - --ACCESS_ONCE(current->mems_allowed_change_disable);
62327 + --ACCESS_ONCE_RW(current->mems_allowed_change_disable);
62328 }
62329
62330 static inline void set_mems_allowed(nodemask_t nodemask)
62331 diff -urNp linux-2.6.39.3/include/linux/dca.h linux-2.6.39.3/include/linux/dca.h
62332 --- linux-2.6.39.3/include/linux/dca.h 2011-05-19 00:06:34.000000000 -0400
62333 +++ linux-2.6.39.3/include/linux/dca.h 2011-05-22 19:36:32.000000000 -0400
62334 @@ -34,7 +34,7 @@ void dca_unregister_notify(struct notifi
62335
62336 struct dca_provider {
62337 struct list_head node;
62338 - struct dca_ops *ops;
62339 + const struct dca_ops *ops;
62340 struct device *cd;
62341 int id;
62342 };
62343 @@ -53,7 +53,7 @@ struct dca_ops {
62344 int (*dev_managed) (struct dca_provider *, struct device *);
62345 };
62346
62347 -struct dca_provider *alloc_dca_provider(struct dca_ops *ops, int priv_size);
62348 +struct dca_provider *alloc_dca_provider(const struct dca_ops *ops, int priv_size);
62349 void free_dca_provider(struct dca_provider *dca);
62350 int register_dca_provider(struct dca_provider *dca, struct device *dev);
62351 void unregister_dca_provider(struct dca_provider *dca, struct device *dev);
62352 diff -urNp linux-2.6.39.3/include/linux/decompress/mm.h linux-2.6.39.3/include/linux/decompress/mm.h
62353 --- linux-2.6.39.3/include/linux/decompress/mm.h 2011-05-19 00:06:34.000000000 -0400
62354 +++ linux-2.6.39.3/include/linux/decompress/mm.h 2011-05-22 19:36:33.000000000 -0400
62355 @@ -77,7 +77,7 @@ static void free(void *where)
62356 * warnings when not needed (indeed large_malloc / large_free are not
62357 * needed by inflate */
62358
62359 -#define malloc(a) kmalloc(a, GFP_KERNEL)
62360 +#define malloc(a) kmalloc((a), GFP_KERNEL)
62361 #define free(a) kfree(a)
62362
62363 #define large_malloc(a) vmalloc(a)
62364 diff -urNp linux-2.6.39.3/include/linux/dma-mapping.h linux-2.6.39.3/include/linux/dma-mapping.h
62365 --- linux-2.6.39.3/include/linux/dma-mapping.h 2011-05-19 00:06:34.000000000 -0400
62366 +++ linux-2.6.39.3/include/linux/dma-mapping.h 2011-05-22 19:36:33.000000000 -0400
62367 @@ -16,40 +16,40 @@ enum dma_data_direction {
62368 };
62369
62370 struct dma_map_ops {
62371 - void* (*alloc_coherent)(struct device *dev, size_t size,
62372 + void* (* const alloc_coherent)(struct device *dev, size_t size,
62373 dma_addr_t *dma_handle, gfp_t gfp);
62374 - void (*free_coherent)(struct device *dev, size_t size,
62375 + void (* const free_coherent)(struct device *dev, size_t size,
62376 void *vaddr, dma_addr_t dma_handle);
62377 - dma_addr_t (*map_page)(struct device *dev, struct page *page,
62378 + dma_addr_t (* const map_page)(struct device *dev, struct page *page,
62379 unsigned long offset, size_t size,
62380 enum dma_data_direction dir,
62381 struct dma_attrs *attrs);
62382 - void (*unmap_page)(struct device *dev, dma_addr_t dma_handle,
62383 + void (* const unmap_page)(struct device *dev, dma_addr_t dma_handle,
62384 size_t size, enum dma_data_direction dir,
62385 struct dma_attrs *attrs);
62386 - int (*map_sg)(struct device *dev, struct scatterlist *sg,
62387 + int (* const map_sg)(struct device *dev, struct scatterlist *sg,
62388 int nents, enum dma_data_direction dir,
62389 struct dma_attrs *attrs);
62390 - void (*unmap_sg)(struct device *dev,
62391 + void (* const unmap_sg)(struct device *dev,
62392 struct scatterlist *sg, int nents,
62393 enum dma_data_direction dir,
62394 struct dma_attrs *attrs);
62395 - void (*sync_single_for_cpu)(struct device *dev,
62396 + void (* const sync_single_for_cpu)(struct device *dev,
62397 dma_addr_t dma_handle, size_t size,
62398 enum dma_data_direction dir);
62399 - void (*sync_single_for_device)(struct device *dev,
62400 + void (* const sync_single_for_device)(struct device *dev,
62401 dma_addr_t dma_handle, size_t size,
62402 enum dma_data_direction dir);
62403 - void (*sync_sg_for_cpu)(struct device *dev,
62404 + void (* const sync_sg_for_cpu)(struct device *dev,
62405 struct scatterlist *sg, int nents,
62406 enum dma_data_direction dir);
62407 - void (*sync_sg_for_device)(struct device *dev,
62408 + void (* const sync_sg_for_device)(struct device *dev,
62409 struct scatterlist *sg, int nents,
62410 enum dma_data_direction dir);
62411 - int (*mapping_error)(struct device *dev, dma_addr_t dma_addr);
62412 - int (*dma_supported)(struct device *dev, u64 mask);
62413 - int (*set_dma_mask)(struct device *dev, u64 mask);
62414 - int is_phys;
62415 + int (* const mapping_error)(struct device *dev, dma_addr_t dma_addr);
62416 + int (* const dma_supported)(struct device *dev, u64 mask);
62417 + int (* set_dma_mask)(struct device *dev, u64 mask);
62418 + const int is_phys;
62419 };
62420
62421 #define DMA_BIT_MASK(n) (((n) == 64) ? ~0ULL : ((1ULL<<(n))-1))
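Review bot: Every callback in `struct dma_map_ops` becomes `* const` except `set_dma_mask`, which is left writable as `int (* set_dma_mask)` with no explanation. Presumably some architecture assigns that member at runtime, but the hunk does not show it, and a reader cannot tell a deliberate exception from an oversight. I would either make it `int (* const set_dma_mask)(struct device *dev, u64 mask);` like the rest, or keep it and add `/* not const: assigned at runtime by arch setup code */`, naming the writer. The stray space after `(*` should go in either case.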
62422 diff -urNp linux-2.6.39.3/include/linux/elf.h linux-2.6.39.3/include/linux/elf.h
62423 --- linux-2.6.39.3/include/linux/elf.h 2011-05-19 00:06:34.000000000 -0400
62424 +++ linux-2.6.39.3/include/linux/elf.h 2011-05-22 19:36:33.000000000 -0400
62425 @@ -49,6 +49,17 @@ typedef __s64 Elf64_Sxword;
62426 #define PT_GNU_EH_FRAME 0x6474e550
62427
62428 #define PT_GNU_STACK (PT_LOOS + 0x474e551)
62429 +#define PT_GNU_RELRO (PT_LOOS + 0x474e552)
62430 +
62431 +#define PT_PAX_FLAGS (PT_LOOS + 0x5041580)
62432 +
62433 +/* Constants for the e_flags field */
62434 +#define EF_PAX_PAGEEXEC 1 /* Paging based non-executable pages */
62435 +#define EF_PAX_EMUTRAMP 2 /* Emulate trampolines */
62436 +#define EF_PAX_MPROTECT 4 /* Restrict mprotect() */
62437 +#define EF_PAX_RANDMMAP 8 /* Randomize mmap() base */
62438 +/*#define EF_PAX_RANDEXEC 16*/ /* Randomize ET_EXEC base */
62439 +#define EF_PAX_SEGMEXEC 32 /* Segmentation based non-executable pages */
62440
62441 /*
62442 * Extended Numbering
62443 @@ -106,6 +117,8 @@ typedef __s64 Elf64_Sxword;
62444 #define DT_DEBUG 21
62445 #define DT_TEXTREL 22
62446 #define DT_JMPREL 23
62447 +#define DT_FLAGS 30
62448 + #define DF_TEXTREL 0x00000004
62449 #define DT_ENCODING 32
62450 #define OLD_DT_LOOS 0x60000000
62451 #define DT_LOOS 0x6000000d
62452 @@ -252,6 +265,19 @@ typedef struct elf64_hdr {
62453 #define PF_W 0x2
62454 #define PF_X 0x1
62455
62456 +#define PF_PAGEEXEC (1U << 4) /* Enable PAGEEXEC */
62457 +#define PF_NOPAGEEXEC (1U << 5) /* Disable PAGEEXEC */
62458 +#define PF_SEGMEXEC (1U << 6) /* Enable SEGMEXEC */
62459 +#define PF_NOSEGMEXEC (1U << 7) /* Disable SEGMEXEC */
62460 +#define PF_MPROTECT (1U << 8) /* Enable MPROTECT */
62461 +#define PF_NOMPROTECT (1U << 9) /* Disable MPROTECT */
62462 +/*#define PF_RANDEXEC (1U << 10)*/ /* Enable RANDEXEC */
62463 +/*#define PF_NORANDEXEC (1U << 11)*/ /* Disable RANDEXEC */
62464 +#define PF_EMUTRAMP (1U << 12) /* Enable EMUTRAMP */
62465 +#define PF_NOEMUTRAMP (1U << 13) /* Disable EMUTRAMP */
62466 +#define PF_RANDMMAP (1U << 14) /* Enable RANDMMAP */
62467 +#define PF_NORANDMMAP (1U << 15) /* Disable RANDMMAP */
62468 +
62469 typedef struct elf32_phdr{
62470 Elf32_Word p_type;
62471 Elf32_Off p_offset;
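Review bot: The new `PF_*` PaX bits come in enable/disable pairs (`PF_PAGEEXEC`/`PF_NOPAGEEXEC`, `PF_MPROTECT`/`PF_NOMPROTECT` and so on), and the header does not say how a program header with both bits of a pair set, or neither, is to be interpreted. The parser is not in this hunk, so the behaviour cannot be checked here. The contract belongs next to the definitions, for example `/* exactly one bit of each pair may be set; conflicting or missing pairs fall back to the system default */`, corrected to match the loader. It would also help to note that these bits share `p_flags` with `PF_R`/`PF_W`/`PF_X` and are only meaningful in a `PT_PAX_FLAGS` header, if that is the intent.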
62472 @@ -344,6 +370,8 @@ typedef struct elf64_shdr {
62473 #define EI_OSABI 7
62474 #define EI_PAD 8
62475
62476 +#define EI_PAX 14
62477 +
62478 #define ELFMAG0 0x7f /* EI_MAG */
62479 #define ELFMAG1 'E'
62480 #define ELFMAG2 'L'
62481 @@ -421,6 +449,7 @@ extern Elf32_Dyn _DYNAMIC [];
62482 #define elf_note elf32_note
62483 #define elf_addr_t Elf32_Off
62484 #define Elf_Half Elf32_Half
62485 +#define elf_dyn Elf32_Dyn
62486
62487 #else
62488
62489 @@ -431,6 +460,7 @@ extern Elf64_Dyn _DYNAMIC [];
62490 #define elf_note elf64_note
62491 #define elf_addr_t Elf64_Off
62492 #define Elf_Half Elf64_Half
62493 +#define elf_dyn Elf64_Dyn
62494
62495 #endif
62496
62497 diff -urNp linux-2.6.39.3/include/linux/enclosure.h linux-2.6.39.3/include/linux/enclosure.h
62498 --- linux-2.6.39.3/include/linux/enclosure.h 2011-05-19 00:06:34.000000000 -0400
62499 +++ linux-2.6.39.3/include/linux/enclosure.h 2011-05-22 19:36:33.000000000 -0400
62500 @@ -98,7 +98,7 @@ struct enclosure_device {
62501 void *scratch;
62502 struct list_head node;
62503 struct device edev;
62504 - struct enclosure_component_callbacks *cb;
62505 + const struct enclosure_component_callbacks *cb;
62506 int components;
62507 struct enclosure_component component[0];
62508 };
62509 diff -urNp linux-2.6.39.3/include/linux/fscache-cache.h linux-2.6.39.3/include/linux/fscache-cache.h
62510 --- linux-2.6.39.3/include/linux/fscache-cache.h 2011-05-19 00:06:34.000000000 -0400
62511 +++ linux-2.6.39.3/include/linux/fscache-cache.h 2011-05-22 19:36:33.000000000 -0400
62512 @@ -113,7 +113,7 @@ struct fscache_operation {
62513 #endif
62514 };
62515
62516 -extern atomic_t fscache_op_debug_id;
62517 +extern atomic_unchecked_t fscache_op_debug_id;
62518 extern void fscache_op_work_func(struct work_struct *work);
62519
62520 extern void fscache_enqueue_operation(struct fscache_operation *);
62521 @@ -133,7 +133,7 @@ static inline void fscache_operation_ini
62522 {
62523 INIT_WORK(&op->work, fscache_op_work_func);
62524 atomic_set(&op->usage, 1);
62525 - op->debug_id = atomic_inc_return(&fscache_op_debug_id);
62526 + op->debug_id = atomic_inc_return_unchecked(&fscache_op_debug_id);
62527 op->processor = processor;
62528 op->release = release;
62529 INIT_LIST_HEAD(&op->pend_link);
62530 diff -urNp linux-2.6.39.3/include/linux/fs.h linux-2.6.39.3/include/linux/fs.h
62531 --- linux-2.6.39.3/include/linux/fs.h 2011-05-19 00:06:34.000000000 -0400
62532 +++ linux-2.6.39.3/include/linux/fs.h 2011-05-22 19:41:42.000000000 -0400
62533 @@ -108,6 +108,11 @@ struct inodes_stat_t {
62534 /* File was opened by fanotify and shouldn't generate fanotify events */
62535 #define FMODE_NONOTIFY ((__force fmode_t)0x1000000)
62536
62537 +/* Hack for grsec so as not to require read permission simply to execute
62538 + * a binary
62539 + */
62540 +#define FMODE_GREXEC ((__force fmode_t)0x2000000)
62541 +
62542 /*
62543 * The below are the various read and write types that we support. Some of
62544 * them include behavioral modifiers that send information down to the
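Review bot: `FMODE_GREXEC` relaxes a permission requirement ("so as not to require read permission simply to execute a binary"), yet its comment does not say who may set it or when it is cleared. Because it takes the next free bit after `FMODE_NONOTIFY`, it should be stated that the flag is kernel-internal, is set only on the exec path, and is never derived from user-supplied open flags. A suggested wording is `/* kernel-internal: set only while opening a file for execve(); must never be reachable from userspace open flags */`, verified against the code that sets it. The value `0x2000000` can also collide with an `FMODE_*` bit added upstream later, so it needs rechecking on each rebase.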
62545 @@ -575,41 +580,41 @@ typedef int (*read_actor_t)(read_descrip
62546 unsigned long, unsigned long);
62547
62548 struct address_space_operations {
62549 - int (*writepage)(struct page *page, struct writeback_control *wbc);
62550 - int (*readpage)(struct file *, struct page *);
62551 + int (* const writepage)(struct page *page, struct writeback_control *wbc);
62552 + int (* const readpage)(struct file *, struct page *);
62553
62554 /* Write back some dirty pages from this mapping. */
62555 - int (*writepages)(struct address_space *, struct writeback_control *);
62556 + int (* const writepages)(struct address_space *, struct writeback_control *);
62557
62558 /* Set a page dirty. Return true if this dirtied it */
62559 - int (*set_page_dirty)(struct page *page);
62560 + int (* const set_page_dirty)(struct page *page);
62561
62562 - int (*readpages)(struct file *filp, struct address_space *mapping,
62563 + int (* const readpages)(struct file *filp, struct address_space *mapping,
62564 struct list_head *pages, unsigned nr_pages);
62565
62566 - int (*write_begin)(struct file *, struct address_space *mapping,
62567 + int (* const write_begin)(struct file *, struct address_space *mapping,
62568 loff_t pos, unsigned len, unsigned flags,
62569 struct page **pagep, void **fsdata);
62570 - int (*write_end)(struct file *, struct address_space *mapping,
62571 + int (* const write_end)(struct file *, struct address_space *mapping,
62572 loff_t pos, unsigned len, unsigned copied,
62573 struct page *page, void *fsdata);
62574
62575 /* Unfortunately this kludge is needed for FIBMAP. Don't use it */
62576 - sector_t (*bmap)(struct address_space *, sector_t);
62577 - void (*invalidatepage) (struct page *, unsigned long);
62578 - int (*releasepage) (struct page *, gfp_t);
62579 - void (*freepage)(struct page *);
62580 - ssize_t (*direct_IO)(int, struct kiocb *, const struct iovec *iov,
62581 + sector_t (* const bmap)(struct address_space *, sector_t);
62582 + void (* const invalidatepage) (struct page *, unsigned long);
62583 + int (* const releasepage) (struct page *, gfp_t);
62584 + void (* const freepage)(struct page *);
62585 + ssize_t (* const direct_IO)(int, struct kiocb *, const struct iovec *iov,
62586 loff_t offset, unsigned long nr_segs);
62587 - int (*get_xip_mem)(struct address_space *, pgoff_t, int,
62588 + int (* const get_xip_mem)(struct address_space *, pgoff_t, int,
62589 void **, unsigned long *);
62590 /* migrate the contents of a page to the specified target */
62591 - int (*migratepage) (struct address_space *,
62592 + int (* const migratepage) (struct address_space *,
62593 struct page *, struct page *);
62594 - int (*launder_page) (struct page *);
62595 - int (*is_partially_uptodate) (struct page *, read_descriptor_t *,
62596 + int (* const launder_page) (struct page *);
62597 + int (* const is_partially_uptodate) (struct page *, read_descriptor_t *,
62598 unsigned long);
62599 - int (*error_remove_page)(struct address_space *, struct page *);
62600 + int (* const error_remove_page)(struct address_space *, struct page *);
62601 };
62602
62603 extern const struct address_space_operations empty_aops;
62604 @@ -1060,17 +1065,17 @@ static inline int file_check_writeable(s
62605 typedef struct files_struct *fl_owner_t;
62606
62607 struct file_lock_operations {
62608 - void (*fl_copy_lock)(struct file_lock *, struct file_lock *);
62609 - void (*fl_release_private)(struct file_lock *);
62610 + void (* const fl_copy_lock)(struct file_lock *, struct file_lock *);
62611 + void (* const fl_release_private)(struct file_lock *);
62612 };
62613
62614 struct lock_manager_operations {
62615 - int (*fl_compare_owner)(struct file_lock *, struct file_lock *);
62616 - void (*fl_notify)(struct file_lock *); /* unblock callback */
62617 - int (*fl_grant)(struct file_lock *, struct file_lock *, int);
62618 - void (*fl_release_private)(struct file_lock *);
62619 - void (*fl_break)(struct file_lock *);
62620 - int (*fl_change)(struct file_lock **, int);
62621 + int (* const fl_compare_owner)(struct file_lock *, struct file_lock *);
62622 + void (* const fl_notify)(struct file_lock *); /* unblock callback */
62623 + int (* const fl_grant)(struct file_lock *, struct file_lock *, int);
62624 + void (* const fl_release_private)(struct file_lock *);
62625 + void (* const fl_break)(struct file_lock *);
62626 + int (* const fl_change)(struct file_lock **, int);
62627 };
62628
62629 struct lock_manager {
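Review bot: The `* const` members do not by themselves place a `file_lock_operations` or `lock_manager_operations` instance in read-only memory; that still depends on each instance being declared `const`, as `empty_aops` is just above this hunk. What the qualifier does enforce is that every instance is filled in by its initializer, so any code that builds one of these tables at run time or copies one by struct assignment will stop compiling. Those definitions are outside this hunk, so I cannot confirm they were all converted. The same applies to the `super_operations` hunk that follows. A comment on each struct, e.g. `/* all members const: define instances as static const with a full initializer */`, would record the intent.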
62630 @@ -1611,31 +1616,31 @@ extern ssize_t vfs_writev(struct file *,
62631 unsigned long, loff_t *);
62632
62633 struct super_operations {
62634 - struct inode *(*alloc_inode)(struct super_block *sb);
62635 - void (*destroy_inode)(struct inode *);
62636 + struct inode *(* const alloc_inode)(struct super_block *sb);
62637 + void (* const destroy_inode)(struct inode *);
62638
62639 - void (*dirty_inode) (struct inode *);
62640 - int (*write_inode) (struct inode *, struct writeback_control *wbc);
62641 - int (*drop_inode) (struct inode *);
62642 - void (*evict_inode) (struct inode *);
62643 - void (*put_super) (struct super_block *);
62644 - void (*write_super) (struct super_block *);
62645 - int (*sync_fs)(struct super_block *sb, int wait);
62646 - int (*freeze_fs) (struct super_block *);
62647 - int (*unfreeze_fs) (struct super_block *);
62648 - int (*statfs) (struct dentry *, struct kstatfs *);
62649 - int (*remount_fs) (struct super_block *, int *, char *);
62650 - void (*umount_begin) (struct super_block *);
62651 -
62652 - int (*show_options)(struct seq_file *, struct vfsmount *);
62653 - int (*show_devname)(struct seq_file *, struct vfsmount *);
62654 - int (*show_path)(struct seq_file *, struct vfsmount *);
62655 - int (*show_stats)(struct seq_file *, struct vfsmount *);
62656 + void (* const dirty_inode) (struct inode *);
62657 + int (* const write_inode) (struct inode *, struct writeback_control *wbc);
62658 + int (* const drop_inode) (struct inode *);
62659 + void (* const evict_inode) (struct inode *);
62660 + void (* const put_super) (struct super_block *);
62661 + void (* const write_super) (struct super_block *);
62662 + int (* const sync_fs)(struct super_block *sb, int wait);
62663 + int (* const freeze_fs) (struct super_block *);
62664 + int (* const unfreeze_fs) (struct super_block *);
62665 + int (* const statfs) (struct dentry *, struct kstatfs *);
62666 + int (* const remount_fs) (struct super_block *, int *, char *);
62667 + void (* const umount_begin) (struct super_block *);
62668 +
62669 + int (* const show_options)(struct seq_file *, struct vfsmount *);
62670 + int (* const show_devname)(struct seq_file *, struct vfsmount *);
62671 + int (* const show_path)(struct seq_file *, struct vfsmount *);
62672 + int (* const show_stats)(struct seq_file *, struct vfsmount *);
62673 #ifdef CONFIG_QUOTA
62674 - ssize_t (*quota_read)(struct super_block *, int, char *, size_t, loff_t);
62675 - ssize_t (*quota_write)(struct super_block *, int, const char *, size_t, loff_t);
62676 + ssize_t (* const quota_read)(struct super_block *, int, char *, size_t, loff_t);
62677 + ssize_t (* const quota_write)(struct super_block *, int, const char *, size_t, loff_t);
62678 #endif
62679 - int (*bdev_try_to_free_page)(struct super_block*, struct page*, gfp_t);
62680 + int (* const bdev_try_to_free_page)(struct super_block*, struct page*, gfp_t);
62681 };
62682
62683 /*
62684 diff -urNp linux-2.6.39.3/include/linux/fs_struct.h linux-2.6.39.3/include/linux/fs_struct.h
62685 --- linux-2.6.39.3/include/linux/fs_struct.h 2011-05-19 00:06:34.000000000 -0400
62686 +++ linux-2.6.39.3/include/linux/fs_struct.h 2011-05-22 19:36:33.000000000 -0400
62687 @@ -6,7 +6,7 @@
62688 #include <linux/seqlock.h>
62689
62690 struct fs_struct {
62691 - int users;
62692 + atomic_t users;
62693 spinlock_t lock;
62694 seqcount_t seq;
62695 int umask;
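Review bot: `users` becomes an `atomic_t`, but nothing on the field says whether the count must still be changed only under `lock` or may now be changed without it. Every existing plain-integer access to `fs->users` has to move to `atomic_*()` calls. Those call sites are outside this hunk, so I cannot confirm they were all converted. A field comment such as `/* reference count; use atomic_*() accessors */` would record the new rule. The struct body continues past the end of the hunk.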
62696 diff -urNp linux-2.6.39.3/include/linux/ftrace_event.h linux-2.6.39.3/include/linux/ftrace_event.h
62697 --- linux-2.6.39.3/include/linux/ftrace_event.h 2011-05-19 00:06:34.000000000 -0400
62698 +++ linux-2.6.39.3/include/linux/ftrace_event.h 2011-05-22 19:36:33.000000000 -0400
62699 @@ -235,7 +235,7 @@ extern int trace_define_field(struct ftr
62700 extern int trace_add_event_call(struct ftrace_event_call *call);
62701 extern void trace_remove_event_call(struct ftrace_event_call *call);
62702
62703 -#define is_signed_type(type) (((type)(-1)) < 0)
62704 +#define is_signed_type(type) (((type)(-1)) < (type)1)
62705
62706 int trace_set_clr_event(const char *system, const char *event, int set);
62707
62708 diff -urNp linux-2.6.39.3/include/linux/ftrace.h linux-2.6.39.3/include/linux/ftrace.h
62709 --- linux-2.6.39.3/include/linux/ftrace.h 2011-05-19 00:06:34.000000000 -0400
62710 +++ linux-2.6.39.3/include/linux/ftrace.h 2011-05-22 19:36:33.000000000 -0400
62711 @@ -140,7 +140,7 @@ extern void
62712 unregister_ftrace_function_probe(char *glob, struct ftrace_probe_ops *ops,
62713 void *data);
62714 extern void
62715 -unregister_ftrace_function_probe_func(char *glob, struct ftrace_probe_ops *ops);
62716 +unregister_ftrace_function_probe_func(char *glob, const struct ftrace_probe_ops *ops);
62717 extern void unregister_ftrace_function_probe_all(char *glob);
62718
62719 extern int ftrace_text_reserved(void *start, void *end);
62720 diff -urNp linux-2.6.39.3/include/linux/genhd.h linux-2.6.39.3/include/linux/genhd.h
62721 --- linux-2.6.39.3/include/linux/genhd.h 2011-06-03 00:04:14.000000000 -0400
62722 +++ linux-2.6.39.3/include/linux/genhd.h 2011-06-03 00:32:08.000000000 -0400
62723 @@ -184,7 +184,7 @@ struct gendisk {
62724 struct kobject *slave_dir;
62725
62726 struct timer_rand_state *random;
62727 - atomic_t sync_io; /* RAID */
62728 + atomic_unchecked_t sync_io; /* RAID */
62729 struct disk_events *ev;
62730 #ifdef CONFIG_BLK_DEV_INTEGRITY
62731 struct blk_integrity *integrity;
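Review bot: `sync_io` moves to `atomic_unchecked_t` with no comment saying why wrap-around is acceptable for this counter. The unchecked type opts the field out of the overflow checking that PaX's REFCOUNT feature applies to `atomic_t`, so each such opt-out is worth justifying where the field is declared. If the field is only an I/O statistic, as the `/* RAID */` remark hints, something like `/* RAID; statistic only, may wrap */` would do. The users of the field are outside this hunk.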
62732 diff -urNp linux-2.6.39.3/include/linux/gracl.h linux-2.6.39.3/include/linux/gracl.h
62733 --- linux-2.6.39.3/include/linux/gracl.h 1969-12-31 19:00:00.000000000 -0500
62734 +++ linux-2.6.39.3/include/linux/gracl.h 2011-05-22 19:41:42.000000000 -0400
62735 @@ -0,0 +1,317 @@
62736 +#ifndef GR_ACL_H
62737 +#define GR_ACL_H
62738 +
62739 +#include <linux/grdefs.h>
62740 +#include <linux/resource.h>
62741 +#include <linux/capability.h>
62742 +#include <linux/dcache.h>
62743 +#include <asm/resource.h>
62744 +
62745 +/* Major status information */
62746 +
62747 +#define GR_VERSION "grsecurity 2.2.2"
62748 +#define GRSECURITY_VERSION 0x2202
62749 +
62750 +enum {
62751 + GR_SHUTDOWN = 0,
62752 + GR_ENABLE = 1,
62753 + GR_SPROLE = 2,
62754 + GR_RELOAD = 3,
62755 + GR_SEGVMOD = 4,
62756 + GR_STATUS = 5,
62757 + GR_UNSPROLE = 6,
62758 + GR_PASSSET = 7,
62759 + GR_SPROLEPAM = 8,
62760 +};
62761 +
62762 +/* Password setup definitions
62763 + * kernel/grhash.c */
62764 +enum {
62765 + GR_PW_LEN = 128,
62766 + GR_SALT_LEN = 16,
62767 + GR_SHA_LEN = 32,
62768 +};
62769 +
62770 +enum {
62771 + GR_SPROLE_LEN = 64,
62772 +};
62773 +
62774 +enum {
62775 + GR_NO_GLOB = 0,
62776 + GR_REG_GLOB,
62777 + GR_CREATE_GLOB
62778 +};
62779 +
62780 +#define GR_NLIMITS 32
62781 +
62782 +/* Begin Data Structures */
62783 +
62784 +struct sprole_pw {
62785 + unsigned char *rolename;
62786 + unsigned char salt[GR_SALT_LEN];
62787 + unsigned char sum[GR_SHA_LEN]; /* 256-bit SHA hash of the password */
62788 +};
62789 +
62790 +struct name_entry {
62791 + __u32 key;
62792 + ino_t inode;
62793 + dev_t device;
62794 + char *name;
62795 + __u16 len;
62796 + __u8 deleted;
62797 + struct name_entry *prev;
62798 + struct name_entry *next;
62799 +};
62800 +
62801 +struct inodev_entry {
62802 + struct name_entry *nentry;
62803 + struct inodev_entry *prev;
62804 + struct inodev_entry *next;
62805 +};
62806 +
62807 +struct acl_role_db {
62808 + struct acl_role_label **r_hash;
62809 + __u32 r_size;
62810 +};
62811 +
62812 +struct inodev_db {
62813 + struct inodev_entry **i_hash;
62814 + __u32 i_size;
62815 +};
62816 +
62817 +struct name_db {
62818 + struct name_entry **n_hash;
62819 + __u32 n_size;
62820 +};
62821 +
62822 +struct crash_uid {
62823 + uid_t uid;
62824 + unsigned long expires;
62825 +};
62826 +
62827 +struct gr_hash_struct {
62828 + void **table;
62829 + void **nametable;
62830 + void *first;
62831 + __u32 table_size;
62832 + __u32 used_size;
62833 + int type;
62834 +};
62835 +
62836 +/* Userspace Grsecurity ACL data structures */
62837 +
62838 +struct acl_subject_label {
62839 + char *filename;
62840 + ino_t inode;
62841 + dev_t device;
62842 + __u32 mode;
62843 + kernel_cap_t cap_mask;
62844 + kernel_cap_t cap_lower;
62845 + kernel_cap_t cap_invert_audit;
62846 +
62847 + struct rlimit res[GR_NLIMITS];
62848 + __u32 resmask;
62849 +
62850 + __u8 user_trans_type;
62851 + __u8 group_trans_type;
62852 + uid_t *user_transitions;
62853 + gid_t *group_transitions;
62854 + __u16 user_trans_num;
62855 + __u16 group_trans_num;
62856 +
62857 + __u32 sock_families[2];
62858 + __u32 ip_proto[8];
62859 + __u32 ip_type;
62860 + struct acl_ip_label **ips;
62861 + __u32 ip_num;
62862 + __u32 inaddr_any_override;
62863 +
62864 + __u32 crashes;
62865 + unsigned long expires;
62866 +
62867 + struct acl_subject_label *parent_subject;
62868 + struct gr_hash_struct *hash;
62869 + struct acl_subject_label *prev;
62870 + struct acl_subject_label *next;
62871 +
62872 + struct acl_object_label **obj_hash;
62873 + __u32 obj_hash_size;
62874 + __u16 pax_flags;
62875 +};
62876 +
62877 +struct role_allowed_ip {
62878 + __u32 addr;
62879 + __u32 netmask;
62880 +
62881 + struct role_allowed_ip *prev;
62882 + struct role_allowed_ip *next;
62883 +};
62884 +
62885 +struct role_transition {
62886 + char *rolename;
62887 +
62888 + struct role_transition *prev;
62889 + struct role_transition *next;
62890 +};
62891 +
62892 +struct acl_role_label {
62893 + char *rolename;
62894 + uid_t uidgid;
62895 + __u16 roletype;
62896 +
62897 + __u16 auth_attempts;
62898 + unsigned long expires;
62899 +
62900 + struct acl_subject_label *root_label;
62901 + struct gr_hash_struct *hash;
62902 +
62903 + struct acl_role_label *prev;
62904 + struct acl_role_label *next;
62905 +
62906 + struct role_transition *transitions;
62907 + struct role_allowed_ip *allowed_ips;
62908 + uid_t *domain_children;
62909 + __u16 domain_child_num;
62910 +
62911 + struct acl_subject_label **subj_hash;
62912 + __u32 subj_hash_size;
62913 +};
62914 +
62915 +struct user_acl_role_db {
62916 + struct acl_role_label **r_table;
62917 + __u32 num_pointers; /* Number of allocations to track */
62918 + __u32 num_roles; /* Number of roles */
62919 + __u32 num_domain_children; /* Number of domain children */
62920 + __u32 num_subjects; /* Number of subjects */
62921 + __u32 num_objects; /* Number of objects */
62922 +};
62923 +
62924 +struct acl_object_label {
62925 + char *filename;
62926 + ino_t inode;
62927 + dev_t device;
62928 + __u32 mode;
62929 +
62930 + struct acl_subject_label *nested;
62931 + struct acl_object_label *globbed;
62932 +
62933 + /* next two structures not used */
62934 +
62935 + struct acl_object_label *prev;
62936 + struct acl_object_label *next;
62937 +};
62938 +
62939 +struct acl_ip_label {
62940 + char *iface;
62941 + __u32 addr;
62942 + __u32 netmask;
62943 + __u16 low, high;
62944 + __u8 mode;
62945 + __u32 type;
62946 + __u32 proto[8];
62947 +
62948 + /* next two structures not used */
62949 +
62950 + struct acl_ip_label *prev;
62951 + struct acl_ip_label *next;
62952 +};
62953 +
62954 +struct gr_arg {
62955 + struct user_acl_role_db role_db;
62956 + unsigned char pw[GR_PW_LEN];
62957 + unsigned char salt[GR_SALT_LEN];
62958 + unsigned char sum[GR_SHA_LEN];
62959 + unsigned char sp_role[GR_SPROLE_LEN];
62960 + struct sprole_pw *sprole_pws;
62961 + dev_t segv_device;
62962 + ino_t segv_inode;
62963 + uid_t segv_uid;
62964 + __u16 num_sprole_pws;
62965 + __u16 mode;
62966 +};
62967 +
62968 +struct gr_arg_wrapper {
62969 + struct gr_arg *arg;
62970 + __u32 version;
62971 + __u32 size;
62972 +};
62973 +
62974 +struct subject_map {
62975 + struct acl_subject_label *user;
62976 + struct acl_subject_label *kernel;
62977 + struct subject_map *prev;
62978 + struct subject_map *next;
62979 +};
62980 +
62981 +struct acl_subj_map_db {
62982 + struct subject_map **s_hash;
62983 + __u32 s_size;
62984 +};
62985 +
62986 +/* End Data Structures Section */
62987 +
62988 +/* Hash functions generated by empirical testing by Brad Spengler
62989 + Makes good use of the low bits of the inode. Generally 0-1 times
62990 + in loop for successful match. 0-3 for unsuccessful match.
62991 + Shift/add algorithm with modulus of table size and an XOR*/
62992 +
62993 +static __inline__ unsigned int
62994 +rhash(const uid_t uid, const __u16 type, const unsigned int sz)
62995 +{
62996 + return ((((uid + type) << (16 + type)) ^ uid) % sz);
62997 +}
62998 +
62999 + static __inline__ unsigned int
63000 +shash(const struct acl_subject_label *userp, const unsigned int sz)
63001 +{
63002 + return ((const unsigned long)userp % sz);
63003 +}
63004 +
63005 +static __inline__ unsigned int
63006 +fhash(const ino_t ino, const dev_t dev, const unsigned int sz)
63007 +{
63008 + return (((ino + dev) ^ ((ino << 13) + (ino << 23) + (dev << 9))) % sz);
63009 +}
63010 +
63011 +static __inline__ unsigned int
63012 +nhash(const char *name, const __u16 len, const unsigned int sz)
63013 +{
63014 + return full_name_hash((const unsigned char *)name, len) % sz;
63015 +}
63016 +
63017 +#define FOR_EACH_ROLE_START(role) \
63018 + role = role_list; \
63019 + while (role) {
63020 +
63021 +#define FOR_EACH_ROLE_END(role) \
63022 + role = role->prev; \
63023 + }
63024 +
63025 +#define FOR_EACH_SUBJECT_START(role,subj,iter) \
63026 + subj = NULL; \
63027 + iter = 0; \
63028 + while (iter < role->subj_hash_size) { \
63029 + if (subj == NULL) \
63030 + subj = role->subj_hash[iter]; \
63031 + if (subj == NULL) { \
63032 + iter++; \
63033 + continue; \
63034 + }
63035 +
63036 +#define FOR_EACH_SUBJECT_END(subj,iter) \
63037 + subj = subj->next; \
63038 + if (subj == NULL) \
63039 + iter++; \
63040 + }
63041 +
63042 +
63043 +#define FOR_EACH_NESTED_SUBJECT_START(role,subj) \
63044 + subj = role->hash->first; \
63045 + while (subj != NULL) {
63046 +
63047 +#define FOR_EACH_NESTED_SUBJECT_END(subj) \
63048 + subj = subj->next; \
63049 + }
63050 +
63051 +#endif
63052 +
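Review bot: `rhash()` shifts by `16 + type` with no bound on `type`, so a `type` of 16 or more shifts the operand by at least 32 bits, which is undefined behaviour in C if `uid_t` is 32 bits wide, as it is in mainline. The role flags in grdefs.h run up to `GR_ROLE_PERSIST = 0x0800`, so the helper is only safe if callers pass a small value such as `GR_ROLE_USER` or `GR_ROLE_GROUP`; the callers are not in this hunk, so that is an assumption to confirm. All four helpers (`rhash`, `shash`, `fhash`, `nhash`) also take `% sz` and would divide by zero on an empty table. I would state both preconditions above the helpers, e.g. `/* type: GR_ROLE_USER or GR_ROLE_GROUP only; sz must be non-zero */`.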
63053 diff -urNp linux-2.6.39.3/include/linux/gralloc.h linux-2.6.39.3/include/linux/gralloc.h
63054 --- linux-2.6.39.3/include/linux/gralloc.h 1969-12-31 19:00:00.000000000 -0500
63055 +++ linux-2.6.39.3/include/linux/gralloc.h 2011-05-22 19:41:42.000000000 -0400
63056 @@ -0,0 +1,9 @@
63057 +#ifndef __GRALLOC_H
63058 +#define __GRALLOC_H
63059 +
63060 +void acl_free_all(void);
63061 +int acl_alloc_stack_init(unsigned long size);
63062 +void *acl_alloc(unsigned long len);
63063 +void *acl_alloc_num(unsigned long num, unsigned long len);
63064 +
63065 +#endif
63066 diff -urNp linux-2.6.39.3/include/linux/grdefs.h linux-2.6.39.3/include/linux/grdefs.h
63067 --- linux-2.6.39.3/include/linux/grdefs.h 1969-12-31 19:00:00.000000000 -0500
63068 +++ linux-2.6.39.3/include/linux/grdefs.h 2011-06-11 16:24:51.000000000 -0400
63069 @@ -0,0 +1,140 @@
63070 +#ifndef GRDEFS_H
63071 +#define GRDEFS_H
63072 +
63073 +/* Begin grsecurity status declarations */
63074 +
63075 +enum {
63076 + GR_READY = 0x01,
63077 + GR_STATUS_INIT = 0x00 // disabled state
63078 +};
63079 +
63080 +/* Begin ACL declarations */
63081 +
63082 +/* Role flags */
63083 +
63084 +enum {
63085 + GR_ROLE_USER = 0x0001,
63086 + GR_ROLE_GROUP = 0x0002,
63087 + GR_ROLE_DEFAULT = 0x0004,
63088 + GR_ROLE_SPECIAL = 0x0008,
63089 + GR_ROLE_AUTH = 0x0010,
63090 + GR_ROLE_NOPW = 0x0020,
63091 + GR_ROLE_GOD = 0x0040,
63092 + GR_ROLE_LEARN = 0x0080,
63093 + GR_ROLE_TPE = 0x0100,
63094 + GR_ROLE_DOMAIN = 0x0200,
63095 + GR_ROLE_PAM = 0x0400,
63096 + GR_ROLE_PERSIST = 0x0800
63097 +};
63098 +
63099 +/* ACL Subject and Object mode flags */
63100 +enum {
63101 + GR_DELETED = 0x80000000
63102 +};
63103 +
63104 +/* ACL Object-only mode flags */
63105 +enum {
63106 + GR_READ = 0x00000001,
63107 + GR_APPEND = 0x00000002,
63108 + GR_WRITE = 0x00000004,
63109 + GR_EXEC = 0x00000008,
63110 + GR_FIND = 0x00000010,
63111 + GR_INHERIT = 0x00000020,
63112 + GR_SETID = 0x00000040,
63113 + GR_CREATE = 0x00000080,
63114 + GR_DELETE = 0x00000100,
63115 + GR_LINK = 0x00000200,
63116 + GR_AUDIT_READ = 0x00000400,
63117 + GR_AUDIT_APPEND = 0x00000800,
63118 + GR_AUDIT_WRITE = 0x00001000,
63119 + GR_AUDIT_EXEC = 0x00002000,
63120 + GR_AUDIT_FIND = 0x00004000,
63121 + GR_AUDIT_INHERIT= 0x00008000,
63122 + GR_AUDIT_SETID = 0x00010000,
63123 + GR_AUDIT_CREATE = 0x00020000,
63124 + GR_AUDIT_DELETE = 0x00040000,
63125 + GR_AUDIT_LINK = 0x00080000,
63126 + GR_PTRACERD = 0x00100000,
63127 + GR_NOPTRACE = 0x00200000,
63128 + GR_SUPPRESS = 0x00400000,
63129 + GR_NOLEARN = 0x00800000,
63130 + GR_INIT_TRANSFER= 0x01000000
63131 +};
63132 +
63133 +#define GR_AUDITS (GR_AUDIT_READ | GR_AUDIT_WRITE | GR_AUDIT_APPEND | GR_AUDIT_EXEC | \
63134 + GR_AUDIT_FIND | GR_AUDIT_INHERIT | GR_AUDIT_SETID | \
63135 + GR_AUDIT_CREATE | GR_AUDIT_DELETE | GR_AUDIT_LINK)
63136 +
63137 +/* ACL subject-only mode flags */
63138 +enum {
63139 + GR_KILL = 0x00000001,
63140 + GR_VIEW = 0x00000002,
63141 + GR_PROTECTED = 0x00000004,
63142 + GR_LEARN = 0x00000008,
63143 + GR_OVERRIDE = 0x00000010,
63144 + /* just a placeholder, this mode is only used in userspace */
63145 + GR_DUMMY = 0x00000020,
63146 + GR_PROTSHM = 0x00000040,
63147 + GR_KILLPROC = 0x00000080,
63148 + GR_KILLIPPROC = 0x00000100,
63149 + /* just a placeholder, this mode is only used in userspace */
63150 + GR_NOTROJAN = 0x00000200,
63151 + GR_PROTPROCFD = 0x00000400,
63152 + GR_PROCACCT = 0x00000800,
63153 + GR_RELAXPTRACE = 0x00001000,
63154 + GR_NESTED = 0x00002000,
63155 + GR_INHERITLEARN = 0x00004000,
63156 + GR_PROCFIND = 0x00008000,
63157 + GR_POVERRIDE = 0x00010000,
63158 + GR_KERNELAUTH = 0x00020000,
63159 + GR_ATSECURE = 0x00040000,
63160 + GR_SHMEXEC = 0x00080000
63161 +};
63162 +
63163 +enum {
63164 + GR_PAX_ENABLE_SEGMEXEC = 0x0001,
63165 + GR_PAX_ENABLE_PAGEEXEC = 0x0002,
63166 + GR_PAX_ENABLE_MPROTECT = 0x0004,
63167 + GR_PAX_ENABLE_RANDMMAP = 0x0008,
63168 + GR_PAX_ENABLE_EMUTRAMP = 0x0010,
63169 + GR_PAX_DISABLE_SEGMEXEC = 0x0100,
63170 + GR_PAX_DISABLE_PAGEEXEC = 0x0200,
63171 + GR_PAX_DISABLE_MPROTECT = 0x0400,
63172 + GR_PAX_DISABLE_RANDMMAP = 0x0800,
63173 + GR_PAX_DISABLE_EMUTRAMP = 0x1000,
63174 +};
63175 +
63176 +enum {
63177 + GR_ID_USER = 0x01,
63178 + GR_ID_GROUP = 0x02,
63179 +};
63180 +
63181 +enum {
63182 + GR_ID_ALLOW = 0x01,
63183 + GR_ID_DENY = 0x02,
63184 +};
63185 +
63186 +#define GR_CRASH_RES 31
63187 +#define GR_UIDTABLE_MAX 500
63188 +
63189 +/* begin resource learning section */
63190 +enum {
63191 + GR_RLIM_CPU_BUMP = 60,
63192 + GR_RLIM_FSIZE_BUMP = 50000,
63193 + GR_RLIM_DATA_BUMP = 10000,
63194 + GR_RLIM_STACK_BUMP = 1000,
63195 + GR_RLIM_CORE_BUMP = 10000,
63196 + GR_RLIM_RSS_BUMP = 500000,
63197 + GR_RLIM_NPROC_BUMP = 1,
63198 + GR_RLIM_NOFILE_BUMP = 5,
63199 + GR_RLIM_MEMLOCK_BUMP = 50000,
63200 + GR_RLIM_AS_BUMP = 500000,
63201 + GR_RLIM_LOCKS_BUMP = 2,
63202 + GR_RLIM_SIGPENDING_BUMP = 5,
63203 + GR_RLIM_MSGQUEUE_BUMP = 10000,
63204 + GR_RLIM_NICE_BUMP = 1,
63205 + GR_RLIM_RTPRIO_BUMP = 1,
63206 + GR_RLIM_RTTIME_BUMP = 1000000
63207 +};
63208 +
63209 +#endif
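Review bot: The object-only and subject-only mode flags reuse the same bit values (`GR_READ` and `GR_KILL` are both 0x00000001, `GR_APPEND` and `GR_VIEW` both 0x00000002, `GR_WRITE` and `GR_PROTECTED` both 0x00000004), and gracl.h stores both kinds in a plain `__u32 mode` field. Nothing in the types stops an object flag being tested against a subject's mode, and such a mix-up would compile and silently evaluate a different permission. A comment on each enum naming the field it applies to, e.g. `/* valid only in acl_object_label.mode */`, would help reviewers catch that. `GR_DELETED = 0x80000000` also does not fit in `int`, so its use as an enumerator relies on GNU C behaviour.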
63210 diff -urNp linux-2.6.39.3/include/linux/grinternal.h linux-2.6.39.3/include/linux/grinternal.h
63211 --- linux-2.6.39.3/include/linux/grinternal.h 1969-12-31 19:00:00.000000000 -0500
63212 +++ linux-2.6.39.3/include/linux/grinternal.h 2011-06-29 19:41:29.000000000 -0400
63213 @@ -0,0 +1,220 @@
63214 +#ifndef __GRINTERNAL_H
63215 +#define __GRINTERNAL_H
63216 +
63217 +#ifdef CONFIG_GRKERNSEC
63218 +
63219 +#include <linux/fs.h>
63220 +#include <linux/mnt_namespace.h>
63221 +#include <linux/nsproxy.h>
63222 +#include <linux/gracl.h>
63223 +#include <linux/grdefs.h>
63224 +#include <linux/grmsg.h>
63225 +
63226 +void gr_add_learn_entry(const char *fmt, ...)
63227 + __attribute__ ((format (printf, 1, 2)));
63228 +__u32 gr_search_file(const struct dentry *dentry, const __u32 mode,
63229 + const struct vfsmount *mnt);
63230 +__u32 gr_check_create(const struct dentry *new_dentry,
63231 + const struct dentry *parent,
63232 + const struct vfsmount *mnt, const __u32 mode);
63233 +int gr_check_protected_task(const struct task_struct *task);
63234 +__u32 to_gr_audit(const __u32 reqmode);
63235 +int gr_set_acls(const int type);
63236 +int gr_apply_subject_to_task(struct task_struct *task);
63237 +int gr_acl_is_enabled(void);
63238 +char gr_roletype_to_char(void);
63239 +
63240 +void gr_handle_alertkill(struct task_struct *task);
63241 +char *gr_to_filename(const struct dentry *dentry,
63242 + const struct vfsmount *mnt);
63243 +char *gr_to_filename1(const struct dentry *dentry,
63244 + const struct vfsmount *mnt);
63245 +char *gr_to_filename2(const struct dentry *dentry,
63246 + const struct vfsmount *mnt);
63247 +char *gr_to_filename3(const struct dentry *dentry,
63248 + const struct vfsmount *mnt);
63249 +
63250 +extern int grsec_enable_harden_ptrace;
63251 +extern int grsec_enable_link;
63252 +extern int grsec_enable_fifo;
63253 +extern int grsec_enable_execve;
63254 +extern int grsec_enable_shm;
63255 +extern int grsec_enable_execlog;
63256 +extern int grsec_enable_signal;
63257 +extern int grsec_enable_audit_ptrace;
63258 +extern int grsec_enable_forkfail;
63259 +extern int grsec_enable_time;
63260 +extern int grsec_enable_rofs;
63261 +extern int grsec_enable_chroot_shmat;
63262 +extern int grsec_enable_chroot_findtask;
63263 +extern int grsec_enable_chroot_mount;
63264 +extern int grsec_enable_chroot_double;
63265 +extern int grsec_enable_chroot_pivot;
63266 +extern int grsec_enable_chroot_chdir;
63267 +extern int grsec_enable_chroot_chmod;
63268 +extern int grsec_enable_chroot_mknod;
63269 +extern int grsec_enable_chroot_fchdir;
63270 +extern int grsec_enable_chroot_nice;
63271 +extern int grsec_enable_chroot_execlog;
63272 +extern int grsec_enable_chroot_caps;
63273 +extern int grsec_enable_chroot_sysctl;
63274 +extern int grsec_enable_chroot_unix;
63275 +extern int grsec_enable_tpe;
63276 +extern int grsec_tpe_gid;
63277 +extern int grsec_enable_tpe_all;
63278 +extern int grsec_enable_tpe_invert;
63279 +extern int grsec_enable_socket_all;
63280 +extern int grsec_socket_all_gid;
63281 +extern int grsec_enable_socket_client;
63282 +extern int grsec_socket_client_gid;
63283 +extern int grsec_enable_socket_server;
63284 +extern int grsec_socket_server_gid;
63285 +extern int grsec_audit_gid;
63286 +extern int grsec_enable_group;
63287 +extern int grsec_enable_audit_textrel;
63288 +extern int grsec_enable_log_rwxmaps;
63289 +extern int grsec_enable_mount;
63290 +extern int grsec_enable_chdir;
63291 +extern int grsec_resource_logging;
63292 +extern int grsec_enable_blackhole;
63293 +extern int grsec_lastack_retries;
63294 +extern int grsec_enable_brute;
63295 +extern int grsec_lock;
63296 +
63297 +extern spinlock_t grsec_alert_lock;
63298 +extern unsigned long grsec_alert_wtime;
63299 +extern unsigned long grsec_alert_fyet;
63300 +
63301 +extern spinlock_t grsec_audit_lock;
63302 +
63303 +extern rwlock_t grsec_exec_file_lock;
63304 +
63305 +#define gr_task_fullpath(tsk) ((tsk)->exec_file ? \
63306 + gr_to_filename2((tsk)->exec_file->f_path.dentry, \
63307 + (tsk)->exec_file->f_vfsmnt) : "/")
63308 +
63309 +#define gr_parent_task_fullpath(tsk) ((tsk)->real_parent->exec_file ? \
63310 + gr_to_filename3((tsk)->real_parent->exec_file->f_path.dentry, \
63311 + (tsk)->real_parent->exec_file->f_vfsmnt) : "/")
63312 +
63313 +#define gr_task_fullpath0(tsk) ((tsk)->exec_file ? \
63314 + gr_to_filename((tsk)->exec_file->f_path.dentry, \
63315 + (tsk)->exec_file->f_vfsmnt) : "/")
63316 +
63317 +#define gr_parent_task_fullpath0(tsk) ((tsk)->real_parent->exec_file ? \
63318 + gr_to_filename1((tsk)->real_parent->exec_file->f_path.dentry, \
63319 + (tsk)->real_parent->exec_file->f_vfsmnt) : "/")
63320 +
63321 +#define proc_is_chrooted(tsk_a) ((tsk_a)->gr_is_chrooted)
63322 +
63323 +#define have_same_root(tsk_a,tsk_b) ((tsk_a)->gr_chroot_dentry == (tsk_b)->gr_chroot_dentry)
63324 +
63325 +#define DEFAULTSECARGS(task, cred, pcred) gr_task_fullpath(task), (task)->comm, \
63326 + (task)->pid, (cred)->uid, \
63327 + (cred)->euid, (cred)->gid, (cred)->egid, \
63328 + gr_parent_task_fullpath(task), \
63329 + (task)->real_parent->comm, (task)->real_parent->pid, \
63330 + (pcred)->uid, (pcred)->euid, \
63331 + (pcred)->gid, (pcred)->egid
63332 +
63333 +#define GR_CHROOT_CAPS {{ \
63334 + CAP_TO_MASK(CAP_LINUX_IMMUTABLE) | CAP_TO_MASK(CAP_NET_ADMIN) | \
63335 + CAP_TO_MASK(CAP_SYS_MODULE) | CAP_TO_MASK(CAP_SYS_RAWIO) | \
63336 + CAP_TO_MASK(CAP_SYS_PACCT) | CAP_TO_MASK(CAP_SYS_ADMIN) | \
63337 + CAP_TO_MASK(CAP_SYS_BOOT) | CAP_TO_MASK(CAP_SYS_TIME) | \
63338 + CAP_TO_MASK(CAP_NET_RAW) | CAP_TO_MASK(CAP_SYS_TTY_CONFIG) | \
63339 + CAP_TO_MASK(CAP_IPC_OWNER) , 0 }}
63340 +
63341 +#define security_learn(normal_msg,args...) \
63342 +({ \
63343 + read_lock(&grsec_exec_file_lock); \
63344 + gr_add_learn_entry(normal_msg "\n", ## args); \
63345 + read_unlock(&grsec_exec_file_lock); \
63346 +})
63347 +
63348 +enum {
63349 + GR_DO_AUDIT,
63350 + GR_DONT_AUDIT,
63351 + /* used for non-audit messages that we shouldn't kill the task on */
63352 + GR_DONT_AUDIT_GOOD
63353 +};
63354 +
63355 +enum {
63356 + GR_TTYSNIFF,
63357 + GR_RBAC,
63358 + GR_RBAC_STR,
63359 + GR_STR_RBAC,
63360 + GR_RBAC_MODE2,
63361 + GR_RBAC_MODE3,
63362 + GR_FILENAME,
63363 + GR_SYSCTL_HIDDEN,
63364 + GR_NOARGS,
63365 + GR_ONE_INT,
63366 + GR_ONE_INT_TWO_STR,
63367 + GR_ONE_STR,
63368 + GR_STR_INT,
63369 + GR_TWO_STR_INT,
63370 + GR_TWO_INT,
63371 + GR_TWO_U64,
63372 + GR_THREE_INT,
63373 + GR_FIVE_INT_TWO_STR,
63374 + GR_TWO_STR,
63375 + GR_THREE_STR,
63376 + GR_FOUR_STR,
63377 + GR_STR_FILENAME,
63378 + GR_FILENAME_STR,
63379 + GR_FILENAME_TWO_INT,
63380 + GR_FILENAME_TWO_INT_STR,
63381 + GR_TEXTREL,
63382 + GR_PTRACE,
63383 + GR_RESOURCE,
63384 + GR_CAP,
63385 + GR_SIG,
63386 + GR_SIG2,
63387 + GR_CRASH1,
63388 + GR_CRASH2,
63389 + GR_PSACCT,
63390 + GR_RWXMAP
63391 +};
63392 +
63393 +#define gr_log_hidden_sysctl(audit, msg, str) gr_log_varargs(audit, msg, GR_SYSCTL_HIDDEN, str)
63394 +#define gr_log_ttysniff(audit, msg, task) gr_log_varargs(audit, msg, GR_TTYSNIFF, task)
63395 +#define gr_log_fs_rbac_generic(audit, msg, dentry, mnt) gr_log_varargs(audit, msg, GR_RBAC, dentry, mnt)
63396 +#define gr_log_fs_rbac_str(audit, msg, dentry, mnt, str) gr_log_varargs(audit, msg, GR_RBAC_STR, dentry, mnt, str)
63397 +#define gr_log_fs_str_rbac(audit, msg, str, dentry, mnt) gr_log_varargs(audit, msg, GR_STR_RBAC, str, dentry, mnt)
63398 +#define gr_log_fs_rbac_mode2(audit, msg, dentry, mnt, str1, str2) gr_log_varargs(audit, msg, GR_RBAC_MODE2, dentry, mnt, str1, str2)
63399 +#define gr_log_fs_rbac_mode3(audit, msg, dentry, mnt, str1, str2, str3) gr_log_varargs(audit, msg, GR_RBAC_MODE3, dentry, mnt, str1, str2, str3)
63400 +#define gr_log_fs_generic(audit, msg, dentry, mnt) gr_log_varargs(audit, msg, GR_FILENAME, dentry, mnt)
63401 +#define gr_log_noargs(audit, msg) gr_log_varargs(audit, msg, GR_NOARGS)
63402 +#define gr_log_int(audit, msg, num) gr_log_varargs(audit, msg, GR_ONE_INT, num)
63403 +#define gr_log_int_str2(audit, msg, num, str1, str2) gr_log_varargs(audit, msg, GR_ONE_INT_TWO_STR, num, str1, str2)
63404 +#define gr_log_str(audit, msg, str) gr_log_varargs(audit, msg, GR_ONE_STR, str)
63405 +#define gr_log_str_int(audit, msg, str, num) gr_log_varargs(audit, msg, GR_STR_INT, str, num)
63406 +#define gr_log_int_int(audit, msg, num1, num2) gr_log_varargs(audit, msg, GR_TWO_INT, num1, num2)
63407 +#define gr_log_two_u64(audit, msg, num1, num2) gr_log_varargs(audit, msg, GR_TWO_U64, num1, num2)
63408 +#define gr_log_int3(audit, msg, num1, num2, num3) gr_log_varargs(audit, msg, GR_THREE_INT, num1, num2, num3)
63409 +#define gr_log_int5_str2(audit, msg, num1, num2, str1, str2) gr_log_varargs(audit, msg, GR_FIVE_INT_TWO_STR, num1, num2, str1, str2)
63410 +#define gr_log_str_str(audit, msg, str1, str2) gr_log_varargs(audit, msg, GR_TWO_STR, str1, str2)
63411 +#define gr_log_str2_int(audit, msg, str1, str2, num) gr_log_varargs(audit, msg, GR_TWO_STR_INT, str1, str2, num)
63412 +#define gr_log_str3(audit, msg, str1, str2, str3) gr_log_varargs(audit, msg, GR_THREE_STR, str1, str2, str3)
63413 +#define gr_log_str4(audit, msg, str1, str2, str3, str4) gr_log_varargs(audit, msg, GR_FOUR_STR, str1, str2, str3, str4)
63414 +#define gr_log_str_fs(audit, msg, str, dentry, mnt) gr_log_varargs(audit, msg, GR_STR_FILENAME, str, dentry, mnt)
63415 +#define gr_log_fs_str(audit, msg, dentry, mnt, str) gr_log_varargs(audit, msg, GR_FILENAME_STR, dentry, mnt, str)
63416 +#define gr_log_fs_int2(audit, msg, dentry, mnt, num1, num2) gr_log_varargs(audit, msg, GR_FILENAME_TWO_INT, dentry, mnt, num1, num2)
63417 +#define gr_log_fs_int2_str(audit, msg, dentry, mnt, num1, num2, str) gr_log_varargs(audit, msg, GR_FILENAME_TWO_INT_STR, dentry, mnt, num1, num2, str)
63418 +#define gr_log_textrel_ulong_ulong(audit, msg, file, ulong1, ulong2) gr_log_varargs(audit, msg, GR_TEXTREL, file, ulong1, ulong2)
63419 +#define gr_log_ptrace(audit, msg, task) gr_log_varargs(audit, msg, GR_PTRACE, task)
63420 +#define gr_log_res_ulong2_str(audit, msg, task, ulong1, str, ulong2) gr_log_varargs(audit, msg, GR_RESOURCE, task, ulong1, str, ulong2)
63421 +#define gr_log_cap(audit, msg, task, str) gr_log_varargs(audit, msg, GR_CAP, task, str)
63422 +#define gr_log_sig_addr(audit, msg, str, addr) gr_log_varargs(audit, msg, GR_SIG, str, addr)
63423 +#define gr_log_sig_task(audit, msg, task, num) gr_log_varargs(audit, msg, GR_SIG2, task, num)
63424 +#define gr_log_crash1(audit, msg, task, ulong) gr_log_varargs(audit, msg, GR_CRASH1, task, ulong)
63425 +#define gr_log_crash2(audit, msg, task, ulong1) gr_log_varargs(audit, msg, GR_CRASH2, task, ulong1)
63426 +#define gr_log_procacct(audit, msg, task, num1, num2, num3, num4, num5, num6, num7, num8, num9) gr_log_varargs(audit, msg, GR_PSACCT, task, num1, num2, num3, num4, num5, num6, num7, num8, num9)
63427 +#define gr_log_rwxmap(audit, msg, str) gr_log_varargs(audit, msg, GR_RWXMAP, str)
63428 +
63429 +void gr_log_varargs(int audit, const char *msg, int argtypes, ...);
63430 +
63431 +#endif
63432 +
63433 +#endif
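Review bot: The `gr_task_fullpath*` and `gr_parent_task_fullpath*` macros read `(tsk)->exec_file` once for the NULL test and again for each dereference, and nothing in the macros themselves serialises those reads. `security_learn()` in this hunk takes `grsec_exec_file_lock` for reading around its call, which suggests that lock is what guards `exec_file`, but the requirement is not written down next to the macros. A comment such as `/* caller must hold grsec_exec_file_lock; tsk is evaluated more than once */` above `gr_task_fullpath` would make the contract explicit. The parent variants also dereference `(tsk)->real_parent`, whose protection is not visible here.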
63434 diff -urNp linux-2.6.39.3/include/linux/grmsg.h linux-2.6.39.3/include/linux/grmsg.h
63435 --- linux-2.6.39.3/include/linux/grmsg.h 1969-12-31 19:00:00.000000000 -0500
63436 +++ linux-2.6.39.3/include/linux/grmsg.h 2011-05-22 19:41:42.000000000 -0400
63437 @@ -0,0 +1,108 @@
63438 +#define DEFAULTSECMSG "%.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u, parent %.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u"
63439 +#define GR_ACL_PROCACCT_MSG "%.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u run time:[%ud %uh %um %us] cpu time:[%ud %uh %um %us] %s with exit code %ld, parent %.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u"
63440 +#define GR_PTRACE_ACL_MSG "denied ptrace of %.950s(%.16s:%d) by "
63441 +#define GR_STOPMOD_MSG "denied modification of module state by "
63442 +#define GR_ROFS_BLOCKWRITE_MSG "denied write to block device %.950s by "
63443 +#define GR_ROFS_MOUNT_MSG "denied writable mount of %.950s by "
63444 +#define GR_IOPERM_MSG "denied use of ioperm() by "
63445 +#define GR_IOPL_MSG "denied use of iopl() by "
63446 +#define GR_SHMAT_ACL_MSG "denied attach of shared memory of UID %u, PID %d, ID %u by "
63447 +#define GR_UNIX_CHROOT_MSG "denied connect() to abstract AF_UNIX socket outside of chroot by "
63448 +#define GR_SHMAT_CHROOT_MSG "denied attach of shared memory outside of chroot by "
63449 +#define GR_MEM_READWRITE_MSG "denied access of range %Lx -> %Lx in /dev/mem by "
63450 +#define GR_SYMLINK_MSG "not following symlink %.950s owned by %d.%d by "
63451 +#define GR_LEARN_AUDIT_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%lu\t%lu\t%.4095s\t%lu\t%pI4"
63452 +#define GR_ID_LEARN_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%c\t%d\t%d\t%d\t%pI4"
63453 +#define GR_HIDDEN_ACL_MSG "%s access to hidden file %.950s by "
63454 +#define GR_OPEN_ACL_MSG "%s open of %.950s for%s%s by "
63455 +#define GR_CREATE_ACL_MSG "%s create of %.950s for%s%s by "
63456 +#define GR_FIFO_MSG "denied writing FIFO %.950s of %d.%d by "
63457 +#define GR_MKNOD_CHROOT_MSG "denied mknod of %.950s from chroot by "
63458 +#define GR_MKNOD_ACL_MSG "%s mknod of %.950s by "
63459 +#define GR_UNIXCONNECT_ACL_MSG "%s connect() to the unix domain socket %.950s by "
63460 +#define GR_TTYSNIFF_ACL_MSG "terminal being sniffed by IP:%pI4 %.480s[%.16s:%d], parent %.480s[%.16s:%d] against "
63461 +#define GR_MKDIR_ACL_MSG "%s mkdir of %.950s by "
63462 +#define GR_RMDIR_ACL_MSG "%s rmdir of %.950s by "
63463 +#define GR_UNLINK_ACL_MSG "%s unlink of %.950s by "
63464 +#define GR_SYMLINK_ACL_MSG "%s symlink from %.480s to %.480s by "
63465 +#define GR_HARDLINK_MSG "denied hardlink of %.930s (owned by %d.%d) to %.30s for "
63466 +#define GR_LINK_ACL_MSG "%s link of %.480s to %.480s by "
63467 +#define GR_INHERIT_ACL_MSG "successful inherit of %.480s's ACL for %.480s by "
63468 +#define GR_RENAME_ACL_MSG "%s rename of %.480s to %.480s by "
63469 +#define GR_UNSAFESHARE_EXEC_ACL_MSG "denied exec with cloned fs of %.950s by "
63470 +#define GR_PTRACE_EXEC_ACL_MSG "denied ptrace of %.950s by "
63471 +#define GR_NPROC_MSG "denied overstep of process limit by "
63472 +#define GR_EXEC_ACL_MSG "%s execution of %.950s by "
63473 +#define GR_EXEC_TPE_MSG "denied untrusted exec of %.950s by "
63474 +#define GR_SEGVSTART_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning uid %u from login for %lu seconds"
63475 +#define GR_SEGVNOSUID_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning execution for %lu seconds"
63476 +#define GR_MOUNT_CHROOT_MSG "denied mount of %.256s as %.930s from chroot by "
63477 +#define GR_PIVOT_CHROOT_MSG "denied pivot_root from chroot by "
63478 +#define GR_TRUNCATE_ACL_MSG "%s truncate of %.950s by "
63479 +#define GR_ATIME_ACL_MSG "%s access time change of %.950s by "
63480 +#define GR_ACCESS_ACL_MSG "%s access of %.950s for%s%s%s by "
63481 +#define GR_CHROOT_CHROOT_MSG "denied double chroot to %.950s by "
63482 +#define GR_FCHMOD_ACL_MSG "%s fchmod of %.950s by "
63483 +#define GR_CHMOD_CHROOT_MSG "denied chmod +s of %.950s by "
63484 +#define GR_CHMOD_ACL_MSG "%s chmod of %.950s by "
63485 +#define GR_CHROOT_FCHDIR_MSG "denied fchdir outside of chroot to %.950s by "
63486 +#define GR_CHOWN_ACL_MSG "%s chown of %.950s by "
63487 +#define GR_SETXATTR_ACL_MSG "%s setting extended attributes of %.950s by "
63488 +#define GR_WRITLIB_ACL_MSG "denied load of writable library %.950s by "
63489 +#define GR_INITF_ACL_MSG "init_variables() failed %s by "
63490 +#define GR_DISABLED_ACL_MSG "Error loading %s, trying to run kernel with acls disabled. To disable acls at startup use <kernel image name> gracl=off from your boot loader"
63491 +#define GR_DEV_ACL_MSG "/dev/grsec: %d bytes sent %d required, being fed garbaged by "
63492 +#define GR_SHUTS_ACL_MSG "shutdown auth success for "
63493 +#define GR_SHUTF_ACL_MSG "shutdown auth failure for "
63494 +#define GR_SHUTI_ACL_MSG "ignoring shutdown for disabled RBAC system for "
63495 +#define GR_SEGVMODS_ACL_MSG "segvmod auth success for "
63496 +#define GR_SEGVMODF_ACL_MSG "segvmod auth failure for "
63497 +#define GR_SEGVMODI_ACL_MSG "ignoring segvmod for disabled RBAC system for "
63498 +#define GR_ENABLE_ACL_MSG "%s RBAC system loaded by "
63499 +#define GR_ENABLEF_ACL_MSG "unable to load %s for "
63500 +#define GR_RELOADI_ACL_MSG "ignoring reload request for disabled RBAC system"
63501 +#define GR_RELOAD_ACL_MSG "%s RBAC system reloaded by "
63502 +#define GR_RELOADF_ACL_MSG "failed reload of %s for "
63503 +#define GR_SPROLEI_ACL_MSG "ignoring change to special role for disabled RBAC system for "
63504 +#define GR_SPROLES_ACL_MSG "successful change to special role %s (id %d) by "
63505 +#define GR_SPROLEL_ACL_MSG "special role %s (id %d) exited by "
63506 +#define GR_SPROLEF_ACL_MSG "special role %s failure for "
63507 +#define GR_UNSPROLEI_ACL_MSG "ignoring unauth of special role for disabled RBAC system for "
63508 +#define GR_UNSPROLES_ACL_MSG "successful unauth of special role %s (id %d) by "
63509 +#define GR_INVMODE_ACL_MSG "invalid mode %d by "
63510 +#define GR_PRIORITY_CHROOT_MSG "denied priority change of process (%.16s:%d) by "
63511 +#define GR_FAILFORK_MSG "failed fork with errno %s by "
63512 +#define GR_NICE_CHROOT_MSG "denied priority change by "
63513 +#define GR_UNISIGLOG_MSG "%.32s occurred at %p in "
63514 +#define GR_DUALSIGLOG_MSG "signal %d sent to " DEFAULTSECMSG " by "
63515 +#define GR_SIG_ACL_MSG "denied send of signal %d to protected task " DEFAULTSECMSG " by "
63516 +#define GR_SYSCTL_MSG "denied modification of grsecurity sysctl value : %.32s by "
63517 +#define GR_SYSCTL_ACL_MSG "%s sysctl of %.950s for%s%s by "
63518 +#define GR_TIME_MSG "time set by "
63519 +#define GR_DEFACL_MSG "fatal: unable to find subject for (%.16s:%d), loaded by "
63520 +#define GR_MMAP_ACL_MSG "%s executable mmap of %.950s by "
63521 +#define GR_MPROTECT_ACL_MSG "%s executable mprotect of %.950s by "
63522 +#define GR_SOCK_MSG "denied socket(%.16s,%.16s,%.16s) by "
63523 +#define GR_SOCK_NOINET_MSG "denied socket(%.16s,%.16s,%d) by "
63524 +#define GR_BIND_MSG "denied bind() by "
63525 +#define GR_CONNECT_MSG "denied connect() by "
63526 +#define GR_BIND_ACL_MSG "denied bind() to %pI4 port %u sock type %.16s protocol %.16s by "
63527 +#define GR_CONNECT_ACL_MSG "denied connect() to %pI4 port %u sock type %.16s protocol %.16s by "
63528 +#define GR_IP_LEARN_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%pI4\t%u\t%u\t%u\t%u\t%pI4"
63529 +#define GR_EXEC_CHROOT_MSG "exec of %.980s within chroot by process "
63530 +#define GR_CAP_ACL_MSG "use of %s denied for "
63531 +#define GR_CAP_ACL_MSG2 "use of %s permitted for "
63532 +#define GR_USRCHANGE_ACL_MSG "change to uid %u denied for "
63533 +#define GR_GRPCHANGE_ACL_MSG "change to gid %u denied for "
63534 +#define GR_REMOUNT_AUDIT_MSG "remount of %.256s by "
63535 +#define GR_UNMOUNT_AUDIT_MSG "unmount of %.256s by "
63536 +#define GR_MOUNT_AUDIT_MSG "mount of %.256s to %.256s by "
63537 +#define GR_CHDIR_AUDIT_MSG "chdir to %.980s by "
63538 +#define GR_EXEC_AUDIT_MSG "exec of %.930s (%.128s) by "
63539 +#define GR_RESOURCE_MSG "denied resource overstep by requesting %lu for %.16s against limit %lu for "
63540 +#define GR_RWXMMAP_MSG "denied RWX mmap of %.950s by "
63541 +#define GR_RWXMPROTECT_MSG "denied RWX mprotect of %.950s by "
63542 +#define GR_TEXTREL_AUDIT_MSG "text relocation in %s, VMA:0x%08lx 0x%08lx by "
63543 +#define GR_VM86_MSG "denied use of vm86 by "
63544 +#define GR_PTRACE_AUDIT_MSG "process %.950s(%.16s:%d) attached to via ptrace by "
63545 +#define GR_INIT_TRANSFER_MSG "persistent special role transferred privilege to init by "
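Review bot: `GR_TEXTREL_AUDIT_MSG` prints the file it names with a bare `%s`, while every other path-bearing message in this header caps the field (`%.950s`, `%.480s`, `%.256s`, `%.4095s`). How `gr_log_varargs()` sizes and truncates its buffer is not visible here, but an uncapped field can crowd out the trailing subject/parent details that the " by " suffix is waiting for, so I would make it `"text relocation in %.950s, VMA:0x%08lx 0x%08lx by "`. The bare `%s` in `GR_SPROLES_ACL_MSG`, `GR_SPROLEL_ACL_MSG` and `GR_SPROLEF_ACL_MSG` deserves the same check if the role name can be long. The file also has no include guard, unlike grsecurity.h and grsock.h in this patch, and `GR_DEV_ACL_MSG` reads "being fed garbaged by", which looks like a typo for "garbage".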
63546 diff -urNp linux-2.6.39.3/include/linux/grsecurity.h linux-2.6.39.3/include/linux/grsecurity.h
63547 --- linux-2.6.39.3/include/linux/grsecurity.h 1969-12-31 19:00:00.000000000 -0500
63548 +++ linux-2.6.39.3/include/linux/grsecurity.h 2011-05-22 19:41:42.000000000 -0400
63549 @@ -0,0 +1,212 @@
63550 +#ifndef GR_SECURITY_H
63551 +#define GR_SECURITY_H
63552 +#include <linux/fs.h>
63553 +#include <linux/fs_struct.h>
63554 +#include <linux/binfmts.h>
63555 +#include <linux/gracl.h>
63556 +#include <linux/compat.h>
63557 +
63558 +/* notify of brain-dead configs */
63559 +#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_PAGEEXEC) && !defined(CONFIG_PAX_SEGMEXEC) && !defined(CONFIG_PAX_KERNEXEC)
63560 +#error "CONFIG_PAX_NOEXEC enabled, but PAGEEXEC, SEGMEXEC, and KERNEXEC are disabled."
63561 +#endif
63562 +#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_EI_PAX) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
63563 +#error "CONFIG_PAX_NOEXEC enabled, but neither CONFIG_PAX_EI_PAX nor CONFIG_PAX_PT_PAX_FLAGS are enabled."
63564 +#endif
63565 +#if defined(CONFIG_PAX_ASLR) && (defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)) && !defined(CONFIG_PAX_EI_PAX) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
63566 +#error "CONFIG_PAX_ASLR enabled, but neither CONFIG_PAX_EI_PAX nor CONFIG_PAX_PT_PAX_FLAGS are enabled."
63567 +#endif
63568 +#if defined(CONFIG_PAX_ASLR) && !defined(CONFIG_PAX_RANDKSTACK) && !defined(CONFIG_PAX_RANDUSTACK) && !defined(CONFIG_PAX_RANDMMAP)
63569 +#error "CONFIG_PAX_ASLR enabled, but RANDKSTACK, RANDUSTACK, and RANDMMAP are disabled."
63570 +#endif
63571 +#if defined(CONFIG_PAX) && !defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_ASLR)
63572 +#error "CONFIG_PAX enabled, but no PaX options are enabled."
63573 +#endif
63574 +
63575 +void gr_handle_brute_attach(struct task_struct *p, unsigned long mm_flags);
63576 +void gr_handle_brute_check(void);
63577 +void gr_handle_kernel_exploit(void);
63578 +int gr_process_user_ban(void);
63579 +
63580 +char gr_roletype_to_char(void);
63581 +
63582 +int gr_acl_enable_at_secure(void);
63583 +
63584 +int gr_check_user_change(int real, int effective, int fs);
63585 +int gr_check_group_change(int real, int effective, int fs);
63586 +
63587 +void gr_del_task_from_ip_table(struct task_struct *p);
63588 +
63589 +int gr_pid_is_chrooted(struct task_struct *p);
63590 +int gr_handle_chroot_fowner(struct pid *pid, enum pid_type type);
63591 +int gr_handle_chroot_nice(void);
63592 +int gr_handle_chroot_sysctl(const int op);
63593 +int gr_handle_chroot_setpriority(struct task_struct *p,
63594 + const int niceval);
63595 +int gr_chroot_fchdir(struct dentry *u_dentry, struct vfsmount *u_mnt);
63596 +int gr_handle_chroot_chroot(const struct dentry *dentry,
63597 + const struct vfsmount *mnt);
63598 +int gr_handle_chroot_caps(struct path *path);
63599 +void gr_handle_chroot_chdir(struct path *path);
63600 +int gr_handle_chroot_chmod(const struct dentry *dentry,
63601 + const struct vfsmount *mnt, const int mode);
63602 +int gr_handle_chroot_mknod(const struct dentry *dentry,
63603 + const struct vfsmount *mnt, const int mode);
63604 +int gr_handle_chroot_mount(const struct dentry *dentry,
63605 + const struct vfsmount *mnt,
63606 + const char *dev_name);
63607 +int gr_handle_chroot_pivot(void);
63608 +int gr_handle_chroot_unix(struct pid *pid);
63609 +
63610 +int gr_handle_rawio(const struct inode *inode);
63611 +int gr_handle_nproc(void);
63612 +
63613 +void gr_handle_ioperm(void);
63614 +void gr_handle_iopl(void);
63615 +
63616 +int gr_tpe_allow(const struct file *file);
63617 +
63618 +void gr_set_chroot_entries(struct task_struct *task, struct path *path);
63619 +void gr_clear_chroot_entries(struct task_struct *task);
63620 +
63621 +void gr_log_forkfail(const int retval);
63622 +void gr_log_timechange(void);
63623 +void gr_log_signal(const int sig, const void *addr, const struct task_struct *t);
63624 +void gr_log_chdir(const struct dentry *dentry,
63625 + const struct vfsmount *mnt);
63626 +void gr_log_chroot_exec(const struct dentry *dentry,
63627 + const struct vfsmount *mnt);
63628 +void gr_handle_exec_args(struct linux_binprm *bprm, const char __user *const __user *argv);
63629 +#ifdef CONFIG_COMPAT
63630 +void gr_handle_exec_args_compat(struct linux_binprm *bprm, compat_uptr_t __user *argv);
63631 +#endif
63632 +void gr_log_remount(const char *devname, const int retval);
63633 +void gr_log_unmount(const char *devname, const int retval);
63634 +void gr_log_mount(const char *from, const char *to, const int retval);
63635 +void gr_log_textrel(struct vm_area_struct *vma);
63636 +void gr_log_rwxmmap(struct file *file);
63637 +void gr_log_rwxmprotect(struct file *file);
63638 +
63639 +int gr_handle_follow_link(const struct inode *parent,
63640 + const struct inode *inode,
63641 + const struct dentry *dentry,
63642 + const struct vfsmount *mnt);
63643 +int gr_handle_fifo(const struct dentry *dentry,
63644 + const struct vfsmount *mnt,
63645 + const struct dentry *dir, const int flag,
63646 + const int acc_mode);
63647 +int gr_handle_hardlink(const struct dentry *dentry,
63648 + const struct vfsmount *mnt,
63649 + struct inode *inode,
63650 + const int mode, const char *to);
63651 +
63652 +int gr_is_capable(const int cap);
63653 +int gr_is_capable_nolog(const int cap);
63654 +void gr_learn_resource(const struct task_struct *task, const int limit,
63655 + const unsigned long wanted, const int gt);
63656 +void gr_copy_label(struct task_struct *tsk);
63657 +void gr_handle_crash(struct task_struct *task, const int sig);
63658 +int gr_handle_signal(const struct task_struct *p, const int sig);
63659 +int gr_check_crash_uid(const uid_t uid);
63660 +int gr_check_protected_task(const struct task_struct *task);
63661 +int gr_check_protected_task_fowner(struct pid *pid, enum pid_type type);
63662 +int gr_acl_handle_mmap(const struct file *file,
63663 + const unsigned long prot);
63664 +int gr_acl_handle_mprotect(const struct file *file,
63665 + const unsigned long prot);
63666 +int gr_check_hidden_task(const struct task_struct *tsk);
63667 +__u32 gr_acl_handle_truncate(const struct dentry *dentry,
63668 + const struct vfsmount *mnt);
63669 +__u32 gr_acl_handle_utime(const struct dentry *dentry,
63670 + const struct vfsmount *mnt);
63671 +__u32 gr_acl_handle_access(const struct dentry *dentry,
63672 + const struct vfsmount *mnt, const int fmode);
63673 +__u32 gr_acl_handle_fchmod(const struct dentry *dentry,
63674 + const struct vfsmount *mnt, mode_t mode);
63675 +__u32 gr_acl_handle_chmod(const struct dentry *dentry,
63676 + const struct vfsmount *mnt, mode_t mode);
63677 +__u32 gr_acl_handle_chown(const struct dentry *dentry,
63678 + const struct vfsmount *mnt);
63679 +__u32 gr_acl_handle_setxattr(const struct dentry *dentry,
63680 + const struct vfsmount *mnt);
63681 +int gr_handle_ptrace(struct task_struct *task, const long request);
63682 +int gr_handle_proc_ptrace(struct task_struct *task);
63683 +__u32 gr_acl_handle_execve(const struct dentry *dentry,
63684 + const struct vfsmount *mnt);
63685 +int gr_check_crash_exec(const struct file *filp);
63686 +int gr_acl_is_enabled(void);
63687 +void gr_set_kernel_label(struct task_struct *task);
63688 +void gr_set_role_label(struct task_struct *task, const uid_t uid,
63689 + const gid_t gid);
63690 +int gr_set_proc_label(const struct dentry *dentry,
63691 + const struct vfsmount *mnt,
63692 + const int unsafe_share);
63693 +__u32 gr_acl_handle_hidden_file(const struct dentry *dentry,
63694 + const struct vfsmount *mnt);
63695 +__u32 gr_acl_handle_open(const struct dentry *dentry,
63696 + const struct vfsmount *mnt, const int fmode);
63697 +__u32 gr_acl_handle_creat(const struct dentry *dentry,
63698 + const struct dentry *p_dentry,
63699 + const struct vfsmount *p_mnt, const int fmode,
63700 + const int imode);
63701 +void gr_handle_create(const struct dentry *dentry,
63702 + const struct vfsmount *mnt);
63703 +__u32 gr_acl_handle_mknod(const struct dentry *new_dentry,
63704 + const struct dentry *parent_dentry,
63705 + const struct vfsmount *parent_mnt,
63706 + const int mode);
63707 +__u32 gr_acl_handle_mkdir(const struct dentry *new_dentry,
63708 + const struct dentry *parent_dentry,
63709 + const struct vfsmount *parent_mnt);
63710 +__u32 gr_acl_handle_rmdir(const struct dentry *dentry,
63711 + const struct vfsmount *mnt);
63712 +void gr_handle_delete(const ino_t ino, const dev_t dev);
63713 +__u32 gr_acl_handle_unlink(const struct dentry *dentry,
63714 + const struct vfsmount *mnt);
63715 +__u32 gr_acl_handle_symlink(const struct dentry *new_dentry,
63716 + const struct dentry *parent_dentry,
63717 + const struct vfsmount *parent_mnt,
63718 + const char *from);
63719 +__u32 gr_acl_handle_link(const struct dentry *new_dentry,
63720 + const struct dentry *parent_dentry,
63721 + const struct vfsmount *parent_mnt,
63722 + const struct dentry *old_dentry,
63723 + const struct vfsmount *old_mnt, const char *to);
63724 +int gr_acl_handle_rename(struct dentry *new_dentry,
63725 + struct dentry *parent_dentry,
63726 + const struct vfsmount *parent_mnt,
63727 + struct dentry *old_dentry,
63728 + struct inode *old_parent_inode,
63729 + struct vfsmount *old_mnt, const char *newname);
63730 +void gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
63731 + struct dentry *old_dentry,
63732 + struct dentry *new_dentry,
63733 + struct vfsmount *mnt, const __u8 replace);
63734 +__u32 gr_check_link(const struct dentry *new_dentry,
63735 + const struct dentry *parent_dentry,
63736 + const struct vfsmount *parent_mnt,
63737 + const struct dentry *old_dentry,
63738 + const struct vfsmount *old_mnt);
63739 +int gr_acl_handle_filldir(const struct file *file, const char *name,
63740 + const unsigned int namelen, const ino_t ino);
63741 +
63742 +__u32 gr_acl_handle_unix(const struct dentry *dentry,
63743 + const struct vfsmount *mnt);
63744 +void gr_acl_handle_exit(void);
63745 +void gr_acl_handle_psacct(struct task_struct *task, const long code);
63746 +int gr_acl_handle_procpidmem(const struct task_struct *task);
63747 +int gr_handle_rofs_mount(struct dentry *dentry, struct vfsmount *mnt, int mnt_flags);
63748 +int gr_handle_rofs_blockwrite(struct dentry *dentry, struct vfsmount *mnt, int acc_mode);
63749 +void gr_audit_ptrace(struct task_struct *task);
63750 +dev_t gr_get_dev_from_dentry(struct dentry *dentry);
63751 +
63752 +#ifdef CONFIG_GRKERNSEC
63753 +void task_grsec_rbac(struct seq_file *m, struct task_struct *p);
63754 +void gr_handle_vm86(void);
63755 +void gr_handle_mem_readwrite(u64 from, u64 to);
63756 +
63757 +extern int grsec_enable_dmesg;
63758 +extern int grsec_disable_privio;
63759 +#endif
63760 +
63761 +#endif
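Review bot: The header never states what its return values mean, and the types are mixed even within one family: `gr_acl_handle_open()`, `gr_acl_handle_unlink()` and `gr_acl_handle_chmod()` return `__u32`, while `gr_acl_handle_mmap()`, `gr_acl_handle_mprotect()`, `gr_acl_handle_rename()` and `gr_acl_handle_filldir()` return `int`. A caller that tests the wrong polarity on an access-control hook fails open, so each group of prototypes should carry a comment naming the "deny" value, for example `/* returns 0 when the operation is denied */`, once confirmed against the definitions, which are outside this hunk. Separately, `gr_check_user_change()` and `gr_check_group_change()` take ids as `int` while `gr_check_crash_uid()` and `gr_set_role_label()` use `uid_t`/`gid_t`. If the signed type is there to carry a -1 "unchanged" value, that should be said in a comment as well.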
63762 diff -urNp linux-2.6.39.3/include/linux/grsock.h linux-2.6.39.3/include/linux/grsock.h
63763 --- linux-2.6.39.3/include/linux/grsock.h 1969-12-31 19:00:00.000000000 -0500
63764 +++ linux-2.6.39.3/include/linux/grsock.h 2011-05-22 19:41:42.000000000 -0400
63765 @@ -0,0 +1,19 @@
63766 +#ifndef __GRSOCK_H
63767 +#define __GRSOCK_H
63768 +
63769 +extern void gr_attach_curr_ip(const struct sock *sk);
63770 +extern int gr_handle_sock_all(const int family, const int type,
63771 + const int protocol);
63772 +extern int gr_handle_sock_server(const struct sockaddr *sck);
63773 +extern int gr_handle_sock_server_other(const struct sock *sck);
63774 +extern int gr_handle_sock_client(const struct sockaddr *sck);
63775 +extern int gr_search_connect(struct socket * sock,
63776 + struct sockaddr_in * addr);
63777 +extern int gr_search_bind(struct socket * sock,
63778 + struct sockaddr_in * addr);
63779 +extern int gr_search_listen(struct socket * sock);
63780 +extern int gr_search_accept(struct socket * sock);
63781 +extern int gr_search_socket(const int domain, const int type,
63782 + const int protocol);
63783 +
63784 +#endif
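Review bot: The prototypes name `struct sock`, `struct socket`, `struct sockaddr` and `struct sockaddr_in`, but the header neither includes nor forward-declares them, so it only compiles cleanly when the includer has already pulled in the networking headers. Adding `struct sock; struct socket; struct sockaddr; struct sockaddr_in;` after the guard makes it self-contained. `gr_search_connect()` and `gr_search_bind()` take `struct sockaddr_in *`, which suggests the address checks are IPv4-only. Whether other address families are rejected or passed through is decided outside this hunk and is worth a comment above these two prototypes. The guard `__GRSOCK_H` also uses a reserved-style name where the sibling header uses `GR_SECURITY_H`.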
63785 diff -urNp linux-2.6.39.3/include/linux/highmem.h linux-2.6.39.3/include/linux/highmem.h
63786 --- linux-2.6.39.3/include/linux/highmem.h 2011-05-19 00:06:34.000000000 -0400
63787 +++ linux-2.6.39.3/include/linux/highmem.h 2011-05-22 19:36:33.000000000 -0400
63788 @@ -185,6 +185,18 @@ static inline void clear_highpage(struct
63789 kunmap_atomic(kaddr, KM_USER0);
63790 }
63791
63792 +static inline void sanitize_highpage(struct page *page)
63793 +{
63794 + void *kaddr;
63795 + unsigned long flags;
63796 +
63797 + local_irq_save(flags);
63798 + kaddr = kmap_atomic(page, KM_CLEARPAGE);
63799 + clear_page(kaddr);
63800 + kunmap_atomic(kaddr, KM_CLEARPAGE);
63801 + local_irq_restore(flags);
63802 +}
63803 +
63804 static inline void zero_user_segments(struct page *page,
63805 unsigned start1, unsigned end1,
63806 unsigned start2, unsigned end2)
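Review bot: `sanitize_highpage()` has no comment saying why it exists next to `clear_highpage()` or why it wraps the mapping in `local_irq_save()`/`local_irq_restore()`. A reader needs both facts before changing it. From the hunk, the differences are the `KM_CLEARPAGE` slot instead of `KM_USER0` and the disabled interrupts, presumably so the slot cannot be reused by an interrupt handler while the page is mapped. I would add `/* zero a page through the dedicated KM_CLEARPAGE slot; IRQs stay off so the slot is not reused while mapped */` above the function, after confirming that against the callers, which are outside this hunk.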
63807 diff -urNp linux-2.6.39.3/include/linux/i2o.h linux-2.6.39.3/include/linux/i2o.h
63808 --- linux-2.6.39.3/include/linux/i2o.h 2011-05-19 00:06:34.000000000 -0400
63809 +++ linux-2.6.39.3/include/linux/i2o.h 2011-05-22 19:36:33.000000000 -0400
63810 @@ -564,7 +564,7 @@ struct i2o_controller {
63811 struct i2o_device *exec; /* Executive */
63812 #if BITS_PER_LONG == 64
63813 spinlock_t context_list_lock; /* lock for context_list */
63814 - atomic_t context_list_counter; /* needed for unique contexts */
63815 + atomic_unchecked_t context_list_counter; /* needed for unique contexts */
63816 struct list_head context_list; /* list of context id's
63817 and pointers */
63818 #endif
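Review bot: Moving `context_list_counter` to `atomic_unchecked_t` exempts it from the overflow checking this patch set applies to `atomic_t`, yet its comment still says only "needed for unique contexts". If a wrapped counter can hand out a context id that is still on `context_list`, uniqueness is lost silently. The code that consumes the counter is outside this hunk, so that needs checking there. Whichever way it turns out, the field comment should say so, e.g. `/* id source, may wrap; not a reference count */`.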
63819 diff -urNp linux-2.6.39.3/include/linux/if_phonet.h linux-2.6.39.3/include/linux/if_phonet.h
63820 --- linux-2.6.39.3/include/linux/if_phonet.h 2011-05-19 00:06:34.000000000 -0400
63821 +++ linux-2.6.39.3/include/linux/if_phonet.h 2011-05-22 19:36:33.000000000 -0400
63822 @@ -13,7 +13,7 @@
63823 #define PHONET_DEV_MTU PHONET_MAX_MTU
63824
63825 #ifdef __KERNEL__
63826 -extern struct header_ops phonet_header_ops;
63827 +extern const struct header_ops phonet_header_ops;
63828 #endif
63829
63830 #endif
63831 diff -urNp linux-2.6.39.3/include/linux/init.h linux-2.6.39.3/include/linux/init.h
63832 --- linux-2.6.39.3/include/linux/init.h 2011-05-19 00:06:34.000000000 -0400
63833 +++ linux-2.6.39.3/include/linux/init.h 2011-05-22 19:36:33.000000000 -0400
63834 @@ -293,13 +293,13 @@ void __init parse_early_options(char *cm
63835
63836 /* Each module must use one module_init(). */
63837 #define module_init(initfn) \
63838 - static inline initcall_t __inittest(void) \
63839 + static inline __used initcall_t __inittest(void) \
63840 { return initfn; } \
63841 int init_module(void) __attribute__((alias(#initfn)));
63842
63843 /* This is only required if you want to be unloadable. */
63844 #define module_exit(exitfn) \
63845 - static inline exitcall_t __exittest(void) \
63846 + static inline __used exitcall_t __exittest(void) \
63847 { return exitfn; } \
63848 void cleanup_module(void) __attribute__((alias(#exitfn)));
63849
63850 diff -urNp linux-2.6.39.3/include/linux/init_task.h linux-2.6.39.3/include/linux/init_task.h
63851 --- linux-2.6.39.3/include/linux/init_task.h 2011-05-19 00:06:34.000000000 -0400
63852 +++ linux-2.6.39.3/include/linux/init_task.h 2011-05-22 19:36:33.000000000 -0400
63853 @@ -83,6 +83,12 @@ extern struct group_info init_groups;
63854 #define INIT_IDS
63855 #endif
63856
63857 +#ifdef CONFIG_X86
63858 +#define INIT_TASK_THREAD_INFO .tinfo = INIT_THREAD_INFO,
63859 +#else
63860 +#define INIT_TASK_THREAD_INFO
63861 +#endif
63862 +
63863 /*
63864 * Because of the reduced scope of CAP_SETPCAP when filesystem
63865 * capabilities are in effect, it is safe to allow CAP_SETPCAP to
63866 @@ -163,6 +169,7 @@ extern struct cred init_cred;
63867 RCU_INIT_POINTER(.cred, &init_cred), \
63868 .comm = "swapper", \
63869 .thread = INIT_THREAD, \
63870 + INIT_TASK_THREAD_INFO \
63871 .fs = &init_fs, \
63872 .files = &init_files, \
63873 .signal = &init_signals, \
63874 diff -urNp linux-2.6.39.3/include/linux/interrupt.h linux-2.6.39.3/include/linux/interrupt.h
63875 --- linux-2.6.39.3/include/linux/interrupt.h 2011-05-19 00:06:34.000000000 -0400
63876 +++ linux-2.6.39.3/include/linux/interrupt.h 2011-05-22 19:36:33.000000000 -0400
63877 @@ -422,7 +422,7 @@ enum
63878 /* map softirq index to softirq name. update 'softirq_to_name' in
63879 * kernel/softirq.c when adding a new softirq.
63880 */
63881 -extern char *softirq_to_name[NR_SOFTIRQS];
63882 +extern const char * const softirq_to_name[NR_SOFTIRQS];
63883
63884 /* softirq mask and active fields moved to irq_cpustat_t in
63885 * asm/hardirq.h to get better cache usage. KAO
63886 @@ -430,12 +430,12 @@ extern char *softirq_to_name[NR_SOFTIRQS
63887
63888 struct softirq_action
63889 {
63890 - void (*action)(struct softirq_action *);
63891 + void (*action)(void);
63892 };
63893
63894 asmlinkage void do_softirq(void);
63895 asmlinkage void __do_softirq(void);
63896 -extern void open_softirq(int nr, void (*action)(struct softirq_action *));
63897 +extern void open_softirq(int nr, void (*action)(void));
63898 extern void softirq_init(void);
63899 static inline void __raise_softirq_irqoff(unsigned int nr)
63900 {
63901 diff -urNp linux-2.6.39.3/include/linux/iommu.h linux-2.6.39.3/include/linux/iommu.h
63902 --- linux-2.6.39.3/include/linux/iommu.h 2011-05-19 00:06:34.000000000 -0400
63903 +++ linux-2.6.39.3/include/linux/iommu.h 2011-05-22 19:36:33.000000000 -0400
63904 @@ -49,7 +49,7 @@ struct iommu_ops {
63905
63906 #ifdef CONFIG_IOMMU_API
63907
63908 -extern void register_iommu(struct iommu_ops *ops);
63909 +extern void register_iommu(const struct iommu_ops *ops);
63910 extern bool iommu_found(void);
63911 extern struct iommu_domain *iommu_domain_alloc(void);
63912 extern void iommu_domain_free(struct iommu_domain *domain);
63913 diff -urNp linux-2.6.39.3/include/linux/ipmi.h linux-2.6.39.3/include/linux/ipmi.h
63914 --- linux-2.6.39.3/include/linux/ipmi.h 2011-05-19 00:06:34.000000000 -0400
63915 +++ linux-2.6.39.3/include/linux/ipmi.h 2011-05-22 19:36:33.000000000 -0400
63916 @@ -282,7 +282,7 @@ struct ipmi_user_hndl {
63917
63918 /* Create a new user of the IPMI layer on the given interface number. */
63919 int ipmi_create_user(unsigned int if_num,
63920 - struct ipmi_user_hndl *handler,
63921 + const struct ipmi_user_hndl *handler,
63922 void *handler_data,
63923 ipmi_user_t *user);
63924
63925 diff -urNp linux-2.6.39.3/include/linux/kallsyms.h linux-2.6.39.3/include/linux/kallsyms.h
63926 --- linux-2.6.39.3/include/linux/kallsyms.h 2011-05-19 00:06:34.000000000 -0400
63927 +++ linux-2.6.39.3/include/linux/kallsyms.h 2011-05-22 22:52:54.000000000 -0400
63928 @@ -15,7 +15,8 @@
63929
63930 struct module;
63931
63932 -#ifdef CONFIG_KALLSYMS
63933 +#if !defined(__INCLUDED_BY_HIDESYM) || !defined(CONFIG_KALLSYMS)
63934 +#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
63935 /* Lookup the address for a symbol. Returns 0 if not found. */
63936 unsigned long kallsyms_lookup_name(const char *name);
63937
63938 @@ -99,6 +100,16 @@ static inline int lookup_symbol_attrs(un
63939 /* Stupid that this does nothing, but I didn't create this mess. */
63940 #define __print_symbol(fmt, addr)
63941 #endif /*CONFIG_KALLSYMS*/
63942 +#else /* when included by kallsyms.c, vsnprintf.c, or
63943 + arch/x86/kernel/dumpstack.c, with HIDESYM enabled */
63944 +extern void __print_symbol(const char *fmt, unsigned long address);
63945 +extern int sprint_backtrace(char *buffer, unsigned long address);
63946 +extern int sprint_symbol(char *buffer, unsigned long address);
63947 +const char *kallsyms_lookup(unsigned long addr,
63948 + unsigned long *symbolsize,
63949 + unsigned long *offset,
63950 + char **modname, char *namebuf);
63951 +#endif
63952
63953 /* This macro allows us to keep printk typechecking */
63954 static void __check_printsym_format(const char *fmt, ...)
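Review bot: The existing `#endif /*CONFIG_KALLSYMS*/` now closes the inner `#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)` added in the previous hunk, and the new final `#endif` carries no label, so the nesting is easy to misread. I would relabel them as `#endif /* CONFIG_KALLSYMS && !CONFIG_GRKERNSEC_HIDESYM */` and `#endif /* !__INCLUDED_BY_HIDESYM || !CONFIG_KALLSYMS */`. The real lookup prototypes are reached only when the includer defines `__INCLUDED_BY_HIDESYM`. The comment names the three intended files, but nothing in the header enforces that list, so it should also say that any new definition of the macro needs review. The stub branch selected for all other includers lies in unchanged code between the two hunks.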
63955 diff -urNp linux-2.6.39.3/include/linux/kgdb.h linux-2.6.39.3/include/linux/kgdb.h
63956 --- linux-2.6.39.3/include/linux/kgdb.h 2011-05-19 00:06:34.000000000 -0400
63957 +++ linux-2.6.39.3/include/linux/kgdb.h 2011-05-22 19:36:33.000000000 -0400
63958 @@ -53,7 +53,7 @@ extern int kgdb_connected;
63959 extern int kgdb_io_module_registered;
63960
63961 extern atomic_t kgdb_setting_breakpoint;
63962 -extern atomic_t kgdb_cpu_doing_single_step;
63963 +extern atomic_unchecked_t kgdb_cpu_doing_single_step;
63964
63965 extern struct task_struct *kgdb_usethread;
63966 extern struct task_struct *kgdb_contthread;
63967 @@ -269,22 +269,22 @@ struct kgdb_arch {
63968 */
63969 struct kgdb_io {
63970 const char *name;
63971 - int (*read_char) (void);
63972 - void (*write_char) (u8);
63973 - void (*flush) (void);
63974 - int (*init) (void);
63975 - void (*pre_exception) (void);
63976 - void (*post_exception) (void);
63977 + int (* const read_char) (void);
63978 + void (* const write_char) (u8);
63979 + void (* const flush) (void);
63980 + int (* const init) (void);
63981 + void (* const pre_exception) (void);
63982 + void (* const post_exception) (void);
63983 int is_console;
63984 };
63985
63986 -extern struct kgdb_arch arch_kgdb_ops;
63987 +extern const struct kgdb_arch arch_kgdb_ops;
63988
63989 extern unsigned long __weak kgdb_arch_pc(int exception, struct pt_regs *regs);
63990
63991 -extern int kgdb_register_io_module(struct kgdb_io *local_kgdb_io_ops);
63992 -extern void kgdb_unregister_io_module(struct kgdb_io *local_kgdb_io_ops);
63993 -extern struct kgdb_io *dbg_io_ops;
63994 +extern int kgdb_register_io_module(const struct kgdb_io *local_kgdb_io_ops);
63995 +extern void kgdb_unregister_io_module(const struct kgdb_io *local_kgdb_io_ops);
63996 +extern const struct kgdb_io *dbg_io_ops;
63997
63998 extern int kgdb_hex2long(char **ptr, unsigned long *long_val);
63999 extern char *kgdb_mem2hex(char *mem, char *buf, int count);
64000 diff -urNp linux-2.6.39.3/include/linux/kmod.h linux-2.6.39.3/include/linux/kmod.h
64001 --- linux-2.6.39.3/include/linux/kmod.h 2011-05-19 00:06:34.000000000 -0400
64002 +++ linux-2.6.39.3/include/linux/kmod.h 2011-05-22 19:41:42.000000000 -0400
64003 @@ -33,6 +33,8 @@ extern char modprobe_path[]; /* for sysc
64004 * usually useless though. */
64005 extern int __request_module(bool wait, const char *name, ...) \
64006 __attribute__((format(printf, 2, 3)));
64007 +extern int ___request_module(bool wait, char *param_name, const char *name, ...) \
64008 + __attribute__((format(printf, 3, 4)));
64009 #define request_module(mod...) __request_module(true, mod)
64010 #define request_module_nowait(mod...) __request_module(false, mod)
64011 #define try_then_request_module(x, mod...) \
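Review bot: `___request_module()` differs from `__request_module()` by a single underscore and has no comment saying what `param_name` carries, so the two are easy to confuse at call sites. I would add a one-line comment above the prototype describing the extra argument. Unless the definition, which is outside this hunk, writes through the pointer, I would also declare it as `const char *param_name`. The `format(printf, 3, 4)` indices match the shifted argument list.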
64012 diff -urNp linux-2.6.39.3/include/linux/kvm_host.h linux-2.6.39.3/include/linux/kvm_host.h
64013 --- linux-2.6.39.3/include/linux/kvm_host.h 2011-05-19 00:06:34.000000000 -0400
64014 +++ linux-2.6.39.3/include/linux/kvm_host.h 2011-05-22 19:36:33.000000000 -0400
64015 @@ -302,7 +302,7 @@ void kvm_vcpu_uninit(struct kvm_vcpu *vc
64016 void vcpu_load(struct kvm_vcpu *vcpu);
64017 void vcpu_put(struct kvm_vcpu *vcpu);
64018
64019 -int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align,
64020 +int kvm_init(const void *opaque, unsigned vcpu_size, unsigned vcpu_align,
64021 struct module *module);
64022 void kvm_exit(void);
64023
64024 @@ -442,7 +442,7 @@ int kvm_arch_vcpu_ioctl_set_guest_debug(
64025 struct kvm_guest_debug *dbg);
64026 int kvm_arch_vcpu_ioctl_run(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run);
64027
64028 -int kvm_arch_init(void *opaque);
64029 +int kvm_arch_init(const void *opaque);
64030 void kvm_arch_exit(void);
64031
64032 int kvm_arch_vcpu_init(struct kvm_vcpu *vcpu);
64033 diff -urNp linux-2.6.39.3/include/linux/lapb.h linux-2.6.39.3/include/linux/lapb.h
64034 --- linux-2.6.39.3/include/linux/lapb.h 2011-05-19 00:06:34.000000000 -0400
64035 +++ linux-2.6.39.3/include/linux/lapb.h 2011-05-22 19:36:33.000000000 -0400
64036 @@ -44,7 +44,7 @@ struct lapb_parms_struct {
64037 unsigned int mode;
64038 };
64039
64040 -extern int lapb_register(struct net_device *dev, struct lapb_register_struct *callbacks);
64041 +extern int lapb_register(struct net_device *dev, const struct lapb_register_struct *callbacks);
64042 extern int lapb_unregister(struct net_device *dev);
64043 extern int lapb_getparms(struct net_device *dev, struct lapb_parms_struct *parms);
64044 extern int lapb_setparms(struct net_device *dev, struct lapb_parms_struct *parms);
64045 diff -urNp linux-2.6.39.3/include/linux/lcd.h linux-2.6.39.3/include/linux/lcd.h
64046 --- linux-2.6.39.3/include/linux/lcd.h 2011-05-19 00:06:34.000000000 -0400
64047 +++ linux-2.6.39.3/include/linux/lcd.h 2011-05-22 19:36:33.000000000 -0400
64048 @@ -60,7 +60,7 @@ struct lcd_device {
64049 points to something in the body of that driver, it is also invalid. */
64050 struct mutex ops_lock;
64051 /* If this is NULL, the backing module is unloaded */
64052 - struct lcd_ops *ops;
64053 + const struct lcd_ops *ops;
64054 /* Serialise access to set_power method */
64055 struct mutex update_lock;
64056 /* The framebuffer notifier block */
64057 @@ -101,7 +101,7 @@ static inline void lcd_set_power(struct
64058 }
64059
64060 extern struct lcd_device *lcd_device_register(const char *name,
64061 - struct device *parent, void *devdata, struct lcd_ops *ops);
64062 + struct device *parent, void *devdata, const struct lcd_ops *ops);
64063 extern void lcd_device_unregister(struct lcd_device *ld);
64064
64065 #define to_lcd_device(obj) container_of(obj, struct lcd_device, dev)
64066 diff -urNp linux-2.6.39.3/include/linux/libata.h linux-2.6.39.3/include/linux/libata.h
64067 --- linux-2.6.39.3/include/linux/libata.h 2011-05-19 00:06:34.000000000 -0400
64068 +++ linux-2.6.39.3/include/linux/libata.h 2011-05-22 19:36:33.000000000 -0400
64069 @@ -524,11 +524,11 @@ struct ata_ioports {
64070
64071 struct ata_host {
64072 spinlock_t lock;
64073 - struct device *dev;
64074 + struct device *dev;
64075 void __iomem * const *iomap;
64076 unsigned int n_ports;
64077 void *private_data;
64078 - struct ata_port_operations *ops;
64079 + const struct ata_port_operations *ops;
64080 unsigned long flags;
64081
64082 struct mutex eh_mutex;
64083 @@ -719,7 +719,7 @@ struct ata_link {
64084
64085 struct ata_port {
64086 struct Scsi_Host *scsi_host; /* our co-allocated scsi host */
64087 - struct ata_port_operations *ops;
64088 + const struct ata_port_operations *ops;
64089 spinlock_t *lock;
64090 /* Flags owned by the EH context. Only EH should touch these once the
64091 port is active */
64092 @@ -907,7 +907,7 @@ struct ata_port_info {
64093 unsigned long pio_mask;
64094 unsigned long mwdma_mask;
64095 unsigned long udma_mask;
64096 - struct ata_port_operations *port_ops;
64097 + const struct ata_port_operations *port_ops;
64098 void *private_data;
64099 };
64100
64101 @@ -931,7 +931,7 @@ extern const unsigned long sata_deb_timi
64102 extern const unsigned long sata_deb_timing_hotplug[];
64103 extern const unsigned long sata_deb_timing_long[];
64104
64105 -extern struct ata_port_operations ata_dummy_port_ops;
64106 +extern const struct ata_port_operations ata_dummy_port_ops;
64107 extern const struct ata_port_info ata_dummy_port_info;
64108
64109 static inline const unsigned long *
64110 @@ -977,7 +977,7 @@ extern int ata_host_activate(struct ata_
64111 struct scsi_host_template *sht);
64112 extern void ata_host_detach(struct ata_host *host);
64113 extern void ata_host_init(struct ata_host *, struct device *,
64114 - unsigned long, struct ata_port_operations *);
64115 + unsigned long, const struct ata_port_operations *);
64116 extern int ata_scsi_detect(struct scsi_host_template *sht);
64117 extern int ata_scsi_ioctl(struct scsi_device *dev, int cmd, void __user *arg);
64118 extern int ata_scsi_queuecmd(struct Scsi_Host *h, struct scsi_cmnd *cmd);
64119 diff -urNp linux-2.6.39.3/include/linux/lockd/bind.h linux-2.6.39.3/include/linux/lockd/bind.h
64120 --- linux-2.6.39.3/include/linux/lockd/bind.h 2011-05-19 00:06:34.000000000 -0400
64121 +++ linux-2.6.39.3/include/linux/lockd/bind.h 2011-05-22 19:36:33.000000000 -0400
64122 @@ -23,13 +23,13 @@ struct svc_rqst;
64123 * This is the set of functions for lockd->nfsd communication
64124 */
64125 struct nlmsvc_binding {
64126 - __be32 (*fopen)(struct svc_rqst *,
64127 + __be32 (* const fopen)(struct svc_rqst *,
64128 struct nfs_fh *,
64129 struct file **);
64130 - void (*fclose)(struct file *);
64131 + void (* const fclose)(struct file *);
64132 };
64133
64134 -extern struct nlmsvc_binding * nlmsvc_ops;
64135 +extern const struct nlmsvc_binding * nlmsvc_ops;
64136
64137 /*
64138 * Similar to nfs_client_initdata, but without the NFS-specific
64139 diff -urNp linux-2.6.39.3/include/linux/mfd/abx500.h linux-2.6.39.3/include/linux/mfd/abx500.h
64140 --- linux-2.6.39.3/include/linux/mfd/abx500.h 2011-05-19 00:06:34.000000000 -0400
64141 +++ linux-2.6.39.3/include/linux/mfd/abx500.h 2011-05-22 19:36:33.000000000 -0400
64142 @@ -227,6 +227,6 @@ struct abx500_ops {
64143 int (*startup_irq_enabled) (struct device *, unsigned int);
64144 };
64145
64146 -int abx500_register_ops(struct device *core_dev, struct abx500_ops *ops);
64147 +int abx500_register_ops(struct device *core_dev, const struct abx500_ops *ops);
64148 void abx500_remove_ops(struct device *dev);
64149 #endif
64150 diff -urNp linux-2.6.39.3/include/linux/mm.h linux-2.6.39.3/include/linux/mm.h
64151 --- linux-2.6.39.3/include/linux/mm.h 2011-05-19 00:06:34.000000000 -0400
64152 +++ linux-2.6.39.3/include/linux/mm.h 2011-05-22 19:36:33.000000000 -0400
64153 @@ -113,7 +113,14 @@ extern unsigned int kobjsize(const void
64154
64155 #define VM_CAN_NONLINEAR 0x08000000 /* Has ->fault & does nonlinear pages */
64156 #define VM_MIXEDMAP 0x10000000 /* Can contain "struct page" and pure PFN pages */
64157 +
64158 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
64159 +#define VM_SAO 0x00000000 /* Strong Access Ordering (powerpc) */
64160 +#define VM_PAGEEXEC 0x20000000 /* vma->vm_page_prot needs special handling */
64161 +#else
64162 #define VM_SAO 0x20000000 /* Strong Access Ordering (powerpc) */
64163 +#endif
64164 +
64165 #define VM_PFN_AT_MMAP 0x40000000 /* PFNMAP vma that is fully mapped at mmap time */
64166 #define VM_MERGEABLE 0x80000000 /* KSM may merge identical pages */
64167
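Review bot: Nothing at the definition says that `VM_PAGEEXEC` takes over the 0x20000000 bit from `VM_SAO` when CONFIG_PAX_PAGEEXEC and CONFIG_X86_32 are both set. With `VM_SAO` defined as 0 in that branch, every `vm_flags & VM_SAO` test is constant false and `|= VM_SAO` is a no-op, which is presumably acceptable only because the flag is powerpc-specific. A later flag that claims 0x20000000 would collide with the PAGEEXEC handling without any warning. I would add a comment above the `#if`, for example `/* PaX: VM_PAGEEXEC reuses the VM_SAO bit on x86-32, where VM_SAO is never set */`.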
64168 @@ -1010,34 +1017,6 @@ int set_page_dirty(struct page *page);
64169 int set_page_dirty_lock(struct page *page);
64170 int clear_page_dirty_for_io(struct page *page);
64171
64172 -/* Is the vma a continuation of the stack vma above it? */
64173 -static inline int vma_growsdown(struct vm_area_struct *vma, unsigned long addr)
64174 -{
64175 - return vma && (vma->vm_end == addr) && (vma->vm_flags & VM_GROWSDOWN);
64176 -}
64177 -
64178 -static inline int stack_guard_page_start(struct vm_area_struct *vma,
64179 - unsigned long addr)
64180 -{
64181 - return (vma->vm_flags & VM_GROWSDOWN) &&
64182 - (vma->vm_start == addr) &&
64183 - !vma_growsdown(vma->vm_prev, addr);
64184 -}
64185 -
64186 -/* Is the vma a continuation of the stack vma below it? */
64187 -static inline int vma_growsup(struct vm_area_struct *vma, unsigned long addr)
64188 -{
64189 - return vma && (vma->vm_start == addr) && (vma->vm_flags & VM_GROWSUP);
64190 -}
64191 -
64192 -static inline int stack_guard_page_end(struct vm_area_struct *vma,
64193 - unsigned long addr)
64194 -{
64195 - return (vma->vm_flags & VM_GROWSUP) &&
64196 - (vma->vm_end == addr) &&
64197 - !vma_growsup(vma->vm_next, addr);
64198 -}
64199 -
64200 extern unsigned long move_page_tables(struct vm_area_struct *vma,
64201 unsigned long old_addr, struct vm_area_struct *new_vma,
64202 unsigned long new_addr, unsigned long len);
64203 @@ -1189,6 +1168,15 @@ struct shrinker {
64204 extern void register_shrinker(struct shrinker *);
64205 extern void unregister_shrinker(struct shrinker *);
64206
64207 +#ifdef CONFIG_MMU
64208 +pgprot_t vm_get_page_prot(unsigned long vm_flags);
64209 +#else
64210 +static inline pgprot_t vm_get_page_prot(unsigned long vm_flags)
64211 +{
64212 + return __pgprot(0);
64213 +}
64214 +#endif
64215 +
64216 int vma_wants_writenotify(struct vm_area_struct *vma);
64217
64218 extern pte_t *__get_locked_pte(struct mm_struct *mm, unsigned long addr,
64219 @@ -1476,6 +1464,7 @@ out:
64220 }
64221
64222 extern int do_munmap(struct mm_struct *, unsigned long, size_t);
64223 +extern int __do_munmap(struct mm_struct *, unsigned long, size_t);
64224
64225 extern unsigned long do_brk(unsigned long, unsigned long);
64226
64227 @@ -1532,6 +1521,10 @@ extern struct vm_area_struct * find_vma(
64228 extern struct vm_area_struct * find_vma_prev(struct mm_struct * mm, unsigned long addr,
64229 struct vm_area_struct **pprev);
64230
64231 +extern struct vm_area_struct *pax_find_mirror_vma(struct vm_area_struct *vma);
64232 +extern __must_check long pax_mirror_vma(struct vm_area_struct *vma_m, struct vm_area_struct *vma);
64233 +extern void pax_mirror_file_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl);
64234 +
64235 /* Look up the first VMA which intersects the interval start_addr..end_addr-1,
64236 NULL if none. Assume start_addr < end_addr. */
64237 static inline struct vm_area_struct * find_vma_intersection(struct mm_struct * mm, unsigned long start_addr, unsigned long end_addr)
64238 @@ -1548,15 +1541,6 @@ static inline unsigned long vma_pages(st
64239 return (vma->vm_end - vma->vm_start) >> PAGE_SHIFT;
64240 }
64241
64242 -#ifdef CONFIG_MMU
64243 -pgprot_t vm_get_page_prot(unsigned long vm_flags);
64244 -#else
64245 -static inline pgprot_t vm_get_page_prot(unsigned long vm_flags)
64246 -{
64247 - return __pgprot(0);
64248 -}
64249 -#endif
64250 -
64251 struct vm_area_struct *find_extend_vma(struct mm_struct *, unsigned long addr);
64252 int remap_pfn_range(struct vm_area_struct *, unsigned long addr,
64253 unsigned long pfn, unsigned long size, pgprot_t);
64254 @@ -1668,7 +1652,7 @@ extern int unpoison_memory(unsigned long
64255 extern int sysctl_memory_failure_early_kill;
64256 extern int sysctl_memory_failure_recovery;
64257 extern void shake_page(struct page *p, int access);
64258 -extern atomic_long_t mce_bad_pages;
64259 +extern atomic_long_unchecked_t mce_bad_pages;
64260 extern int soft_offline_page(struct page *page, int flags);
64261
64262 extern void dump_page(struct page *page);
64263 @@ -1682,5 +1666,11 @@ extern void copy_user_huge_page(struct p
64264 unsigned int pages_per_huge_page);
64265 #endif /* CONFIG_TRANSPARENT_HUGEPAGE || CONFIG_HUGETLBFS */
64266
64267 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
64268 +extern void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot);
64269 +#else
64270 +static inline void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot) {}
64271 +#endif
64272 +
64273 #endif /* __KERNEL__ */
64274 #endif /* _LINUX_MM_H */
64275 diff -urNp linux-2.6.39.3/include/linux/mm_types.h linux-2.6.39.3/include/linux/mm_types.h
64276 --- linux-2.6.39.3/include/linux/mm_types.h 2011-05-19 00:06:34.000000000 -0400
64277 +++ linux-2.6.39.3/include/linux/mm_types.h 2011-05-22 19:36:33.000000000 -0400
64278 @@ -183,6 +183,8 @@ struct vm_area_struct {
64279 #ifdef CONFIG_NUMA
64280 struct mempolicy *vm_policy; /* NUMA policy for the VMA */
64281 #endif
64282 +
64283 + struct vm_area_struct *vm_mirror;/* PaX: mirror vma or NULL */
64284 };
64285
64286 struct core_thread {
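Review bot: `vm_mirror` is added to `struct vm_area_struct` with no config guard, while the PaX fields added to `struct mm_struct` in the next hunk are each wrapped in `#if`/`#ifdef`. If mirroring is only used by one PaX option (presumably CONFIG_PAX_SEGMEXEC, not visible here), every other build pays for an extra pointer per vma. Either guard the field the same way or say in the comment why it must always be present. The comment should also name who sets and clears the pointer, e.g. `/* PaX: mirror vma or NULL; must be reset whenever a vma is copied or split */`, to be confirmed against the mm code.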
64287 @@ -317,6 +319,24 @@ struct mm_struct {
64288 #ifdef CONFIG_TRANSPARENT_HUGEPAGE
64289 pgtable_t pmd_huge_pte; /* protected by page_table_lock */
64290 #endif
64291 +
64292 +#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS) || defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
64293 + unsigned long pax_flags;
64294 +#endif
64295 +
64296 +#ifdef CONFIG_PAX_DLRESOLVE
64297 + unsigned long call_dl_resolve;
64298 +#endif
64299 +
64300 +#if defined(CONFIG_PPC32) && defined(CONFIG_PAX_EMUSIGRT)
64301 + unsigned long call_syscall;
64302 +#endif
64303 +
64304 +#ifdef CONFIG_PAX_ASLR
64305 + unsigned long delta_mmap; /* randomized offset */
64306 + unsigned long delta_stack; /* randomized offset */
64307 +#endif
64308 +
64309 };
64310
64311 /* Future-safe accessor for struct mm_struct's cpu_vm_mask. */
64312 diff -urNp linux-2.6.39.3/include/linux/mmu_notifier.h linux-2.6.39.3/include/linux/mmu_notifier.h
64313 --- linux-2.6.39.3/include/linux/mmu_notifier.h 2011-05-19 00:06:34.000000000 -0400
64314 +++ linux-2.6.39.3/include/linux/mmu_notifier.h 2011-05-22 19:36:33.000000000 -0400
64315 @@ -255,12 +255,12 @@ static inline void mmu_notifier_mm_destr
64316 */
64317 #define ptep_clear_flush_notify(__vma, __address, __ptep) \
64318 ({ \
64319 - pte_t __pte; \
64320 + pte_t ___pte; \
64321 struct vm_area_struct *___vma = __vma; \
64322 unsigned long ___address = __address; \
64323 - __pte = ptep_clear_flush(___vma, ___address, __ptep); \
64324 + ___pte = ptep_clear_flush(___vma, ___address, __ptep); \
64325 mmu_notifier_invalidate_page(___vma->vm_mm, ___address); \
64326 - __pte; \
64327 + ___pte; \
64328 })
64329
64330 #define pmdp_clear_flush_notify(__vma, __address, __pmdp) \
64331 diff -urNp linux-2.6.39.3/include/linux/mmzone.h linux-2.6.39.3/include/linux/mmzone.h
64332 --- linux-2.6.39.3/include/linux/mmzone.h 2011-05-19 00:06:34.000000000 -0400
64333 +++ linux-2.6.39.3/include/linux/mmzone.h 2011-05-22 19:36:33.000000000 -0400
64334 @@ -355,7 +355,7 @@ struct zone {
64335 unsigned long flags; /* zone flags, see below */
64336
64337 /* Zone statistics */
64338 - atomic_long_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
64339 + atomic_long_unchecked_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
64340
64341 /*
64342 * The target ratio of ACTIVE_ANON to INACTIVE_ANON pages on
64343 diff -urNp linux-2.6.39.3/include/linux/mod_devicetable.h linux-2.6.39.3/include/linux/mod_devicetable.h
64344 --- linux-2.6.39.3/include/linux/mod_devicetable.h 2011-05-19 00:06:34.000000000 -0400
64345 +++ linux-2.6.39.3/include/linux/mod_devicetable.h 2011-05-22 19:36:33.000000000 -0400
64346 @@ -12,7 +12,7 @@
64347 typedef unsigned long kernel_ulong_t;
64348 #endif
64349
64350 -#define PCI_ANY_ID (~0)
64351 +#define PCI_ANY_ID ((__u16)~0)
64352
64353 struct pci_device_id {
64354 __u32 vendor, device; /* Vendor and device ID or PCI_ANY_ID*/
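Review bot: `PCI_ANY_ID` is narrowed to 0xFFFF, but the `vendor` and `device` fields of `struct pci_device_id` just below are still `__u32`, so the wildcard stored in an ID table changes from 0xFFFFFFFF to 0x0000FFFF. Comparisons written against the macro stay consistent, but anything built with the old value or comparing a field with a literal `~0` (out-of-tree modules, tools that read the device tables) would no longer see a wildcard; that should be checked before relying on the new constant. The define needs a comment recording the stored value, e.g. `/* 0xFFFF; zero-extended when stored in the __u32 fields of struct pci_device_id */`. The `HID_ANY_ID` hunk further down keeps all 32 bits and only changes signedness, so the two wildcards now differ in width.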
64355 @@ -131,7 +131,7 @@ struct usb_device_id {
64356 #define USB_DEVICE_ID_MATCH_INT_SUBCLASS 0x0100
64357 #define USB_DEVICE_ID_MATCH_INT_PROTOCOL 0x0200
64358
64359 -#define HID_ANY_ID (~0)
64360 +#define HID_ANY_ID (~0U)
64361
64362 struct hid_device_id {
64363 __u16 bus;
64364 diff -urNp linux-2.6.39.3/include/linux/module.h linux-2.6.39.3/include/linux/module.h
64365 --- linux-2.6.39.3/include/linux/module.h 2011-05-19 00:06:34.000000000 -0400
64366 +++ linux-2.6.39.3/include/linux/module.h 2011-05-22 19:36:33.000000000 -0400
64367 @@ -324,19 +324,16 @@ struct module
64368 int (*init)(void);
64369
64370 /* If this is non-NULL, vfree after init() returns */
64371 - void *module_init;
64372 + void *module_init_rx, *module_init_rw;
64373
64374 /* Here is the actual code + data, vfree'd on unload. */
64375 - void *module_core;
64376 + void *module_core_rx, *module_core_rw;
64377
64378 /* Here are the sizes of the init and core sections */
64379 - unsigned int init_size, core_size;
64380 + unsigned int init_size_rw, core_size_rw;
64381
64382 /* The size of the executable code in each section. */
64383 - unsigned int init_text_size, core_text_size;
64384 -
64385 - /* Size of RO sections of the module (text+rodata) */
64386 - unsigned int init_ro_size, core_ro_size;
64387 + unsigned int init_size_rx, core_size_rx;
64388
64389 /* Arch-specific module values */
64390 struct mod_arch_specific arch;
64391 @@ -441,16 +438,46 @@ bool is_module_address(unsigned long add
64392 bool is_module_percpu_address(unsigned long addr);
64393 bool is_module_text_address(unsigned long addr);
64394
64395 +static inline int within_module_range(unsigned long addr, void *start, unsigned long size)
64396 +{
64397 +
64398 +#ifdef CONFIG_PAX_KERNEXEC
64399 + if (ktla_ktva(addr) >= (unsigned long)start &&
64400 + ktla_ktva(addr) < (unsigned long)start + size)
64401 + return 1;
64402 +#endif
64403 +
64404 + return ((void *)addr >= start && (void *)addr < start + size);
64405 +}
64406 +
64407 +static inline int within_module_core_rx(unsigned long addr, struct module *mod)
64408 +{
64409 + return within_module_range(addr, mod->module_core_rx, mod->core_size_rx);
64410 +}
64411 +
64412 +static inline int within_module_core_rw(unsigned long addr, struct module *mod)
64413 +{
64414 + return within_module_range(addr, mod->module_core_rw, mod->core_size_rw);
64415 +}
64416 +
64417 +static inline int within_module_init_rx(unsigned long addr, struct module *mod)
64418 +{
64419 + return within_module_range(addr, mod->module_init_rx, mod->init_size_rx);
64420 +}
64421 +
64422 +static inline int within_module_init_rw(unsigned long addr, struct module *mod)
64423 +{
64424 + return within_module_range(addr, mod->module_init_rw, mod->init_size_rw);
64425 +}
64426 +
64427 static inline int within_module_core(unsigned long addr, struct module *mod)
64428 {
64429 - return (unsigned long)mod->module_core <= addr &&
64430 - addr < (unsigned long)mod->module_core + mod->core_size;
64431 + return within_module_core_rx(addr, mod) || within_module_core_rw(addr, mod);
64432 }
64433
64434 static inline int within_module_init(unsigned long addr, struct module *mod)
64435 {
64436 - return (unsigned long)mod->module_init <= addr &&
64437 - addr < (unsigned long)mod->module_init + mod->init_size;
64438 + return within_module_init_rx(addr, mod) || within_module_init_rw(addr, mod);
64439 }
64440
64441 /* Search for module by name: must hold module_mutex. */
64442 diff -urNp linux-2.6.39.3/include/linux/moduleloader.h linux-2.6.39.3/include/linux/moduleloader.h
64443 --- linux-2.6.39.3/include/linux/moduleloader.h 2011-05-19 00:06:34.000000000 -0400
64444 +++ linux-2.6.39.3/include/linux/moduleloader.h 2011-05-22 19:36:33.000000000 -0400
64445 @@ -20,9 +20,21 @@ unsigned int arch_mod_section_prepend(st
64446 sections. Returns NULL on failure. */
64447 void *module_alloc(unsigned long size);
64448
64449 +#ifdef CONFIG_PAX_KERNEXEC
64450 +void *module_alloc_exec(unsigned long size);
64451 +#else
64452 +#define module_alloc_exec(x) module_alloc(x)
64453 +#endif
64454 +
64455 /* Free memory returned from module_alloc. */
64456 void module_free(struct module *mod, void *module_region);
64457
64458 +#ifdef CONFIG_PAX_KERNEXEC
64459 +void module_free_exec(struct module *mod, void *module_region);
64460 +#else
64461 +#define module_free_exec(x, y) module_free((x), (y))
64462 +#endif
64463 +
64464 /* Apply the given relocation to the (simplified) ELF. Return -error
64465 or 0. */
64466 int apply_relocate(Elf_Shdr *sechdrs,
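Review bot: `module_alloc_exec` and `module_free_exec` are added without the one-line comments that `module_alloc` and `module_free` carry, and the pairing rule is not written down. Without CONFIG_PAX_KERNEXEC both names are macros for the plain functions, so code that frees a `module_alloc_exec` region with `module_free` compiles and works there and would only misbehave on a KERNEXEC build. I would add `/* Allocate memory for module code; release only with module_free_exec(). */` and `/* Free memory returned from module_alloc_exec. */` above the two `#ifdef` blocks. For consistency with `module_free_exec`, the fallback could also parenthesize its argument: `#define module_alloc_exec(x) module_alloc((x))`.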
64467 diff -urNp linux-2.6.39.3/include/linux/moduleparam.h linux-2.6.39.3/include/linux/moduleparam.h
64468 --- linux-2.6.39.3/include/linux/moduleparam.h 2011-05-19 00:06:34.000000000 -0400
64469 +++ linux-2.6.39.3/include/linux/moduleparam.h 2011-05-22 19:36:33.000000000 -0400
64470 @@ -255,7 +255,7 @@ static inline void __kernel_param_unlock
64471 * @len is usually just sizeof(string).
64472 */
64473 #define module_param_string(name, string, len, perm) \
64474 - static const struct kparam_string __param_string_##name \
64475 + static const struct kparam_string __param_string_##name __used \
64476 = { len, string }; \
64477 __module_param_call(MODULE_PARAM_PREFIX, name, \
64478 &param_ops_string, \
64479 @@ -285,48 +285,48 @@ static inline void destroy_params(const
64480 #define __param_check(name, p, type) \
64481 static inline type *__check_##name(void) { return(p); }
64482
64483 -extern struct kernel_param_ops param_ops_byte;
64484 +extern const struct kernel_param_ops param_ops_byte;
64485 extern int param_set_byte(const char *val, const struct kernel_param *kp);
64486 extern int param_get_byte(char *buffer, const struct kernel_param *kp);
64487 #define param_check_byte(name, p) __param_check(name, p, unsigned char)
64488
64489 -extern struct kernel_param_ops param_ops_short;
64490 +extern const struct kernel_param_ops param_ops_short;
64491 extern int param_set_short(const char *val, const struct kernel_param *kp);
64492 extern int param_get_short(char *buffer, const struct kernel_param *kp);
64493 #define param_check_short(name, p) __param_check(name, p, short)
64494
64495 -extern struct kernel_param_ops param_ops_ushort;
64496 +extern const struct kernel_param_ops param_ops_ushort;
64497 extern int param_set_ushort(const char *val, const struct kernel_param *kp);
64498 extern int param_get_ushort(char *buffer, const struct kernel_param *kp);
64499 #define param_check_ushort(name, p) __param_check(name, p, unsigned short)
64500
64501 -extern struct kernel_param_ops param_ops_int;
64502 +extern const struct kernel_param_ops param_ops_int;
64503 extern int param_set_int(const char *val, const struct kernel_param *kp);
64504 extern int param_get_int(char *buffer, const struct kernel_param *kp);
64505 #define param_check_int(name, p) __param_check(name, p, int)
64506
64507 -extern struct kernel_param_ops param_ops_uint;
64508 +extern const struct kernel_param_ops param_ops_uint;
64509 extern int param_set_uint(const char *val, const struct kernel_param *kp);
64510 extern int param_get_uint(char *buffer, const struct kernel_param *kp);
64511 #define param_check_uint(name, p) __param_check(name, p, unsigned int)
64512
64513 -extern struct kernel_param_ops param_ops_long;
64514 +extern const struct kernel_param_ops param_ops_long;
64515 extern int param_set_long(const char *val, const struct kernel_param *kp);
64516 extern int param_get_long(char *buffer, const struct kernel_param *kp);
64517 #define param_check_long(name, p) __param_check(name, p, long)
64518
64519 -extern struct kernel_param_ops param_ops_ulong;
64520 +extern const struct kernel_param_ops param_ops_ulong;
64521 extern int param_set_ulong(const char *val, const struct kernel_param *kp);
64522 extern int param_get_ulong(char *buffer, const struct kernel_param *kp);
64523 #define param_check_ulong(name, p) __param_check(name, p, unsigned long)
64524
64525 -extern struct kernel_param_ops param_ops_charp;
64526 +extern const struct kernel_param_ops param_ops_charp;
64527 extern int param_set_charp(const char *val, const struct kernel_param *kp);
64528 extern int param_get_charp(char *buffer, const struct kernel_param *kp);
64529 #define param_check_charp(name, p) __param_check(name, p, char *)
64530
64531 /* For historical reasons "bool" parameters can be (unsigned) "int". */
64532 -extern struct kernel_param_ops param_ops_bool;
64533 +extern const struct kernel_param_ops param_ops_bool;
64534 extern int param_set_bool(const char *val, const struct kernel_param *kp);
64535 extern int param_get_bool(char *buffer, const struct kernel_param *kp);
64536 #define param_check_bool(name, p) \
64537 @@ -337,7 +337,7 @@ extern int param_get_bool(char *buffer,
64538 !__same_type((p), int *)); \
64539 }
64540
64541 -extern struct kernel_param_ops param_ops_invbool;
64542 +extern const struct kernel_param_ops param_ops_invbool;
64543 extern int param_set_invbool(const char *val, const struct kernel_param *kp);
64544 extern int param_get_invbool(char *buffer, const struct kernel_param *kp);
64545 #define param_check_invbool(name, p) __param_check(name, p, bool)
64546 @@ -370,7 +370,7 @@ extern int param_get_invbool(char *buffe
64547 * module_param_named() for why this might be necessary.
64548 */
64549 #define module_param_array_named(name, array, type, nump, perm) \
64550 - static const struct kparam_array __param_arr_##name \
64551 + static const struct kparam_array __param_arr_##name __used \
64552 = { ARRAY_SIZE(array), nump, &param_ops_##type, \
64553 sizeof(array[0]), array }; \
64554 __module_param_call(MODULE_PARAM_PREFIX, name, \
64555 @@ -379,9 +379,9 @@ extern int param_get_invbool(char *buffe
64556 __same_type(array[0], bool), perm); \
64557 __MODULE_PARM_TYPE(name, "array of " #type)
64558
64559 -extern struct kernel_param_ops param_array_ops;
64560 +extern const struct kernel_param_ops param_array_ops;
64561
64562 -extern struct kernel_param_ops param_ops_string;
64563 +extern const struct kernel_param_ops param_ops_string;
64564 extern int param_set_copystring(const char *val, const struct kernel_param *);
64565 extern int param_get_string(char *buffer, const struct kernel_param *kp);
64566
64567 diff -urNp linux-2.6.39.3/include/linux/mutex.h linux-2.6.39.3/include/linux/mutex.h
64568 --- linux-2.6.39.3/include/linux/mutex.h 2011-05-19 00:06:34.000000000 -0400
64569 +++ linux-2.6.39.3/include/linux/mutex.h 2011-05-22 19:36:33.000000000 -0400
64570 @@ -51,7 +51,7 @@ struct mutex {
64571 spinlock_t wait_lock;
64572 struct list_head wait_list;
64573 #if defined(CONFIG_DEBUG_MUTEXES) || defined(CONFIG_SMP)
64574 - struct thread_info *owner;
64575 + struct task_struct *owner;
64576 #endif
64577 #ifdef CONFIG_DEBUG_MUTEXES
64578 const char *name;
64579 diff -urNp linux-2.6.39.3/include/linux/namei.h linux-2.6.39.3/include/linux/namei.h
64580 --- linux-2.6.39.3/include/linux/namei.h 2011-05-19 00:06:34.000000000 -0400
64581 +++ linux-2.6.39.3/include/linux/namei.h 2011-05-22 19:36:33.000000000 -0400
64582 @@ -24,7 +24,7 @@ struct nameidata {
64583 unsigned seq;
64584 int last_type;
64585 unsigned depth;
64586 - char *saved_names[MAX_NESTED_LINKS + 1];
64587 + const char *saved_names[MAX_NESTED_LINKS + 1];
64588
64589 /* Intent data */
64590 union {
64591 @@ -91,12 +91,12 @@ extern int follow_up(struct path *);
64592 extern struct dentry *lock_rename(struct dentry *, struct dentry *);
64593 extern void unlock_rename(struct dentry *, struct dentry *);
64594
64595 -static inline void nd_set_link(struct nameidata *nd, char *path)
64596 +static inline void nd_set_link(struct nameidata *nd, const char *path)
64597 {
64598 nd->saved_names[nd->depth] = path;
64599 }
64600
64601 -static inline char *nd_get_link(struct nameidata *nd)
64602 +static inline const char *nd_get_link(const struct nameidata *nd)
64603 {
64604 return nd->saved_names[nd->depth];
64605 }
64606 diff -urNp linux-2.6.39.3/include/linux/netfilter/xt_gradm.h linux-2.6.39.3/include/linux/netfilter/xt_gradm.h
64607 --- linux-2.6.39.3/include/linux/netfilter/xt_gradm.h 1969-12-31 19:00:00.000000000 -0500
64608 +++ linux-2.6.39.3/include/linux/netfilter/xt_gradm.h 2011-05-22 19:41:42.000000000 -0400
64609 @@ -0,0 +1,9 @@
64610 +#ifndef _LINUX_NETFILTER_XT_GRADM_H
64611 +#define _LINUX_NETFILTER_XT_GRADM_H 1
64612 +
64613 +struct xt_gradm_mtinfo {
64614 + __u16 flags;
64615 + __u16 invflags;
64616 +};
64617 +
64618 +#endif
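Review bot: The new header uses `__u16` but includes nothing, so it only compiles when the includer has already pulled in the kernel type definitions. Add `#include <linux/types.h>` directly after the guard define so the header is self-contained, which matters for a netfilter header that userspace may also consume. The two fields also need a comment stating which bits of `flags` and `invflags` are defined, since a match-info struct shared with userspace is an ABI.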
64619 diff -urNp linux-2.6.39.3/include/linux/oprofile.h linux-2.6.39.3/include/linux/oprofile.h
64620 --- linux-2.6.39.3/include/linux/oprofile.h 2011-05-19 00:06:34.000000000 -0400
64621 +++ linux-2.6.39.3/include/linux/oprofile.h 2011-05-22 19:36:33.000000000 -0400
64622 @@ -139,9 +139,9 @@ int oprofilefs_create_ulong(struct super
64623 int oprofilefs_create_ro_ulong(struct super_block * sb, struct dentry * root,
64624 char const * name, ulong * val);
64625
64626 -/** Create a file for read-only access to an atomic_t. */
64627 +/** Create a file for read-only access to an atomic_unchecked_t. */
64628 int oprofilefs_create_ro_atomic(struct super_block * sb, struct dentry * root,
64629 - char const * name, atomic_t * val);
64630 + char const * name, atomic_unchecked_t * val);
64631
64632 /** create a directory */
64633 struct dentry * oprofilefs_mkdir(struct super_block * sb, struct dentry * root,
64634 diff -urNp linux-2.6.39.3/include/linux/padata.h linux-2.6.39.3/include/linux/padata.h
64635 --- linux-2.6.39.3/include/linux/padata.h 2011-05-19 00:06:34.000000000 -0400
64636 +++ linux-2.6.39.3/include/linux/padata.h 2011-05-22 19:36:33.000000000 -0400
64637 @@ -129,7 +129,7 @@ struct parallel_data {
64638 struct padata_instance *pinst;
64639 struct padata_parallel_queue __percpu *pqueue;
64640 struct padata_serial_queue __percpu *squeue;
64641 - atomic_t seq_nr;
64642 + atomic_unchecked_t seq_nr;
64643 atomic_t reorder_objects;
64644 atomic_t refcnt;
64645 unsigned int max_seq_nr;
64646 diff -urNp linux-2.6.39.3/include/linux/pci.h linux-2.6.39.3/include/linux/pci.h
64647 --- linux-2.6.39.3/include/linux/pci.h 2011-05-19 00:06:34.000000000 -0400
64648 +++ linux-2.6.39.3/include/linux/pci.h 2011-05-22 19:36:33.000000000 -0400
64649 @@ -411,7 +411,7 @@ struct pci_bus {
64650 struct resource *resource[PCI_BRIDGE_RESOURCE_NUM];
64651 struct list_head resources; /* address space routed to this bus */
64652
64653 - struct pci_ops *ops; /* configuration access functions */
64654 + const struct pci_ops *ops; /* configuration access functions */
64655 void *sysdata; /* hook for sys-specific extension */
64656 struct proc_dir_entry *procdir; /* directory entry in /proc/bus/pci */
64657
64658 @@ -550,7 +550,7 @@ struct pci_driver {
64659 int (*resume_early) (struct pci_dev *dev);
64660 int (*resume) (struct pci_dev *dev); /* Device woken up */
64661 void (*shutdown) (struct pci_dev *dev);
64662 - struct pci_error_handlers *err_handler;
64663 + const struct pci_error_handlers *err_handler;
64664 struct device_driver driver;
64665 struct pci_dynids dynids;
64666 };
64667 @@ -639,7 +639,7 @@ void pcibios_scan_specific_bus(int busn)
64668 extern struct pci_bus *pci_find_bus(int domain, int busnr);
64669 void pci_bus_add_devices(const struct pci_bus *bus);
64670 struct pci_bus *pci_scan_bus_parented(struct device *parent, int bus,
64671 - struct pci_ops *ops, void *sysdata);
64672 + const struct pci_ops *ops, void *sysdata);
64673 static inline struct pci_bus * __devinit pci_scan_bus(int bus, struct pci_ops *ops,
64674 void *sysdata)
64675 {
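Review bot: The inline `pci_scan_bus` at the end of this hunk still declares `struct pci_ops *ops`, although `pci_scan_bus_parented` here and `pci_create_bus` in the next hunk now take `const struct pci_ops *`. A driver whose ops table is declared const therefore cannot call the inline without a cast, which works against the constification done in the rest of this file. The signature should read `static inline struct pci_bus * __devinit pci_scan_bus(int bus, const struct pci_ops *ops,`. That inline's body continues outside this hunk.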
64676 @@ -650,7 +650,7 @@ static inline struct pci_bus * __devinit
64677 return root_bus;
64678 }
64679 struct pci_bus *pci_create_bus(struct device *parent, int bus,
64680 - struct pci_ops *ops, void *sysdata);
64681 + const struct pci_ops *ops, void *sysdata);
64682 struct pci_bus *pci_add_new_bus(struct pci_bus *parent, struct pci_dev *dev,
64683 int busnr);
64684 void pcie_update_link_speed(struct pci_bus *bus, u16 link_status);
64685 @@ -727,7 +727,7 @@ int pci_bus_write_config_word(struct pci
64686 int where, u16 val);
64687 int pci_bus_write_config_dword(struct pci_bus *bus, unsigned int devfn,
64688 int where, u32 val);
64689 -struct pci_ops *pci_bus_set_ops(struct pci_bus *bus, struct pci_ops *ops);
64690 +const struct pci_ops *pci_bus_set_ops(struct pci_bus *bus, const struct pci_ops *ops);
64691
64692 static inline int pci_read_config_byte(struct pci_dev *dev, int where, u8 *val)
64693 {
64694 diff -urNp linux-2.6.39.3/include/linux/perf_event.h linux-2.6.39.3/include/linux/perf_event.h
64695 --- linux-2.6.39.3/include/linux/perf_event.h 2011-05-19 00:06:34.000000000 -0400
64696 +++ linux-2.6.39.3/include/linux/perf_event.h 2011-05-22 19:36:33.000000000 -0400
64697 @@ -759,8 +759,8 @@ struct perf_event {
64698
64699 enum perf_event_active_state state;
64700 unsigned int attach_state;
64701 - local64_t count;
64702 - atomic64_t child_count;
64703 + local64_t count; /* PaX: fix it one day */
64704 + atomic64_unchecked_t child_count;
64705
64706 /*
64707 * These are the total time in nanoseconds that the event
64708 @@ -811,8 +811,8 @@ struct perf_event {
64709 * These accumulate total time (in nanoseconds) that children
64710 * events have been enabled and running, respectively.
64711 */
64712 - atomic64_t child_total_time_enabled;
64713 - atomic64_t child_total_time_running;
64714 + atomic64_unchecked_t child_total_time_enabled;
64715 + atomic64_unchecked_t child_total_time_running;
64716
64717 /*
64718 * Protect attach/detach and child_list:
64719 @@ -1090,9 +1090,9 @@ void perf_event_task_sched_out(struct ta
64720 }
64721
64722 extern void perf_event_mmap(struct vm_area_struct *vma);
64723 -extern struct perf_guest_info_callbacks *perf_guest_cbs;
64724 -extern int perf_register_guest_info_callbacks(struct perf_guest_info_callbacks *callbacks);
64725 -extern int perf_unregister_guest_info_callbacks(struct perf_guest_info_callbacks *callbacks);
64726 +extern const struct perf_guest_info_callbacks *perf_guest_cbs;
64727 +extern int perf_register_guest_info_callbacks(const struct perf_guest_info_callbacks *callbacks);
64728 +extern int perf_unregister_guest_info_callbacks(const struct perf_guest_info_callbacks *callbacks);
64729
64730 extern void perf_event_comm(struct task_struct *tsk);
64731 extern void perf_event_fork(struct task_struct *tsk);
64732 diff -urNp linux-2.6.39.3/include/linux/pipe_fs_i.h linux-2.6.39.3/include/linux/pipe_fs_i.h
64733 --- linux-2.6.39.3/include/linux/pipe_fs_i.h 2011-05-19 00:06:34.000000000 -0400
64734 +++ linux-2.6.39.3/include/linux/pipe_fs_i.h 2011-05-22 19:36:33.000000000 -0400
64735 @@ -46,9 +46,9 @@ struct pipe_buffer {
64736 struct pipe_inode_info {
64737 wait_queue_head_t wait;
64738 unsigned int nrbufs, curbuf, buffers;
64739 - unsigned int readers;
64740 - unsigned int writers;
64741 - unsigned int waiting_writers;
64742 + atomic_t readers;
64743 + atomic_t writers;
64744 + atomic_t waiting_writers;
64745 unsigned int r_counter;
64746 unsigned int w_counter;
64747 struct page *tmp_page;
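Review bot: `readers`, `writers` and `waiting_writers` become `atomic_t` here while `r_counter` and `w_counter` directly below stay `unsigned int`, and nothing in the header explains why only the first three change. Every direct access elsewhere has to move to the `atomic_*` accessors, and comparisons that relied on unsigned values now get a signed `int` from `atomic_read()`. The struct's kerneldoc lies above the hunk. Once the locking assumption is confirmed, it should gain a line such as `/* readers/writers/waiting_writers are atomic_t; they are still only modified under the pipe lock */`.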
64748 diff -urNp linux-2.6.39.3/include/linux/pm.h linux-2.6.39.3/include/linux/pm.h
64749 --- linux-2.6.39.3/include/linux/pm.h 2011-07-09 09:18:51.000000000 -0400
64750 +++ linux-2.6.39.3/include/linux/pm.h 2011-07-09 09:19:24.000000000 -0400
64751 @@ -268,7 +268,7 @@ const struct dev_pm_ops name = { \
64752 * runtime PM, make the pm member point to generic_subsys_pm_ops.
64753 */
64754 #ifdef CONFIG_PM
64755 -extern struct dev_pm_ops generic_subsys_pm_ops;
64756 +extern const struct dev_pm_ops generic_subsys_pm_ops;
64757 #define GENERIC_SUBSYS_PM_OPS (&generic_subsys_pm_ops)
64758 #else
64759 #define GENERIC_SUBSYS_PM_OPS NULL
64760 @@ -472,7 +472,7 @@ extern void update_pm_runtime_accounting
64761 * subsystem-level and driver-level callbacks.
64762 */
64763 struct dev_power_domain {
64764 - struct dev_pm_ops ops;
64765 + const struct dev_pm_ops ops;
64766 };
64767
64768 /*
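Review bot: `const struct dev_pm_ops ops;` makes an embedded member const, not a pointer to const, so a `struct dev_power_domain` can only be populated through an initializer. Code that fills `ops` at run time or assigns one `dev_power_domain` to another stops compiling, and writing through a cast is undefined behaviour. The power-domain definitions are outside this hunk, so whether all of them are statically initialized cannot be confirmed here. The ssb_driver_gige.h hunk does the same with `const struct pci_ops pci_ops;` inside `struct ssb_gige`. A comment on the member, e.g. `/* const: may only be set by a static initializer */`, would make the constraint explicit.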
64769 diff -urNp linux-2.6.39.3/include/linux/pm_runtime.h linux-2.6.39.3/include/linux/pm_runtime.h
64770 --- linux-2.6.39.3/include/linux/pm_runtime.h 2011-05-19 00:06:34.000000000 -0400
64771 +++ linux-2.6.39.3/include/linux/pm_runtime.h 2011-05-22 19:36:33.000000000 -0400
64772 @@ -94,7 +94,7 @@ static inline bool pm_runtime_callbacks_
64773
64774 static inline void pm_runtime_mark_last_busy(struct device *dev)
64775 {
64776 - ACCESS_ONCE(dev->power.last_busy) = jiffies;
64777 + ACCESS_ONCE_RW(dev->power.last_busy) = jiffies;
64778 }
64779
64780 #else /* !CONFIG_PM_RUNTIME */
64781 diff -urNp linux-2.6.39.3/include/linux/poison.h linux-2.6.39.3/include/linux/poison.h
64782 --- linux-2.6.39.3/include/linux/poison.h 2011-05-19 00:06:34.000000000 -0400
64783 +++ linux-2.6.39.3/include/linux/poison.h 2011-05-22 19:36:33.000000000 -0400
64784 @@ -19,8 +19,8 @@
64785 * under normal circumstances, used to verify that nobody uses
64786 * non-initialized list entries.
64787 */
64788 -#define LIST_POISON1 ((void *) 0x00100100 + POISON_POINTER_DELTA)
64789 -#define LIST_POISON2 ((void *) 0x00200200 + POISON_POINTER_DELTA)
64790 +#define LIST_POISON1 ((void *) (long)0xFFFFFF01)
64791 +#define LIST_POISON2 ((void *) (long)0xFFFFFF02)
64792
64793 /********** include/linux/timer.h **********/
64794 /*
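Review bot: The new `LIST_POISON1`/`LIST_POISON2` definitions drop `POISON_POINTER_DELTA`, and `(long)0xFFFFFF01` does not sign-extend, because the literal has type `unsigned int`. On a 64-bit build the poison pointer is therefore `0x00000000FFFFFF01`, a low address, not one at the top of the address space as on 32-bit. The comment that precedes the macros (it starts outside the hunk) should state the intended address per word size and why a dereference is guaranteed to fault there. If a top-of-address-space value is meant on every architecture, `((void *) (long)(int)0xFFFFFF01)` expresses that.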
64795 diff -urNp linux-2.6.39.3/include/linux/posix-timers.h linux-2.6.39.3/include/linux/posix-timers.h
64796 --- linux-2.6.39.3/include/linux/posix-timers.h 2011-05-19 00:06:34.000000000 -0400
64797 +++ linux-2.6.39.3/include/linux/posix-timers.h 2011-05-22 19:36:33.000000000 -0400
64798 @@ -102,10 +102,10 @@ struct k_clock {
64799 struct itimerspec * cur_setting);
64800 };
64801
64802 -extern struct k_clock clock_posix_cpu;
64803 -extern struct k_clock clock_posix_dynamic;
64804 +extern const struct k_clock clock_posix_cpu;
64805 +extern const struct k_clock clock_posix_dynamic;
64806
64807 -void posix_timers_register_clock(const clockid_t clock_id, struct k_clock *new_clock);
64808 +void posix_timers_register_clock(const clockid_t clock_id, const struct k_clock *new_clock);
64809
64810 /* function to call to trigger timer event */
64811 int posix_timer_event(struct k_itimer *timr, int si_private);
64812 diff -urNp linux-2.6.39.3/include/linux/proc_fs.h linux-2.6.39.3/include/linux/proc_fs.h
64813 --- linux-2.6.39.3/include/linux/proc_fs.h 2011-05-19 00:06:34.000000000 -0400
64814 +++ linux-2.6.39.3/include/linux/proc_fs.h 2011-05-22 19:41:42.000000000 -0400
64815 @@ -155,6 +155,19 @@ static inline struct proc_dir_entry *pro
64816 return proc_create_data(name, mode, parent, proc_fops, NULL);
64817 }
64818
64819 +static inline struct proc_dir_entry *proc_create_grsec(const char *name, mode_t mode,
64820 + struct proc_dir_entry *parent, const struct file_operations *proc_fops)
64821 +{
64822 +#ifdef CONFIG_GRKERNSEC_PROC_USER
64823 + return proc_create_data(name, S_IRUSR, parent, proc_fops, NULL);
64824 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
64825 + return proc_create_data(name, S_IRUSR | S_IRGRP, parent, proc_fops, NULL);
64826 +#else
64827 + return proc_create_data(name, mode, parent, proc_fops, NULL);
64828 +#endif
64829 +}
64830 +
64831 +
64832 static inline struct proc_dir_entry *create_proc_read_entry(const char *name,
64833 mode_t mode, struct proc_dir_entry *base,
64834 read_proc_t *read_proc, void * data)
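Review bot: `proc_create_grsec()` silently discards its `mode` argument in the `CONFIG_GRKERNSEC_PROC_USER` and `CONFIG_GRKERNSEC_PROC_USERGROUP` branches, so a caller that passes write bits gets a read-only entry with no indication. That is presumably the intent, but it should be stated on the function, e.g. `/* Like proc_create(); with GRKERNSEC_PROC_USER[GROUP] the entry is forced to S_IRUSR [| S_IRGRP] and mode is ignored. */`. The hunk also leaves two consecutive blank lines after the closing brace where one is enough.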
64835 diff -urNp linux-2.6.39.3/include/linux/ptrace.h linux-2.6.39.3/include/linux/ptrace.h
64836 --- linux-2.6.39.3/include/linux/ptrace.h 2011-05-19 00:06:34.000000000 -0400
64837 +++ linux-2.6.39.3/include/linux/ptrace.h 2011-05-22 19:41:42.000000000 -0400
64838 @@ -115,10 +115,10 @@ extern void __ptrace_unlink(struct task_
64839 extern void exit_ptrace(struct task_struct *tracer);
64840 #define PTRACE_MODE_READ 1
64841 #define PTRACE_MODE_ATTACH 2
64842 -/* Returns 0 on success, -errno on denial. */
64843 -extern int __ptrace_may_access(struct task_struct *task, unsigned int mode);
64844 /* Returns true on success, false on denial. */
64845 extern bool ptrace_may_access(struct task_struct *task, unsigned int mode);
64846 +/* Returns true on success, false on denial. */
64847 +extern bool ptrace_may_access_log(struct task_struct *task, unsigned int mode);
64848
64849 static inline int ptrace_reparented(struct task_struct *child)
64850 {
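Review bot: `ptrace_may_access_log()` is added with the same comment as `ptrace_may_access()`, `/* Returns true on success, false on denial. */`, so a reader cannot tell which of the two to call. The name suggests the new variant also records denials, which is an inference. After checking the definition, the comment should state the difference, e.g. `/* As ptrace_may_access(), but a denial is additionally logged. */`. The hunk also removes the `__ptrace_may_access()` declaration, so any remaining user of the -errno returning form outside this patch will no longer build.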
64851 diff -urNp linux-2.6.39.3/include/linux/random.h linux-2.6.39.3/include/linux/random.h
64852 --- linux-2.6.39.3/include/linux/random.h 2011-05-19 00:06:34.000000000 -0400
64853 +++ linux-2.6.39.3/include/linux/random.h 2011-05-22 19:36:33.000000000 -0400
64854 @@ -80,12 +80,17 @@ void srandom32(u32 seed);
64855
64856 u32 prandom32(struct rnd_state *);
64857
64858 +static inline unsigned long pax_get_random_long(void)
64859 +{
64860 + return random32() + (sizeof(long) > 4 ? (unsigned long)random32() << 32 : 0);
64861 +}
64862 +
64863 /*
64864 * Handle minimum values for seeds
64865 */
64866 static inline u32 __seed(u32 x, u32 m)
64867 {
64868 - return (x < m) ? x + m : x;
64869 + return (x <= m) ? x + m + 1 : x;
64870 }
64871
64872 /**
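Review bot: `pax_get_random_long()` is built from `random32()`, which this header groups with `srandom32()` and `prandom32()`, i.e. the seedable pseudo-random generator rather than `get_random_bytes()`. If the value feeds address-space randomization, as the `pax_` prefix and the `PAX_DELTA_*` definitions elsewhere in the patch suggest, callers need to know what strength they may assume. A comment such as `/* two random32() outputs; not cryptographically strong unless random32() is hardened elsewhere */` would cover it. The `__seed()` change in the same hunk makes the result strictly greater than `m` instead of at least `m`, but the `Handle minimum values for seeds` comment is not updated to say so.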
64873 diff -urNp linux-2.6.39.3/include/linux/reboot.h linux-2.6.39.3/include/linux/reboot.h
64874 --- linux-2.6.39.3/include/linux/reboot.h 2011-05-19 00:06:34.000000000 -0400
64875 +++ linux-2.6.39.3/include/linux/reboot.h 2011-05-22 19:36:33.000000000 -0400
64876 @@ -47,9 +47,9 @@ extern int unregister_reboot_notifier(st
64877 * Architecture-specific implementations of sys_reboot commands.
64878 */
64879
64880 -extern void machine_restart(char *cmd);
64881 -extern void machine_halt(void);
64882 -extern void machine_power_off(void);
64883 +extern void machine_restart(char *cmd) __noreturn;
64884 +extern void machine_halt(void) __noreturn;
64885 +extern void machine_power_off(void) __noreturn;
64886
64887 extern void machine_shutdown(void);
64888 struct pt_regs;
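Review bot: Marking `machine_restart()`, `machine_halt()` and `machine_power_off()` as `__noreturn` makes any architecture implementation that can fall off its end undefined behaviour, since the compiler may drop whatever follows each call site. The implementations are per-architecture and outside this hunk, so it cannot be checked here that every one of them ends in an endless loop or halt. The same applies to `kernel_restart()`, `kernel_halt()` and `kernel_power_off()` in the next hunk and to `emergency_restart()` in the third. I would extend the existing comment with `/* These never return; every implementation must spin after issuing the hardware request. */`.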
64889 @@ -60,9 +60,9 @@ extern void machine_crash_shutdown(struc
64890 */
64891
64892 extern void kernel_restart_prepare(char *cmd);
64893 -extern void kernel_restart(char *cmd);
64894 -extern void kernel_halt(void);
64895 -extern void kernel_power_off(void);
64896 +extern void kernel_restart(char *cmd) __noreturn;
64897 +extern void kernel_halt(void) __noreturn;
64898 +extern void kernel_power_off(void) __noreturn;
64899
64900 extern int C_A_D; /* for sysctl */
64901 void ctrl_alt_del(void);
64902 @@ -76,7 +76,7 @@ extern int orderly_poweroff(bool force);
64903 * Emergency restart, callable from an interrupt handler.
64904 */
64905
64906 -extern void emergency_restart(void);
64907 +extern void emergency_restart(void) __noreturn;
64908 #include <asm/emergency-restart.h>
64909
64910 #endif
64911 diff -urNp linux-2.6.39.3/include/linux/reiserfs_fs.h linux-2.6.39.3/include/linux/reiserfs_fs.h
64912 --- linux-2.6.39.3/include/linux/reiserfs_fs.h 2011-05-19 00:06:34.000000000 -0400
64913 +++ linux-2.6.39.3/include/linux/reiserfs_fs.h 2011-05-22 19:36:33.000000000 -0400
64914 @@ -1406,7 +1406,7 @@ static inline loff_t max_reiserfs_offset
64915 #define REISERFS_USER_MEM 1 /* reiserfs user memory mode */
64916
64917 #define fs_generation(s) (REISERFS_SB(s)->s_generation_counter)
64918 -#define get_generation(s) atomic_read (&fs_generation(s))
64919 +#define get_generation(s) atomic_read_unchecked (&fs_generation(s))
64920 #define FILESYSTEM_CHANGED_TB(tb) (get_generation((tb)->tb_sb) != (tb)->fs_gen)
64921 #define __fs_changed(gen,s) (gen != get_generation (s))
64922 #define fs_changed(gen,s) \
64923 @@ -1618,24 +1618,24 @@ static inline struct super_block *sb_fro
64924 */
64925
64926 struct item_operations {
64927 - int (*bytes_number) (struct item_head * ih, int block_size);
64928 - void (*decrement_key) (struct cpu_key *);
64929 - int (*is_left_mergeable) (struct reiserfs_key * ih,
64930 + int (* const bytes_number) (struct item_head * ih, int block_size);
64931 + void (* const decrement_key) (struct cpu_key *);
64932 + int (* const is_left_mergeable) (struct reiserfs_key * ih,
64933 unsigned long bsize);
64934 - void (*print_item) (struct item_head *, char *item);
64935 - void (*check_item) (struct item_head *, char *item);
64936 + void (* const print_item) (struct item_head *, char *item);
64937 + void (* const check_item) (struct item_head *, char *item);
64938
64939 - int (*create_vi) (struct virtual_node * vn, struct virtual_item * vi,
64940 + int (* const create_vi) (struct virtual_node * vn, struct virtual_item * vi,
64941 int is_affected, int insert_size);
64942 - int (*check_left) (struct virtual_item * vi, int free,
64943 + int (* const check_left) (struct virtual_item * vi, int free,
64944 int start_skip, int end_skip);
64945 - int (*check_right) (struct virtual_item * vi, int free);
64946 - int (*part_size) (struct virtual_item * vi, int from, int to);
64947 - int (*unit_num) (struct virtual_item * vi);
64948 - void (*print_vi) (struct virtual_item * vi);
64949 + int (* const check_right) (struct virtual_item * vi, int free);
64950 + int (* const part_size) (struct virtual_item * vi, int from, int to);
64951 + int (* const unit_num) (struct virtual_item * vi);
64952 + void (* const print_vi) (struct virtual_item * vi);
64953 };
64954
64955 -extern struct item_operations *item_ops[TYPE_ANY + 1];
64956 +extern const struct item_operations * const item_ops[TYPE_ANY + 1];
64957
64958 #define op_bytes_number(ih,bsize) item_ops[le_ih_k_type (ih)]->bytes_number (ih, bsize)
64959 #define op_is_left_mergeable(key,bsize) item_ops[le_key_k_type (le_key_version (key), key)]->is_left_mergeable (key, bsize)
64960 diff -urNp linux-2.6.39.3/include/linux/reiserfs_fs_sb.h linux-2.6.39.3/include/linux/reiserfs_fs_sb.h
64961 --- linux-2.6.39.3/include/linux/reiserfs_fs_sb.h 2011-05-19 00:06:34.000000000 -0400
64962 +++ linux-2.6.39.3/include/linux/reiserfs_fs_sb.h 2011-05-22 19:36:33.000000000 -0400
64963 @@ -386,7 +386,7 @@ struct reiserfs_sb_info {
64964 /* Comment? -Hans */
64965 wait_queue_head_t s_wait;
64966 /* To be obsoleted soon by per buffer seals.. -Hans */
64967 - atomic_t s_generation_counter; // increased by one every time the
64968 + atomic_unchecked_t s_generation_counter; // increased by one every time the
64969 // tree gets re-balanced
64970 unsigned long s_properties; /* File system properties. Currently holds
64971 on-disk FS format */
64972 diff -urNp linux-2.6.39.3/include/linux/rmap.h linux-2.6.39.3/include/linux/rmap.h
64973 --- linux-2.6.39.3/include/linux/rmap.h 2011-05-19 00:06:34.000000000 -0400
64974 +++ linux-2.6.39.3/include/linux/rmap.h 2011-05-22 19:36:33.000000000 -0400
64975 @@ -119,8 +119,8 @@ static inline void anon_vma_unlock(struc
64976 void anon_vma_init(void); /* create anon_vma_cachep */
64977 int anon_vma_prepare(struct vm_area_struct *);
64978 void unlink_anon_vmas(struct vm_area_struct *);
64979 -int anon_vma_clone(struct vm_area_struct *, struct vm_area_struct *);
64980 -int anon_vma_fork(struct vm_area_struct *, struct vm_area_struct *);
64981 +int anon_vma_clone(struct vm_area_struct *, const struct vm_area_struct *);
64982 +int anon_vma_fork(struct vm_area_struct *, const struct vm_area_struct *);
64983 void __anon_vma_link(struct vm_area_struct *);
64984
64985 static inline void anon_vma_merge(struct vm_area_struct *vma,
64986 diff -urNp linux-2.6.39.3/include/linux/sched.h linux-2.6.39.3/include/linux/sched.h
64987 --- linux-2.6.39.3/include/linux/sched.h 2011-05-19 00:06:34.000000000 -0400
64988 +++ linux-2.6.39.3/include/linux/sched.h 2011-07-06 20:00:13.000000000 -0400
64989 @@ -100,6 +100,7 @@ struct bio_list;
64990 struct fs_struct;
64991 struct perf_event_context;
64992 struct blk_plug;
64993 +struct linux_binprm;
64994
64995 /*
64996 * List of flags we want to share for kernel threads,
64997 @@ -360,7 +361,7 @@ extern signed long schedule_timeout_inte
64998 extern signed long schedule_timeout_killable(signed long timeout);
64999 extern signed long schedule_timeout_uninterruptible(signed long timeout);
65000 asmlinkage void schedule(void);
65001 -extern int mutex_spin_on_owner(struct mutex *lock, struct thread_info *owner);
65002 +extern int mutex_spin_on_owner(struct mutex *lock, struct task_struct *owner);
65003
65004 struct nsproxy;
65005 struct user_namespace;
65006 @@ -381,10 +382,13 @@ struct user_namespace;
65007 #define DEFAULT_MAX_MAP_COUNT (USHRT_MAX - MAPCOUNT_ELF_CORE_MARGIN)
65008
65009 extern int sysctl_max_map_count;
65010 +extern unsigned long sysctl_heap_stack_gap;
65011
65012 #include <linux/aio.h>
65013
65014 #ifdef CONFIG_MMU
65015 +extern bool check_heap_stack_gap(const struct vm_area_struct *vma, unsigned long addr, unsigned long len);
65016 +extern unsigned long skip_heap_stack_gap(const struct vm_area_struct *vma, unsigned long len);
65017 extern void arch_pick_mmap_layout(struct mm_struct *mm);
65018 extern unsigned long
65019 arch_get_unmapped_area(struct file *, unsigned long, unsigned long,
65020 @@ -629,6 +633,17 @@ struct signal_struct {
65021 #ifdef CONFIG_TASKSTATS
65022 struct taskstats *stats;
65023 #endif
65024 +
65025 +#ifdef CONFIG_GRKERNSEC
65026 + u32 curr_ip;
65027 + u32 saved_ip;
65028 + u32 gr_saddr;
65029 + u32 gr_daddr;
65030 + u16 gr_sport;
65031 + u16 gr_dport;
65032 + u8 used_accept:1;
65033 +#endif
65034 +
65035 #ifdef CONFIG_AUDIT
65036 unsigned audit_tty;
65037 struct tty_audit_buf *tty_audit_buf;
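Review bot: The fields added to `struct signal_struct` under `CONFIG_GRKERNSEC` carry no comments, and `curr_ip`, `saved_ip`, `gr_saddr` and `gr_daddr` are `u32`, which can hold an IPv4 address but not an IPv6 one. If they record the peer of a connection (inferred from the names and from `used_accept`), the header should say what is stored for non-IPv4 sockets and in which byte order. Once confirmed against the code that fills them, that could read `u32 curr_ip; /* IPv4 peer address, network byte order; 0 if none */`. The later hunks that add `banned`/`ban_expires` to `struct user_struct` and the `gr_*`/`acl*` block to `struct task_struct` are equally undocumented, and `ban_expires` in particular needs its time unit stated.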
65038 @@ -701,6 +716,11 @@ struct user_struct {
65039 struct key *session_keyring; /* UID's default session keyring */
65040 #endif
65041
65042 +#if defined(CONFIG_GRKERNSEC_KERN_LOCKOUT) || defined(CONFIG_GRKERNSEC_BRUTE)
65043 + unsigned int banned;
65044 + unsigned long ban_expires;
65045 +#endif
65046 +
65047 /* Hash table maintenance information */
65048 struct hlist_node uidhash_node;
65049 uid_t uid;
65050 @@ -1310,8 +1330,8 @@ struct task_struct {
65051 struct list_head thread_group;
65052
65053 struct completion *vfork_done; /* for vfork() */
65054 - int __user *set_child_tid; /* CLONE_CHILD_SETTID */
65055 - int __user *clear_child_tid; /* CLONE_CHILD_CLEARTID */
65056 + pid_t __user *set_child_tid; /* CLONE_CHILD_SETTID */
65057 + pid_t __user *clear_child_tid; /* CLONE_CHILD_CLEARTID */
65058
65059 cputime_t utime, stime, utimescaled, stimescaled;
65060 cputime_t gtime;
65061 @@ -1327,13 +1347,6 @@ struct task_struct {
65062 struct task_cputime cputime_expires;
65063 struct list_head cpu_timers[3];
65064
65065 -/* process credentials */
65066 - const struct cred __rcu *real_cred; /* objective and real subjective task
65067 - * credentials (COW) */
65068 - const struct cred __rcu *cred; /* effective (overridable) subjective task
65069 - * credentials (COW) */
65070 - struct cred *replacement_session_keyring; /* for KEYCTL_SESSION_TO_PARENT */
65071 -
65072 char comm[TASK_COMM_LEN]; /* executable name excluding path
65073 - access with [gs]et_task_comm (which lock
65074 it with task_lock())
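Review bot: This hunk removes `real_cred`, `cred` and `replacement_session_keyring` from their place in `struct task_struct` with no comment on why the credential pointers are split and relocated. The hunks at -1350 and -1398 re-add `cred` after `fs` and the other two after `pi_blocked_on`. Layout changes to `task_struct` are easily undone by accident in a later merge, so the reason belongs next to the members at their new location, e.g. `/* deliberately kept apart from real_cred: <reason> */`. The -1350 hunk also embeds `struct thread_info tinfo` under `CONFIG_X86` with only `/* thread_info moved to task_struct */`, which says what was done but not why.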
65075 @@ -1350,8 +1363,16 @@ struct task_struct {
65076 #endif
65077 /* CPU-specific state of this task */
65078 struct thread_struct thread;
65079 +/* thread_info moved to task_struct */
65080 +#ifdef CONFIG_X86
65081 + struct thread_info tinfo;
65082 +#endif
65083 /* filesystem information */
65084 struct fs_struct *fs;
65085 +
65086 + const struct cred __rcu *cred; /* effective (overridable) subjective task
65087 + * credentials (COW) */
65088 +
65089 /* open file information */
65090 struct files_struct *files;
65091 /* namespaces */
65092 @@ -1398,6 +1419,11 @@ struct task_struct {
65093 struct rt_mutex_waiter *pi_blocked_on;
65094 #endif
65095
65096 +/* process credentials */
65097 + const struct cred __rcu *real_cred; /* objective and real subjective task
65098 + * credentials (COW) */
65099 + struct cred *replacement_session_keyring; /* for KEYCTL_SESSION_TO_PARENT */
65100 +
65101 #ifdef CONFIG_DEBUG_MUTEXES
65102 /* mutex deadlock detection */
65103 struct mutex_waiter *blocked_on;
65104 @@ -1508,6 +1534,21 @@ struct task_struct {
65105 unsigned long default_timer_slack_ns;
65106
65107 struct list_head *scm_work_list;
65108 +
65109 +#ifdef CONFIG_GRKERNSEC
65110 + /* grsecurity */
65111 + struct dentry *gr_chroot_dentry;
65112 + struct acl_subject_label *acl;
65113 + struct acl_role_label *role;
65114 + struct file *exec_file;
65115 + u16 acl_role_id;
65116 + /* is this the task that authenticated to the special role */
65117 + u8 acl_sp_role;
65118 + u8 is_writable;
65119 + u8 brute;
65120 + u8 gr_is_chrooted;
65121 +#endif
65122 +
65123 #ifdef CONFIG_FUNCTION_GRAPH_TRACER
65124 /* Index of current stored address in ret_stack */
65125 int curr_ret_stack;
65126 @@ -1542,6 +1583,57 @@ struct task_struct {
65127 #endif
65128 };
65129
65130 +#define MF_PAX_PAGEEXEC 0x01000000 /* Paging based non-executable pages */
65131 +#define MF_PAX_EMUTRAMP 0x02000000 /* Emulate trampolines */
65132 +#define MF_PAX_MPROTECT 0x04000000 /* Restrict mprotect() */
65133 +#define MF_PAX_RANDMMAP 0x08000000 /* Randomize mmap() base */
65134 +/*#define MF_PAX_RANDEXEC 0x10000000*/ /* Randomize ET_EXEC base */
65135 +#define MF_PAX_SEGMEXEC 0x20000000 /* Segmentation based non-executable pages */
65136 +
65137 +#ifdef CONFIG_PAX_SOFTMODE
65138 +extern unsigned int pax_softmode;
65139 +#endif
65140 +
65141 +extern int pax_check_flags(unsigned long *);
65142 +
65143 +/* if tsk != current then task_lock must be held on it */
65144 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
65145 +static inline unsigned long pax_get_flags(struct task_struct *tsk)
65146 +{
65147 + if (likely(tsk->mm))
65148 + return tsk->mm->pax_flags;
65149 + else
65150 + return 0UL;
65151 +}
65152 +
65153 +/* if tsk != current then task_lock must be held on it */
65154 +static inline long pax_set_flags(struct task_struct *tsk, unsigned long flags)
65155 +{
65156 + if (likely(tsk->mm)) {
65157 + tsk->mm->pax_flags = flags;
65158 + return 0;
65159 + }
65160 + return -EINVAL;
65161 +}
65162 +#endif
65163 +
65164 +#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
65165 +extern void pax_set_initial_flags(struct linux_binprm *bprm);
65166 +#elif defined(CONFIG_PAX_HOOK_ACL_FLAGS)
65167 +extern void (*pax_set_initial_flags_func)(struct linux_binprm *bprm);
65168 +#endif
65169 +
65170 +extern void pax_report_fault(struct pt_regs *regs, void *pc, void *sp);
65171 +extern void pax_report_insns(void *pc, void *sp);
65172 +extern void pax_report_refcount_overflow(struct pt_regs *regs);
65173 +extern NORET_TYPE void pax_report_usercopy(const void *ptr, unsigned long len, bool to, const char *type) ATTRIB_NORET;
65174 +
65175 +#ifdef CONFIG_PAX_MEMORY_STACKLEAK
65176 +extern void pax_track_stack(void);
65177 +#else
65178 +static inline void pax_track_stack(void) {}
65179 +#endif
65180 +
65181 /* Future-safe accessor for struct task_struct's cpus_allowed. */
65182 #define tsk_cpus_allowed(tsk) (&(tsk)->cpus_allowed)
65183
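Review bot: `pax_get_flags()` returns `0UL` when `tsk->mm` is NULL, which a caller cannot tell apart from a task whose flags are all clear, whereas `pax_set_flags()` reports the same condition as `-EINVAL`. The accessors should document that asymmetry, e.g. `/* returns 0 both for "no flags set" and for a task without an mm */` on the getter. The locking rule exists only as a comment (`if tsk != current then task_lock must be held on it`), and the copy for the getter sits above the `#if`, outside the guarded region. `pax_set_flags()` returns `long` for a value that is only 0 or `-EINVAL`, where `int` would match the rest of the header. `pax_check_flags()` and the `pax_report_*()` externs are declared unconditionally, so their definitions should be checked to exist in every configuration.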
65184 @@ -2009,7 +2101,9 @@ void yield(void);
65185 extern struct exec_domain default_exec_domain;
65186
65187 union thread_union {
65188 +#ifndef CONFIG_X86
65189 struct thread_info thread_info;
65190 +#endif
65191 unsigned long stack[THREAD_SIZE/sizeof(long)];
65192 };
65193
65194 @@ -2179,7 +2273,7 @@ extern void __cleanup_sighand(struct sig
65195 extern void exit_itimers(struct signal_struct *);
65196 extern void flush_itimer_signals(void);
65197
65198 -extern NORET_TYPE void do_group_exit(int);
65199 +extern NORET_TYPE void do_group_exit(int) ATTRIB_NORET;
65200
65201 extern void daemonize(const char *, ...);
65202 extern int allow_signal(int);
65203 @@ -2320,13 +2414,17 @@ static inline unsigned long *end_of_stac
65204
65205 #endif
65206
65207 -static inline int object_is_on_stack(void *obj)
65208 +static inline int object_starts_on_stack(void *obj)
65209 {
65210 - void *stack = task_stack_page(current);
65211 + const void *stack = task_stack_page(current);
65212
65213 return (obj >= stack) && (obj < (stack + THREAD_SIZE));
65214 }
65215
65216 +#ifdef CONFIG_PAX_USERCOPY
65217 +extern int object_is_on_stack(const void *obj, unsigned long len);
65218 +#endif
65219 +
65220 extern void thread_info_cache_init(void);
65221
65222 #ifdef CONFIG_DEBUG_STACK_USAGE
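Review bot: The old name `object_is_on_stack()` is reused for a two-argument function declared only under `CONFIG_PAX_USERCOPY`, after the one-argument helper is renamed to `object_starts_on_stack()`. An unconverted caller therefore fails with a missing declaration in one configuration and with an argument-count error in the other. The new declaration returns `int` without saying what the values mean, and since the old helper was a plain boolean the prototype should document its return values. `object_starts_on_stack()` still takes `void *obj` although the hunk makes its local `stack` pointer const. `static inline int object_starts_on_stack(const void *obj)` would let const callers use it without a cast.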
65223 diff -urNp linux-2.6.39.3/include/linux/screen_info.h linux-2.6.39.3/include/linux/screen_info.h
65224 --- linux-2.6.39.3/include/linux/screen_info.h 2011-05-19 00:06:34.000000000 -0400
65225 +++ linux-2.6.39.3/include/linux/screen_info.h 2011-05-22 19:36:33.000000000 -0400
65226 @@ -43,7 +43,8 @@ struct screen_info {
65227 __u16 pages; /* 0x32 */
65228 __u16 vesa_attributes; /* 0x34 */
65229 __u32 capabilities; /* 0x36 */
65230 - __u8 _reserved[6]; /* 0x3a */
65231 + __u16 vesapm_size; /* 0x3a */
65232 + __u8 _reserved[4]; /* 0x3c */
65233 } __attribute__((packed));
65234
65235 #define VIDEO_TYPE_MDA 0x10 /* Monochrome Text Display */
65236 diff -urNp linux-2.6.39.3/include/linux/security.h linux-2.6.39.3/include/linux/security.h
65237 --- linux-2.6.39.3/include/linux/security.h 2011-05-19 00:06:34.000000000 -0400
65238 +++ linux-2.6.39.3/include/linux/security.h 2011-05-22 19:41:42.000000000 -0400
65239 @@ -36,6 +36,7 @@
65240 #include <linux/key.h>
65241 #include <linux/xfrm.h>
65242 #include <linux/slab.h>
65243 +#include <linux/grsecurity.h>
65244 #include <net/flow.h>
65245
65246 /* Maximum number of letters for an LSM name string */
65247 diff -urNp linux-2.6.39.3/include/linux/shm.h linux-2.6.39.3/include/linux/shm.h
65248 --- linux-2.6.39.3/include/linux/shm.h 2011-05-19 00:06:34.000000000 -0400
65249 +++ linux-2.6.39.3/include/linux/shm.h 2011-05-22 19:41:42.000000000 -0400
65250 @@ -95,6 +95,10 @@ struct shmid_kernel /* private to the ke
65251 pid_t shm_cprid;
65252 pid_t shm_lprid;
65253 struct user_struct *mlock_user;
65254 +#ifdef CONFIG_GRKERNSEC
65255 + time_t shm_createtime;
65256 + pid_t shm_lapid;
65257 +#endif
65258 };
65259
65260 /* shm_mode upper byte flags */
65261 diff -urNp linux-2.6.39.3/include/linux/skbuff.h linux-2.6.39.3/include/linux/skbuff.h
65262 --- linux-2.6.39.3/include/linux/skbuff.h 2011-05-19 00:06:34.000000000 -0400
65263 +++ linux-2.6.39.3/include/linux/skbuff.h 2011-07-06 20:00:13.000000000 -0400
65264 @@ -592,7 +592,7 @@ static inline struct skb_shared_hwtstamp
65265 */
65266 static inline int skb_queue_empty(const struct sk_buff_head *list)
65267 {
65268 - return list->next == (struct sk_buff *)list;
65269 + return list->next == (const struct sk_buff *)list;
65270 }
65271
65272 /**
65273 @@ -605,7 +605,7 @@ static inline int skb_queue_empty(const
65274 static inline bool skb_queue_is_last(const struct sk_buff_head *list,
65275 const struct sk_buff *skb)
65276 {
65277 - return skb->next == (struct sk_buff *)list;
65278 + return skb->next == (const struct sk_buff *)list;
65279 }
65280
65281 /**
65282 @@ -618,7 +618,7 @@ static inline bool skb_queue_is_last(con
65283 static inline bool skb_queue_is_first(const struct sk_buff_head *list,
65284 const struct sk_buff *skb)
65285 {
65286 - return skb->prev == (struct sk_buff *)list;
65287 + return skb->prev == (const struct sk_buff *)list;
65288 }
65289
65290 /**
65291 @@ -1435,7 +1435,7 @@ static inline int pskb_network_may_pull(
65292 * NET_IP_ALIGN(2) + ethernet_header(14) + IP_header(20/40) + ports(8)
65293 */
65294 #ifndef NET_SKB_PAD
65295 -#define NET_SKB_PAD max(32, L1_CACHE_BYTES)
65296 +#define NET_SKB_PAD max(_AC(32,UL), L1_CACHE_BYTES)
65297 #endif
65298
65299 extern int ___pskb_trim(struct sk_buff *skb, unsigned int len);
65300 diff -urNp linux-2.6.39.3/include/linux/slab_def.h linux-2.6.39.3/include/linux/slab_def.h
65301 --- linux-2.6.39.3/include/linux/slab_def.h 2011-05-19 00:06:34.000000000 -0400
65302 +++ linux-2.6.39.3/include/linux/slab_def.h 2011-05-22 19:36:33.000000000 -0400
65303 @@ -96,10 +96,10 @@ struct kmem_cache {
65304 unsigned long node_allocs;
65305 unsigned long node_frees;
65306 unsigned long node_overflow;
65307 - atomic_t allochit;
65308 - atomic_t allocmiss;
65309 - atomic_t freehit;
65310 - atomic_t freemiss;
65311 + atomic_unchecked_t allochit;
65312 + atomic_unchecked_t allocmiss;
65313 + atomic_unchecked_t freehit;
65314 + atomic_unchecked_t freemiss;
65315
65316 /*
65317 * If debugging is enabled, then the allocator can add additional
65318 diff -urNp linux-2.6.39.3/include/linux/slab.h linux-2.6.39.3/include/linux/slab.h
65319 --- linux-2.6.39.3/include/linux/slab.h 2011-05-19 00:06:34.000000000 -0400
65320 +++ linux-2.6.39.3/include/linux/slab.h 2011-05-23 17:07:00.000000000 -0400
65321 @@ -11,12 +11,20 @@
65322
65323 #include <linux/gfp.h>
65324 #include <linux/types.h>
65325 +#include <linux/err.h>
65326
65327 /*
65328 * Flags to pass to kmem_cache_create().
65329 * The ones marked DEBUG are only valid if CONFIG_SLAB_DEBUG is set.
65330 */
65331 #define SLAB_DEBUG_FREE 0x00000100UL /* DEBUG: Perform (expensive) checks on free */
65332 +
65333 +#ifdef CONFIG_PAX_USERCOPY
65334 +#define SLAB_USERCOPY 0x00000200UL /* PaX: Allow copying objs to/from userland */
65335 +#else
65336 +#define SLAB_USERCOPY 0x00000000UL
65337 +#endif
65338 +
65339 #define SLAB_RED_ZONE 0x00000400UL /* DEBUG: Red zone objs in a cache */
65340 #define SLAB_POISON 0x00000800UL /* DEBUG: Poison objects */
65341 #define SLAB_HWCACHE_ALIGN 0x00002000UL /* Align objs on cache lines */
65342 @@ -87,10 +95,13 @@
65343 * ZERO_SIZE_PTR can be passed to kfree though in the same way that NULL can.
65344 * Both make kfree a no-op.
65345 */
65346 -#define ZERO_SIZE_PTR ((void *)16)
65347 +#define ZERO_SIZE_PTR \
65348 +({ \
65349 + BUILD_BUG_ON(!(MAX_ERRNO & ~PAGE_MASK));\
65350 + (void *)(-MAX_ERRNO-1L); \
65351 +})
65352
65353 -#define ZERO_OR_NULL_PTR(x) ((unsigned long)(x) <= \
65354 - (unsigned long)ZERO_SIZE_PTR)
65355 +#define ZERO_OR_NULL_PTR(x) ((unsigned long)(x) - 1 >= (unsigned long)ZERO_SIZE_PTR - 1)
65356
65357 /*
65358 * struct kmem_cache related prototypes
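Review bot: `ZERO_OR_NULL_PTR()` is now true for every `ERR_PTR()` value as well as for NULL and `ZERO_SIZE_PTR`, because `ZERO_SIZE_PTR` moves to `-MAX_ERRNO-1` and the test becomes `(unsigned long)(x) - 1 >= (unsigned long)ZERO_SIZE_PTR - 1`. Code that returns early on this macro will therefore quietly accept an error pointer. The comment kept above the macro still mentions only `ZERO_SIZE_PTR` and NULL, and should gain a line such as `/* ZERO_OR_NULL_PTR() also matches ERR_PTR() values, which lie above ZERO_SIZE_PTR. */`. `ZERO_SIZE_PTR` is also now a statement expression, so it can no longer be used in a static initializer or other constant expression, which deserves a note too.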
65359 @@ -141,6 +152,7 @@ void * __must_check krealloc(const void
65360 void kfree(const void *);
65361 void kzfree(const void *);
65362 size_t ksize(const void *);
65363 +void check_object_size(const void *ptr, unsigned long n, bool to);
65364
65365 /*
65366 * Allocator specific definitions. These are mainly used to establish optimized
65367 @@ -333,4 +345,59 @@ static inline void *kzalloc_node(size_t
65368
65369 void __init kmem_cache_init_late(void);
65370
65371 +#define kmalloc(x, y) \
65372 +({ \
65373 + void *___retval; \
65374 + intoverflow_t ___x = (intoverflow_t)x; \
65375 + if (WARN(___x > ULONG_MAX, "kmalloc size overflow\n")) \
65376 + ___retval = NULL; \
65377 + else \
65378 + ___retval = kmalloc((size_t)___x, (y)); \
65379 + ___retval; \
65380 +})
65381 +
65382 +#define kmalloc_node(x, y, z) \
65383 +({ \
65384 + void *___retval; \
65385 + intoverflow_t ___x = (intoverflow_t)x; \
65386 + if (WARN(___x > ULONG_MAX, "kmalloc_node size overflow\n"))\
65387 + ___retval = NULL; \
65388 + else \
65389 + ___retval = kmalloc_node((size_t)___x, (y), (z));\
65390 + ___retval; \
65391 +})
65392 +
65393 +#define kzalloc(x, y) \
65394 +({ \
65395 + void *___retval; \
65396 + intoverflow_t ___x = (intoverflow_t)x; \
65397 + if (WARN(___x > ULONG_MAX, "kzalloc size overflow\n")) \
65398 + ___retval = NULL; \
65399 + else \
65400 + ___retval = kzalloc((size_t)___x, (y)); \
65401 + ___retval; \
65402 +})
65403 +
65404 +#define __krealloc(x, y, z) \
65405 +({ \
65406 + void *___retval; \
65407 + intoverflow_t ___y = (intoverflow_t)y; \
65408 + if (WARN(___y > ULONG_MAX, "__krealloc size overflow\n"))\
65409 + ___retval = NULL; \
65410 + else \
65411 + ___retval = __krealloc((x), (size_t)___y, (z)); \
65412 + ___retval; \
65413 +})
65414 +
65415 +#define krealloc(x, y, z) \
65416 +({ \
65417 + void *___retval; \
65418 + intoverflow_t ___y = (intoverflow_t)y; \
65419 + if (WARN(___y > ULONG_MAX, "krealloc size overflow\n")) \
65420 + ___retval = NULL; \
65421 + else \
65422 + ___retval = krealloc((x), (size_t)___y, (z)); \
65423 + ___retval; \
65424 +})
65425 +
65426 #endif /* _LINUX_SLAB_H */
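Review bot: All five wrapper macros cast the size argument without parentheses, `(intoverflow_t)x`, so for `kmalloc(a * b, ...)` the cast binds to `a` alone. That widens the multiplication, which looks deliberate, but for `a + b * c` or a conditional expression it widens the wrong operand and the check misses the overflow. Because this depends on unhygienic expansion it must be documented at the macros, e.g. `/* size is deliberately not parenthesized: the cast widens the first operand so n * size is evaluated in intoverflow_t */`. Where `intoverflow_t` is no wider than `unsigned long` (its definition is outside this hunk) the `> ULONG_MAX` test can never fire, which the comment should also state. The five bodies differ only in the wrapped function and the argument position, and could share one helper macro.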
65427 diff -urNp linux-2.6.39.3/include/linux/slub_def.h linux-2.6.39.3/include/linux/slub_def.h
65428 --- linux-2.6.39.3/include/linux/slub_def.h 2011-05-19 00:06:34.000000000 -0400
65429 +++ linux-2.6.39.3/include/linux/slub_def.h 2011-05-22 19:36:33.000000000 -0400
65430 @@ -84,7 +84,7 @@ struct kmem_cache {
65431 struct kmem_cache_order_objects max;
65432 struct kmem_cache_order_objects min;
65433 gfp_t allocflags; /* gfp flags to use on each alloc */
65434 - int refcount; /* Refcount for slab cache destroy */
65435 + atomic_t refcount; /* Refcount for slab cache destroy */
65436 void (*ctor)(void *);
65437 int inuse; /* Offset to metadata */
65438 int align; /* Alignment */
65439 diff -urNp linux-2.6.39.3/include/linux/sonet.h linux-2.6.39.3/include/linux/sonet.h
65440 --- linux-2.6.39.3/include/linux/sonet.h 2011-05-19 00:06:34.000000000 -0400
65441 +++ linux-2.6.39.3/include/linux/sonet.h 2011-05-22 19:36:33.000000000 -0400
65442 @@ -61,7 +61,7 @@ struct sonet_stats {
65443 #include <asm/atomic.h>
65444
65445 struct k_sonet_stats {
65446 -#define __HANDLE_ITEM(i) atomic_t i
65447 +#define __HANDLE_ITEM(i) atomic_unchecked_t i
65448 __SONET_ITEMS
65449 #undef __HANDLE_ITEM
65450 };
65451 diff -urNp linux-2.6.39.3/include/linux/ssb/ssb_driver_gige.h linux-2.6.39.3/include/linux/ssb/ssb_driver_gige.h
65452 --- linux-2.6.39.3/include/linux/ssb/ssb_driver_gige.h 2011-05-19 00:06:34.000000000 -0400
65453 +++ linux-2.6.39.3/include/linux/ssb/ssb_driver_gige.h 2011-05-22 19:36:33.000000000 -0400
65454 @@ -44,7 +44,7 @@ struct ssb_gige {
65455
65456 /* The PCI controller device. */
65457 struct pci_controller pci_controller;
65458 - struct pci_ops pci_ops;
65459 + const struct pci_ops pci_ops;
65460 struct resource mem_resource;
65461 struct resource io_resource;
65462 };
65463 diff -urNp linux-2.6.39.3/include/linux/sunrpc/clnt.h linux-2.6.39.3/include/linux/sunrpc/clnt.h
65464 --- linux-2.6.39.3/include/linux/sunrpc/clnt.h 2011-05-19 00:06:34.000000000 -0400
65465 +++ linux-2.6.39.3/include/linux/sunrpc/clnt.h 2011-05-22 19:36:33.000000000 -0400
65466 @@ -169,9 +169,9 @@ static inline unsigned short rpc_get_por
65467 {
65468 switch (sap->sa_family) {
65469 case AF_INET:
65470 - return ntohs(((struct sockaddr_in *)sap)->sin_port);
65471 + return ntohs(((const struct sockaddr_in *)sap)->sin_port);
65472 case AF_INET6:
65473 - return ntohs(((struct sockaddr_in6 *)sap)->sin6_port);
65474 + return ntohs(((const struct sockaddr_in6 *)sap)->sin6_port);
65475 }
65476 return 0;
65477 }
65478 @@ -204,7 +204,7 @@ static inline bool __rpc_cmp_addr4(const
65479 static inline bool __rpc_copy_addr4(struct sockaddr *dst,
65480 const struct sockaddr *src)
65481 {
65482 - const struct sockaddr_in *ssin = (struct sockaddr_in *) src;
65483 + const struct sockaddr_in *ssin = (const struct sockaddr_in *) src;
65484 struct sockaddr_in *dsin = (struct sockaddr_in *) dst;
65485
65486 dsin->sin_family = ssin->sin_family;
65487 @@ -301,7 +301,7 @@ static inline u32 rpc_get_scope_id(const
65488 if (sa->sa_family != AF_INET6)
65489 return 0;
65490
65491 - return ((struct sockaddr_in6 *) sa)->sin6_scope_id;
65492 + return ((const struct sockaddr_in6 *) sa)->sin6_scope_id;
65493 }
65494
65495 #endif /* __KERNEL__ */
65496 diff -urNp linux-2.6.39.3/include/linux/sunrpc/svc_rdma.h linux-2.6.39.3/include/linux/sunrpc/svc_rdma.h
65497 --- linux-2.6.39.3/include/linux/sunrpc/svc_rdma.h 2011-05-19 00:06:34.000000000 -0400
65498 +++ linux-2.6.39.3/include/linux/sunrpc/svc_rdma.h 2011-05-22 19:36:33.000000000 -0400
65499 @@ -53,15 +53,15 @@ extern unsigned int svcrdma_ord;
65500 extern unsigned int svcrdma_max_requests;
65501 extern unsigned int svcrdma_max_req_size;
65502
65503 -extern atomic_t rdma_stat_recv;
65504 -extern atomic_t rdma_stat_read;
65505 -extern atomic_t rdma_stat_write;
65506 -extern atomic_t rdma_stat_sq_starve;
65507 -extern atomic_t rdma_stat_rq_starve;
65508 -extern atomic_t rdma_stat_rq_poll;
65509 -extern atomic_t rdma_stat_rq_prod;
65510 -extern atomic_t rdma_stat_sq_poll;
65511 -extern atomic_t rdma_stat_sq_prod;
65512 +extern atomic_unchecked_t rdma_stat_recv;
65513 +extern atomic_unchecked_t rdma_stat_read;
65514 +extern atomic_unchecked_t rdma_stat_write;
65515 +extern atomic_unchecked_t rdma_stat_sq_starve;
65516 +extern atomic_unchecked_t rdma_stat_rq_starve;
65517 +extern atomic_unchecked_t rdma_stat_rq_poll;
65518 +extern atomic_unchecked_t rdma_stat_rq_prod;
65519 +extern atomic_unchecked_t rdma_stat_sq_poll;
65520 +extern atomic_unchecked_t rdma_stat_sq_prod;
65521
65522 #define RPCRDMA_VERSION 1
65523
65524 diff -urNp linux-2.6.39.3/include/linux/suspend.h linux-2.6.39.3/include/linux/suspend.h
65525 --- linux-2.6.39.3/include/linux/suspend.h 2011-05-19 00:06:34.000000000 -0400
65526 +++ linux-2.6.39.3/include/linux/suspend.h 2011-05-22 19:36:33.000000000 -0400
65527 @@ -106,15 +106,15 @@ typedef int __bitwise suspend_state_t;
65528 * which require special recovery actions in that situation.
65529 */
65530 struct platform_suspend_ops {
65531 - int (*valid)(suspend_state_t state);
65532 - int (*begin)(suspend_state_t state);
65533 - int (*prepare)(void);
65534 - int (*prepare_late)(void);
65535 - int (*enter)(suspend_state_t state);
65536 - void (*wake)(void);
65537 - void (*finish)(void);
65538 - void (*end)(void);
65539 - void (*recover)(void);
65540 + int (* const valid)(suspend_state_t state);
65541 + int (* const begin)(suspend_state_t state);
65542 + int (* const prepare)(void);
65543 + int (* const prepare_late)(void);
65544 + int (* const enter)(suspend_state_t state);
65545 + void (* const wake)(void);
65546 + void (* const finish)(void);
65547 + void (* const end)(void);
65548 + void (* const recover)(void);
65549 };
65550
65551 #ifdef CONFIG_SUSPEND
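Review bot: Qualifying each callback as `(* const name)` in `platform_suspend_ops` forbids assignment to the members, but it does not by itself make an instance read-only. That still depends on each instance being defined `const` or otherwise placed in read-only data, which these hunks do not show. Platform code that fills an ops structure in field by field at runtime will also stop compiling and has to move to a designated initializer. A line in the existing comment above the struct would record both points, for example `/* members are const: define instances with a static initializer, preferably as const objects */`. The same pattern appears in `platform_hibernation_ops` in the next hunk, `sysfs_ops` in sysfs.h and `neigh_ops` in neighbour.h.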
65552 @@ -217,16 +217,16 @@ extern void mark_free_pages(struct zone
65553 * platforms which require special recovery actions in that situation.
65554 */
65555 struct platform_hibernation_ops {
65556 - int (*begin)(void);
65557 - void (*end)(void);
65558 - int (*pre_snapshot)(void);
65559 - void (*finish)(void);
65560 - int (*prepare)(void);
65561 - int (*enter)(void);
65562 - void (*leave)(void);
65563 - int (*pre_restore)(void);
65564 - void (*restore_cleanup)(void);
65565 - void (*recover)(void);
65566 + int (* const begin)(void);
65567 + void (* const end)(void);
65568 + int (* const pre_snapshot)(void);
65569 + void (* const finish)(void);
65570 + int (* const prepare)(void);
65571 + int (* const enter)(void);
65572 + void (* const leave)(void);
65573 + int (* const pre_restore)(void);
65574 + void (* const restore_cleanup)(void);
65575 + void (* const recover)(void);
65576 };
65577
65578 #ifdef CONFIG_HIBERNATION
65579 diff -urNp linux-2.6.39.3/include/linux/sysctl.h linux-2.6.39.3/include/linux/sysctl.h
65580 --- linux-2.6.39.3/include/linux/sysctl.h 2011-05-19 00:06:34.000000000 -0400
65581 +++ linux-2.6.39.3/include/linux/sysctl.h 2011-05-22 19:41:42.000000000 -0400
65582 @@ -155,7 +155,11 @@ enum
65583 KERN_PANIC_ON_NMI=76, /* int: whether we will panic on an unrecovered */
65584 };
65585
65586 -
65587 +#ifdef CONFIG_PAX_SOFTMODE
65588 +enum {
65589 + PAX_SOFTMODE=1 /* PaX: disable/enable soft mode */
65590 +};
65591 +#endif
65592
65593 /* CTL_VM names: */
65594 enum
65595 @@ -967,6 +971,8 @@ typedef int proc_handler (struct ctl_tab
65596
65597 extern int proc_dostring(struct ctl_table *, int,
65598 void __user *, size_t *, loff_t *);
65599 +extern int proc_dostring_modpriv(struct ctl_table *, int,
65600 + void __user *, size_t *, loff_t *);
65601 extern int proc_dointvec(struct ctl_table *, int,
65602 void __user *, size_t *, loff_t *);
65603 extern int proc_dointvec_minmax(struct ctl_table *, int,
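Review bot: `proc_dostring_modpriv` is declared next to `proc_dostring` with an identical signature and nothing that says how the two differ. The name suggests an added privilege check on the write path, but that is only an inference from here. Someone wiring up a new sysctl entry cannot tell from the header which handler a security-sensitive string needs. A one-line comment on the prototype would settle it, for example `/* like proc_dostring, but <privilege requirement: fill in from the definition> */`.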
65604 diff -urNp linux-2.6.39.3/include/linux/sysfs.h linux-2.6.39.3/include/linux/sysfs.h
65605 --- linux-2.6.39.3/include/linux/sysfs.h 2011-05-19 00:06:34.000000000 -0400
65606 +++ linux-2.6.39.3/include/linux/sysfs.h 2011-05-22 19:36:33.000000000 -0400
65607 @@ -110,8 +110,8 @@ struct bin_attribute {
65608 #define sysfs_bin_attr_init(bin_attr) sysfs_attr_init(&(bin_attr)->attr)
65609
65610 struct sysfs_ops {
65611 - ssize_t (*show)(struct kobject *, struct attribute *,char *);
65612 - ssize_t (*store)(struct kobject *,struct attribute *,const char *, size_t);
65613 + ssize_t (* const show)(struct kobject *, struct attribute *,char *);
65614 + ssize_t (* const store)(struct kobject *,struct attribute *,const char *, size_t);
65615 };
65616
65617 struct sysfs_dirent;
65618 diff -urNp linux-2.6.39.3/include/linux/tty.h linux-2.6.39.3/include/linux/tty.h
65619 --- linux-2.6.39.3/include/linux/tty.h 2011-05-19 00:06:34.000000000 -0400
65620 +++ linux-2.6.39.3/include/linux/tty.h 2011-05-22 19:36:33.000000000 -0400
65621 @@ -13,6 +13,7 @@
65622 #include <linux/tty_driver.h>
65623 #include <linux/tty_ldisc.h>
65624 #include <linux/mutex.h>
65625 +#include <linux/poll.h>
65626
65627 #include <asm/system.h>
65628
65629 @@ -466,7 +467,6 @@ extern int tty_perform_flush(struct tty_
65630 extern dev_t tty_devnum(struct tty_struct *tty);
65631 extern void proc_clear_tty(struct task_struct *p);
65632 extern struct tty_struct *get_current_tty(void);
65633 -extern void tty_default_fops(struct file_operations *fops);
65634 extern struct tty_struct *alloc_tty_struct(void);
65635 extern int tty_add_file(struct tty_struct *tty, struct file *file);
65636 extern void free_tty_struct(struct tty_struct *tty);
65637 @@ -529,6 +529,18 @@ extern void tty_ldisc_begin(void);
65638 /* This last one is just for the tty layer internals and shouldn't be used elsewhere */
65639 extern void tty_ldisc_enable(struct tty_struct *tty);
65640
65641 +/* tty_io.c */
65642 +extern ssize_t tty_read(struct file *, char __user *, size_t, loff_t *);
65643 +extern ssize_t tty_write(struct file *, const char __user *, size_t, loff_t *);
65644 +extern unsigned int tty_poll(struct file *, poll_table *);
65645 +#ifdef CONFIG_COMPAT
65646 +extern long tty_compat_ioctl(struct file *file, unsigned int cmd,
65647 + unsigned long arg);
65648 +#else
65649 +#define tty_compat_ioctl NULL
65650 +#endif
65651 +extern int tty_release(struct inode *, struct file *);
65652 +extern int tty_fasync(int fd, struct file *filp, int on);
65653
65654 /* n_tty.c */
65655 extern struct tty_ldisc_ops tty_ldisc_N_TTY;
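Review bot: This block makes the tty core's file handlers (`tty_read`, `tty_write`, `tty_poll`, `tty_release`, `tty_fasync`, `tty_compat_ioctl`) visible to every includer of tty.h without saying who is meant to call them. The earlier hunk in this file removes `tty_default_fops()`, so presumably the intent is that a driver builds its own `const struct file_operations` from these symbols instead of copying and patching the default table at runtime. Extending the `/* tty_io.c */` comment to say that, for example `/* tty_io.c: default handlers, exposed so drivers can define const file_operations statically */`, would discourage direct calls from unrelated code. It is also worth noting beside `#define tty_compat_ioctl NULL` that the name is only valid as an initializer value when `CONFIG_COMPAT` is off.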
65656 diff -urNp linux-2.6.39.3/include/linux/tty_ldisc.h linux-2.6.39.3/include/linux/tty_ldisc.h
65657 --- linux-2.6.39.3/include/linux/tty_ldisc.h 2011-05-19 00:06:34.000000000 -0400
65658 +++ linux-2.6.39.3/include/linux/tty_ldisc.h 2011-05-22 19:36:33.000000000 -0400
65659 @@ -148,7 +148,7 @@ struct tty_ldisc_ops {
65660
65661 struct module *owner;
65662
65663 - int refcount;
65664 + atomic_t refcount;
65665 };
65666
65667 struct tty_ldisc {
65668 diff -urNp linux-2.6.39.3/include/linux/types.h linux-2.6.39.3/include/linux/types.h
65669 --- linux-2.6.39.3/include/linux/types.h 2011-05-19 00:06:34.000000000 -0400
65670 +++ linux-2.6.39.3/include/linux/types.h 2011-05-22 19:36:33.000000000 -0400
65671 @@ -213,10 +213,26 @@ typedef struct {
65672 int counter;
65673 } atomic_t;
65674
65675 +#ifdef CONFIG_PAX_REFCOUNT
65676 +typedef struct {
65677 + int counter;
65678 +} atomic_unchecked_t;
65679 +#else
65680 +typedef atomic_t atomic_unchecked_t;
65681 +#endif
65682 +
65683 #ifdef CONFIG_64BIT
65684 typedef struct {
65685 long counter;
65686 } atomic64_t;
65687 +
65688 +#ifdef CONFIG_PAX_REFCOUNT
65689 +typedef struct {
65690 + long counter;
65691 +} atomic64_unchecked_t;
65692 +#else
65693 +typedef atomic64_t atomic64_unchecked_t;
65694 +#endif
65695 #endif
65696
65697 struct list_head {
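Review bot: `atomic_unchecked_t` and `atomic64_unchecked_t` are introduced without any comment on when a counter may use them. With `CONFIG_PAX_REFCOUNT` off they are plain typedefs of `atomic_t`/`atomic64_t`, so a mix-up between checked and unchecked accessors compiles silently in that configuration. Judging by the conversions elsewhere in this patch (statistics, sequence numbers, generation ids), the unchecked types are meant for counters where wrap-around is harmless, while reference counts stay on `atomic_t`. A comment above the first `#ifdef CONFIG_PAX_REFCOUNT` would make that rule explicit, for example `/* unchecked variants: only for counters that may legitimately wrap; never for reference counts */`.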
65698 diff -urNp linux-2.6.39.3/include/linux/uaccess.h linux-2.6.39.3/include/linux/uaccess.h
65699 --- linux-2.6.39.3/include/linux/uaccess.h 2011-05-19 00:06:34.000000000 -0400
65700 +++ linux-2.6.39.3/include/linux/uaccess.h 2011-05-22 19:36:33.000000000 -0400
65701 @@ -76,11 +76,11 @@ static inline unsigned long __copy_from_
65702 long ret; \
65703 mm_segment_t old_fs = get_fs(); \
65704 \
65705 - set_fs(KERNEL_DS); \
65706 pagefault_disable(); \
65707 + set_fs(KERNEL_DS); \
65708 ret = __copy_from_user_inatomic(&(retval), (__force typeof(retval) __user *)(addr), sizeof(retval)); \
65709 - pagefault_enable(); \
65710 set_fs(old_fs); \
65711 + pagefault_enable(); \
65712 ret; \
65713 })
65714
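Review bot: The reordering nests the `set_fs(KERNEL_DS)` window inside the `pagefault_disable()`/`pagefault_enable()` pair, but nothing in the macro says the order is now significant. A later cleanup could swap the calls back without anyone noticing. A continuation-line comment before `pagefault_disable();` would pin it, for example `/* keep the KERNEL_DS window strictly inside the pagefault-disabled region */ \`. The macro begins above this hunk, so its name and full argument list are not visible here.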
65715 @@ -93,8 +93,8 @@ static inline unsigned long __copy_from_
65716 * Safely read from address @src to the buffer at @dst. If a kernel fault
65717 * happens, handle that and return -EFAULT.
65718 */
65719 -extern long probe_kernel_read(void *dst, void *src, size_t size);
65720 -extern long __probe_kernel_read(void *dst, void *src, size_t size);
65721 +extern long probe_kernel_read(void *dst, const void *src, size_t size);
65722 +extern long __probe_kernel_read(void *dst, const void *src, size_t size);
65723
65724 /*
65725 * probe_kernel_write(): safely attempt to write to a location
65726 @@ -105,7 +105,7 @@ extern long __probe_kernel_read(void *ds
65727 * Safely write to address @dst from the buffer at @src. If a kernel fault
65728 * happens, handle that and return -EFAULT.
65729 */
65730 -extern long notrace probe_kernel_write(void *dst, void *src, size_t size);
65731 -extern long notrace __probe_kernel_write(void *dst, void *src, size_t size);
65732 +extern long notrace probe_kernel_write(void *dst, const void *src, size_t size);
65733 +extern long notrace __probe_kernel_write(void *dst, const void *src, size_t size);
65734
65735 #endif /* __LINUX_UACCESS_H__ */
65736 diff -urNp linux-2.6.39.3/include/linux/unaligned/access_ok.h linux-2.6.39.3/include/linux/unaligned/access_ok.h
65737 --- linux-2.6.39.3/include/linux/unaligned/access_ok.h 2011-05-19 00:06:34.000000000 -0400
65738 +++ linux-2.6.39.3/include/linux/unaligned/access_ok.h 2011-05-22 19:36:33.000000000 -0400
65739 @@ -6,32 +6,32 @@
65740
65741 static inline u16 get_unaligned_le16(const void *p)
65742 {
65743 - return le16_to_cpup((__le16 *)p);
65744 + return le16_to_cpup((const __le16 *)p);
65745 }
65746
65747 static inline u32 get_unaligned_le32(const void *p)
65748 {
65749 - return le32_to_cpup((__le32 *)p);
65750 + return le32_to_cpup((const __le32 *)p);
65751 }
65752
65753 static inline u64 get_unaligned_le64(const void *p)
65754 {
65755 - return le64_to_cpup((__le64 *)p);
65756 + return le64_to_cpup((const __le64 *)p);
65757 }
65758
65759 static inline u16 get_unaligned_be16(const void *p)
65760 {
65761 - return be16_to_cpup((__be16 *)p);
65762 + return be16_to_cpup((const __be16 *)p);
65763 }
65764
65765 static inline u32 get_unaligned_be32(const void *p)
65766 {
65767 - return be32_to_cpup((__be32 *)p);
65768 + return be32_to_cpup((const __be32 *)p);
65769 }
65770
65771 static inline u64 get_unaligned_be64(const void *p)
65772 {
65773 - return be64_to_cpup((__be64 *)p);
65774 + return be64_to_cpup((const __be64 *)p);
65775 }
65776
65777 static inline void put_unaligned_le16(u16 val, void *p)
65778 diff -urNp linux-2.6.39.3/include/linux/usb/hcd.h linux-2.6.39.3/include/linux/usb/hcd.h
65779 --- linux-2.6.39.3/include/linux/usb/hcd.h 2011-05-19 00:06:34.000000000 -0400
65780 +++ linux-2.6.39.3/include/linux/usb/hcd.h 2011-05-22 19:36:33.000000000 -0400
65781 @@ -615,7 +615,7 @@ struct usb_mon_operations {
65782 /* void (*urb_unlink)(struct usb_bus *bus, struct urb *urb); */
65783 };
65784
65785 -extern struct usb_mon_operations *mon_ops;
65786 +extern const struct usb_mon_operations *mon_ops;
65787
65788 static inline void usbmon_urb_submit(struct usb_bus *bus, struct urb *urb)
65789 {
65790 @@ -637,7 +637,7 @@ static inline void usbmon_urb_complete(s
65791 (*mon_ops->urb_complete)(bus, urb, status);
65792 }
65793
65794 -int usb_mon_register(struct usb_mon_operations *ops);
65795 +int usb_mon_register(const struct usb_mon_operations *ops);
65796 void usb_mon_deregister(void);
65797
65798 #else
65799 diff -urNp linux-2.6.39.3/include/linux/usb/intel_mid_otg.h linux-2.6.39.3/include/linux/usb/intel_mid_otg.h
65800 --- linux-2.6.39.3/include/linux/usb/intel_mid_otg.h 2011-05-19 00:06:34.000000000 -0400
65801 +++ linux-2.6.39.3/include/linux/usb/intel_mid_otg.h 2011-05-22 19:36:33.000000000 -0400
65802 @@ -115,7 +115,7 @@ struct intel_mid_otg_xceiv {
65803 void __iomem *base;
65804
65805 /* ops to access ulpi */
65806 - struct iotg_ulpi_access_ops ulpi_ops;
65807 + const struct iotg_ulpi_access_ops ulpi_ops;
65808
65809 /* atomic notifier for interrupt context */
65810 struct atomic_notifier_head iotg_notifier;
65811 diff -urNp linux-2.6.39.3/include/linux/usb/ulpi.h linux-2.6.39.3/include/linux/usb/ulpi.h
65812 --- linux-2.6.39.3/include/linux/usb/ulpi.h 2011-05-19 00:06:34.000000000 -0400
65813 +++ linux-2.6.39.3/include/linux/usb/ulpi.h 2011-05-22 19:36:33.000000000 -0400
65814 @@ -186,7 +186,7 @@ struct otg_transceiver *otg_ulpi_create(
65815
65816 #ifdef CONFIG_USB_ULPI_VIEWPORT
65817 /* access ops for controllers with a viewport register */
65818 -extern struct otg_io_access_ops ulpi_viewport_access_ops;
65819 +extern const struct otg_io_access_ops ulpi_viewport_access_ops;
65820 #endif
65821
65822 #endif /* __LINUX_USB_ULPI_H */
65823 diff -urNp linux-2.6.39.3/include/linux/vga_switcheroo.h linux-2.6.39.3/include/linux/vga_switcheroo.h
65824 --- linux-2.6.39.3/include/linux/vga_switcheroo.h 2011-05-19 00:06:34.000000000 -0400
65825 +++ linux-2.6.39.3/include/linux/vga_switcheroo.h 2011-05-22 19:36:33.000000000 -0400
65826 @@ -39,7 +39,7 @@ int vga_switcheroo_register_client(struc
65827 void vga_switcheroo_client_fb_set(struct pci_dev *dev,
65828 struct fb_info *info);
65829
65830 -int vga_switcheroo_register_handler(struct vga_switcheroo_handler *handler);
65831 +int vga_switcheroo_register_handler(const struct vga_switcheroo_handler *handler);
65832 void vga_switcheroo_unregister_handler(void);
65833
65834 int vga_switcheroo_process_delayed_switch(void);
65835 @@ -52,7 +52,7 @@ static inline int vga_switcheroo_registe
65836 void (*reprobe)(struct pci_dev *dev),
65837 bool (*can_switch)(struct pci_dev *dev)) { return 0; }
65838 static inline void vga_switcheroo_client_fb_set(struct pci_dev *dev, struct fb_info *info) {}
65839 -static inline int vga_switcheroo_register_handler(struct vga_switcheroo_handler *handler) { return 0; }
65840 +static inline int vga_switcheroo_register_handler(const struct vga_switcheroo_handler *handler) { return 0; }
65841 static inline void vga_switcheroo_unregister_handler(void) {}
65842 static inline int vga_switcheroo_process_delayed_switch(void) { return 0; }
65843
65844 diff -urNp linux-2.6.39.3/include/linux/virtio.h linux-2.6.39.3/include/linux/virtio.h
65845 --- linux-2.6.39.3/include/linux/virtio.h 2011-05-19 00:06:34.000000000 -0400
65846 +++ linux-2.6.39.3/include/linux/virtio.h 2011-05-22 19:36:33.000000000 -0400
65847 @@ -102,7 +102,7 @@ struct virtio_device {
65848 int index;
65849 struct device dev;
65850 struct virtio_device_id id;
65851 - struct virtio_config_ops *config;
65852 + const struct virtio_config_ops *config;
65853 struct list_head vqs;
65854 /* Note that this is a Linux set_bit-style bitmap. */
65855 unsigned long features[1];
65856 diff -urNp linux-2.6.39.3/include/linux/vmalloc.h linux-2.6.39.3/include/linux/vmalloc.h
65857 --- linux-2.6.39.3/include/linux/vmalloc.h 2011-05-19 00:06:34.000000000 -0400
65858 +++ linux-2.6.39.3/include/linux/vmalloc.h 2011-05-22 19:36:33.000000000 -0400
65859 @@ -13,6 +13,11 @@ struct vm_area_struct; /* vma defining
65860 #define VM_MAP 0x00000004 /* vmap()ed pages */
65861 #define VM_USERMAP 0x00000008 /* suitable for remap_vmalloc_range */
65862 #define VM_VPAGES 0x00000010 /* buffer for pages was vmalloc'ed */
65863 +
65864 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
65865 +#define VM_KERNEXEC 0x00000020 /* allocate from executable kernel memory range */
65866 +#endif
65867 +
65868 /* bits [20..32] reserved for arch specific ioremap internals */
65869
65870 /*
65871 @@ -155,4 +160,103 @@ pcpu_free_vm_areas(struct vm_struct **vm
65872 # endif
65873 #endif
65874
65875 +#define vmalloc(x) \
65876 +({ \
65877 + void *___retval; \
65878 + intoverflow_t ___x = (intoverflow_t)x; \
65879 + if (WARN(___x > ULONG_MAX, "vmalloc size overflow\n")) \
65880 + ___retval = NULL; \
65881 + else \
65882 + ___retval = vmalloc((unsigned long)___x); \
65883 + ___retval; \
65884 +})
65885 +
65886 +#define vzalloc(x) \
65887 +({ \
65888 + void *___retval; \
65889 + intoverflow_t ___x = (intoverflow_t)x; \
65890 + if (WARN(___x > ULONG_MAX, "vzalloc size overflow\n")) \
65891 + ___retval = NULL; \
65892 + else \
65893 + ___retval = vzalloc((unsigned long)___x); \
65894 + ___retval; \
65895 +})
65896 +
65897 +#define __vmalloc(x, y, z) \
65898 +({ \
65899 + void *___retval; \
65900 + intoverflow_t ___x = (intoverflow_t)x; \
65901 + if (WARN(___x > ULONG_MAX, "__vmalloc size overflow\n"))\
65902 + ___retval = NULL; \
65903 + else \
65904 + ___retval = __vmalloc((unsigned long)___x, (y), (z));\
65905 + ___retval; \
65906 +})
65907 +
65908 +#define vmalloc_user(x) \
65909 +({ \
65910 + void *___retval; \
65911 + intoverflow_t ___x = (intoverflow_t)x; \
65912 + if (WARN(___x > ULONG_MAX, "vmalloc_user size overflow\n"))\
65913 + ___retval = NULL; \
65914 + else \
65915 + ___retval = vmalloc_user((unsigned long)___x); \
65916 + ___retval; \
65917 +})
65918 +
65919 +#define vmalloc_exec(x) \
65920 +({ \
65921 + void *___retval; \
65922 + intoverflow_t ___x = (intoverflow_t)x; \
65923 + if (WARN(___x > ULONG_MAX, "vmalloc_exec size overflow\n"))\
65924 + ___retval = NULL; \
65925 + else \
65926 + ___retval = vmalloc_exec((unsigned long)___x); \
65927 + ___retval; \
65928 +})
65929 +
65930 +#define vmalloc_node(x, y) \
65931 +({ \
65932 + void *___retval; \
65933 + intoverflow_t ___x = (intoverflow_t)x; \
65934 + if (WARN(___x > ULONG_MAX, "vmalloc_node size overflow\n"))\
65935 + ___retval = NULL; \
65936 + else \
65937 + ___retval = vmalloc_node((unsigned long)___x, (y));\
65938 + ___retval; \
65939 +})
65940 +
65941 +#define vzalloc_node(x, y) \
65942 +({ \
65943 + void *___retval; \
65944 + intoverflow_t ___x = (intoverflow_t)x; \
65945 + if (WARN(___x > ULONG_MAX, "vzalloc_node size overflow\n"))\
65946 + ___retval = NULL; \
65947 + else \
65948 + ___retval = vzalloc_node((unsigned long)___x, (y));\
65949 + ___retval; \
65950 +})
65951 +
65952 +#define vmalloc_32(x) \
65953 +({ \
65954 + void *___retval; \
65955 + intoverflow_t ___x = (intoverflow_t)x; \
65956 + if (WARN(___x > ULONG_MAX, "vmalloc_32 size overflow\n"))\
65957 + ___retval = NULL; \
65958 + else \
65959 + ___retval = vmalloc_32((unsigned long)___x); \
65960 + ___retval; \
65961 +})
65962 +
65963 +#define vmalloc_32_user(x) \
65964 +({ \
65965 +void *___retval; \
65966 + intoverflow_t ___x = (intoverflow_t)x; \
65967 + if (WARN(___x > ULONG_MAX, "vmalloc_32_user size overflow\n"))\
65968 + ___retval = NULL; \
65969 + else \
65970 + ___retval = vmalloc_32_user((unsigned long)___x);\
65971 + ___retval; \
65972 +})
65973 +
65974 #endif /* _LINUX_VMALLOC_H */
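Review bot: In each wrapper the cast is written `(intoverflow_t)x` with `x` unparenthesized, so for a call such as `vmalloc(n * size)` only `n` is converted and the product is evaluated in the cast's type. That looks deliberate, but it is undocumented, and it does nothing when the caller passes a single variable or a parenthesized expression, because any wrap has already happened before the `WARN` check. A comment above the first macro should state the contract, for example `/* x is deliberately not parenthesized: the cast widens the first operand of the caller's size expression */`. The check can only fire where `intoverflow_t` is wider than `unsigned long`; its definition is outside this hunk, so confirm what it is on 64-bit builds. The nine bodies differ only in the callee name and trailing arguments, so a single helper macro taking the callee would remove the duplication and keep the wrappers from drifting apart.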
65975 diff -urNp linux-2.6.39.3/include/linux/vmstat.h linux-2.6.39.3/include/linux/vmstat.h
65976 --- linux-2.6.39.3/include/linux/vmstat.h 2011-05-19 00:06:34.000000000 -0400
65977 +++ linux-2.6.39.3/include/linux/vmstat.h 2011-05-22 19:36:33.000000000 -0400
65978 @@ -147,18 +147,18 @@ static inline void vm_events_fold_cpu(in
65979 /*
65980 * Zone based page accounting with per cpu differentials.
65981 */
65982 -extern atomic_long_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
65983 +extern atomic_long_unchecked_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
65984
65985 static inline void zone_page_state_add(long x, struct zone *zone,
65986 enum zone_stat_item item)
65987 {
65988 - atomic_long_add(x, &zone->vm_stat[item]);
65989 - atomic_long_add(x, &vm_stat[item]);
65990 + atomic_long_add_unchecked(x, &zone->vm_stat[item]);
65991 + atomic_long_add_unchecked(x, &vm_stat[item]);
65992 }
65993
65994 static inline unsigned long global_page_state(enum zone_stat_item item)
65995 {
65996 - long x = atomic_long_read(&vm_stat[item]);
65997 + long x = atomic_long_read_unchecked(&vm_stat[item]);
65998 #ifdef CONFIG_SMP
65999 if (x < 0)
66000 x = 0;
66001 @@ -169,7 +169,7 @@ static inline unsigned long global_page_
66002 static inline unsigned long zone_page_state(struct zone *zone,
66003 enum zone_stat_item item)
66004 {
66005 - long x = atomic_long_read(&zone->vm_stat[item]);
66006 + long x = atomic_long_read_unchecked(&zone->vm_stat[item]);
66007 #ifdef CONFIG_SMP
66008 if (x < 0)
66009 x = 0;
66010 @@ -186,7 +186,7 @@ static inline unsigned long zone_page_st
66011 static inline unsigned long zone_page_state_snapshot(struct zone *zone,
66012 enum zone_stat_item item)
66013 {
66014 - long x = atomic_long_read(&zone->vm_stat[item]);
66015 + long x = atomic_long_read_unchecked(&zone->vm_stat[item]);
66016
66017 #ifdef CONFIG_SMP
66018 int cpu;
66019 @@ -280,8 +280,8 @@ static inline void __mod_zone_page_state
66020
66021 static inline void __inc_zone_state(struct zone *zone, enum zone_stat_item item)
66022 {
66023 - atomic_long_inc(&zone->vm_stat[item]);
66024 - atomic_long_inc(&vm_stat[item]);
66025 + atomic_long_inc_unchecked(&zone->vm_stat[item]);
66026 + atomic_long_inc_unchecked(&vm_stat[item]);
66027 }
66028
66029 static inline void __inc_zone_page_state(struct page *page,
66030 @@ -292,8 +292,8 @@ static inline void __inc_zone_page_state
66031
66032 static inline void __dec_zone_state(struct zone *zone, enum zone_stat_item item)
66033 {
66034 - atomic_long_dec(&zone->vm_stat[item]);
66035 - atomic_long_dec(&vm_stat[item]);
66036 + atomic_long_dec_unchecked(&zone->vm_stat[item]);
66037 + atomic_long_dec_unchecked(&vm_stat[item]);
66038 }
66039
66040 static inline void __dec_zone_page_state(struct page *page,
66041 diff -urNp linux-2.6.39.3/include/media/saa7146_vv.h linux-2.6.39.3/include/media/saa7146_vv.h
66042 --- linux-2.6.39.3/include/media/saa7146_vv.h 2011-05-19 00:06:34.000000000 -0400
66043 +++ linux-2.6.39.3/include/media/saa7146_vv.h 2011-05-22 19:36:33.000000000 -0400
66044 @@ -202,13 +202,13 @@ void saa7146_set_gpio(struct saa7146_dev
66045
66046 /* from saa7146_video.c */
66047 extern const struct v4l2_ioctl_ops saa7146_video_ioctl_ops;
66048 -extern struct saa7146_use_ops saa7146_video_uops;
66049 +extern const struct saa7146_use_ops saa7146_video_uops;
66050 int saa7146_start_preview(struct saa7146_fh *fh);
66051 int saa7146_stop_preview(struct saa7146_fh *fh);
66052 long saa7146_video_do_ioctl(struct file *file, unsigned int cmd, void *arg);
66053
66054 /* from saa7146_vbi.c */
66055 -extern struct saa7146_use_ops saa7146_vbi_uops;
66056 +extern const struct saa7146_use_ops saa7146_vbi_uops;
66057
66058 /* resource management functions */
66059 int saa7146_res_get(struct saa7146_fh *fh, unsigned int bit);
66060 diff -urNp linux-2.6.39.3/include/media/v4l2-device.h linux-2.6.39.3/include/media/v4l2-device.h
66061 --- linux-2.6.39.3/include/media/v4l2-device.h 2011-05-19 00:06:34.000000000 -0400
66062 +++ linux-2.6.39.3/include/media/v4l2-device.h 2011-05-22 19:36:33.000000000 -0400
66063 @@ -95,7 +95,7 @@ int __must_check v4l2_device_register(st
66064 this function returns 0. If the name ends with a digit (e.g. cx18),
66065 then the name will be set to cx18-0 since cx180 looks really odd. */
66066 int v4l2_device_set_name(struct v4l2_device *v4l2_dev, const char *basename,
66067 - atomic_t *instance);
66068 + atomic_unchecked_t *instance);
66069
66070 /* Set v4l2_dev->dev to NULL. Call when the USB parent disconnects.
66071 Since the parent disappears this ensures that v4l2_dev doesn't have an
66072 diff -urNp linux-2.6.39.3/include/net/caif/cfctrl.h linux-2.6.39.3/include/net/caif/cfctrl.h
66073 --- linux-2.6.39.3/include/net/caif/cfctrl.h 2011-05-19 00:06:34.000000000 -0400
66074 +++ linux-2.6.39.3/include/net/caif/cfctrl.h 2011-05-22 19:36:33.000000000 -0400
66075 @@ -101,8 +101,8 @@ struct cfctrl_request_info {
66076 struct cfctrl {
66077 struct cfsrvl serv;
66078 struct cfctrl_rsp res;
66079 - atomic_t req_seq_no;
66080 - atomic_t rsp_seq_no;
66081 + atomic_unchecked_t req_seq_no;
66082 + atomic_unchecked_t rsp_seq_no;
66083 struct list_head list;
66084 /* Protects from simultaneous access to first_req list */
66085 spinlock_t info_list_lock;
66086 diff -urNp linux-2.6.39.3/include/net/flow.h linux-2.6.39.3/include/net/flow.h
66087 --- linux-2.6.39.3/include/net/flow.h 2011-05-19 00:06:34.000000000 -0400
66088 +++ linux-2.6.39.3/include/net/flow.h 2011-05-22 19:36:33.000000000 -0400
66089 @@ -167,6 +167,6 @@ extern struct flow_cache_object *flow_ca
66090 u8 dir, flow_resolve_t resolver, void *ctx);
66091
66092 extern void flow_cache_flush(void);
66093 -extern atomic_t flow_cache_genid;
66094 +extern atomic_unchecked_t flow_cache_genid;
66095
66096 #endif
66097 diff -urNp linux-2.6.39.3/include/net/inetpeer.h linux-2.6.39.3/include/net/inetpeer.h
66098 --- linux-2.6.39.3/include/net/inetpeer.h 2011-05-19 00:06:34.000000000 -0400
66099 +++ linux-2.6.39.3/include/net/inetpeer.h 2011-05-22 19:36:33.000000000 -0400
66100 @@ -43,8 +43,8 @@ struct inet_peer {
66101 */
66102 union {
66103 struct {
66104 - atomic_t rid; /* Frag reception counter */
66105 - atomic_t ip_id_count; /* IP ID for the next packet */
66106 + atomic_unchecked_t rid; /* Frag reception counter */
66107 + atomic_unchecked_t ip_id_count; /* IP ID for the next packet */
66108 __u32 tcp_ts;
66109 __u32 tcp_ts_stamp;
66110 u32 metrics[RTAX_MAX];
66111 @@ -108,7 +108,7 @@ static inline __u16 inet_getid(struct in
66112 {
66113 more++;
66114 inet_peer_refcheck(p);
66115 - return atomic_add_return(more, &p->ip_id_count) - more;
66116 + return atomic_add_return_unchecked(more, &p->ip_id_count) - more;
66117 }
66118
66119 #endif /* _NET_INETPEER_H */
66120 diff -urNp linux-2.6.39.3/include/net/ip_fib.h linux-2.6.39.3/include/net/ip_fib.h
66121 --- linux-2.6.39.3/include/net/ip_fib.h 2011-05-19 00:06:34.000000000 -0400
66122 +++ linux-2.6.39.3/include/net/ip_fib.h 2011-05-22 19:36:33.000000000 -0400
66123 @@ -146,7 +146,7 @@ extern __be32 fib_info_update_nh_saddr(s
66124
66125 #define FIB_RES_SADDR(net, res) \
66126 ((FIB_RES_NH(res).nh_saddr_genid == \
66127 - atomic_read(&(net)->ipv4.dev_addr_genid)) ? \
66128 + atomic_read_unchecked(&(net)->ipv4.dev_addr_genid)) ? \
66129 FIB_RES_NH(res).nh_saddr : \
66130 fib_info_update_nh_saddr((net), &FIB_RES_NH(res)))
66131 #define FIB_RES_GW(res) (FIB_RES_NH(res).nh_gw)
66132 diff -urNp linux-2.6.39.3/include/net/ip_vs.h linux-2.6.39.3/include/net/ip_vs.h
66133 --- linux-2.6.39.3/include/net/ip_vs.h 2011-07-09 09:18:51.000000000 -0400
66134 +++ linux-2.6.39.3/include/net/ip_vs.h 2011-07-09 09:19:24.000000000 -0400
66135 @@ -512,7 +512,7 @@ struct ip_vs_conn {
66136 struct ip_vs_conn *control; /* Master control connection */
66137 atomic_t n_control; /* Number of controlled ones */
66138 struct ip_vs_dest *dest; /* real server */
66139 - atomic_t in_pkts; /* incoming packet counter */
66140 + atomic_unchecked_t in_pkts; /* incoming packet counter */
66141
66142 /* packet transmitter for different forwarding methods. If it
66143 mangles the packet, it must return NF_DROP or better NF_STOLEN,
66144 @@ -650,7 +650,7 @@ struct ip_vs_dest {
66145 __be16 port; /* port number of the server */
66146 union nf_inet_addr addr; /* IP address of the server */
66147 volatile unsigned flags; /* dest status flags */
66148 - atomic_t conn_flags; /* flags to copy to conn */
66149 + atomic_unchecked_t conn_flags; /* flags to copy to conn */
66150 atomic_t weight; /* server weight */
66151
66152 atomic_t refcnt; /* reference counter */
66153 diff -urNp linux-2.6.39.3/include/net/irda/ircomm_tty.h linux-2.6.39.3/include/net/irda/ircomm_tty.h
66154 --- linux-2.6.39.3/include/net/irda/ircomm_tty.h 2011-05-19 00:06:34.000000000 -0400
66155 +++ linux-2.6.39.3/include/net/irda/ircomm_tty.h 2011-05-22 19:36:33.000000000 -0400
66156 @@ -35,6 +35,7 @@
66157 #include <linux/termios.h>
66158 #include <linux/timer.h>
66159 #include <linux/tty.h> /* struct tty_struct */
66160 +#include <asm/local.h>
66161
66162 #include <net/irda/irias_object.h>
66163 #include <net/irda/ircomm_core.h>
66164 @@ -105,8 +106,8 @@ struct ircomm_tty_cb {
66165 unsigned short close_delay;
66166 unsigned short closing_wait; /* time to wait before closing */
66167
66168 - int open_count;
66169 - int blocked_open; /* # of blocked opens */
66170 + local_t open_count;
66171 + local_t blocked_open; /* # of blocked opens */
66172
66173 /* Protect concurent access to :
66174 * o self->open_count
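Review bot: `open_count` and `blocked_open` become `local_t`, a type whose operations are, as far as I know, only guaranteed atomic with respect to the current CPU. The comment that follows still lists `self->open_count` among the fields protected from concurrent access. If every update stays under that protection the change is safe, but the field should say so, for example `local_t open_count; /* modified only with the lock described below held */`. If any update can happen outside it, `atomic_t` would be the appropriate type instead. The struct and the rest of that comment continue outside this hunk.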
66175 diff -urNp linux-2.6.39.3/include/net/iucv/af_iucv.h linux-2.6.39.3/include/net/iucv/af_iucv.h
66176 --- linux-2.6.39.3/include/net/iucv/af_iucv.h 2011-05-19 00:06:34.000000000 -0400
66177 +++ linux-2.6.39.3/include/net/iucv/af_iucv.h 2011-05-22 19:36:33.000000000 -0400
66178 @@ -87,7 +87,7 @@ struct iucv_sock {
66179 struct iucv_sock_list {
66180 struct hlist_head head;
66181 rwlock_t lock;
66182 - atomic_t autobind_name;
66183 + atomic_unchecked_t autobind_name;
66184 };
66185
66186 unsigned int iucv_sock_poll(struct file *file, struct socket *sock,
66187 diff -urNp linux-2.6.39.3/include/net/neighbour.h linux-2.6.39.3/include/net/neighbour.h
66188 --- linux-2.6.39.3/include/net/neighbour.h 2011-05-19 00:06:34.000000000 -0400
66189 +++ linux-2.6.39.3/include/net/neighbour.h 2011-05-22 19:36:33.000000000 -0400
66190 @@ -118,12 +118,12 @@ struct neighbour {
66191
66192 struct neigh_ops {
66193 int family;
66194 - void (*solicit)(struct neighbour *, struct sk_buff*);
66195 - void (*error_report)(struct neighbour *, struct sk_buff*);
66196 - int (*output)(struct sk_buff*);
66197 - int (*connected_output)(struct sk_buff*);
66198 - int (*hh_output)(struct sk_buff*);
66199 - int (*queue_xmit)(struct sk_buff*);
66200 + void (* const solicit)(struct neighbour *, struct sk_buff*);
66201 + void (* const error_report)(struct neighbour *, struct sk_buff*);
66202 + int (* const output)(struct sk_buff*);
66203 + int (* const connected_output)(struct sk_buff*);
66204 + int (* const hh_output)(struct sk_buff*);
66205 + int (* const queue_xmit)(struct sk_buff*);
66206 };
66207
66208 struct pneigh_entry {
66209 diff -urNp linux-2.6.39.3/include/net/netfilter/nf_conntrack_ecache.h linux-2.6.39.3/include/net/netfilter/nf_conntrack_ecache.h
66210 --- linux-2.6.39.3/include/net/netfilter/nf_conntrack_ecache.h 2011-05-19 00:06:34.000000000 -0400
66211 +++ linux-2.6.39.3/include/net/netfilter/nf_conntrack_ecache.h 2011-05-22 19:36:33.000000000 -0400
66212 @@ -95,7 +95,7 @@ nf_conntrack_eventmask_report(unsigned i
66213 int report)
66214 {
66215 int ret = 0;
66216 - struct nf_ct_event_notifier *notify;
66217 + const struct nf_ct_event_notifier *notify;
66218 struct nf_conntrack_ecache *e;
66219
66220 rcu_read_lock();
66221 @@ -174,7 +174,7 @@ nf_ct_expect_event_report(enum ip_conntr
66222 u32 pid,
66223 int report)
66224 {
66225 - struct nf_exp_event_notifier *notify;
66226 + const struct nf_exp_event_notifier *notify;
66227 struct nf_conntrack_ecache *e;
66228
66229 rcu_read_lock();
66230 diff -urNp linux-2.6.39.3/include/net/netlink.h linux-2.6.39.3/include/net/netlink.h
66231 --- linux-2.6.39.3/include/net/netlink.h 2011-05-19 00:06:34.000000000 -0400
66232 +++ linux-2.6.39.3/include/net/netlink.h 2011-05-22 19:36:33.000000000 -0400
66233 @@ -562,7 +562,7 @@ static inline void *nlmsg_get_pos(struct
66234 static inline void nlmsg_trim(struct sk_buff *skb, const void *mark)
66235 {
66236 if (mark)
66237 - skb_trim(skb, (unsigned char *) mark - skb->data);
66238 + skb_trim(skb, (const unsigned char *) mark - skb->data);
66239 }
66240
66241 /**
66242 diff -urNp linux-2.6.39.3/include/net/netns/ipv4.h linux-2.6.39.3/include/net/netns/ipv4.h
66243 --- linux-2.6.39.3/include/net/netns/ipv4.h 2011-05-19 00:06:34.000000000 -0400
66244 +++ linux-2.6.39.3/include/net/netns/ipv4.h 2011-05-22 19:36:33.000000000 -0400
66245 @@ -54,8 +54,8 @@ struct netns_ipv4 {
66246 int sysctl_rt_cache_rebuild_count;
66247 int current_rt_cache_rebuild_count;
66248
66249 - atomic_t rt_genid;
66250 - atomic_t dev_addr_genid;
66251 + atomic_unchecked_t rt_genid;
66252 + atomic_unchecked_t dev_addr_genid;
66253
66254 #ifdef CONFIG_IP_MROUTE
66255 #ifndef CONFIG_IP_MROUTE_MULTIPLE_TABLES
66256 diff -urNp linux-2.6.39.3/include/net/sctp/sctp.h linux-2.6.39.3/include/net/sctp/sctp.h
66257 --- linux-2.6.39.3/include/net/sctp/sctp.h 2011-05-19 00:06:34.000000000 -0400
66258 +++ linux-2.6.39.3/include/net/sctp/sctp.h 2011-05-22 19:36:33.000000000 -0400
66259 @@ -316,9 +316,9 @@ do { \
66260
66261 #else /* SCTP_DEBUG */
66262
66263 -#define SCTP_DEBUG_PRINTK(whatever...)
66264 -#define SCTP_DEBUG_PRINTK_CONT(fmt, args...)
66265 -#define SCTP_DEBUG_PRINTK_IPADDR(whatever...)
66266 +#define SCTP_DEBUG_PRINTK(whatever...) do {} while (0)
66267 +#define SCTP_DEBUG_PRINTK_CONT(fmt, args...) do {} while (0)
66268 +#define SCTP_DEBUG_PRINTK_IPADDR(whatever...) do {} while (0)
66269 #define SCTP_ENABLE_DEBUG
66270 #define SCTP_DISABLE_DEBUG
66271 #define SCTP_ASSERT(expr, str, func)
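Review bot: `SCTP_ENABLE_DEBUG`, `SCTP_DISABLE_DEBUG` and `SCTP_ASSERT(expr, str, func)` in the same non-debug branch still expand to nothing, so an `if (x) SCTP_ASSERT(...);` keeps the empty-body statement that the three changed macros now avoid. Giving them the same body keeps the branch consistent, e.g. `#define SCTP_ASSERT(expr, str, func) do {} while (0)`.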
66272 diff -urNp linux-2.6.39.3/include/net/sock.h linux-2.6.39.3/include/net/sock.h
66273 --- linux-2.6.39.3/include/net/sock.h 2011-05-19 00:06:34.000000000 -0400
66274 +++ linux-2.6.39.3/include/net/sock.h 2011-05-22 19:36:33.000000000 -0400
66275 @@ -277,7 +277,7 @@ struct sock {
66276 #ifdef CONFIG_RPS
66277 __u32 sk_rxhash;
66278 #endif
66279 - atomic_t sk_drops;
66280 + atomic_unchecked_t sk_drops;
66281 int sk_rcvbuf;
66282
66283 struct sk_filter __rcu *sk_filter;
66284 diff -urNp linux-2.6.39.3/include/net/tcp.h linux-2.6.39.3/include/net/tcp.h
66285 --- linux-2.6.39.3/include/net/tcp.h 2011-05-19 00:06:34.000000000 -0400
66286 +++ linux-2.6.39.3/include/net/tcp.h 2011-05-22 19:36:33.000000000 -0400
66287 @@ -1374,7 +1374,7 @@ enum tcp_seq_states {
66288 struct tcp_seq_afinfo {
66289 char *name;
66290 sa_family_t family;
66291 - struct file_operations seq_fops;
66292 + struct file_operations seq_fops; /* cannot be const */
66293 struct seq_operations seq_ops;
66294 };
66295
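Review bot: The comment `/* cannot be const */` on `seq_fops` states a constraint without its reason, and `seq_ops` on the next line is left writable with no comment at all. If the reason is that the registration code fills these tables in at run time (not visible in this hunk), the comment should say so, e.g. `/* cannot be const: written when the afinfo is registered */`. The same applies to `struct udp_seq_afinfo` in include/net/udp.h.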
66296 diff -urNp linux-2.6.39.3/include/net/udp.h linux-2.6.39.3/include/net/udp.h
66297 --- linux-2.6.39.3/include/net/udp.h 2011-05-19 00:06:34.000000000 -0400
66298 +++ linux-2.6.39.3/include/net/udp.h 2011-05-22 19:36:33.000000000 -0400
66299 @@ -234,7 +234,7 @@ struct udp_seq_afinfo {
66300 char *name;
66301 sa_family_t family;
66302 struct udp_table *udp_table;
66303 - struct file_operations seq_fops;
66304 + struct file_operations seq_fops; /* cannot be const */
66305 struct seq_operations seq_ops;
66306 };
66307
66308 diff -urNp linux-2.6.39.3/include/net/xfrm.h linux-2.6.39.3/include/net/xfrm.h
66309 --- linux-2.6.39.3/include/net/xfrm.h 2011-05-19 00:06:34.000000000 -0400
66310 +++ linux-2.6.39.3/include/net/xfrm.h 2011-05-22 19:36:33.000000000 -0400
66311 @@ -505,7 +505,7 @@ struct xfrm_policy {
66312 struct timer_list timer;
66313
66314 struct flow_cache_object flo;
66315 - atomic_t genid;
66316 + atomic_unchecked_t genid;
66317 u32 priority;
66318 u32 index;
66319 struct xfrm_mark mark;
66320 diff -urNp linux-2.6.39.3/include/pcmcia/ss.h linux-2.6.39.3/include/pcmcia/ss.h
66321 --- linux-2.6.39.3/include/pcmcia/ss.h 2011-05-19 00:06:34.000000000 -0400
66322 +++ linux-2.6.39.3/include/pcmcia/ss.h 2011-05-22 19:36:33.000000000 -0400
66323 @@ -241,9 +241,9 @@ struct pcmcia_socket {
66324 * "select PCCARD_NONSTATIC" in Kconfig.
66325 *
66326 */
66327 -extern struct pccard_resource_ops pccard_static_ops;
66328 +extern const struct pccard_resource_ops pccard_static_ops;
66329 #if defined(CONFIG_PCMCIA) || defined(CONFIG_PCMCIA_MODULE)
66330 -extern struct pccard_resource_ops pccard_iodyn_ops;
66331 +extern const struct pccard_resource_ops pccard_iodyn_ops;
66332 extern struct pccard_resource_ops pccard_nonstatic_ops;
66333 #else
66334 /* If PCMCIA is not used, but only CARDBUS, these functions are not used
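Review bot: `pccard_nonstatic_ops` stays a writable `struct pccard_resource_ops` while `pccard_static_ops` and `pccard_iodyn_ops` become `const`, and nothing records whether the exception is deliberate. If it has to stay writable, a comment next to the declaration such as `/* not const: <reason> */` makes the exception reviewable; otherwise it should get the same qualifier. The definitions are outside this hunk, so which of the two applies cannot be decided from here.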
66335 diff -urNp linux-2.6.39.3/include/rdma/ib_verbs.h linux-2.6.39.3/include/rdma/ib_verbs.h
66336 --- linux-2.6.39.3/include/rdma/ib_verbs.h 2011-05-19 00:06:34.000000000 -0400
66337 +++ linux-2.6.39.3/include/rdma/ib_verbs.h 2011-05-22 19:36:33.000000000 -0400
66338 @@ -1149,7 +1149,7 @@ struct ib_device {
66339 struct ib_mad *in_mad,
66340 struct ib_mad *out_mad);
66341
66342 - struct ib_dma_mapping_ops *dma_ops;
66343 + const struct ib_dma_mapping_ops *dma_ops;
66344
66345 struct module *owner;
66346 struct device dev;
66347 diff -urNp linux-2.6.39.3/include/scsi/libfc.h linux-2.6.39.3/include/scsi/libfc.h
66348 --- linux-2.6.39.3/include/scsi/libfc.h 2011-05-19 00:06:34.000000000 -0400
66349 +++ linux-2.6.39.3/include/scsi/libfc.h 2011-05-22 19:36:33.000000000 -0400
66350 @@ -202,7 +202,7 @@ struct fc_rport_priv {
66351 struct mutex rp_mutex;
66352 struct delayed_work retry_work;
66353 enum fc_rport_event event;
66354 - struct fc_rport_operations *ops;
66355 + const struct fc_rport_operations *ops;
66356 struct list_head peers;
66357 struct work_struct event_work;
66358 u32 supported_classes;
66359 diff -urNp linux-2.6.39.3/include/scsi/scsi_device.h linux-2.6.39.3/include/scsi/scsi_device.h
66360 --- linux-2.6.39.3/include/scsi/scsi_device.h 2011-05-19 00:06:34.000000000 -0400
66361 +++ linux-2.6.39.3/include/scsi/scsi_device.h 2011-05-22 19:36:33.000000000 -0400
66362 @@ -161,9 +161,9 @@ struct scsi_device {
66363 unsigned int max_device_blocked; /* what device_blocked counts down from */
66364 #define SCSI_DEFAULT_DEVICE_BLOCKED 3
66365
66366 - atomic_t iorequest_cnt;
66367 - atomic_t iodone_cnt;
66368 - atomic_t ioerr_cnt;
66369 + atomic_unchecked_t iorequest_cnt;
66370 + atomic_unchecked_t iodone_cnt;
66371 + atomic_unchecked_t ioerr_cnt;
66372
66373 struct device sdev_gendev,
66374 sdev_dev;
66375 diff -urNp linux-2.6.39.3/include/sound/ac97_codec.h linux-2.6.39.3/include/sound/ac97_codec.h
66376 --- linux-2.6.39.3/include/sound/ac97_codec.h 2011-05-19 00:06:34.000000000 -0400
66377 +++ linux-2.6.39.3/include/sound/ac97_codec.h 2011-05-22 19:36:33.000000000 -0400
66378 @@ -424,15 +424,15 @@
66379 struct snd_ac97;
66380
66381 struct snd_ac97_build_ops {
66382 - int (*build_3d) (struct snd_ac97 *ac97);
66383 - int (*build_specific) (struct snd_ac97 *ac97);
66384 - int (*build_spdif) (struct snd_ac97 *ac97);
66385 - int (*build_post_spdif) (struct snd_ac97 *ac97);
66386 + int (* const build_3d) (struct snd_ac97 *ac97);
66387 + int (* const build_specific) (struct snd_ac97 *ac97);
66388 + int (* const build_spdif) (struct snd_ac97 *ac97);
66389 + int (* const build_post_spdif) (struct snd_ac97 *ac97);
66390 #ifdef CONFIG_PM
66391 - void (*suspend) (struct snd_ac97 *ac97);
66392 - void (*resume) (struct snd_ac97 *ac97);
66393 + void (* const suspend) (struct snd_ac97 *ac97);
66394 + void (* const resume) (struct snd_ac97 *ac97);
66395 #endif
66396 - void (*update_jacks) (struct snd_ac97 *ac97); /* for jack-sharing */
66397 + void (* const update_jacks) (struct snd_ac97 *ac97); /* for jack-sharing */
66398 };
66399
66400 struct snd_ac97_bus_ops {
66401 @@ -446,7 +446,7 @@ struct snd_ac97_bus_ops {
66402
66403 struct snd_ac97_bus {
66404 /* -- lowlevel (hardware) driver specific -- */
66405 - struct snd_ac97_bus_ops *ops;
66406 + const struct snd_ac97_bus_ops *ops;
66407 void *private_data;
66408 void (*private_free) (struct snd_ac97_bus *bus);
66409 /* --- */
66410 @@ -556,7 +556,7 @@ static inline int ac97_can_spdif(struct
66411
66412 /* functions */
66413 /* create new AC97 bus */
66414 -int snd_ac97_bus(struct snd_card *card, int num, struct snd_ac97_bus_ops *ops,
66415 +int snd_ac97_bus(struct snd_card *card, int num, const struct snd_ac97_bus_ops *ops,
66416 void *private_data, struct snd_ac97_bus **rbus);
66417 /* create mixer controls */
66418 int snd_ac97_mixer(struct snd_ac97_bus *bus, struct snd_ac97_template *template,
66419 diff -urNp linux-2.6.39.3/include/sound/core.h linux-2.6.39.3/include/sound/core.h
66420 --- linux-2.6.39.3/include/sound/core.h 2011-05-19 00:06:34.000000000 -0400
66421 +++ linux-2.6.39.3/include/sound/core.h 2011-05-22 19:36:33.000000000 -0400
66422 @@ -88,7 +88,7 @@ struct snd_device {
66423 snd_device_state_t state; /* state of the device */
66424 snd_device_type_t type; /* device type */
66425 void *device_data; /* device structure */
66426 - struct snd_device_ops *ops; /* operations */
66427 + const struct snd_device_ops *ops; /* operations */
66428 };
66429
66430 #define snd_device(n) list_entry(n, struct snd_device, list)
66431 @@ -301,7 +301,7 @@ int snd_card_file_remove(struct snd_card
66432 /* device.c */
66433
66434 int snd_device_new(struct snd_card *card, snd_device_type_t type,
66435 - void *device_data, struct snd_device_ops *ops);
66436 + void *device_data, const struct snd_device_ops *ops);
66437 int snd_device_register(struct snd_card *card, void *device_data);
66438 int snd_device_register_all(struct snd_card *card);
66439 int snd_device_disconnect(struct snd_card *card, void *device_data);
66440 diff -urNp linux-2.6.39.3/include/sound/pcm.h linux-2.6.39.3/include/sound/pcm.h
66441 --- linux-2.6.39.3/include/sound/pcm.h 2011-05-19 00:06:34.000000000 -0400
66442 +++ linux-2.6.39.3/include/sound/pcm.h 2011-05-22 19:36:33.000000000 -0400
66443 @@ -379,7 +379,7 @@ struct snd_pcm_substream {
66444 unsigned int dma_buf_id;
66445 size_t dma_max;
66446 /* -- hardware operations -- */
66447 - struct snd_pcm_ops *ops;
66448 + const struct snd_pcm_ops *ops;
66449 /* -- runtime information -- */
66450 struct snd_pcm_runtime *runtime;
66451 /* -- timer section -- */
66452 @@ -845,7 +845,7 @@ const unsigned char *snd_pcm_format_sile
66453 int snd_pcm_format_set_silence(snd_pcm_format_t format, void *buf, unsigned int frames);
66454 snd_pcm_format_t snd_pcm_build_linear_format(int width, int unsignd, int big_endian);
66455
66456 -void snd_pcm_set_ops(struct snd_pcm * pcm, int direction, struct snd_pcm_ops *ops);
66457 +void snd_pcm_set_ops(struct snd_pcm * pcm, int direction, const struct snd_pcm_ops *ops);
66458 void snd_pcm_set_sync(struct snd_pcm_substream *substream);
66459 int snd_pcm_lib_interleave_len(struct snd_pcm_substream *substream);
66460 int snd_pcm_lib_ioctl(struct snd_pcm_substream *substream,
66461 diff -urNp linux-2.6.39.3/include/sound/rawmidi.h linux-2.6.39.3/include/sound/rawmidi.h
66462 --- linux-2.6.39.3/include/sound/rawmidi.h 2011-05-19 00:06:34.000000000 -0400
66463 +++ linux-2.6.39.3/include/sound/rawmidi.h 2011-05-22 19:36:33.000000000 -0400
66464 @@ -100,7 +100,7 @@ struct snd_rawmidi_substream {
66465 struct snd_rawmidi_runtime *runtime;
66466 struct pid *pid;
66467 /* hardware layer */
66468 - struct snd_rawmidi_ops *ops;
66469 + const struct snd_rawmidi_ops *ops;
66470 };
66471
66472 struct snd_rawmidi_file {
66473 @@ -127,7 +127,7 @@ struct snd_rawmidi {
66474 int ossreg;
66475 #endif
66476
66477 - struct snd_rawmidi_global_ops *ops;
66478 + const struct snd_rawmidi_global_ops *ops;
66479
66480 struct snd_rawmidi_str streams[2];
66481
66482 @@ -151,7 +151,7 @@ int snd_rawmidi_new(struct snd_card *car
66483 int output_count, int input_count,
66484 struct snd_rawmidi **rmidi);
66485 void snd_rawmidi_set_ops(struct snd_rawmidi *rmidi, int stream,
66486 - struct snd_rawmidi_ops *ops);
66487 + const struct snd_rawmidi_ops *ops);
66488
66489 /* callbacks */
66490
66491 diff -urNp linux-2.6.39.3/include/sound/seq_device.h linux-2.6.39.3/include/sound/seq_device.h
66492 --- linux-2.6.39.3/include/sound/seq_device.h 2011-05-19 00:06:34.000000000 -0400
66493 +++ linux-2.6.39.3/include/sound/seq_device.h 2011-05-22 19:36:33.000000000 -0400
66494 @@ -69,7 +69,7 @@ struct snd_seq_dev_ops {
66495 */
66496 void snd_seq_device_load_drivers(void);
66497 int snd_seq_device_new(struct snd_card *card, int device, char *id, int argsize, struct snd_seq_device **result);
66498 -int snd_seq_device_register_driver(char *id, struct snd_seq_dev_ops *entry, int argsize);
66499 +int snd_seq_device_register_driver(char *id, const struct snd_seq_dev_ops *entry, int argsize);
66500 int snd_seq_device_unregister_driver(char *id);
66501
66502 #define SNDRV_SEQ_DEVICE_ARGPTR(dev) (void *)((char *)(dev) + sizeof(struct snd_seq_device))
66503 diff -urNp linux-2.6.39.3/include/sound/snd_wavefront.h linux-2.6.39.3/include/sound/snd_wavefront.h
66504 --- linux-2.6.39.3/include/sound/snd_wavefront.h 2011-05-19 00:06:34.000000000 -0400
66505 +++ linux-2.6.39.3/include/sound/snd_wavefront.h 2011-05-22 19:36:33.000000000 -0400
66506 @@ -37,8 +37,8 @@ struct _snd_wavefront_midi {
66507 #define MPU_ACK 0xFE
66508 #define UART_MODE_ON 0x3F
66509
66510 -extern struct snd_rawmidi_ops snd_wavefront_midi_output;
66511 -extern struct snd_rawmidi_ops snd_wavefront_midi_input;
66512 +extern const struct snd_rawmidi_ops snd_wavefront_midi_output;
66513 +extern const struct snd_rawmidi_ops snd_wavefront_midi_input;
66514
66515 extern void snd_wavefront_midi_enable_virtual (snd_wavefront_card_t *);
66516 extern void snd_wavefront_midi_disable_virtual (snd_wavefront_card_t *);
66517 diff -urNp linux-2.6.39.3/include/sound/soc.h linux-2.6.39.3/include/sound/soc.h
66518 --- linux-2.6.39.3/include/sound/soc.h 2011-05-19 00:06:34.000000000 -0400
66519 +++ linux-2.6.39.3/include/sound/soc.h 2011-05-22 19:36:33.000000000 -0400
66520 @@ -245,7 +245,7 @@ struct snd_soc_jack_gpio;
66521
66522 typedef int (*hw_write_t)(void *,const char* ,int);
66523
66524 -extern struct snd_ac97_bus_ops soc_ac97_ops;
66525 +extern const struct snd_ac97_bus_ops soc_ac97_ops;
66526
66527 enum snd_soc_control_type {
66528 SND_SOC_CUSTOM,
66529 diff -urNp linux-2.6.39.3/include/sound/ymfpci.h linux-2.6.39.3/include/sound/ymfpci.h
66530 --- linux-2.6.39.3/include/sound/ymfpci.h 2011-05-19 00:06:34.000000000 -0400
66531 +++ linux-2.6.39.3/include/sound/ymfpci.h 2011-05-22 19:36:33.000000000 -0400
66532 @@ -358,7 +358,7 @@ struct snd_ymfpci {
66533 spinlock_t reg_lock;
66534 spinlock_t voice_lock;
66535 wait_queue_head_t interrupt_sleep;
66536 - atomic_t interrupt_sleep_count;
66537 + atomic_unchecked_t interrupt_sleep_count;
66538 struct snd_info_entry *proc_entry;
66539 const struct firmware *dsp_microcode;
66540 const struct firmware *controller_microcode;
66541 diff -urNp linux-2.6.39.3/include/target/target_core_base.h linux-2.6.39.3/include/target/target_core_base.h
66542 --- linux-2.6.39.3/include/target/target_core_base.h 2011-06-03 00:04:14.000000000 -0400
66543 +++ linux-2.6.39.3/include/target/target_core_base.h 2011-06-03 00:32:08.000000000 -0400
66544 @@ -432,8 +432,8 @@ struct se_transport_task {
66545 atomic_t t_task_cdbs_left;
66546 atomic_t t_task_cdbs_ex_left;
66547 atomic_t t_task_cdbs_timeout_left;
66548 - atomic_t t_task_cdbs_sent;
66549 - atomic_t t_transport_aborted;
66550 + atomic_unchecked_t t_task_cdbs_sent;
66551 + atomic_unchecked_t t_transport_aborted;
66552 atomic_t t_transport_active;
66553 atomic_t t_transport_complete;
66554 atomic_t t_transport_queue_active;
66555 @@ -774,7 +774,7 @@ struct se_device {
66556 atomic_t active_cmds;
66557 atomic_t simple_cmds;
66558 atomic_t depth_left;
66559 - atomic_t dev_ordered_id;
66560 + atomic_unchecked_t dev_ordered_id;
66561 atomic_t dev_tur_active;
66562 atomic_t execute_tasks;
66563 atomic_t dev_status_thr_count;
66564 diff -urNp linux-2.6.39.3/include/trace/events/irq.h linux-2.6.39.3/include/trace/events/irq.h
66565 --- linux-2.6.39.3/include/trace/events/irq.h 2011-05-19 00:06:34.000000000 -0400
66566 +++ linux-2.6.39.3/include/trace/events/irq.h 2011-05-22 19:36:33.000000000 -0400
66567 @@ -36,7 +36,7 @@ struct softirq_action;
66568 */
66569 TRACE_EVENT(irq_handler_entry,
66570
66571 - TP_PROTO(int irq, struct irqaction *action),
66572 + TP_PROTO(int irq, const struct irqaction *action),
66573
66574 TP_ARGS(irq, action),
66575
66576 @@ -66,7 +66,7 @@ TRACE_EVENT(irq_handler_entry,
66577 */
66578 TRACE_EVENT(irq_handler_exit,
66579
66580 - TP_PROTO(int irq, struct irqaction *action, int ret),
66581 + TP_PROTO(int irq, const struct irqaction *action, int ret),
66582
66583 TP_ARGS(irq, action, ret),
66584
66585 diff -urNp linux-2.6.39.3/include/video/udlfb.h linux-2.6.39.3/include/video/udlfb.h
66586 --- linux-2.6.39.3/include/video/udlfb.h 2011-05-19 00:06:34.000000000 -0400
66587 +++ linux-2.6.39.3/include/video/udlfb.h 2011-05-22 19:36:33.000000000 -0400
66588 @@ -51,10 +51,10 @@ struct dlfb_data {
66589 int base8;
66590 u32 pseudo_palette[256];
66591 /* blit-only rendering path metrics, exposed through sysfs */
66592 - atomic_t bytes_rendered; /* raw pixel-bytes driver asked to render */
66593 - atomic_t bytes_identical; /* saved effort with backbuffer comparison */
66594 - atomic_t bytes_sent; /* to usb, after compression including overhead */
66595 - atomic_t cpu_kcycles_used; /* transpired during pixel processing */
66596 + atomic_unchecked_t bytes_rendered; /* raw pixel-bytes driver asked to render */
66597 + atomic_unchecked_t bytes_identical; /* saved effort with backbuffer comparison */
66598 + atomic_unchecked_t bytes_sent; /* to usb, after compression including overhead */
66599 + atomic_unchecked_t cpu_kcycles_used; /* transpired during pixel processing */
66600 };
66601
66602 #define NR_USB_REQUEST_I2C_SUB_IO 0x02
66603 diff -urNp linux-2.6.39.3/include/video/uvesafb.h linux-2.6.39.3/include/video/uvesafb.h
66604 --- linux-2.6.39.3/include/video/uvesafb.h 2011-05-19 00:06:34.000000000 -0400
66605 +++ linux-2.6.39.3/include/video/uvesafb.h 2011-05-22 19:36:33.000000000 -0400
66606 @@ -177,6 +177,7 @@ struct uvesafb_par {
66607 u8 ypan; /* 0 - nothing, 1 - ypan, 2 - ywrap */
66608 u8 pmi_setpal; /* PMI for palette changes */
66609 u16 *pmi_base; /* protected mode interface location */
66610 + u8 *pmi_code; /* protected mode code location */
66611 void *pmi_start;
66612 void *pmi_pal;
66613 u8 *vbe_state_orig; /*
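Review bot: `pmi_code` is added next to `pmi_base`, `pmi_start` and `pmi_pal` with a comment that does not say who allocates it, who frees it, or how the other three pointers relate to it. Because the field is described as holding protected-mode code, its lifetime and the permissions of the memory behind it are what a reviewer will want to verify. If the design is that the other pointers refer into this buffer, a comment like `/* copy of the PMI code; pmi_start and pmi_pal point into it */` would do; that relationship is an assumption, since the code that sets the field is not in this hunk.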
66614 diff -urNp linux-2.6.39.3/init/do_mounts.c linux-2.6.39.3/init/do_mounts.c
66615 --- linux-2.6.39.3/init/do_mounts.c 2011-05-19 00:06:34.000000000 -0400
66616 +++ linux-2.6.39.3/init/do_mounts.c 2011-05-22 19:36:33.000000000 -0400
66617 @@ -287,7 +287,7 @@ static void __init get_fs_names(char *pa
66618
66619 static int __init do_mount_root(char *name, char *fs, int flags, void *data)
66620 {
66621 - int err = sys_mount(name, "/root", fs, flags, data);
66622 + int err = sys_mount((__force char __user *)name, (__force char __user *)"/root", (__force char __user *)fs, flags, (__force void __user *)data);
66623 if (err)
66624 return err;
66625
66626 @@ -383,18 +383,18 @@ void __init change_floppy(char *fmt, ...
66627 va_start(args, fmt);
66628 vsprintf(buf, fmt, args);
66629 va_end(args);
66630 - fd = sys_open("/dev/root", O_RDWR | O_NDELAY, 0);
66631 + fd = sys_open((char __user *)"/dev/root", O_RDWR | O_NDELAY, 0);
66632 if (fd >= 0) {
66633 sys_ioctl(fd, FDEJECT, 0);
66634 sys_close(fd);
66635 }
66636 printk(KERN_NOTICE "VFS: Insert %s and press ENTER\n", buf);
66637 - fd = sys_open("/dev/console", O_RDWR, 0);
66638 + fd = sys_open((__force const char __user *)"/dev/console", O_RDWR, 0);
66639 if (fd >= 0) {
66640 sys_ioctl(fd, TCGETS, (long)&termios);
66641 termios.c_lflag &= ~ICANON;
66642 sys_ioctl(fd, TCSETSF, (long)&termios);
66643 - sys_read(fd, &c, 1);
66644 + sys_read(fd, (char __user *)&c, 1);
66645 termios.c_lflag |= ICANON;
66646 sys_ioctl(fd, TCSETSF, (long)&termios);
66647 sys_close(fd);
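Review bot: The casts in `change_floppy` are inconsistent: `sys_open((char __user *)"/dev/root", ...)` and `sys_read(fd, (char __user *)&c, 1)` omit `__force`, while the `/dev/console` call a few lines later uses `(__force const char __user *)`. The first one also drops `const` from a string literal, and depending on the warning flags in use sparse may still flag an address-space cast that lacks `__force`. Use `(__force const char __user *)"/dev/root"` and `(__force char __user *)&c` so that every deliberate kernel-pointer-as-user-pointer conversion in init/ is marked the same way and can be found with one search. The function starts and ends outside the hunk.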
66648 @@ -488,6 +488,6 @@ void __init prepare_namespace(void)
66649 mount_root();
66650 out:
66651 devtmpfs_mount("dev");
66652 - sys_mount(".", "/", NULL, MS_MOVE, NULL);
66653 + sys_mount((__force char __user *)".", (__force char __user *)"/", NULL, MS_MOVE, NULL);
66654 sys_chroot((const char __user __force *)".");
66655 }
66656 diff -urNp linux-2.6.39.3/init/do_mounts.h linux-2.6.39.3/init/do_mounts.h
66657 --- linux-2.6.39.3/init/do_mounts.h 2011-05-19 00:06:34.000000000 -0400
66658 +++ linux-2.6.39.3/init/do_mounts.h 2011-05-22 19:36:33.000000000 -0400
66659 @@ -15,15 +15,15 @@ extern int root_mountflags;
66660
66661 static inline int create_dev(char *name, dev_t dev)
66662 {
66663 - sys_unlink(name);
66664 - return sys_mknod(name, S_IFBLK|0600, new_encode_dev(dev));
66665 + sys_unlink((__force char __user *)name);
66666 + return sys_mknod((__force char __user *)name, S_IFBLK|0600, new_encode_dev(dev));
66667 }
66668
66669 #if BITS_PER_LONG == 32
66670 static inline u32 bstat(char *name)
66671 {
66672 struct stat64 stat;
66673 - if (sys_stat64(name, &stat) != 0)
66674 + if (sys_stat64((__force char __user *)name, (__force struct stat64 __user *)&stat) != 0)
66675 return 0;
66676 if (!S_ISBLK(stat.st_mode))
66677 return 0;
66678 diff -urNp linux-2.6.39.3/init/do_mounts_initrd.c linux-2.6.39.3/init/do_mounts_initrd.c
66679 --- linux-2.6.39.3/init/do_mounts_initrd.c 2011-05-19 00:06:34.000000000 -0400
66680 +++ linux-2.6.39.3/init/do_mounts_initrd.c 2011-05-22 19:36:33.000000000 -0400
66681 @@ -44,13 +44,13 @@ static void __init handle_initrd(void)
66682 create_dev("/dev/root.old", Root_RAM0);
66683 /* mount initrd on rootfs' /root */
66684 mount_block_root("/dev/root.old", root_mountflags & ~MS_RDONLY);
66685 - sys_mkdir("/old", 0700);
66686 - root_fd = sys_open("/", 0, 0);
66687 - old_fd = sys_open("/old", 0, 0);
66688 + sys_mkdir((__force const char __user *)"/old", 0700);
66689 + root_fd = sys_open((__force const char __user *)"/", 0, 0);
66690 + old_fd = sys_open((__force const char __user *)"/old", 0, 0);
66691 /* move initrd over / and chdir/chroot in initrd root */
66692 - sys_chdir("/root");
66693 - sys_mount(".", "/", NULL, MS_MOVE, NULL);
66694 - sys_chroot(".");
66695 + sys_chdir((__force const char __user *)"/root");
66696 + sys_mount((__force char __user *)".", (__force char __user *)"/", NULL, MS_MOVE, NULL);
66697 + sys_chroot((__force const char __user *)".");
66698
66699 /*
66700 * In case that a resume from disk is carried out by linuxrc or one of
66701 @@ -67,15 +67,15 @@ static void __init handle_initrd(void)
66702
66703 /* move initrd to rootfs' /old */
66704 sys_fchdir(old_fd);
66705 - sys_mount("/", ".", NULL, MS_MOVE, NULL);
66706 + sys_mount((__force char __user *)"/", (__force char __user *)".", NULL, MS_MOVE, NULL);
66707 /* switch root and cwd back to / of rootfs */
66708 sys_fchdir(root_fd);
66709 - sys_chroot(".");
66710 + sys_chroot((__force const char __user *)".");
66711 sys_close(old_fd);
66712 sys_close(root_fd);
66713
66714 if (new_decode_dev(real_root_dev) == Root_RAM0) {
66715 - sys_chdir("/old");
66716 + sys_chdir((__force const char __user *)"/old");
66717 return;
66718 }
66719
66720 @@ -83,17 +83,17 @@ static void __init handle_initrd(void)
66721 mount_root();
66722
66723 printk(KERN_NOTICE "Trying to move old root to /initrd ... ");
66724 - error = sys_mount("/old", "/root/initrd", NULL, MS_MOVE, NULL);
66725 + error = sys_mount((__force char __user *)"/old", (__force char __user *)"/root/initrd", NULL, MS_MOVE, NULL);
66726 if (!error)
66727 printk("okay\n");
66728 else {
66729 - int fd = sys_open("/dev/root.old", O_RDWR, 0);
66730 + int fd = sys_open((__force const char __user *)"/dev/root.old", O_RDWR, 0);
66731 if (error == -ENOENT)
66732 printk("/initrd does not exist. Ignored.\n");
66733 else
66734 printk("failed\n");
66735 printk(KERN_NOTICE "Unmounting old root\n");
66736 - sys_umount("/old", MNT_DETACH);
66737 + sys_umount((__force char __user *)"/old", MNT_DETACH);
66738 printk(KERN_NOTICE "Trying to free ramdisk memory ... ");
66739 if (fd < 0) {
66740 error = fd;
66741 @@ -116,11 +116,11 @@ int __init initrd_load(void)
66742 * mounted in the normal path.
66743 */
66744 if (rd_load_image("/initrd.image") && ROOT_DEV != Root_RAM0) {
66745 - sys_unlink("/initrd.image");
66746 + sys_unlink((__force const char __user *)"/initrd.image");
66747 handle_initrd();
66748 return 1;
66749 }
66750 }
66751 - sys_unlink("/initrd.image");
66752 + sys_unlink((__force const char __user *)"/initrd.image");
66753 return 0;
66754 }
66755 diff -urNp linux-2.6.39.3/init/do_mounts_md.c linux-2.6.39.3/init/do_mounts_md.c
66756 --- linux-2.6.39.3/init/do_mounts_md.c 2011-05-19 00:06:34.000000000 -0400
66757 +++ linux-2.6.39.3/init/do_mounts_md.c 2011-05-22 19:36:33.000000000 -0400
66758 @@ -170,7 +170,7 @@ static void __init md_setup_drive(void)
66759 partitioned ? "_d" : "", minor,
66760 md_setup_args[ent].device_names);
66761
66762 - fd = sys_open(name, 0, 0);
66763 + fd = sys_open((__force char __user *)name, 0, 0);
66764 if (fd < 0) {
66765 printk(KERN_ERR "md: open failed - cannot start "
66766 "array %s\n", name);
66767 @@ -233,7 +233,7 @@ static void __init md_setup_drive(void)
66768 * array without it
66769 */
66770 sys_close(fd);
66771 - fd = sys_open(name, 0, 0);
66772 + fd = sys_open((__force char __user *)name, 0, 0);
66773 sys_ioctl(fd, BLKRRPART, 0);
66774 }
66775 sys_close(fd);
66776 diff -urNp linux-2.6.39.3/init/initramfs.c linux-2.6.39.3/init/initramfs.c
66777 --- linux-2.6.39.3/init/initramfs.c 2011-05-19 00:06:34.000000000 -0400
66778 +++ linux-2.6.39.3/init/initramfs.c 2011-05-22 19:36:33.000000000 -0400
66779 @@ -74,7 +74,7 @@ static void __init free_hash(void)
66780 }
66781 }
66782
66783 -static long __init do_utime(char __user *filename, time_t mtime)
66784 +static long __init do_utime(__force char __user *filename, time_t mtime)
66785 {
66786 struct timespec t[2];
66787
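Review bot: `__force` is written on the parameter declaration of `do_utime` (`__force char __user *filename`), but it is an annotation meant for casts, and every caller on this page already casts its argument with `(__force char __user *)`. Keep the prototype as `static long __init do_utime(char __user *filename, time_t mtime)` and leave `__force` at the call sites, where it marks the deliberate conversion. The function body continues outside the hunk.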
66788 @@ -109,7 +109,7 @@ static void __init dir_utime(void)
66789 struct dir_entry *de, *tmp;
66790 list_for_each_entry_safe(de, tmp, &dir_list, list) {
66791 list_del(&de->list);
66792 - do_utime(de->name, de->mtime);
66793 + do_utime((__force char __user *)de->name, de->mtime);
66794 kfree(de->name);
66795 kfree(de);
66796 }
66797 @@ -271,7 +271,7 @@ static int __init maybe_link(void)
66798 if (nlink >= 2) {
66799 char *old = find_link(major, minor, ino, mode, collected);
66800 if (old)
66801 - return (sys_link(old, collected) < 0) ? -1 : 1;
66802 + return (sys_link((__force char __user *)old, (__force char __user *)collected) < 0) ? -1 : 1;
66803 }
66804 return 0;
66805 }
66806 @@ -280,11 +280,11 @@ static void __init clean_path(char *path
66807 {
66808 struct stat st;
66809
66810 - if (!sys_newlstat(path, &st) && (st.st_mode^mode) & S_IFMT) {
66811 + if (!sys_newlstat((__force char __user *)path, (__force struct stat __user *)&st) && (st.st_mode^mode) & S_IFMT) {
66812 if (S_ISDIR(st.st_mode))
66813 - sys_rmdir(path);
66814 + sys_rmdir((__force char __user *)path);
66815 else
66816 - sys_unlink(path);
66817 + sys_unlink((__force char __user *)path);
66818 }
66819 }
66820
66821 @@ -305,7 +305,7 @@ static int __init do_name(void)
66822 int openflags = O_WRONLY|O_CREAT;
66823 if (ml != 1)
66824 openflags |= O_TRUNC;
66825 - wfd = sys_open(collected, openflags, mode);
66826 + wfd = sys_open((__force char __user *)collected, openflags, mode);
66827
66828 if (wfd >= 0) {
66829 sys_fchown(wfd, uid, gid);
66830 @@ -317,17 +317,17 @@ static int __init do_name(void)
66831 }
66832 }
66833 } else if (S_ISDIR(mode)) {
66834 - sys_mkdir(collected, mode);
66835 - sys_chown(collected, uid, gid);
66836 - sys_chmod(collected, mode);
66837 + sys_mkdir((__force char __user *)collected, mode);
66838 + sys_chown((__force char __user *)collected, uid, gid);
66839 + sys_chmod((__force char __user *)collected, mode);
66840 dir_add(collected, mtime);
66841 } else if (S_ISBLK(mode) || S_ISCHR(mode) ||
66842 S_ISFIFO(mode) || S_ISSOCK(mode)) {
66843 if (maybe_link() == 0) {
66844 - sys_mknod(collected, mode, rdev);
66845 - sys_chown(collected, uid, gid);
66846 - sys_chmod(collected, mode);
66847 - do_utime(collected, mtime);
66848 + sys_mknod((__force char __user *)collected, mode, rdev);
66849 + sys_chown((__force char __user *)collected, uid, gid);
66850 + sys_chmod((__force char __user *)collected, mode);
66851 + do_utime((__force char __user *)collected, mtime);
66852 }
66853 }
66854 return 0;
66855 @@ -336,15 +336,15 @@ static int __init do_name(void)
66856 static int __init do_copy(void)
66857 {
66858 if (count >= body_len) {
66859 - sys_write(wfd, victim, body_len);
66860 + sys_write(wfd, (__force char __user *)victim, body_len);
66861 sys_close(wfd);
66862 - do_utime(vcollected, mtime);
66863 + do_utime((__force char __user *)vcollected, mtime);
66864 kfree(vcollected);
66865 eat(body_len);
66866 state = SkipIt;
66867 return 0;
66868 } else {
66869 - sys_write(wfd, victim, count);
66870 + sys_write(wfd, (__force char __user *)victim, count);
66871 body_len -= count;
66872 eat(count);
66873 return 1;
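Review bot: Both `sys_write(wfd, ...)` calls in `do_copy` still discard the return value, so a failed or short write while unpacking leaves a truncated file behind and the state machine carries on as if the copy had succeeded. Compare the result with the requested length, e.g. `if (sys_write(wfd, (__force char __user *)victim, body_len) != body_len)`, and report the failure through whatever error path this file already uses for unpacking problems (not visible in the hunk). The same check is needed on the `count` branch.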
66874 @@ -355,9 +355,9 @@ static int __init do_symlink(void)
66875 {
66876 collected[N_ALIGN(name_len) + body_len] = '\0';
66877 clean_path(collected, 0);
66878 - sys_symlink(collected + N_ALIGN(name_len), collected);
66879 - sys_lchown(collected, uid, gid);
66880 - do_utime(collected, mtime);
66881 + sys_symlink((__force char __user *)collected + N_ALIGN(name_len), (__force char __user *)collected);
66882 + sys_lchown((__force char __user *)collected, uid, gid);
66883 + do_utime((__force char __user *)collected, mtime);
66884 state = SkipIt;
66885 next_state = Reset;
66886 return 0;
66887 diff -urNp linux-2.6.39.3/init/Kconfig linux-2.6.39.3/init/Kconfig
66888 --- linux-2.6.39.3/init/Kconfig 2011-05-19 00:06:34.000000000 -0400
66889 +++ linux-2.6.39.3/init/Kconfig 2011-05-22 19:36:33.000000000 -0400
66890 @@ -1202,7 +1202,7 @@ config SLUB_DEBUG
66891
66892 config COMPAT_BRK
66893 bool "Disable heap randomization"
66894 - default y
66895 + default n
66896 help
66897 Randomizing heap placement makes heap exploits harder, but it
66898 also breaks ancient binaries (including anything libc5 based).
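Review bot: Switching `COMPAT_BRK` to `default n` only affects configurations that do not already carry a value, so a kernel built from an existing `.config` containing `CONFIG_COMPAT_BRK=y` keeps heap randomization disabled. If a hardened build is meant to randomize the heap in every case, the option should be tied to the relevant hardening symbol instead of relying on the default, for instance `depends on !<HARDENING_SYMBOL>`, and the help text should mention it. The help text continues outside the hunk.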
66899 diff -urNp linux-2.6.39.3/init/main.c linux-2.6.39.3/init/main.c
66900 --- linux-2.6.39.3/init/main.c 2011-06-03 00:04:14.000000000 -0400
66901 +++ linux-2.6.39.3/init/main.c 2011-06-03 00:32:08.000000000 -0400
66902 @@ -96,6 +96,8 @@ static inline void mark_rodata_ro(void)
66903 extern void tc_init(void);
66904 #endif
66905
66906 +extern void grsecurity_init(void);
66907 +
66908 /*
66909 * Debug helper: via this flag we know that we are in 'early bootup code'
66910 * where only the boot processor is running with IRQ disabled. This means
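Review bot: `extern void grsecurity_init(void);` is declared directly in init/main.c, so the compiler never checks this prototype against the definition. Moving it to a header that both the defining file and init/main.c include would turn a later signature change into a build error rather than a silent mismatch. Which header is appropriate cannot be determined from this hunk.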
66911 @@ -149,6 +151,49 @@ static int __init set_reset_devices(char
66912
66913 __setup("reset_devices", set_reset_devices);
66914
66915 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
66916 +extern char pax_enter_kernel_user[];
66917 +extern char pax_exit_kernel_user[];
66918 +extern pgdval_t clone_pgd_mask;
66919 +#endif
66920 +
66921 +#if defined(CONFIG_X86) && defined(CONFIG_PAX_MEMORY_UDEREF)
66922 +static int __init setup_pax_nouderef(char *str)
66923 +{
66924 +#ifdef CONFIG_X86_32
66925 + unsigned int cpu;
66926 + struct desc_struct *gdt;
66927 +
66928 + for (cpu = 0; cpu < NR_CPUS; cpu++) {
66929 + gdt = get_cpu_gdt_table(cpu);
66930 + gdt[GDT_ENTRY_KERNEL_DS].type = 3;
66931 + gdt[GDT_ENTRY_KERNEL_DS].limit = 0xf;
66932 + gdt[GDT_ENTRY_DEFAULT_USER_CS].limit = 0xf;
66933 + gdt[GDT_ENTRY_DEFAULT_USER_DS].limit = 0xf;
66934 + }
66935 + asm("mov %0, %%ds; mov %0, %%es; mov %0, %%ss" : : "r" (__KERNEL_DS) : "memory");
66936 +#else
66937 + memcpy(pax_enter_kernel_user, (unsigned char []){0xc3}, 1);
66938 + memcpy(pax_exit_kernel_user, (unsigned char []){0xc3}, 1);
66939 + clone_pgd_mask = ~(pgdval_t)0UL;
66940 +#endif
66941 +
66942 + return 0;
66943 +}
66944 +early_param("pax_nouderef", setup_pax_nouderef);
66945 +#endif
66946 +
66947 +#ifdef CONFIG_PAX_SOFTMODE
66948 +unsigned int pax_softmode;
66949 +
66950 +static int __init setup_pax_softmode(char *str)
66951 +{
66952 + get_option(&str, &pax_softmode);
66953 + return 1;
66954 +}
66955 +__setup("pax_softmode=", setup_pax_softmode);
66956 +#endif
66957 +
66958 static const char * argv_init[MAX_INIT_ARGS+2] = { "init", NULL, };
66959 const char * envp_init[MAX_INIT_ENVS+2] = { "HOME=/", "TERM=linux", NULL, };
66960 static const char *panic_later, *panic_param;
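Review bot: `setup_pax_softmode` discards the result of `get_option()` and passes it `&pax_softmode`, an `unsigned int *`, although get_option() stores through an `int *`; a malformed or negative `pax_softmode=` value is therefore accepted without any diagnostic. Since the option presumably relaxes PaX enforcement, parse into a local and reject bad input, e.g. `int val; if (get_option(&str, &val) != 1 || val < 0) return 0; pax_softmode = val;`. In `setup_pax_nouderef` above, the bare constants (`0xc3`, `type = 3`, `limit = 0xf`) deserve a one-line comment each, for example `/* 0xc3: x86 ret, makes the hook return immediately */`, so that a reader can see exactly which protection the boot parameter switches off.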
66961 @@ -663,6 +708,7 @@ int __init_or_module do_one_initcall(ini
66962 {
66963 int count = preempt_count();
66964 int ret;
66965 + const char *msg1 = "", *msg2 = "";
66966
66967 if (initcall_debug)
66968 ret = do_one_initcall_debug(fn);
66969 @@ -675,15 +721,15 @@ int __init_or_module do_one_initcall(ini
66970 sprintf(msgbuf, "error code %d ", ret);
66971
66972 if (preempt_count() != count) {
66973 - strlcat(msgbuf, "preemption imbalance ", sizeof(msgbuf));
66974 + msg1 = " preemption imbalance";
66975 preempt_count() = count;
66976 }
66977 if (irqs_disabled()) {
66978 - strlcat(msgbuf, "disabled interrupts ", sizeof(msgbuf));
66979 + msg2 = " disabled interrupts";
66980 local_irq_enable();
66981 }
66982 - if (msgbuf[0]) {
66983 - printk("initcall %pF returned with %s\n", fn, msgbuf);
66984 + if (msgbuf[0] || *msg1 || *msg2) {
66985 + printk("initcall %pF returned with %s%s%s\n", fn, msgbuf, msg1, msg2);
66986 }
66987
66988 return ret;
66989 @@ -801,7 +847,7 @@ static int __init kernel_init(void * unu
66990 do_basic_setup();
66991
66992 /* Open the /dev/console on the rootfs, this should never fail */
66993 - if (sys_open((const char __user *) "/dev/console", O_RDWR, 0) < 0)
66994 + if (sys_open((__force const char __user *) "/dev/console", O_RDWR, 0) < 0)
66995 printk(KERN_WARNING "Warning: unable to open an initial console.\n");
66996
66997 (void) sys_dup(0);
66998 @@ -814,11 +860,13 @@ static int __init kernel_init(void * unu
66999 if (!ramdisk_execute_command)
67000 ramdisk_execute_command = "/init";
67001
67002 - if (sys_access((const char __user *) ramdisk_execute_command, 0) != 0) {
67003 + if (sys_access((__force const char __user *) ramdisk_execute_command, 0) != 0) {
67004 ramdisk_execute_command = NULL;
67005 prepare_namespace();
67006 }
67007
67008 + grsecurity_init();
67009 +
67010 /*
67011 * Ok, we have completed the initial bootup, and
67012 * we're essentially up and running. Get rid of the
67013 diff -urNp linux-2.6.39.3/ipc/mqueue.c linux-2.6.39.3/ipc/mqueue.c
67014 --- linux-2.6.39.3/ipc/mqueue.c 2011-05-19 00:06:34.000000000 -0400
67015 +++ linux-2.6.39.3/ipc/mqueue.c 2011-05-22 19:41:42.000000000 -0400
67016 @@ -154,6 +154,7 @@ static struct inode *mqueue_get_inode(st
67017 mq_bytes = (mq_msg_tblsz +
67018 (info->attr.mq_maxmsg * info->attr.mq_msgsize));
67019
67020 + gr_learn_resource(current, RLIMIT_MSGQUEUE, u->mq_bytes + mq_bytes, 1);
67021 spin_lock(&mq_lock);
67022 if (u->mq_bytes + mq_bytes < u->mq_bytes ||
67023 u->mq_bytes + mq_bytes >
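Review bot: The added `gr_learn_resource()` call reads `u->mq_bytes` before `spin_lock(&mq_lock)` is taken and before the wrap test on `u->mq_bytes + mq_bytes` in the following `if`, so the value handed to the learning code can be stale or already wrapped. If gr_learn_resource() may be called under a spinlock (not visible here), placing the call directly below `spin_lock(&mq_lock);` would make the read consistent with the check; otherwise snapshot the sum under the lock and report it after unlocking. The enclosing function continues outside the hunk.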
67024 diff -urNp linux-2.6.39.3/ipc/sem.c linux-2.6.39.3/ipc/sem.c
67025 --- linux-2.6.39.3/ipc/sem.c 2011-05-19 00:06:34.000000000 -0400
67026 +++ linux-2.6.39.3/ipc/sem.c 2011-05-22 19:36:33.000000000 -0400
67027 @@ -854,6 +854,8 @@ static int semctl_main(struct ipc_namesp
67028 int nsems;
67029 struct list_head tasks;
67030
67031 + pax_track_stack();
67032 +
67033 sma = sem_lock_check(ns, semid);
67034 if (IS_ERR(sma))
67035 return PTR_ERR(sma);
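Review bot: `pax_track_stack();` is inserted here with no comment saying why semctl_main needs it, and the same bare call is added to semtimedop in the next hunk, to find_css_set in kernel/cgroup.c and in nearly every kernel/cred.c hunk. From the hunks alone a reader cannot tell which property of these functions qualifies them (presumably a large stack frame or the sensitivity of the data they handle), which makes it hard to judge whether a newly added function needs the call as well. A short comment at each site, or one rule documented next to the helper's definition, e.g. `/* large on-stack buffers: record stack depth for PaX */`, would make the criterion reviewable. Both function bodies extend beyond their hunks.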
67036 @@ -1301,6 +1303,8 @@ SYSCALL_DEFINE4(semtimedop, int, semid,
67037 struct ipc_namespace *ns;
67038 struct list_head tasks;
67039
67040 + pax_track_stack();
67041 +
67042 ns = current->nsproxy->ipc_ns;
67043
67044 if (nsops < 1 || semid < 0)
67045 diff -urNp linux-2.6.39.3/ipc/shm.c linux-2.6.39.3/ipc/shm.c
67046 --- linux-2.6.39.3/ipc/shm.c 2011-05-19 00:06:34.000000000 -0400
67047 +++ linux-2.6.39.3/ipc/shm.c 2011-05-22 19:41:42.000000000 -0400
67048 @@ -69,6 +69,14 @@ static void shm_destroy (struct ipc_name
67049 static int sysvipc_shm_proc_show(struct seq_file *s, void *it);
67050 #endif
67051
67052 +#ifdef CONFIG_GRKERNSEC
67053 +extern int gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
67054 + const time_t shm_createtime, const uid_t cuid,
67055 + const int shmid);
67056 +extern int gr_chroot_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
67057 + const time_t shm_createtime);
67058 +#endif
67059 +
67060 void shm_init_ns(struct ipc_namespace *ns)
67061 {
67062 ns->shm_ctlmax = SHMMAX;
67063 @@ -401,6 +409,14 @@ static int newseg(struct ipc_namespace *
67064 shp->shm_lprid = 0;
67065 shp->shm_atim = shp->shm_dtim = 0;
67066 shp->shm_ctim = get_seconds();
67067 +#ifdef CONFIG_GRKERNSEC
67068 + {
67069 + struct timespec timeval;
67070 + do_posix_clock_monotonic_gettime(&timeval);
67071 +
67072 + shp->shm_createtime = timeval.tv_sec;
67073 + }
67074 +#endif
67075 shp->shm_segsz = size;
67076 shp->shm_nattch = 0;
67077 shp->shm_file = file;
67078 @@ -762,8 +778,6 @@ SYSCALL_DEFINE3(shmctl, int, shmid, int,
67079 case SHM_LOCK:
67080 case SHM_UNLOCK:
67081 {
67082 - struct file *uninitialized_var(shm_file);
67083 -
67084 lru_add_drain_all(); /* drain pagevecs to lru lists */
67085
67086 shp = shm_lock_check(ns, shmid);
67087 @@ -896,9 +910,21 @@ long do_shmat(int shmid, char __user *sh
67088 if (err)
67089 goto out_unlock;
67090
67091 +#ifdef CONFIG_GRKERNSEC
67092 + if (!gr_handle_shmat(shp->shm_cprid, shp->shm_lapid, shp->shm_createtime,
67093 + shp->shm_perm.cuid, shmid) ||
67094 + !gr_chroot_shmat(shp->shm_cprid, shp->shm_lapid, shp->shm_createtime)) {
67095 + err = -EACCES;
67096 + goto out_unlock;
67097 + }
67098 +#endif
67099 +
67100 path = shp->shm_file->f_path;
67101 path_get(&path);
67102 shp->shm_nattch++;
67103 +#ifdef CONFIG_GRKERNSEC
67104 + shp->shm_lapid = current->pid;
67105 +#endif
67106 size = i_size_read(path.dentry->d_inode);
67107 shm_unlock(shp);
67108
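Review bot: `shp->shm_lapid = current->pid;` is stored as soon as `shm_nattch` is incremented, that is, before the mapping itself is attempted later in do_shmat (outside this hunk), so a failed attach would still be recorded as the last attacher that `gr_handle_shmat()` and `gr_chroot_shmat()` receive on the next call. It also stores the raw `current->pid`, whereas `shm_cprid`, which is passed alongside it, is presumably a thread-group id; for a multithreaded or PID-namespaced attacher the two are not the same kind of value. Consider `shp->shm_lapid = task_tgid_vnr(current);` and setting it only once the attach has succeeded.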
67109 diff -urNp linux-2.6.39.3/kernel/acct.c linux-2.6.39.3/kernel/acct.c
67110 --- linux-2.6.39.3/kernel/acct.c 2011-05-19 00:06:34.000000000 -0400
67111 +++ linux-2.6.39.3/kernel/acct.c 2011-05-22 19:36:33.000000000 -0400
67112 @@ -570,7 +570,7 @@ static void do_acct_process(struct bsd_a
67113 */
67114 flim = current->signal->rlim[RLIMIT_FSIZE].rlim_cur;
67115 current->signal->rlim[RLIMIT_FSIZE].rlim_cur = RLIM_INFINITY;
67116 - file->f_op->write(file, (char *)&ac,
67117 + file->f_op->write(file, (__force char __user *)&ac,
67118 sizeof(acct_t), &file->f_pos);
67119 current->signal->rlim[RLIMIT_FSIZE].rlim_cur = flim;
67120 set_fs(fs);
67121 diff -urNp linux-2.6.39.3/kernel/audit.c linux-2.6.39.3/kernel/audit.c
67122 --- linux-2.6.39.3/kernel/audit.c 2011-05-19 00:06:34.000000000 -0400
67123 +++ linux-2.6.39.3/kernel/audit.c 2011-05-22 19:36:33.000000000 -0400
67124 @@ -112,7 +112,7 @@ u32 audit_sig_sid = 0;
67125 3) suppressed due to audit_rate_limit
67126 4) suppressed due to audit_backlog_limit
67127 */
67128 -static atomic_t audit_lost = ATOMIC_INIT(0);
67129 +static atomic_unchecked_t audit_lost = ATOMIC_INIT(0);
67130
67131 /* The netlink socket. */
67132 static struct sock *audit_sock;
67133 @@ -234,7 +234,7 @@ void audit_log_lost(const char *message)
67134 unsigned long now;
67135 int print;
67136
67137 - atomic_inc(&audit_lost);
67138 + atomic_inc_unchecked(&audit_lost);
67139
67140 print = (audit_failure == AUDIT_FAIL_PANIC || !audit_rate_limit);
67141
67142 @@ -253,7 +253,7 @@ void audit_log_lost(const char *message)
67143 printk(KERN_WARNING
67144 "audit: audit_lost=%d audit_rate_limit=%d "
67145 "audit_backlog_limit=%d\n",
67146 - atomic_read(&audit_lost),
67147 + atomic_read_unchecked(&audit_lost),
67148 audit_rate_limit,
67149 audit_backlog_limit);
67150 audit_panic(message);
67151 @@ -686,7 +686,7 @@ static int audit_receive_msg(struct sk_b
67152 status_set.pid = audit_pid;
67153 status_set.rate_limit = audit_rate_limit;
67154 status_set.backlog_limit = audit_backlog_limit;
67155 - status_set.lost = atomic_read(&audit_lost);
67156 + status_set.lost = atomic_read_unchecked(&audit_lost);
67157 status_set.backlog = skb_queue_len(&audit_skb_queue);
67158 audit_send_reply(NETLINK_CB(skb).pid, seq, AUDIT_GET, 0, 0,
67159 &status_set, sizeof(status_set));
67160 diff -urNp linux-2.6.39.3/kernel/auditsc.c linux-2.6.39.3/kernel/auditsc.c
67161 --- linux-2.6.39.3/kernel/auditsc.c 2011-05-19 00:06:34.000000000 -0400
67162 +++ linux-2.6.39.3/kernel/auditsc.c 2011-05-22 19:36:33.000000000 -0400
67163 @@ -2111,7 +2111,7 @@ int auditsc_get_stamp(struct audit_conte
67164 }
67165
67166 /* global counter which is incremented every time something logs in */
67167 -static atomic_t session_id = ATOMIC_INIT(0);
67168 +static atomic_unchecked_t session_id = ATOMIC_INIT(0);
67169
67170 /**
67171 * audit_set_loginuid - set a task's audit_context loginuid
67172 @@ -2124,7 +2124,7 @@ static atomic_t session_id = ATOMIC_INIT
67173 */
67174 int audit_set_loginuid(struct task_struct *task, uid_t loginuid)
67175 {
67176 - unsigned int sessionid = atomic_inc_return(&session_id);
67177 + unsigned int sessionid = atomic_inc_return_unchecked(&session_id);
67178 struct audit_context *context = task->audit_context;
67179
67180 if (context && context->in_syscall) {
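Review bot: Switching `session_id` to `atomic_inc_return_unchecked()` explicitly permits wrap-around of the login session counter, while `audit_set_loginuid` still uses the returned value unmodified. After 2^32 logins the ids repeat, and one of the values produced is `(unsigned int)-1`, which audit code commonly treats as "no session" (not visible in this hunk, so please confirm). If the id is relied on to correlate audit records, either keep overflow detection on this counter or skip the reserved value, and record the decision in a comment such as `/* wrap is tolerated: ids are unique only per 2^32 logins */`.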
67181 diff -urNp linux-2.6.39.3/kernel/capability.c linux-2.6.39.3/kernel/capability.c
67182 --- linux-2.6.39.3/kernel/capability.c 2011-05-19 00:06:34.000000000 -0400
67183 +++ linux-2.6.39.3/kernel/capability.c 2011-05-22 21:02:23.000000000 -0400
67184 @@ -206,6 +206,9 @@ SYSCALL_DEFINE2(capget, cap_user_header_
67185 * before modification is attempted and the application
67186 * fails.
67187 */
67188 + if (tocopy > ARRAY_SIZE(kdata))
67189 + return -EFAULT;
67190 +
67191 if (copy_to_user(dataptr, kdata, tocopy
67192 * sizeof(struct __user_cap_data_struct))) {
67193 return -EFAULT;
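Review bot: The new `tocopy > ARRAY_SIZE(kdata)` test guards only the `copy_to_user()` read of `kdata`; if `kdata` is filled earlier in capget by a loop bounded by the same `tocopy` (those lines are outside the hunk), an oversized value would already have written past the array before this check runs. Performing the comparison against the array's declared size right after `tocopy` is determined, before anything indexes `kdata`, covers both the write and the read. `-EINVAL` may also describe the condition better than `-EFAULT`, since the user pointer is not what is wrong.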
67194 @@ -378,7 +381,7 @@ bool ns_capable(struct user_namespace *n
67195 BUG();
67196 }
67197
67198 - if (security_capable(ns, current_cred(), cap) == 0) {
67199 + if (security_capable(ns, current_cred(), cap) == 0 && gr_is_capable(cap)) {
67200 current->flags |= PF_SUPERPRIV;
67201 return true;
67202 }
67203 @@ -386,6 +389,27 @@ bool ns_capable(struct user_namespace *n
67204 }
67205 EXPORT_SYMBOL(ns_capable);
67206
67207 +bool ns_capable_nolog(struct user_namespace *ns, int cap)
67208 +{
67209 + if (unlikely(!cap_valid(cap))) {
67210 + printk(KERN_CRIT "capable() called with invalid cap=%u\n", cap);
67211 + BUG();
67212 + }
67213 +
67214 + if (security_capable(ns, current_cred(), cap) == 0 && gr_is_capable_nolog(cap)) {
67215 + current->flags |= PF_SUPERPRIV;
67216 + return true;
67217 + }
67218 + return false;
67219 +}
67220 +EXPORT_SYMBOL(ns_capable_nolog);
67221 +
67222 +bool capable_nolog(int cap)
67223 +{
67224 + return ns_capable_nolog(&init_user_ns, cap);
67225 +}
67226 +EXPORT_SYMBOL(capable_nolog);
67227 +
67228 /**
67229 * task_ns_capable - Determine whether current task has a superior
67230 * capability targeted at a specific task's user namespace.
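Review bot: `ns_capable_nolog()`, `capable_nolog()` and, in the next hunk, `task_ns_capable_nolog()` are exported without the kernel-doc blocks their neighbours in this file carry, so nothing states when a caller may legitimately pick the non-logging variant of a privilege check. ns_capable_nolog also appears to repeat ns_capable's body, differing only in calling `gr_is_capable_nolog()`, and its message still reads `capable() called with invalid cap`. Please add a kernel-doc comment saying that the decision is the same as ns_capable() except that the grsecurity hook does not log, and that `PF_SUPERPRIV` is still set on success. A shared static helper that takes the hook as a parameter would remove the duplication and keep the two paths from drifting apart.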
67231 @@ -400,6 +424,12 @@ bool task_ns_capable(struct task_struct
67232 }
67233 EXPORT_SYMBOL(task_ns_capable);
67234
67235 +bool task_ns_capable_nolog(struct task_struct *t, int cap)
67236 +{
67237 + return ns_capable_nolog(task_cred_xxx(t, user)->user_ns, cap);
67238 +}
67239 +EXPORT_SYMBOL(task_ns_capable_nolog);
67240 +
67241 /**
67242 * nsown_capable - Check superior capability to one's own user_ns
67243 * @cap: The capability in question
67244 diff -urNp linux-2.6.39.3/kernel/cgroup.c linux-2.6.39.3/kernel/cgroup.c
67245 --- linux-2.6.39.3/kernel/cgroup.c 2011-05-19 00:06:34.000000000 -0400
67246 +++ linux-2.6.39.3/kernel/cgroup.c 2011-05-22 19:36:33.000000000 -0400
67247 @@ -598,6 +598,8 @@ static struct css_set *find_css_set(
67248 struct hlist_head *hhead;
67249 struct cg_cgroup_link *link;
67250
67251 + pax_track_stack();
67252 +
67253 /* First see if we already have a cgroup group that matches
67254 * the desired set */
67255 read_lock(&css_set_lock);
67256 diff -urNp linux-2.6.39.3/kernel/compat.c linux-2.6.39.3/kernel/compat.c
67257 --- linux-2.6.39.3/kernel/compat.c 2011-05-19 00:06:34.000000000 -0400
67258 +++ linux-2.6.39.3/kernel/compat.c 2011-05-22 19:41:42.000000000 -0400
67259 @@ -13,6 +13,7 @@
67260
67261 #include <linux/linkage.h>
67262 #include <linux/compat.h>
67263 +#include <linux/module.h>
67264 #include <linux/errno.h>
67265 #include <linux/time.h>
67266 #include <linux/signal.h>
67267 diff -urNp linux-2.6.39.3/kernel/configs.c linux-2.6.39.3/kernel/configs.c
67268 --- linux-2.6.39.3/kernel/configs.c 2011-05-19 00:06:34.000000000 -0400
67269 +++ linux-2.6.39.3/kernel/configs.c 2011-05-22 19:41:42.000000000 -0400
67270 @@ -74,8 +74,19 @@ static int __init ikconfig_init(void)
67271 struct proc_dir_entry *entry;
67272
67273 /* create the current config file */
67274 +#if defined(CONFIG_GRKERNSEC_PROC_ADD) || defined(CONFIG_GRKERNSEC_HIDESYM)
67275 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_HIDESYM)
67276 + entry = proc_create("config.gz", S_IFREG | S_IRUSR, NULL,
67277 + &ikconfig_file_ops);
67278 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
67279 + entry = proc_create("config.gz", S_IFREG | S_IRUSR | S_IRGRP, NULL,
67280 + &ikconfig_file_ops);
67281 +#endif
67282 +#else
67283 entry = proc_create("config.gz", S_IFREG | S_IRUGO, NULL,
67284 &ikconfig_file_ops);
67285 +#endif
67286 +
67287 if (!entry)
67288 return -ENOMEM;
67289
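Review bot: When `CONFIG_GRKERNSEC_PROC_ADD` is set but none of `CONFIG_GRKERNSEC_PROC_USER`, `CONFIG_GRKERNSEC_HIDESYM` or `CONFIG_GRKERNSEC_PROC_USERGROUP` is, the inner `#if`/`#elif` chain compiles to nothing and `entry` reaches `if (!entry)` without ever being assigned. Kconfig dependencies may rule that combination out, but nothing in this file enforces it. Close the inner chain with `#else` followed by `#error "GRKERNSEC_PROC_ADD needs PROC_USER or PROC_USERGROUP"`, or fall back to the most restrictive mode (`S_IFREG | S_IRUSR`) in that branch.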
67290 diff -urNp linux-2.6.39.3/kernel/cred.c linux-2.6.39.3/kernel/cred.c
67291 --- linux-2.6.39.3/kernel/cred.c 2011-05-19 00:06:34.000000000 -0400
67292 +++ linux-2.6.39.3/kernel/cred.c 2011-05-22 19:41:42.000000000 -0400
67293 @@ -158,6 +158,8 @@ static void put_cred_rcu(struct rcu_head
67294 */
67295 void __put_cred(struct cred *cred)
67296 {
67297 + pax_track_stack();
67298 +
67299 kdebug("__put_cred(%p{%d,%d})", cred,
67300 atomic_read(&cred->usage),
67301 read_cred_subscribers(cred));
67302 @@ -182,6 +184,8 @@ void exit_creds(struct task_struct *tsk)
67303 {
67304 struct cred *cred;
67305
67306 + pax_track_stack();
67307 +
67308 kdebug("exit_creds(%u,%p,%p,{%d,%d})", tsk->pid, tsk->real_cred, tsk->cred,
67309 atomic_read(&tsk->cred->usage),
67310 read_cred_subscribers(tsk->cred));
67311 @@ -220,6 +224,8 @@ const struct cred *get_task_cred(struct
67312 {
67313 const struct cred *cred;
67314
67315 + pax_track_stack();
67316 +
67317 rcu_read_lock();
67318
67319 do {
67320 @@ -239,6 +245,8 @@ struct cred *cred_alloc_blank(void)
67321 {
67322 struct cred *new;
67323
67324 + pax_track_stack();
67325 +
67326 new = kmem_cache_zalloc(cred_jar, GFP_KERNEL);
67327 if (!new)
67328 return NULL;
67329 @@ -287,6 +295,8 @@ struct cred *prepare_creds(void)
67330 const struct cred *old;
67331 struct cred *new;
67332
67333 + pax_track_stack();
67334 +
67335 validate_process_creds();
67336
67337 new = kmem_cache_alloc(cred_jar, GFP_KERNEL);
67338 @@ -333,6 +343,8 @@ struct cred *prepare_exec_creds(void)
67339 struct thread_group_cred *tgcred = NULL;
67340 struct cred *new;
67341
67342 + pax_track_stack();
67343 +
67344 #ifdef CONFIG_KEYS
67345 tgcred = kmalloc(sizeof(*tgcred), GFP_KERNEL);
67346 if (!tgcred)
67347 @@ -385,6 +397,8 @@ int copy_creds(struct task_struct *p, un
67348 struct cred *new;
67349 int ret;
67350
67351 + pax_track_stack();
67352 +
67353 if (
67354 #ifdef CONFIG_KEYS
67355 !p->cred->thread_keyring &&
67356 @@ -475,6 +489,8 @@ int commit_creds(struct cred *new)
67357 struct task_struct *task = current;
67358 const struct cred *old = task->real_cred;
67359
67360 + pax_track_stack();
67361 +
67362 kdebug("commit_creds(%p{%d,%d})", new,
67363 atomic_read(&new->usage),
67364 read_cred_subscribers(new));
67365 @@ -489,6 +505,8 @@ int commit_creds(struct cred *new)
67366
67367 get_cred(new); /* we will require a ref for the subj creds too */
67368
67369 + gr_set_role_label(task, new->uid, new->gid);
67370 +
67371 /* dumpability changes */
67372 if (old->euid != new->euid ||
67373 old->egid != new->egid ||
67374 @@ -551,6 +569,8 @@ EXPORT_SYMBOL(commit_creds);
67375 */
67376 void abort_creds(struct cred *new)
67377 {
67378 + pax_track_stack();
67379 +
67380 kdebug("abort_creds(%p{%d,%d})", new,
67381 atomic_read(&new->usage),
67382 read_cred_subscribers(new));
67383 @@ -574,6 +594,8 @@ const struct cred *override_creds(const
67384 {
67385 const struct cred *old = current->cred;
67386
67387 + pax_track_stack();
67388 +
67389 kdebug("override_creds(%p{%d,%d})", new,
67390 atomic_read(&new->usage),
67391 read_cred_subscribers(new));
67392 @@ -603,6 +625,8 @@ void revert_creds(const struct cred *old
67393 {
67394 const struct cred *override = current->cred;
67395
67396 + pax_track_stack();
67397 +
67398 kdebug("revert_creds(%p{%d,%d})", old,
67399 atomic_read(&old->usage),
67400 read_cred_subscribers(old));
67401 @@ -649,6 +673,8 @@ struct cred *prepare_kernel_cred(struct
67402 const struct cred *old;
67403 struct cred *new;
67404
67405 + pax_track_stack();
67406 +
67407 new = kmem_cache_alloc(cred_jar, GFP_KERNEL);
67408 if (!new)
67409 return NULL;
67410 @@ -703,6 +729,8 @@ EXPORT_SYMBOL(prepare_kernel_cred);
67411 */
67412 int set_security_override(struct cred *new, u32 secid)
67413 {
67414 + pax_track_stack();
67415 +
67416 return security_kernel_act_as(new, secid);
67417 }
67418 EXPORT_SYMBOL(set_security_override);
67419 @@ -722,6 +750,8 @@ int set_security_override_from_ctx(struc
67420 u32 secid;
67421 int ret;
67422
67423 + pax_track_stack();
67424 +
67425 ret = security_secctx_to_secid(secctx, strlen(secctx), &secid);
67426 if (ret < 0)
67427 return ret;
67428 diff -urNp linux-2.6.39.3/kernel/debug/debug_core.c linux-2.6.39.3/kernel/debug/debug_core.c
67429 --- linux-2.6.39.3/kernel/debug/debug_core.c 2011-05-19 00:06:34.000000000 -0400
67430 +++ linux-2.6.39.3/kernel/debug/debug_core.c 2011-05-22 19:36:33.000000000 -0400
67431 @@ -72,7 +72,7 @@ int kgdb_io_module_registered;
67432 /* Guard for recursive entry */
67433 static int exception_level;
67434
67435 -struct kgdb_io *dbg_io_ops;
67436 +const struct kgdb_io *dbg_io_ops;
67437 static DEFINE_SPINLOCK(kgdb_registration_lock);
67438
67439 /* kgdb console driver is loaded */
67440 @@ -119,7 +119,7 @@ static DEFINE_RAW_SPINLOCK(dbg_slave_loc
67441 */
67442 static atomic_t masters_in_kgdb;
67443 static atomic_t slaves_in_kgdb;
67444 -static atomic_t kgdb_break_tasklet_var;
67445 +static atomic_unchecked_t kgdb_break_tasklet_var;
67446 atomic_t kgdb_setting_breakpoint;
67447
67448 struct task_struct *kgdb_usethread;
67449 @@ -129,7 +129,7 @@ int kgdb_single_step;
67450 static pid_t kgdb_sstep_pid;
67451
67452 /* to keep track of the CPU which is doing the single stepping*/
67453 -atomic_t kgdb_cpu_doing_single_step = ATOMIC_INIT(-1);
67454 +atomic_unchecked_t kgdb_cpu_doing_single_step = ATOMIC_INIT(-1);
67455
67456 /*
67457 * If you are debugging a problem where roundup (the collection of
67458 @@ -542,7 +542,7 @@ return_normal:
67459 * kernel will only try for the value of sstep_tries before
67460 * giving up and continuing on.
67461 */
67462 - if (atomic_read(&kgdb_cpu_doing_single_step) != -1 &&
67463 + if (atomic_read_unchecked(&kgdb_cpu_doing_single_step) != -1 &&
67464 (kgdb_info[cpu].task &&
67465 kgdb_info[cpu].task->pid != kgdb_sstep_pid) && --sstep_tries) {
67466 atomic_set(&kgdb_active, -1);
67467 @@ -636,8 +636,8 @@ cpu_master_loop:
67468 }
67469
67470 kgdb_restore:
67471 - if (atomic_read(&kgdb_cpu_doing_single_step) != -1) {
67472 - int sstep_cpu = atomic_read(&kgdb_cpu_doing_single_step);
67473 + if (atomic_read_unchecked(&kgdb_cpu_doing_single_step) != -1) {
67474 + int sstep_cpu = atomic_read_unchecked(&kgdb_cpu_doing_single_step);
67475 if (kgdb_info[sstep_cpu].task)
67476 kgdb_sstep_pid = kgdb_info[sstep_cpu].task->pid;
67477 else
67478 @@ -834,18 +834,18 @@ static void kgdb_unregister_callbacks(vo
67479 static void kgdb_tasklet_bpt(unsigned long ing)
67480 {
67481 kgdb_breakpoint();
67482 - atomic_set(&kgdb_break_tasklet_var, 0);
67483 + atomic_set_unchecked(&kgdb_break_tasklet_var, 0);
67484 }
67485
67486 static DECLARE_TASKLET(kgdb_tasklet_breakpoint, kgdb_tasklet_bpt, 0);
67487
67488 void kgdb_schedule_breakpoint(void)
67489 {
67490 - if (atomic_read(&kgdb_break_tasklet_var) ||
67491 + if (atomic_read_unchecked(&kgdb_break_tasklet_var) ||
67492 atomic_read(&kgdb_active) != -1 ||
67493 atomic_read(&kgdb_setting_breakpoint))
67494 return;
67495 - atomic_inc(&kgdb_break_tasklet_var);
67496 + atomic_inc_unchecked(&kgdb_break_tasklet_var);
67497 tasklet_schedule(&kgdb_tasklet_breakpoint);
67498 }
67499 EXPORT_SYMBOL_GPL(kgdb_schedule_breakpoint);
67500 @@ -864,7 +864,7 @@ static void kgdb_initial_breakpoint(void
67501 *
67502 * Register it with the KGDB core.
67503 */
67504 -int kgdb_register_io_module(struct kgdb_io *new_dbg_io_ops)
67505 +int kgdb_register_io_module(const struct kgdb_io *new_dbg_io_ops)
67506 {
67507 int err;
67508
67509 @@ -909,7 +909,7 @@ EXPORT_SYMBOL_GPL(kgdb_register_io_modul
67510 *
67511 * Unregister it with the KGDB core.
67512 */
67513 -void kgdb_unregister_io_module(struct kgdb_io *old_dbg_io_ops)
67514 +void kgdb_unregister_io_module(const struct kgdb_io *old_dbg_io_ops)
67515 {
67516 BUG_ON(kgdb_connected);
67517
67518 diff -urNp linux-2.6.39.3/kernel/debug/kdb/kdb_main.c linux-2.6.39.3/kernel/debug/kdb/kdb_main.c
67519 --- linux-2.6.39.3/kernel/debug/kdb/kdb_main.c 2011-05-19 00:06:34.000000000 -0400
67520 +++ linux-2.6.39.3/kernel/debug/kdb/kdb_main.c 2011-05-22 19:36:33.000000000 -0400
67521 @@ -1980,7 +1980,7 @@ static int kdb_lsmod(int argc, const cha
67522 list_for_each_entry(mod, kdb_modules, list) {
67523
67524 kdb_printf("%-20s%8u 0x%p ", mod->name,
67525 - mod->core_size, (void *)mod);
67526 + mod->core_size_rx + mod->core_size_rw, (void *)mod);
67527 #ifdef CONFIG_MODULE_UNLOAD
67528 kdb_printf("%4d ", module_refcount(mod));
67529 #endif
67530 @@ -1990,7 +1990,7 @@ static int kdb_lsmod(int argc, const cha
67531 kdb_printf(" (Loading)");
67532 else
67533 kdb_printf(" (Live)");
67534 - kdb_printf(" 0x%p", mod->module_core);
67535 + kdb_printf(" 0x%p 0x%p", mod->module_core_rx, mod->module_core_rw);
67536
67537 #ifdef CONFIG_MODULE_UNLOAD
67538 {
67539 diff -urNp linux-2.6.39.3/kernel/exit.c linux-2.6.39.3/kernel/exit.c
67540 --- linux-2.6.39.3/kernel/exit.c 2011-05-19 00:06:34.000000000 -0400
67541 +++ linux-2.6.39.3/kernel/exit.c 2011-05-22 20:02:30.000000000 -0400
67542 @@ -57,6 +57,10 @@
67543 #include <asm/pgtable.h>
67544 #include <asm/mmu_context.h>
67545
67546 +#ifdef CONFIG_GRKERNSEC
67547 +extern rwlock_t grsec_exec_file_lock;
67548 +#endif
67549 +
67550 static void exit_mm(struct task_struct * tsk);
67551
67552 static void __unhash_process(struct task_struct *p, bool group_dead)
67553 @@ -169,6 +173,8 @@ void release_task(struct task_struct * p
67554 struct task_struct *leader;
67555 int zap_leader;
67556 repeat:
67557 + gr_del_task_from_ip_table(p);
67558 +
67559 tracehook_prepare_release_task(p);
67560 /* don't need to get the RCU readlock here - the process is dead and
67561 * can't be modifying its own credentials. But shut RCU-lockdep up */
67562 @@ -338,11 +344,22 @@ static void reparent_to_kthreadd(void)
67563 {
67564 write_lock_irq(&tasklist_lock);
67565
67566 +#ifdef CONFIG_GRKERNSEC
67567 + write_lock(&grsec_exec_file_lock);
67568 + if (current->exec_file) {
67569 + fput(current->exec_file);
67570 + current->exec_file = NULL;
67571 + }
67572 + write_unlock(&grsec_exec_file_lock);
67573 +#endif
67574 +
67575 ptrace_unlink(current);
67576 /* Reparent to init */
67577 current->real_parent = current->parent = kthreadd_task;
67578 list_move_tail(&current->sibling, &current->real_parent->children);
67579
67580 + gr_set_kernel_label(current);
67581 +
67582 /* Set the exit signal to SIGCHLD so we signal init on exit */
67583 current->exit_signal = SIGCHLD;
67584
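Review bot: `fput(current->exec_file)` is called here while `tasklist_lock` is write-held with interrupts off and `grsec_exec_file_lock` is write-held on top of it; if this drops the last reference, the file's release path runs in atomic context, where it may sleep. The identical block added to daemonize() in the -430 hunk has the same problem with respect to `grsec_exec_file_lock`. Detach the pointer under the lock and drop the reference only after all spinning locks are released, as sketched below; in reparent_to_kthreadd the release of `tasklist_lock` lies outside this hunk. A small static helper shared by both call sites would also remove the duplicated block.

```c
	/* … unchanged: write_lock_irq(&tasklist_lock) … */
#ifdef CONFIG_GRKERNSEC
	/* exec_file is a struct file * local, initialised to NULL at function top */
	write_lock(&grsec_exec_file_lock);
	exec_file = current->exec_file;
	current->exec_file = NULL;
	write_unlock(&grsec_exec_file_lock);
#endif
	/* … unchanged: ptrace_unlink() through the release of tasklist_lock … */
#ifdef CONFIG_GRKERNSEC
	/* no spinning lock is held any more, so the final put may sleep */
	if (exec_file)
		fput(exec_file);
#endif
```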
67585 @@ -394,7 +411,7 @@ int allow_signal(int sig)
67586 * know it'll be handled, so that they don't get converted to
67587 * SIGKILL or just silently dropped.
67588 */
67589 - current->sighand->action[(sig)-1].sa.sa_handler = (void __user *)2;
67590 + current->sighand->action[(sig)-1].sa.sa_handler = (__force void __user *)2;
67591 recalc_sigpending();
67592 spin_unlock_irq(&current->sighand->siglock);
67593 return 0;
67594 @@ -430,6 +447,17 @@ void daemonize(const char *name, ...)
67595 vsnprintf(current->comm, sizeof(current->comm), name, args);
67596 va_end(args);
67597
67598 +#ifdef CONFIG_GRKERNSEC
67599 + write_lock(&grsec_exec_file_lock);
67600 + if (current->exec_file) {
67601 + fput(current->exec_file);
67602 + current->exec_file = NULL;
67603 + }
67604 + write_unlock(&grsec_exec_file_lock);
67605 +#endif
67606 +
67607 + gr_set_kernel_label(current);
67608 +
67609 /*
67610 * If we were started as result of loading a module, close all of the
67611 * user space pages. We don't need them, and if we didn't close them
67612 @@ -905,15 +933,8 @@ NORET_TYPE void do_exit(long code)
67613 struct task_struct *tsk = current;
67614 int group_dead;
67615
67616 - profile_task_exit(tsk);
67617 -
67618 - WARN_ON(atomic_read(&tsk->fs_excl));
67619 - WARN_ON(blk_needs_flush_plug(tsk));
67620 -
67621 if (unlikely(in_interrupt()))
67622 panic("Aiee, killing interrupt handler!");
67623 - if (unlikely(!tsk->pid))
67624 - panic("Attempted to kill the idle task!");
67625
67626 /*
67627 * If do_exit is called because this processes oopsed, it's possible
67628 @@ -924,6 +945,14 @@ NORET_TYPE void do_exit(long code)
67629 */
67630 set_fs(USER_DS);
67631
67632 + profile_task_exit(tsk);
67633 +
67634 + WARN_ON(atomic_read(&tsk->fs_excl));
67635 + WARN_ON(blk_needs_flush_plug(tsk));
67636 +
67637 + if (unlikely(!tsk->pid))
67638 + panic("Attempted to kill the idle task!");
67639 +
67640 tracehook_report_exit(&code);
67641
67642 validate_creds_for_do_exit(tsk);
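Review bot: Moving `profile_task_exit()`, the two `WARN_ON()`s and the idle-task panic below `set_fs(USER_DS)` is done without any comment, so a later cleanup of do_exit could move them back without noticing that the order matters. The existing comment above `set_fs(USER_DS)` is only partly inside the hunk; extending it with something like `/* must come before any notifier, warning or hook so none of them runs with a stale KERNEL_DS limit */` would record the intent, if that is indeed the reason. do_exit continues beyond this hunk.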
67643 @@ -984,6 +1013,9 @@ NORET_TYPE void do_exit(long code)
67644 tsk->exit_code = code;
67645 taskstats_exit(tsk, group_dead);
67646
67647 + gr_acl_handle_psacct(tsk, code);
67648 + gr_acl_handle_exit();
67649 +
67650 exit_mm(tsk);
67651
67652 if (group_dead)
67653 diff -urNp linux-2.6.39.3/kernel/fork.c linux-2.6.39.3/kernel/fork.c
67654 --- linux-2.6.39.3/kernel/fork.c 2011-05-19 00:06:34.000000000 -0400
67655 +++ linux-2.6.39.3/kernel/fork.c 2011-05-22 19:41:42.000000000 -0400
67656 @@ -287,7 +287,7 @@ static struct task_struct *dup_task_stru
67657 *stackend = STACK_END_MAGIC; /* for overflow detection */
67658
67659 #ifdef CONFIG_CC_STACKPROTECTOR
67660 - tsk->stack_canary = get_random_int();
67661 + tsk->stack_canary = pax_get_random_long();
67662 #endif
67663
67664 /* One for us, one for whoever does the "release_task()" (usually parent) */
67665 @@ -309,13 +309,78 @@ out:
67666 }
67667
67668 #ifdef CONFIG_MMU
67669 +static struct vm_area_struct *dup_vma(struct mm_struct *mm, struct vm_area_struct *mpnt)
67670 +{
67671 + struct vm_area_struct *tmp;
67672 + unsigned long charge;
67673 + struct mempolicy *pol;
67674 + struct file *file;
67675 +
67676 + charge = 0;
67677 + if (mpnt->vm_flags & VM_ACCOUNT) {
67678 + unsigned int len = (mpnt->vm_end - mpnt->vm_start) >> PAGE_SHIFT;
67679 + if (security_vm_enough_memory(len))
67680 + goto fail_nomem;
67681 + charge = len;
67682 + }
67683 + tmp = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
67684 + if (!tmp)
67685 + goto fail_nomem;
67686 + *tmp = *mpnt;
67687 + tmp->vm_mm = mm;
67688 + INIT_LIST_HEAD(&tmp->anon_vma_chain);
67689 + pol = mpol_dup(vma_policy(mpnt));
67690 + if (IS_ERR(pol))
67691 + goto fail_nomem_policy;
67692 + vma_set_policy(tmp, pol);
67693 + if (anon_vma_fork(tmp, mpnt))
67694 + goto fail_nomem_anon_vma_fork;
67695 + tmp->vm_flags &= ~VM_LOCKED;
67696 + tmp->vm_next = tmp->vm_prev = NULL;
67697 + tmp->vm_mirror = NULL;
67698 + file = tmp->vm_file;
67699 + if (file) {
67700 + struct inode *inode = file->f_path.dentry->d_inode;
67701 + struct address_space *mapping = file->f_mapping;
67702 +
67703 + get_file(file);
67704 + if (tmp->vm_flags & VM_DENYWRITE)
67705 + atomic_dec(&inode->i_writecount);
67706 + spin_lock(&mapping->i_mmap_lock);
67707 + if (tmp->vm_flags & VM_SHARED)
67708 + mapping->i_mmap_writable++;
67709 + tmp->vm_truncate_count = mpnt->vm_truncate_count;
67710 + flush_dcache_mmap_lock(mapping);
67711 + /* insert tmp into the share list, just after mpnt */
67712 + vma_prio_tree_add(tmp, mpnt);
67713 + flush_dcache_mmap_unlock(mapping);
67714 + spin_unlock(&mapping->i_mmap_lock);
67715 + }
67716 +
67717 + /*
67718 + * Clear hugetlb-related page reserves for children. This only
67719 + * affects MAP_PRIVATE mappings. Faults generated by the child
67720 + * are not guaranteed to succeed, even if read-only
67721 + */
67722 + if (is_vm_hugetlb_page(tmp))
67723 + reset_vma_resv_huge_pages(tmp);
67724 +
67725 + return tmp;
67726 +
67727 +fail_nomem_anon_vma_fork:
67728 + mpol_put(pol);
67729 +fail_nomem_policy:
67730 + kmem_cache_free(vm_area_cachep, tmp);
67731 +fail_nomem:
67732 + vm_unacct_memory(charge);
67733 + return NULL;
67734 +}
67735 +
67736 static int dup_mmap(struct mm_struct *mm, struct mm_struct *oldmm)
67737 {
67738 struct vm_area_struct *mpnt, *tmp, *prev, **pprev;
67739 struct rb_node **rb_link, *rb_parent;
67740 int retval;
67741 - unsigned long charge;
67742 - struct mempolicy *pol;
67743
67744 down_write(&oldmm->mmap_sem);
67745 flush_cache_dup_mm(oldmm);
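Review bot: In `dup_vma()`, `unsigned int len = (mpnt->vm_end - mpnt->vm_start) >> PAGE_SHIFT;` narrows a page count derived from `unsigned long` addresses, so on 64-bit a sufficiently large `VM_ACCOUNT` mapping would be checked and charged for fewer pages than it has. The line is carried over from the code this patch removes from dup_mmap, but the extraction is a good moment to write `unsigned long len = vma_pages(mpnt);`, the helper dup_mmap already uses for the `VM_DONTCOPY` case. The new helper also lacks a comment on its contract: it returns NULL on any failure after undoing the charge, and hands back a vma with `vm_next`, `vm_prev` and `vm_mirror` cleared for the caller to link.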
67746 @@ -327,8 +392,8 @@ static int dup_mmap(struct mm_struct *mm
67747 mm->locked_vm = 0;
67748 mm->mmap = NULL;
67749 mm->mmap_cache = NULL;
67750 - mm->free_area_cache = oldmm->mmap_base;
67751 - mm->cached_hole_size = ~0UL;
67752 + mm->free_area_cache = oldmm->free_area_cache;
67753 + mm->cached_hole_size = oldmm->cached_hole_size;
67754 mm->map_count = 0;
67755 cpumask_clear(mm_cpumask(mm));
67756 mm->mm_rb = RB_ROOT;
67757 @@ -344,8 +409,6 @@ static int dup_mmap(struct mm_struct *mm
67758
67759 prev = NULL;
67760 for (mpnt = oldmm->mmap; mpnt; mpnt = mpnt->vm_next) {
67761 - struct file *file;
67762 -
67763 if (mpnt->vm_flags & VM_DONTCOPY) {
67764 long pages = vma_pages(mpnt);
67765 mm->total_vm -= pages;
67766 @@ -353,56 +416,13 @@ static int dup_mmap(struct mm_struct *mm
67767 -pages);
67768 continue;
67769 }
67770 - charge = 0;
67771 - if (mpnt->vm_flags & VM_ACCOUNT) {
67772 - unsigned int len = (mpnt->vm_end - mpnt->vm_start) >> PAGE_SHIFT;
67773 - if (security_vm_enough_memory(len))
67774 - goto fail_nomem;
67775 - charge = len;
67776 - }
67777 - tmp = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
67778 - if (!tmp)
67779 - goto fail_nomem;
67780 - *tmp = *mpnt;
67781 - INIT_LIST_HEAD(&tmp->anon_vma_chain);
67782 - pol = mpol_dup(vma_policy(mpnt));
67783 - retval = PTR_ERR(pol);
67784 - if (IS_ERR(pol))
67785 - goto fail_nomem_policy;
67786 - vma_set_policy(tmp, pol);
67787 - tmp->vm_mm = mm;
67788 - if (anon_vma_fork(tmp, mpnt))
67789 - goto fail_nomem_anon_vma_fork;
67790 - tmp->vm_flags &= ~VM_LOCKED;
67791 - tmp->vm_next = tmp->vm_prev = NULL;
67792 - file = tmp->vm_file;
67793 - if (file) {
67794 - struct inode *inode = file->f_path.dentry->d_inode;
67795 - struct address_space *mapping = file->f_mapping;
67796 -
67797 - get_file(file);
67798 - if (tmp->vm_flags & VM_DENYWRITE)
67799 - atomic_dec(&inode->i_writecount);
67800 - spin_lock(&mapping->i_mmap_lock);
67801 - if (tmp->vm_flags & VM_SHARED)
67802 - mapping->i_mmap_writable++;
67803 - tmp->vm_truncate_count = mpnt->vm_truncate_count;
67804 - flush_dcache_mmap_lock(mapping);
67805 - /* insert tmp into the share list, just after mpnt */
67806 - vma_prio_tree_add(tmp, mpnt);
67807 - flush_dcache_mmap_unlock(mapping);
67808 - spin_unlock(&mapping->i_mmap_lock);
67809 + tmp = dup_vma(mm, mpnt);
67810 + if (!tmp) {
67811 + retval = -ENOMEM;
67812 + goto out;
67813 }
67814
67815 /*
67816 - * Clear hugetlb-related page reserves for children. This only
67817 - * affects MAP_PRIVATE mappings. Faults generated by the child
67818 - * are not guaranteed to succeed, even if read-only
67819 - */
67820 - if (is_vm_hugetlb_page(tmp))
67821 - reset_vma_resv_huge_pages(tmp);
67822 -
67823 - /*
67824 * Link in the new vma and copy the page table entries.
67825 */
67826 *pprev = tmp;
67827 @@ -423,6 +443,31 @@ static int dup_mmap(struct mm_struct *mm
67828 if (retval)
67829 goto out;
67830 }
67831 +
67832 +#ifdef CONFIG_PAX_SEGMEXEC
67833 + if (oldmm->pax_flags & MF_PAX_SEGMEXEC) {
67834 + struct vm_area_struct *mpnt_m;
67835 +
67836 + for (mpnt = oldmm->mmap, mpnt_m = mm->mmap; mpnt; mpnt = mpnt->vm_next, mpnt_m = mpnt_m->vm_next) {
67837 + BUG_ON(!mpnt_m || mpnt_m->vm_mirror || mpnt->vm_mm != oldmm || mpnt_m->vm_mm != mm);
67838 +
67839 + if (!mpnt->vm_mirror)
67840 + continue;
67841 +
67842 + if (mpnt->vm_end <= SEGMEXEC_TASK_SIZE) {
67843 + BUG_ON(mpnt->vm_mirror->vm_mirror != mpnt);
67844 + mpnt->vm_mirror = mpnt_m;
67845 + } else {
67846 + BUG_ON(mpnt->vm_mirror->vm_mirror == mpnt || mpnt->vm_mirror->vm_mirror->vm_mm != mm);
67847 + mpnt_m->vm_mirror = mpnt->vm_mirror->vm_mirror;
67848 + mpnt_m->vm_mirror->vm_mirror = mpnt_m;
67849 + mpnt->vm_mirror->vm_mirror = mpnt;
67850 + }
67851 + }
67852 + BUG_ON(mpnt_m);
67853 + }
67854 +#endif
67855 +
67856 /* a new mm has just been created */
67857 arch_dup_mmap(oldmm, mm);
67858 retval = 0;
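Review bot: The SEGMEXEC mirror fix-up loop added near the end of dup_mmap() has no comment stating the invariant it depends on, which makes the BUG_ON conditions hard to audit. In the first branch the parent's `mpnt->vm_mirror` is pointed at the child's VMA, and it is only restored by `mpnt->vm_mirror->vm_mirror = mpnt` once the matching VMA above `SEGMEXEC_TASK_SIZE` is reached. The loop therefore appears to assume that every lower-half VMA is visited before its mirror and that the parent's mirror pointers are not read in between. I would add a comment above the loop such as `/* pair up the child's mirrors; a parent lower-half vm_mirror temporarily points into the child until its upper-half twin is visited */`. dup_mmap() starts outside this hunk.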
67859 @@ -431,14 +476,6 @@ out:
67860 flush_tlb_mm(oldmm);
67861 up_write(&oldmm->mmap_sem);
67862 return retval;
67863 -fail_nomem_anon_vma_fork:
67864 - mpol_put(pol);
67865 -fail_nomem_policy:
67866 - kmem_cache_free(vm_area_cachep, tmp);
67867 -fail_nomem:
67868 - retval = -ENOMEM;
67869 - vm_unacct_memory(charge);
67870 - goto out;
67871 }
67872
67873 static inline int mm_alloc_pgd(struct mm_struct * mm)
67874 @@ -785,13 +822,14 @@ static int copy_fs(unsigned long clone_f
67875 spin_unlock(&fs->lock);
67876 return -EAGAIN;
67877 }
67878 - fs->users++;
67879 + atomic_inc(&fs->users);
67880 spin_unlock(&fs->lock);
67881 return 0;
67882 }
67883 tsk->fs = copy_fs_struct(fs);
67884 if (!tsk->fs)
67885 return -ENOMEM;
67886 + gr_set_chroot_entries(tsk, &tsk->fs->root);
67887 return 0;
67888 }
67889
67890 @@ -1049,10 +1087,13 @@ static struct task_struct *copy_process(
67891 DEBUG_LOCKS_WARN_ON(!p->softirqs_enabled);
67892 #endif
67893 retval = -EAGAIN;
67894 +
67895 + gr_learn_resource(p, RLIMIT_NPROC, atomic_read(&p->real_cred->user->processes), 0);
67896 +
67897 if (atomic_read(&p->real_cred->user->processes) >=
67898 task_rlimit(p, RLIMIT_NPROC)) {
67899 - if (!capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE) &&
67900 - p->real_cred->user != INIT_USER)
67901 + if (p->real_cred->user != INIT_USER &&
67902 + !capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE))
67903 goto bad_fork_free;
67904 }
67905
67906 @@ -1200,6 +1241,8 @@ static struct task_struct *copy_process(
67907 goto bad_fork_free_pid;
67908 }
67909
67910 + gr_copy_label(p);
67911 +
67912 p->set_child_tid = (clone_flags & CLONE_CHILD_SETTID) ? child_tidptr : NULL;
67913 /*
67914 * Clear TID on mm_release()?
67915 @@ -1360,6 +1403,8 @@ bad_fork_cleanup_count:
67916 bad_fork_free:
67917 free_task(p);
67918 fork_out:
67919 + gr_log_forkfail(retval);
67920 +
67921 return ERR_PTR(retval);
67922 }
67923
67924 @@ -1448,6 +1493,8 @@ long do_fork(unsigned long clone_flags,
67925 if (clone_flags & CLONE_PARENT_SETTID)
67926 put_user(nr, parent_tidptr);
67927
67928 + gr_handle_brute_check();
67929 +
67930 if (clone_flags & CLONE_VFORK) {
67931 p->vfork_done = &vfork;
67932 init_completion(&vfork);
67933 @@ -1549,7 +1596,7 @@ static int unshare_fs(unsigned long unsh
67934 return 0;
67935
67936 /* don't need lock here; in the worst case we'll do useless copy */
67937 - if (fs->users == 1)
67938 + if (atomic_read(&fs->users) == 1)
67939 return 0;
67940
67941 *new_fsp = copy_fs_struct(fs);
67942 @@ -1636,7 +1683,8 @@ SYSCALL_DEFINE1(unshare, unsigned long,
67943 fs = current->fs;
67944 spin_lock(&fs->lock);
67945 current->fs = new_fs;
67946 - if (--fs->users)
67947 + gr_set_chroot_entries(current, &current->fs->root);
67948 + if (atomic_dec_return(&fs->users))
67949 new_fs = NULL;
67950 else
67951 new_fs = fs;
67952 diff -urNp linux-2.6.39.3/kernel/futex.c linux-2.6.39.3/kernel/futex.c
67953 --- linux-2.6.39.3/kernel/futex.c 2011-05-19 00:06:34.000000000 -0400
67954 +++ linux-2.6.39.3/kernel/futex.c 2011-05-22 22:41:57.000000000 -0400
67955 @@ -54,6 +54,7 @@
67956 #include <linux/mount.h>
67957 #include <linux/pagemap.h>
67958 #include <linux/syscalls.h>
67959 +#include <linux/ptrace.h>
67960 #include <linux/signal.h>
67961 #include <linux/module.h>
67962 #include <linux/magic.h>
67963 @@ -236,6 +237,11 @@ get_futex_key(u32 __user *uaddr, int fsh
67964 struct page *page, *page_head;
67965 int err;
67966
67967 +#ifdef CONFIG_PAX_SEGMEXEC
67968 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && address >= SEGMEXEC_TASK_SIZE)
67969 + return -EFAULT;
67970 +#endif
67971 +
67972 /*
67973 * The futex address must be "naturally" aligned.
67974 */
67975 @@ -1833,6 +1839,8 @@ static int futex_wait(u32 __user *uaddr,
67976 struct futex_q q = futex_q_init;
67977 int ret;
67978
67979 + pax_track_stack();
67980 +
67981 if (!bitset)
67982 return -EINVAL;
67983 q.bitset = bitset;
67984 @@ -2229,6 +2237,8 @@ static int futex_wait_requeue_pi(u32 __u
67985 struct futex_q q = futex_q_init;
67986 int res, ret;
67987
67988 + pax_track_stack();
67989 +
67990 if (!bitset)
67991 return -EINVAL;
67992
67993 @@ -2401,7 +2411,9 @@ SYSCALL_DEFINE3(get_robust_list, int, pi
67994 {
67995 struct robust_list_head __user *head;
67996 unsigned long ret;
67997 +#ifndef CONFIG_GRKERNSEC_PROC_MEMMAP
67998 const struct cred *cred = current_cred(), *pcred;
67999 +#endif
68000
68001 if (!futex_cmpxchg_enabled)
68002 return -ENOSYS;
68003 @@ -2417,6 +2429,10 @@ SYSCALL_DEFINE3(get_robust_list, int, pi
68004 if (!p)
68005 goto err_unlock;
68006 ret = -EPERM;
68007 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
68008 + if (!ptrace_may_access(p, PTRACE_MODE_READ))
68009 + goto err_unlock;
68010 +#else
68011 pcred = __task_cred(p);
68012 /* If victim is in different user_ns, then uids are not
68013 comparable, so we must have CAP_SYS_PTRACE */
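Review bot: The switch to `ptrace_may_access(p, PTRACE_MODE_READ)` is keyed on `CONFIG_GRKERNSEC_PROC_MEMMAP`, and nothing here says why an option named after /proc memory maps changes the permission check of a futex syscall. A one-line comment above the `#ifdef` would record the intent, for example `/* robust_list is a user-space address of the target task; gate it like other address disclosure */`. That wording is my reading of the change and should be confirmed by the author. The same applies to the matching hunk in kernel/futex_compat.c. The function continues outside this hunk, where the `ok:` label and the closing `#endif` are added.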
68014 @@ -2431,6 +2447,7 @@ SYSCALL_DEFINE3(get_robust_list, int, pi
68015 !ns_capable(pcred->user->user_ns, CAP_SYS_PTRACE))
68016 goto err_unlock;
68017 ok:
68018 +#endif
68019 head = p->robust_list;
68020 rcu_read_unlock();
68021 }
68022 @@ -2682,6 +2699,7 @@ static int __init futex_init(void)
68023 {
68024 u32 curval;
68025 int i;
68026 + mm_segment_t oldfs;
68027
68028 /*
68029 * This will fail and we want it. Some arch implementations do
68030 @@ -2693,8 +2711,11 @@ static int __init futex_init(void)
68031 * implementation, the non-functional ones will return
68032 * -ENOSYS.
68033 */
68034 + oldfs = get_fs();
68035 + set_fs(USER_DS);
68036 if (cmpxchg_futex_value_locked(&curval, NULL, 0, 0) == -EFAULT)
68037 futex_cmpxchg_enabled = 1;
68038 + set_fs(oldfs);
68039
68040 for (i = 0; i < ARRAY_SIZE(futex_queues); i++) {
68041 plist_head_init(&futex_queues[i].chain, &futex_queues[i].lock);
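Review bot: The `set_fs(USER_DS)` / `set_fs(oldfs)` pair added around the probe in futex_init() has no comment, and the existing comment above it only explains that the NULL access is expected to fail. A line such as `/* run the probe with the user segment limit so the NULL pointer is handled as a user address */` would record why the address limit is switched at init time. That rationale is inferred from the change and should be confirmed. futex_init() starts and ends outside this hunk.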
68042 diff -urNp linux-2.6.39.3/kernel/futex_compat.c linux-2.6.39.3/kernel/futex_compat.c
68043 --- linux-2.6.39.3/kernel/futex_compat.c 2011-05-19 00:06:34.000000000 -0400
68044 +++ linux-2.6.39.3/kernel/futex_compat.c 2011-05-22 22:42:09.000000000 -0400
68045 @@ -10,6 +10,7 @@
68046 #include <linux/compat.h>
68047 #include <linux/nsproxy.h>
68048 #include <linux/futex.h>
68049 +#include <linux/ptrace.h>
68050
68051 #include <asm/uaccess.h>
68052
68053 @@ -136,7 +137,10 @@ compat_sys_get_robust_list(int pid, comp
68054 {
68055 struct compat_robust_list_head __user *head;
68056 unsigned long ret;
68057 - const struct cred *cred = current_cred(), *pcred;
68058 +#ifndef CONFIG_GRKERNSEC_PROC_MEMMAP
68059 + const struct cred *cred = current_cred();
68060 + const struct cred *pcred;
68061 +#endif
68062
68063 if (!futex_cmpxchg_enabled)
68064 return -ENOSYS;
68065 @@ -152,6 +156,10 @@ compat_sys_get_robust_list(int pid, comp
68066 if (!p)
68067 goto err_unlock;
68068 ret = -EPERM;
68069 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
68070 + if (!ptrace_may_access(p, PTRACE_MODE_READ))
68071 + goto err_unlock;
68072 +#else
68073 pcred = __task_cred(p);
68074 /* If victim is in different user_ns, then uids are not
68075 comparable, so we must have CAP_SYS_PTRACE */
68076 @@ -166,6 +174,7 @@ compat_sys_get_robust_list(int pid, comp
68077 !ns_capable(pcred->user->user_ns, CAP_SYS_PTRACE))
68078 goto err_unlock;
68079 ok:
68080 +#endif
68081 head = p->compat_robust_list;
68082 rcu_read_unlock();
68083 }
68084 diff -urNp linux-2.6.39.3/kernel/gcov/base.c linux-2.6.39.3/kernel/gcov/base.c
68085 --- linux-2.6.39.3/kernel/gcov/base.c 2011-05-19 00:06:34.000000000 -0400
68086 +++ linux-2.6.39.3/kernel/gcov/base.c 2011-05-22 19:36:33.000000000 -0400
68087 @@ -102,11 +102,6 @@ void gcov_enable_events(void)
68088 }
68089
68090 #ifdef CONFIG_MODULES
68091 -static inline int within(void *addr, void *start, unsigned long size)
68092 -{
68093 - return ((addr >= start) && (addr < start + size));
68094 -}
68095 -
68096 /* Update list and generate events when modules are unloaded. */
68097 static int gcov_module_notifier(struct notifier_block *nb, unsigned long event,
68098 void *data)
68099 @@ -121,7 +116,7 @@ static int gcov_module_notifier(struct n
68100 prev = NULL;
68101 /* Remove entries located in module from linked list. */
68102 for (info = gcov_info_head; info; info = info->next) {
68103 - if (within(info, mod->module_core, mod->core_size)) {
68104 + if (within_module_core_rw((unsigned long)info, mod)) {
68105 if (prev)
68106 prev->next = info->next;
68107 else
68108 diff -urNp linux-2.6.39.3/kernel/hrtimer.c linux-2.6.39.3/kernel/hrtimer.c
68109 --- linux-2.6.39.3/kernel/hrtimer.c 2011-05-19 00:06:34.000000000 -0400
68110 +++ linux-2.6.39.3/kernel/hrtimer.c 2011-05-22 19:36:33.000000000 -0400
68111 @@ -1383,7 +1383,7 @@ void hrtimer_peek_ahead_timers(void)
68112 local_irq_restore(flags);
68113 }
68114
68115 -static void run_hrtimer_softirq(struct softirq_action *h)
68116 +static void run_hrtimer_softirq(void)
68117 {
68118 hrtimer_peek_ahead_timers();
68119 }
68120 diff -urNp linux-2.6.39.3/kernel/irq/manage.c linux-2.6.39.3/kernel/irq/manage.c
68121 --- linux-2.6.39.3/kernel/irq/manage.c 2011-05-19 00:06:34.000000000 -0400
68122 +++ linux-2.6.39.3/kernel/irq/manage.c 2011-06-13 17:09:06.000000000 -0400
68123 @@ -491,6 +491,9 @@ int irq_set_irq_wake(unsigned int irq, u
68124 struct irq_desc *desc = irq_get_desc_buslock(irq, &flags);
68125 int ret = 0;
68126
68127 + if (!desc)
68128 + return -EINVAL;
68129 +
68130 /* wakeup-capable irqs can be shared between drivers that
68131 * don't need to have the same sleep mode behaviors.
68132 */
68133 diff -urNp linux-2.6.39.3/kernel/jump_label.c linux-2.6.39.3/kernel/jump_label.c
68134 --- linux-2.6.39.3/kernel/jump_label.c 2011-05-19 00:06:34.000000000 -0400
68135 +++ linux-2.6.39.3/kernel/jump_label.c 2011-05-22 19:36:33.000000000 -0400
68136 @@ -49,6 +49,17 @@ void jump_label_unlock(void)
68137 mutex_unlock(&jump_label_mutex);
68138 }
68139
68140 +static void jump_label_swap(void *a, void *b, int size)
68141 +{
68142 + struct jump_entry t;
68143 +
68144 + t = *(struct jump_entry *)a;
68145 + pax_open_kernel();
68146 + *(struct jump_entry *)a = *(struct jump_entry *)b;
68147 + *(struct jump_entry *)b = t;
68148 + pax_close_kernel();
68149 +}
68150 +
68151 static int jump_label_cmp(const void *a, const void *b)
68152 {
68153 const struct jump_entry *jea = a;
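Review bot: jump_label_swap() ignores its `size` argument and always copies a whole `struct jump_entry`, which is only correct while sort() is called with `sizeof(struct jump_entry)`, as it is in sort_jump_label_entries(). A short comment would document both that assumption and why a custom swap is needed, e.g. `/* the table is written inside pax_open_kernel(); size is always sizeof(struct jump_entry) */`. That the table is otherwise write-protected is inferred from the use of pax_open_kernel() and should be confirmed.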
68154 @@ -70,7 +81,7 @@ sort_jump_label_entries(struct jump_entr
68155
68156 size = (((unsigned long)stop - (unsigned long)start)
68157 / sizeof(struct jump_entry));
68158 - sort(start, size, sizeof(struct jump_entry), jump_label_cmp, NULL);
68159 + sort(start, size, sizeof(struct jump_entry), jump_label_cmp, jump_label_swap);
68160 }
68161
68162 static struct jump_label_entry *get_jump_label_entry(jump_label_t key)
68163 @@ -407,8 +418,11 @@ static void remove_jump_label_module_ini
68164 count = e_module->nr_entries;
68165 iter = e_module->table;
68166 while (count--) {
68167 - if (within_module_init(iter->code, mod))
68168 + if (within_module_init(iter->code, mod)) {
68169 + pax_open_kernel();
68170 iter->key = 0;
68171 + pax_close_kernel();
68172 + }
68173 iter++;
68174 }
68175 }
68176 diff -urNp linux-2.6.39.3/kernel/kallsyms.c linux-2.6.39.3/kernel/kallsyms.c
68177 --- linux-2.6.39.3/kernel/kallsyms.c 2011-05-19 00:06:34.000000000 -0400
68178 +++ linux-2.6.39.3/kernel/kallsyms.c 2011-05-22 19:41:42.000000000 -0400
68179 @@ -11,6 +11,9 @@
68180 * Changed the compression method from stem compression to "table lookup"
68181 * compression (see scripts/kallsyms.c for a more complete description)
68182 */
68183 +#ifdef CONFIG_GRKERNSEC_HIDESYM
68184 +#define __INCLUDED_BY_HIDESYM 1
68185 +#endif
68186 #include <linux/kallsyms.h>
68187 #include <linux/module.h>
68188 #include <linux/init.h>
68189 @@ -53,12 +56,33 @@ extern const unsigned long kallsyms_mark
68190
68191 static inline int is_kernel_inittext(unsigned long addr)
68192 {
68193 + if (system_state != SYSTEM_BOOTING)
68194 + return 0;
68195 +
68196 if (addr >= (unsigned long)_sinittext
68197 && addr <= (unsigned long)_einittext)
68198 return 1;
68199 return 0;
68200 }
68201
68202 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
68203 +#ifdef CONFIG_MODULES
68204 +static inline int is_module_text(unsigned long addr)
68205 +{
68206 + if ((unsigned long)MODULES_EXEC_VADDR <= addr && addr <= (unsigned long)MODULES_EXEC_END)
68207 + return 1;
68208 +
68209 + addr = ktla_ktva(addr);
68210 + return (unsigned long)MODULES_EXEC_VADDR <= addr && addr <= (unsigned long)MODULES_EXEC_END;
68211 +}
68212 +#else
68213 +static inline int is_module_text(unsigned long addr)
68214 +{
68215 + return 0;
68216 +}
68217 +#endif
68218 +#endif
68219 +
68220 static inline int is_kernel_text(unsigned long addr)
68221 {
68222 if ((addr >= (unsigned long)_stext && addr <= (unsigned long)_etext) ||
68223 @@ -69,13 +93,28 @@ static inline int is_kernel_text(unsigne
68224
68225 static inline int is_kernel(unsigned long addr)
68226 {
68227 +
68228 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
68229 + if (is_kernel_text(addr) || is_kernel_inittext(addr))
68230 + return 1;
68231 +
68232 + if (ktla_ktva((unsigned long)_text) <= addr && addr < (unsigned long)_end)
68233 +#else
68234 if (addr >= (unsigned long)_stext && addr <= (unsigned long)_end)
68235 +#endif
68236 +
68237 return 1;
68238 return in_gate_area_no_mm(addr);
68239 }
68240
68241 static int is_ksym_addr(unsigned long addr)
68242 {
68243 +
68244 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
68245 + if (is_module_text(addr))
68246 + return 0;
68247 +#endif
68248 +
68249 if (all_var)
68250 return is_kernel(addr);
68251
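Review bot: In is_kernel() the `#if`/`#else` selects only the `if (...)` line and both branches share the single `return 1;` after `#endif`, so the statement cannot be read or edited without resolving the preprocessor in one's head. Giving each branch a complete statement is safer: `if (ktla_ktva((unsigned long)_text) <= addr && addr < (unsigned long)_end) return 1;` under KERNEXEC and `if (addr >= (unsigned long)_stext && addr <= (unsigned long)_end) return 1;` otherwise. The two branches also differ in the upper bound (`<` against `<=`) and in the start symbol (`_text` against `_stext`) without a comment saying whether that is deliberate.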
68252 @@ -454,7 +493,6 @@ static unsigned long get_ksymbol_core(st
68253
68254 static void reset_iter(struct kallsym_iter *iter, loff_t new_pos)
68255 {
68256 - iter->name[0] = '\0';
68257 iter->nameoff = get_symbol_offset(new_pos);
68258 iter->pos = new_pos;
68259 }
68260 @@ -502,6 +540,11 @@ static int s_show(struct seq_file *m, vo
68261 {
68262 struct kallsym_iter *iter = m->private;
68263
68264 +#ifdef CONFIG_GRKERNSEC_HIDESYM
68265 + if (current_uid())
68266 + return 0;
68267 +#endif
68268 +
68269 /* Some debugging symbols have no name. Ignore them. */
68270 if (!iter->name[0])
68271 return 0;
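Review bot: The HIDESYM check in s_show() tests `current_uid()` each time a record is shown, so the decision follows whichever task performs the read rather than the task that opened the file, and it looks at the real uid only. If the intent is that symbol addresses are shown only to an entitled opener, the decision is better taken once in kallsyms_open() and stored in the iterator, or based on a capability. As written, a descriptor inherited by a process with a different uid gets that process's answer. At minimum a comment should state which behaviour is intended, e.g. `/* decided per read, against the reader's real uid */`. s_show() continues outside this hunk.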
68272 @@ -540,7 +583,7 @@ static int kallsyms_open(struct inode *i
68273 struct kallsym_iter *iter;
68274 int ret;
68275
68276 - iter = kmalloc(sizeof(*iter), GFP_KERNEL);
68277 + iter = kzalloc(sizeof(*iter), GFP_KERNEL);
68278 if (!iter)
68279 return -ENOMEM;
68280 reset_iter(iter, 0);
68281 diff -urNp linux-2.6.39.3/kernel/kmod.c linux-2.6.39.3/kernel/kmod.c
68282 --- linux-2.6.39.3/kernel/kmod.c 2011-05-19 00:06:34.000000000 -0400
68283 +++ linux-2.6.39.3/kernel/kmod.c 2011-05-22 19:41:42.000000000 -0400
68284 @@ -65,13 +65,12 @@ char modprobe_path[KMOD_PATH_LEN] = "/sb
68285 * If module auto-loading support is disabled then this function
68286 * becomes a no-operation.
68287 */
68288 -int __request_module(bool wait, const char *fmt, ...)
68289 +static int ____request_module(bool wait, char *module_param, const char *fmt, va_list ap)
68290 {
68291 - va_list args;
68292 char module_name[MODULE_NAME_LEN];
68293 unsigned int max_modprobes;
68294 int ret;
68295 - char *argv[] = { modprobe_path, "-q", "--", module_name, NULL };
68296 + char *argv[] = { modprobe_path, "-q", "--", module_name, module_param, NULL };
68297 static char *envp[] = { "HOME=/",
68298 "TERM=linux",
68299 "PATH=/sbin:/usr/sbin:/bin:/usr/bin",
68300 @@ -80,9 +79,7 @@ int __request_module(bool wait, const ch
68301 #define MAX_KMOD_CONCURRENT 50 /* Completely arbitrary value - KAO */
68302 static int kmod_loop_msg;
68303
68304 - va_start(args, fmt);
68305 - ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, args);
68306 - va_end(args);
68307 + ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, ap);
68308 if (ret >= MODULE_NAME_LEN)
68309 return -ENAMETOOLONG;
68310
68311 @@ -90,6 +87,20 @@ int __request_module(bool wait, const ch
68312 if (ret)
68313 return ret;
68314
68315 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
68316 + if (!current_uid()) {
68317 + /* hack to workaround consolekit/udisks stupidity */
68318 + read_lock(&tasklist_lock);
68319 + if (!strcmp(current->comm, "mount") &&
68320 + current->real_parent && !strncmp(current->real_parent->comm, "udisk", 5)) {
68321 + read_unlock(&tasklist_lock);
68322 + printk(KERN_ALERT "grsec: denied attempt to auto-load fs module %.64s by udisks\n", module_name);
68323 + return -EPERM;
68324 + }
68325 + read_unlock(&tasklist_lock);
68326 + }
68327 +#endif
68328 +
68329 /* If modprobe needs a service that is in a module, we get a recursive
68330 * loop. Limit the number of running kmod threads to max_threads/2 or
68331 * MAX_KMOD_CONCURRENT, whichever is the smaller. A cleaner method
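Review bot: The MODHARDEN exception identifies the caller by `current->comm` and by the first five bytes of the parent's `comm`, which are task-settable labels rather than an identity. The block is therefore a compatibility heuristic, and the comment should say so instead of `hack to workaround consolekit/udisks stupidity`. The log line also says `fs module`, although nothing in this branch checks that the requested module is a filesystem. Suggested comment: `/* heuristic: refuse auto-loads triggered by mount when its parent is named udisk*; comm is not authenticated */`. The function continues outside this hunk.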
68332 @@ -123,6 +134,47 @@ int __request_module(bool wait, const ch
68333 atomic_dec(&kmod_concurrent);
68334 return ret;
68335 }
68336 +
68337 +int ___request_module(bool wait, char *module_param, const char *fmt, ...)
68338 +{
68339 + va_list args;
68340 + int ret;
68341 +
68342 + va_start(args, fmt);
68343 + ret = ____request_module(wait, module_param, fmt, args);
68344 + va_end(args);
68345 +
68346 + return ret;
68347 +}
68348 +
68349 +int __request_module(bool wait, const char *fmt, ...)
68350 +{
68351 + va_list args;
68352 + int ret;
68353 +
68354 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
68355 + if (current_uid()) {
68356 + char module_param[MODULE_NAME_LEN];
68357 +
68358 + memset(module_param, 0, sizeof(module_param));
68359 +
68360 + snprintf(module_param, sizeof(module_param) - 1, "grsec_modharden_normal%u_", current_uid());
68361 +
68362 + va_start(args, fmt);
68363 + ret = ____request_module(wait, module_param, fmt, args);
68364 + va_end(args);
68365 +
68366 + return ret;
68367 + }
68368 +#endif
68369 +
68370 + va_start(args, fmt);
68371 + ret = ____request_module(wait, NULL, fmt, args);
68372 + va_end(args);
68373 +
68374 + return ret;
68375 +}
68376 +
68377 EXPORT_SYMBOL(__request_module);
68378 #endif /* CONFIG_MODULES */
68379
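Review bot: The kernel-doc block that used to describe `__request_module()` now sits above the static `____request_module()` (its tail is visible in the earlier hunk), leaving the exported `__request_module()` and the new `___request_module()` undocumented. Nothing explains that `module_param` is handed to modprobe as an extra argv entry after the module name, or that a NULL value simply ends argv early. I would add a short comment above `___request_module()` describing that parameter, and another above `__request_module()` saying that non-root callers get a `grsec_modharden_normal<uid>_` argument appended. Separately, the `memset()` followed by `snprintf(..., sizeof(module_param) - 1, ...)` is redundant, since snprintf() terminates within the size it is given; `snprintf(module_param, sizeof(module_param), "grsec_modharden_normal%u_", current_uid());` is enough.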
68380 diff -urNp linux-2.6.39.3/kernel/kprobes.c linux-2.6.39.3/kernel/kprobes.c
68381 --- linux-2.6.39.3/kernel/kprobes.c 2011-05-19 00:06:34.000000000 -0400
68382 +++ linux-2.6.39.3/kernel/kprobes.c 2011-05-22 19:36:33.000000000 -0400
68383 @@ -185,7 +185,7 @@ static kprobe_opcode_t __kprobes *__get_
68384 * kernel image and loaded module images reside. This is required
68385 * so x86_64 can correctly handle the %rip-relative fixups.
68386 */
68387 - kip->insns = module_alloc(PAGE_SIZE);
68388 + kip->insns = module_alloc_exec(PAGE_SIZE);
68389 if (!kip->insns) {
68390 kfree(kip);
68391 return NULL;
68392 @@ -225,7 +225,7 @@ static int __kprobes collect_one_slot(st
68393 */
68394 if (!list_is_singular(&kip->list)) {
68395 list_del(&kip->list);
68396 - module_free(NULL, kip->insns);
68397 + module_free_exec(NULL, kip->insns);
68398 kfree(kip);
68399 }
68400 return 1;
68401 @@ -1936,7 +1936,7 @@ static int __init init_kprobes(void)
68402 {
68403 int i, err = 0;
68404 unsigned long offset = 0, size = 0;
68405 - char *modname, namebuf[128];
68406 + char *modname, namebuf[KSYM_NAME_LEN];
68407 const char *symbol_name;
68408 void *addr;
68409 struct kprobe_blackpoint *kb;
68410 @@ -2062,7 +2062,7 @@ static int __kprobes show_kprobe_addr(st
68411 const char *sym = NULL;
68412 unsigned int i = *(loff_t *) v;
68413 unsigned long offset = 0;
68414 - char *modname, namebuf[128];
68415 + char *modname, namebuf[KSYM_NAME_LEN];
68416
68417 head = &kprobe_table[i];
68418 preempt_disable();
68419 diff -urNp linux-2.6.39.3/kernel/lockdep.c linux-2.6.39.3/kernel/lockdep.c
68420 --- linux-2.6.39.3/kernel/lockdep.c 2011-06-25 12:55:23.000000000 -0400
68421 +++ linux-2.6.39.3/kernel/lockdep.c 2011-06-25 13:00:28.000000000 -0400
68422 @@ -571,6 +571,10 @@ static int static_obj(void *obj)
68423 end = (unsigned long) &_end,
68424 addr = (unsigned long) obj;
68425
68426 +#ifdef CONFIG_PAX_KERNEXEC
68427 + start = ktla_ktva(start);
68428 +#endif
68429 +
68430 /*
68431 * static variable?
68432 */
68433 @@ -706,6 +710,7 @@ register_lock_class(struct lockdep_map *
68434 if (!static_obj(lock->key)) {
68435 debug_locks_off();
68436 printk("INFO: trying to register non-static key.\n");
68437 + printk("lock:%pS key:%pS.\n", lock, lock->key);
68438 printk("the code is fine but needs lockdep annotation.\n");
68439 printk("turning off the locking correctness validator.\n");
68440 dump_stack();
68441 @@ -2752,7 +2757,7 @@ static int __lock_acquire(struct lockdep
68442 if (!class)
68443 return 0;
68444 }
68445 - atomic_inc((atomic_t *)&class->ops);
68446 + atomic_inc_unchecked((atomic_unchecked_t *)&class->ops);
68447 if (very_verbose(class)) {
68448 printk("\nacquire class [%p] %s", class->key, class->name);
68449 if (class->name_version > 1)
68450 diff -urNp linux-2.6.39.3/kernel/lockdep_proc.c linux-2.6.39.3/kernel/lockdep_proc.c
68451 --- linux-2.6.39.3/kernel/lockdep_proc.c 2011-05-19 00:06:34.000000000 -0400
68452 +++ linux-2.6.39.3/kernel/lockdep_proc.c 2011-05-22 19:36:33.000000000 -0400
68453 @@ -39,7 +39,7 @@ static void l_stop(struct seq_file *m, v
68454
68455 static void print_name(struct seq_file *m, struct lock_class *class)
68456 {
68457 - char str[128];
68458 + char str[KSYM_NAME_LEN];
68459 const char *name = class->name;
68460
68461 if (!name) {
68462 diff -urNp linux-2.6.39.3/kernel/module.c linux-2.6.39.3/kernel/module.c
68463 --- linux-2.6.39.3/kernel/module.c 2011-05-19 00:06:34.000000000 -0400
68464 +++ linux-2.6.39.3/kernel/module.c 2011-05-22 19:41:42.000000000 -0400
68465 @@ -57,6 +57,7 @@
68466 #include <linux/kmemleak.h>
68467 #include <linux/jump_label.h>
68468 #include <linux/pfn.h>
68469 +#include <linux/grsecurity.h>
68470
68471 #define CREATE_TRACE_POINTS
68472 #include <trace/events/module.h>
68473 @@ -118,7 +119,8 @@ static BLOCKING_NOTIFIER_HEAD(module_not
68474
68475 /* Bounds of module allocation, for speeding __module_address.
68476 * Protected by module_mutex. */
68477 -static unsigned long module_addr_min = -1UL, module_addr_max = 0;
68478 +static unsigned long module_addr_min_rw = -1UL, module_addr_max_rw = 0;
68479 +static unsigned long module_addr_min_rx = -1UL, module_addr_max_rx = 0;
68480
68481 int register_module_notifier(struct notifier_block * nb)
68482 {
68483 @@ -282,7 +284,7 @@ bool each_symbol(bool (*fn)(const struct
68484 return true;
68485
68486 list_for_each_entry_rcu(mod, &modules, list) {
68487 - struct symsearch arr[] = {
68488 + struct symsearch modarr[] = {
68489 { mod->syms, mod->syms + mod->num_syms, mod->crcs,
68490 NOT_GPL_ONLY, false },
68491 { mod->gpl_syms, mod->gpl_syms + mod->num_gpl_syms,
68492 @@ -304,7 +306,7 @@ bool each_symbol(bool (*fn)(const struct
68493 #endif
68494 };
68495
68496 - if (each_symbol_in_section(arr, ARRAY_SIZE(arr), mod, fn, data))
68497 + if (each_symbol_in_section(modarr, ARRAY_SIZE(modarr), mod, fn, data))
68498 return true;
68499 }
68500 return false;
68501 @@ -415,7 +417,7 @@ static inline void __percpu *mod_percpu(
68502 static int percpu_modalloc(struct module *mod,
68503 unsigned long size, unsigned long align)
68504 {
68505 - if (align > PAGE_SIZE) {
68506 + if (align-1 >= PAGE_SIZE) {
68507 printk(KERN_WARNING "%s: per-cpu alignment %li > %li\n",
68508 mod->name, align, PAGE_SIZE);
68509 align = PAGE_SIZE;
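Review bot: With `align-1 >= PAGE_SIZE` the branch now also catches `align == 0`, because the subtraction wraps, but the warning still prints `per-cpu alignment %li > %li`, which is misleading for a zero alignment and formats unsigned long values as signed. I would reword it to `printk(KERN_WARNING "%s: bad per-cpu alignment %lu (max %lu)\n", mod->name, align, PAGE_SIZE);` and add `/* align - 1 wraps for align == 0, so zero is rejected too */` above the test so the idiom is not "simplified" back later. The function body continues outside this hunk.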
68510 @@ -1143,7 +1145,7 @@ resolve_symbol_wait(struct module *mod,
68511 */
68512 #ifdef CONFIG_SYSFS
68513
68514 -#ifdef CONFIG_KALLSYMS
68515 +#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
68516 static inline bool sect_empty(const Elf_Shdr *sect)
68517 {
68518 return !(sect->sh_flags & SHF_ALLOC) || sect->sh_size == 0;
68519 @@ -1612,17 +1614,17 @@ void unset_section_ro_nx(struct module *
68520 {
68521 unsigned long total_pages;
68522
68523 - if (mod->module_core == module_region) {
68524 + if (mod->module_core_rx == module_region) {
68525 /* Set core as NX+RW */
68526 - total_pages = MOD_NUMBER_OF_PAGES(mod->module_core, mod->core_size);
68527 - set_memory_nx((unsigned long)mod->module_core, total_pages);
68528 - set_memory_rw((unsigned long)mod->module_core, total_pages);
68529 + total_pages = MOD_NUMBER_OF_PAGES(mod->module_core_rx, mod->core_size_rx);
68530 + set_memory_nx((unsigned long)mod->module_core_rx, total_pages);
68531 + set_memory_rw((unsigned long)mod->module_core_rx, total_pages);
68532
68533 - } else if (mod->module_init == module_region) {
68534 + } else if (mod->module_init_rx == module_region) {
68535 /* Set init as NX+RW */
68536 - total_pages = MOD_NUMBER_OF_PAGES(mod->module_init, mod->init_size);
68537 - set_memory_nx((unsigned long)mod->module_init, total_pages);
68538 - set_memory_rw((unsigned long)mod->module_init, total_pages);
68539 + total_pages = MOD_NUMBER_OF_PAGES(mod->module_init_rx, mod->init_size_rx);
68540 + set_memory_nx((unsigned long)mod->module_init_rx, total_pages);
68541 + set_memory_rw((unsigned long)mod->module_init_rx, total_pages);
68542 }
68543 }
68544
68545 @@ -1633,14 +1635,14 @@ void set_all_modules_text_rw()
68546
68547 mutex_lock(&module_mutex);
68548 list_for_each_entry_rcu(mod, &modules, list) {
68549 - if ((mod->module_core) && (mod->core_text_size)) {
68550 - set_page_attributes(mod->module_core,
68551 - mod->module_core + mod->core_text_size,
68552 + if ((mod->module_core_rx) && (mod->core_size_rx)) {
68553 + set_page_attributes(mod->module_core_rx,
68554 + mod->module_core_rx + mod->core_size_rx,
68555 set_memory_rw);
68556 }
68557 - if ((mod->module_init) && (mod->init_text_size)) {
68558 - set_page_attributes(mod->module_init,
68559 - mod->module_init + mod->init_text_size,
68560 + if ((mod->module_init_rx) && (mod->init_size_rx)) {
68561 + set_page_attributes(mod->module_init_rx,
68562 + mod->module_init_rx + mod->init_size_rx,
68563 set_memory_rw);
68564 }
68565 }
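Review bot: `set_all_modules_text_rw()` now changes the whole `module_core_rx`/`module_init_rx` region instead of the `core_text_size`/`init_text_size` prefix. According to the layout_sections() change later in this patch, every allocated section without `SHF_WRITE` is placed in that region, so read-only data appears to become writable together with text while the window is open. If that is intended, a comment should say so, e.g. `/* the rx region holds text and read-only data; both are made writable here */`; otherwise the range should be limited to the executable part. The same applies to `set_all_modules_text_ro()` in the next hunk. Both functions start outside their hunks.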
68566 @@ -1654,14 +1656,14 @@ void set_all_modules_text_ro()
68567
68568 mutex_lock(&module_mutex);
68569 list_for_each_entry_rcu(mod, &modules, list) {
68570 - if ((mod->module_core) && (mod->core_text_size)) {
68571 - set_page_attributes(mod->module_core,
68572 - mod->module_core + mod->core_text_size,
68573 + if ((mod->module_core_rx) && (mod->core_size_rx)) {
68574 + set_page_attributes(mod->module_core_rx,
68575 + mod->module_core_rx + mod->core_size_rx,
68576 set_memory_ro);
68577 }
68578 - if ((mod->module_init) && (mod->init_text_size)) {
68579 - set_page_attributes(mod->module_init,
68580 - mod->module_init + mod->init_text_size,
68581 + if ((mod->module_init_rx) && (mod->init_size_rx)) {
68582 + set_page_attributes(mod->module_init_rx,
68583 + mod->module_init_rx + mod->init_size_rx,
68584 set_memory_ro);
68585 }
68586 }
68587 @@ -1696,17 +1698,20 @@ static void free_module(struct module *m
68588 destroy_params(mod->kp, mod->num_kp);
68589
68590 /* This may be NULL, but that's OK */
68591 - unset_section_ro_nx(mod, mod->module_init);
68592 - module_free(mod, mod->module_init);
68593 + unset_section_ro_nx(mod, mod->module_init_rx);
68594 + module_free(mod, mod->module_init_rw);
68595 + module_free_exec(mod, mod->module_init_rx);
68596 kfree(mod->args);
68597 percpu_modfree(mod);
68598
68599 /* Free lock-classes: */
68600 - lockdep_free_key_range(mod->module_core, mod->core_size);
68601 + lockdep_free_key_range(mod->module_core_rx, mod->core_size_rx);
68602 + lockdep_free_key_range(mod->module_core_rw, mod->core_size_rw);
68603
68604 /* Finally, free the core (containing the module structure) */
68605 - unset_section_ro_nx(mod, mod->module_core);
68606 - module_free(mod, mod->module_core);
68607 + unset_section_ro_nx(mod, mod->module_core_rx);
68608 + module_free_exec(mod, mod->module_core_rx);
68609 + module_free(mod, mod->module_core_rw);
68610
68611 #ifdef CONFIG_MPU
68612 update_protections(current->mm);
68613 @@ -1775,10 +1780,31 @@ static int simplify_symbols(struct modul
68614 unsigned int i;
68615 int ret = 0;
68616 const struct kernel_symbol *ksym;
68617 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
68618 + int is_fs_load = 0;
68619 + int register_filesystem_found = 0;
68620 + char *p;
68621 +
68622 + p = strstr(mod->args, "grsec_modharden_fs");
68623 + if (p) {
68624 + char *endptr = p + strlen("grsec_modharden_fs");
68625 + /* copy \0 as well */
68626 + memmove(p, endptr, strlen(mod->args) - (unsigned int)(endptr - mod->args) + 1);
68627 + is_fs_load = 1;
68628 + }
68629 +#endif
68630
68631 for (i = 1; i < symsec->sh_size / sizeof(Elf_Sym); i++) {
68632 const char *name = info->strtab + sym[i].st_name;
68633
68634 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
68635 + /* it's a real shame this will never get ripped and copied
68636 + upstream! ;(
68637 + */
68638 + if (is_fs_load && !strcmp(name, "register_filesystem"))
68639 + register_filesystem_found = 1;
68640 +#endif
68641 +
68642 switch (sym[i].st_shndx) {
68643 case SHN_COMMON:
68644 /* We compiled with -fno-common. These are not
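Review bot: The `grsec_modharden_fs` marker is located with `strstr()` over the whole `mod->args` string, so it is matched anywhere, including inside another parameter's value, before being cut out with `memmove()`. The in-band protocol it implements is not described anywhere in this hunk. I would replace the comment `it's a real shame this will never get ripped and copied upstream! ;(` with one that states the rule being enforced, e.g. `/* a module auto-loaded on behalf of mount must import register_filesystem */`. A line above the `strstr()` should also say which caller places the marker in the arguments. simplify_symbols() continues outside this hunk; the `-EPERM` result is set in a later hunk.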
68645 @@ -1799,7 +1825,9 @@ static int simplify_symbols(struct modul
68646 ksym = resolve_symbol_wait(mod, info, name);
68647 /* Ok if resolved. */
68648 if (ksym && !IS_ERR(ksym)) {
68649 + pax_open_kernel();
68650 sym[i].st_value = ksym->value;
68651 + pax_close_kernel();
68652 break;
68653 }
68654
68655 @@ -1818,11 +1846,20 @@ static int simplify_symbols(struct modul
68656 secbase = (unsigned long)mod_percpu(mod);
68657 else
68658 secbase = info->sechdrs[sym[i].st_shndx].sh_addr;
68659 + pax_open_kernel();
68660 sym[i].st_value += secbase;
68661 + pax_close_kernel();
68662 break;
68663 }
68664 }
68665
68666 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
68667 + if (is_fs_load && !register_filesystem_found) {
68668 + printk(KERN_ALERT "grsec: Denied attempt to load non-fs module %.64s through mount\n", mod->name);
68669 + ret = -EPERM;
68670 + }
68671 +#endif
68672 +
68673 return ret;
68674 }
68675
68676 @@ -1906,22 +1943,12 @@ static void layout_sections(struct modul
68677 || s->sh_entsize != ~0UL
68678 || strstarts(sname, ".init"))
68679 continue;
68680 - s->sh_entsize = get_offset(mod, &mod->core_size, s, i);
68681 + if ((s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC))
68682 + s->sh_entsize = get_offset(mod, &mod->core_size_rw, s, i);
68683 + else
68684 + s->sh_entsize = get_offset(mod, &mod->core_size_rx, s, i);
68685 DEBUGP("\t%s\n", name);
68686 }
68687 - switch (m) {
68688 - case 0: /* executable */
68689 - mod->core_size = debug_align(mod->core_size);
68690 - mod->core_text_size = mod->core_size;
68691 - break;
68692 - case 1: /* RO: text and ro-data */
68693 - mod->core_size = debug_align(mod->core_size);
68694 - mod->core_ro_size = mod->core_size;
68695 - break;
68696 - case 3: /* whole core */
68697 - mod->core_size = debug_align(mod->core_size);
68698 - break;
68699 - }
68700 }
68701
68702 DEBUGP("Init section allocation order:\n");
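Review bot: The predicate `(s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC)` that picks the rw or rx region is written out here, again in the init loop of the next hunk, and twice more in move_module(). If those copies ever diverge, a section's offset would be computed against one region and its data copied into the other. A small helper such as `static inline bool section_is_rw(const Elf_Shdr *s)` used at all four sites would keep layout and copy in step. layout_sections() begins outside this hunk.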
68703 @@ -1935,23 +1962,13 @@ static void layout_sections(struct modul
68704 || s->sh_entsize != ~0UL
68705 || !strstarts(sname, ".init"))
68706 continue;
68707 - s->sh_entsize = (get_offset(mod, &mod->init_size, s, i)
68708 - | INIT_OFFSET_MASK);
68709 + if ((s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC))
68710 + s->sh_entsize = get_offset(mod, &mod->init_size_rw, s, i);
68711 + else
68712 + s->sh_entsize = get_offset(mod, &mod->init_size_rx, s, i);
68713 + s->sh_entsize |= INIT_OFFSET_MASK;
68714 DEBUGP("\t%s\n", sname);
68715 }
68716 - switch (m) {
68717 - case 0: /* executable */
68718 - mod->init_size = debug_align(mod->init_size);
68719 - mod->init_text_size = mod->init_size;
68720 - break;
68721 - case 1: /* RO: text and ro-data */
68722 - mod->init_size = debug_align(mod->init_size);
68723 - mod->init_ro_size = mod->init_size;
68724 - break;
68725 - case 3: /* whole init */
68726 - mod->init_size = debug_align(mod->init_size);
68727 - break;
68728 - }
68729 }
68730 }
68731
68732 @@ -2119,7 +2136,7 @@ static void layout_symtab(struct module
68733
68734 /* Put symbol section at end of init part of module. */
68735 symsect->sh_flags |= SHF_ALLOC;
68736 - symsect->sh_entsize = get_offset(mod, &mod->init_size, symsect,
68737 + symsect->sh_entsize = get_offset(mod, &mod->init_size_rx, symsect,
68738 info->index.sym) | INIT_OFFSET_MASK;
68739 DEBUGP("\t%s\n", info->secstrings + symsect->sh_name);
68740
68741 @@ -2136,19 +2153,19 @@ static void layout_symtab(struct module
68742 }
68743
68744 /* Append room for core symbols at end of core part. */
68745 - info->symoffs = ALIGN(mod->core_size, symsect->sh_addralign ?: 1);
68746 - mod->core_size = info->symoffs + ndst * sizeof(Elf_Sym);
68747 + info->symoffs = ALIGN(mod->core_size_rx, symsect->sh_addralign ?: 1);
68748 + mod->core_size_rx = info->symoffs + ndst * sizeof(Elf_Sym);
68749
68750 /* Put string table section at end of init part of module. */
68751 strsect->sh_flags |= SHF_ALLOC;
68752 - strsect->sh_entsize = get_offset(mod, &mod->init_size, strsect,
68753 + strsect->sh_entsize = get_offset(mod, &mod->init_size_rx, strsect,
68754 info->index.str) | INIT_OFFSET_MASK;
68755 DEBUGP("\t%s\n", info->secstrings + strsect->sh_name);
68756
68757 /* Append room for core symbols' strings at end of core part. */
68758 - info->stroffs = mod->core_size;
68759 + info->stroffs = mod->core_size_rx;
68760 __set_bit(0, info->strmap);
68761 - mod->core_size += bitmap_weight(info->strmap, strsect->sh_size);
68762 + mod->core_size_rx += bitmap_weight(info->strmap, strsect->sh_size);
68763 }
68764
68765 static void add_kallsyms(struct module *mod, const struct load_info *info)
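Review bot: The comments in layout_symtab() still say "end of init part" and "end of core part", but the offsets are now taken from `init_size_rx` and `core_size_rx`, so the symbol and string tables land in the read-only/executable regions. That placement is why add_kallsyms() later has to wrap its writes in `pax_open_kernel()`/`pax_close_kernel()`, and the comments should say so, for example `/* Append room for core symbols at end of the core rx region (written later under pax_open_kernel()). */`. layout_symtab() begins outside this hunk.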
68766 @@ -2164,11 +2181,13 @@ static void add_kallsyms(struct module *
68767 /* Make sure we get permanent strtab: don't use info->strtab. */
68768 mod->strtab = (void *)info->sechdrs[info->index.str].sh_addr;
68769
68770 + pax_open_kernel();
68771 +
68772 /* Set types up while we still have access to sections. */
68773 for (i = 0; i < mod->num_symtab; i++)
68774 mod->symtab[i].st_info = elf_type(&mod->symtab[i], info);
68775
68776 - mod->core_symtab = dst = mod->module_core + info->symoffs;
68777 + mod->core_symtab = dst = mod->module_core_rx + info->symoffs;
68778 src = mod->symtab;
68779 *dst = *src;
68780 for (ndst = i = 1; i < mod->num_symtab; ++i, ++src) {
68781 @@ -2181,10 +2200,12 @@ static void add_kallsyms(struct module *
68782 }
68783 mod->core_num_syms = ndst;
68784
68785 - mod->core_strtab = s = mod->module_core + info->stroffs;
68786 + mod->core_strtab = s = mod->module_core_rx + info->stroffs;
68787 for (*s = 0, i = 1; i < info->sechdrs[info->index.str].sh_size; ++i)
68788 if (test_bit(i, info->strmap))
68789 *++s = mod->strtab[i];
68790 +
68791 + pax_close_kernel();
68792 }
68793 #else
68794 static inline void layout_symtab(struct module *mod, struct load_info *info)
68795 @@ -2213,17 +2234,33 @@ static void dynamic_debug_remove(struct
68796 ddebug_remove_module(debug->modname);
68797 }
68798
68799 -static void *module_alloc_update_bounds(unsigned long size)
68800 +static void *module_alloc_update_bounds_rw(unsigned long size)
68801 {
68802 void *ret = module_alloc(size);
68803
68804 if (ret) {
68805 mutex_lock(&module_mutex);
68806 /* Update module bounds. */
68807 - if ((unsigned long)ret < module_addr_min)
68808 - module_addr_min = (unsigned long)ret;
68809 - if ((unsigned long)ret + size > module_addr_max)
68810 - module_addr_max = (unsigned long)ret + size;
68811 + if ((unsigned long)ret < module_addr_min_rw)
68812 + module_addr_min_rw = (unsigned long)ret;
68813 + if ((unsigned long)ret + size > module_addr_max_rw)
68814 + module_addr_max_rw = (unsigned long)ret + size;
68815 + mutex_unlock(&module_mutex);
68816 + }
68817 + return ret;
68818 +}
68819 +
68820 +static void *module_alloc_update_bounds_rx(unsigned long size)
68821 +{
68822 + void *ret = module_alloc_exec(size);
68823 +
68824 + if (ret) {
68825 + mutex_lock(&module_mutex);
68826 + /* Update module bounds. */
68827 + if ((unsigned long)ret < module_addr_min_rx)
68828 + module_addr_min_rx = (unsigned long)ret;
68829 + if ((unsigned long)ret + size > module_addr_max_rx)
68830 + module_addr_max_rx = (unsigned long)ret + size;
68831 mutex_unlock(&module_mutex);
68832 }
68833 return ret;
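Review bot: module_alloc_update_bounds_rw() and module_alloc_update_bounds_rx() are line-for-line copies that differ only in the allocator called and the pair of bounds variables updated. Sharing the locked bounds update in one helper leaves each wrapper with just its allocator call and removes the chance of fixing one copy and not the other. The closing brace of the rx variant is outside the hunk.

```c
static void module_update_bounds(void *ret, unsigned long size,
				 unsigned long *min, unsigned long *max)
{
	mutex_lock(&module_mutex);
	if ((unsigned long)ret < *min)
		*min = (unsigned long)ret;
	if ((unsigned long)ret + size > *max)
		*max = (unsigned long)ret + size;
	mutex_unlock(&module_mutex);
}

static void *module_alloc_update_bounds_rx(unsigned long size)
{
	void *ret = module_alloc_exec(size);

	if (ret)
		module_update_bounds(ret, size, &module_addr_min_rx,
				     &module_addr_max_rx);
	return ret;
```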
68834 @@ -2516,7 +2553,7 @@ static int move_module(struct module *mo
68835 void *ptr;
68836
68837 /* Do the allocs. */
68838 - ptr = module_alloc_update_bounds(mod->core_size);
68839 + ptr = module_alloc_update_bounds_rw(mod->core_size_rw);
68840 /*
68841 * The pointer to this block is stored in the module structure
68842 * which is inside the block. Just mark it as not being a
68843 @@ -2526,23 +2563,50 @@ static int move_module(struct module *mo
68844 if (!ptr)
68845 return -ENOMEM;
68846
68847 - memset(ptr, 0, mod->core_size);
68848 - mod->module_core = ptr;
68849 + memset(ptr, 0, mod->core_size_rw);
68850 + mod->module_core_rw = ptr;
68851
68852 - ptr = module_alloc_update_bounds(mod->init_size);
68853 + ptr = module_alloc_update_bounds_rw(mod->init_size_rw);
68854 /*
68855 * The pointer to this block is stored in the module structure
68856 * which is inside the block. This block doesn't need to be
68857 * scanned as it contains data and code that will be freed
68858 * after the module is initialized.
68859 */
68860 - kmemleak_ignore(ptr);
68861 - if (!ptr && mod->init_size) {
68862 - module_free(mod, mod->module_core);
68863 + kmemleak_not_leak(ptr);
68864 + if (!ptr && mod->init_size_rw) {
68865 + module_free(mod, mod->module_core_rw);
68866 return -ENOMEM;
68867 }
68868 - memset(ptr, 0, mod->init_size);
68869 - mod->module_init = ptr;
68870 + memset(ptr, 0, mod->init_size_rw);
68871 + mod->module_init_rw = ptr;
68872 +
68873 + ptr = module_alloc_update_bounds_rx(mod->core_size_rx);
68874 + kmemleak_not_leak(ptr);
68875 + if (!ptr) {
68876 + module_free(mod, mod->module_init_rw);
68877 + module_free(mod, mod->module_core_rw);
68878 + return -ENOMEM;
68879 + }
68880 +
68881 + pax_open_kernel();
68882 + memset(ptr, 0, mod->core_size_rx);
68883 + pax_close_kernel();
68884 + mod->module_core_rx = ptr;
68885 +
68886 + ptr = module_alloc_update_bounds_rx(mod->init_size_rx);
68887 + kmemleak_not_leak(ptr);
68888 + if (!ptr && mod->init_size_rx) {
68889 + module_free_exec(mod, mod->module_core_rx);
68890 + module_free(mod, mod->module_init_rw);
68891 + module_free(mod, mod->module_core_rw);
68892 + return -ENOMEM;
68893 + }
68894 +
68895 + pax_open_kernel();
68896 + memset(ptr, 0, mod->init_size_rx);
68897 + pax_close_kernel();
68898 + mod->module_init_rx = ptr;
68899
68900 /* Transfer each section which specifies SHF_ALLOC */
68901 DEBUGP("final section addresses:\n");
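Review bot: The block comment above the init_rw allocation still says the block "doesn't need to be scanned", but the call beneath it changed from `kmemleak_ignore(ptr)` to `kmemleak_not_leak(ptr)`, which keeps the block in kmemleak's scan set. Either update the comment to give the reason for the switch or restore the old call; the two new rx allocations have no comment at all. The three failure branches also repeat a growing list of `module_free()`/`module_free_exec()` calls, where a `goto` cleanup ladder would make the pairing of each free with its allocator easier to audit. move_module() starts and ends outside this hunk.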
68902 @@ -2553,16 +2617,45 @@ static int move_module(struct module *mo
68903 if (!(shdr->sh_flags & SHF_ALLOC))
68904 continue;
68905
68906 - if (shdr->sh_entsize & INIT_OFFSET_MASK)
68907 - dest = mod->module_init
68908 - + (shdr->sh_entsize & ~INIT_OFFSET_MASK);
68909 - else
68910 - dest = mod->module_core + shdr->sh_entsize;
68911 + if (shdr->sh_entsize & INIT_OFFSET_MASK) {
68912 + if ((shdr->sh_flags & SHF_WRITE) || !(shdr->sh_flags & SHF_ALLOC))
68913 + dest = mod->module_init_rw
68914 + + (shdr->sh_entsize & ~INIT_OFFSET_MASK);
68915 + else
68916 + dest = mod->module_init_rx
68917 + + (shdr->sh_entsize & ~INIT_OFFSET_MASK);
68918 + } else {
68919 + if ((shdr->sh_flags & SHF_WRITE) || !(shdr->sh_flags & SHF_ALLOC))
68920 + dest = mod->module_core_rw + shdr->sh_entsize;
68921 + else
68922 + dest = mod->module_core_rx + shdr->sh_entsize;
68923 + }
68924 +
68925 + if (shdr->sh_type != SHT_NOBITS) {
68926 +
68927 +#ifdef CONFIG_PAX_KERNEXEC
68928 +#ifdef CONFIG_X86_64
68929 + if ((shdr->sh_flags & SHF_WRITE) && (shdr->sh_flags & SHF_EXECINSTR))
68930 + set_memory_x((unsigned long)dest, (shdr->sh_size + PAGE_SIZE) >> PAGE_SHIFT);
68931 +#endif
68932 + if (!(shdr->sh_flags & SHF_WRITE) && (shdr->sh_flags & SHF_ALLOC)) {
68933 + pax_open_kernel();
68934 + memcpy(dest, (void *)shdr->sh_addr, shdr->sh_size);
68935 + pax_close_kernel();
68936 + } else
68937 +#endif
68938
68939 - if (shdr->sh_type != SHT_NOBITS)
68940 memcpy(dest, (void *)shdr->sh_addr, shdr->sh_size);
68941 + }
68942 /* Update sh_addr to point to copy in image. */
68943 - shdr->sh_addr = (unsigned long)dest;
68944 +
68945 +#ifdef CONFIG_PAX_KERNEXEC
68946 + if (shdr->sh_flags & SHF_EXECINSTR)
68947 + shdr->sh_addr = ktva_ktla((unsigned long)dest);
68948 + else
68949 +#endif
68950 +
68951 + shdr->sh_addr = (unsigned long)dest;
68952 DEBUGP("\t0x%lx %s\n",
68953 shdr->sh_addr, info->secstrings + shdr->sh_name);
68954 }
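Review bot: The page count given to `set_memory_x()` is `(shdr->sh_size + PAGE_SIZE) >> PAGE_SHIFT`, which is derived from the section size alone and ignores where `dest` sits inside its page. A section that starts near the end of a page and crosses into the next can therefore have its tail left out of the range. Something like `set_memory_x((unsigned long)dest & PAGE_MASK, (offset_in_page(dest) + shdr->sh_size + PAGE_SIZE - 1) >> PAGE_SHIFT);` covers the full span. The `!(shdr->sh_flags & SHF_ALLOC)` tests in this loop can never be true because the loop already `continue`s on non-ALLOC sections. The brace-less `else` that dangles across `#endif` onto the following `memcpy`/`sh_addr` statement is fragile; explicit braces inside each `#ifdef` arm would be safer.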
68955 @@ -2613,12 +2706,12 @@ static void flush_module_icache(const st
68956 * Do it before processing of module parameters, so the module
68957 * can provide parameter accessor functions of its own.
68958 */
68959 - if (mod->module_init)
68960 - flush_icache_range((unsigned long)mod->module_init,
68961 - (unsigned long)mod->module_init
68962 - + mod->init_size);
68963 - flush_icache_range((unsigned long)mod->module_core,
68964 - (unsigned long)mod->module_core + mod->core_size);
68965 + if (mod->module_init_rx)
68966 + flush_icache_range((unsigned long)mod->module_init_rx,
68967 + (unsigned long)mod->module_init_rx
68968 + + mod->init_size_rx);
68969 + flush_icache_range((unsigned long)mod->module_core_rx,
68970 + (unsigned long)mod->module_core_rx + mod->core_size_rx);
68971
68972 set_fs(old_fs);
68973 }
68974 @@ -2690,8 +2783,10 @@ static void module_deallocate(struct mod
68975 {
68976 kfree(info->strmap);
68977 percpu_modfree(mod);
68978 - module_free(mod, mod->module_init);
68979 - module_free(mod, mod->module_core);
68980 + module_free_exec(mod, mod->module_init_rx);
68981 + module_free_exec(mod, mod->module_core_rx);
68982 + module_free(mod, mod->module_init_rw);
68983 + module_free(mod, mod->module_core_rw);
68984 }
68985
68986 static int post_relocation(struct module *mod, const struct load_info *info)
68987 @@ -2748,9 +2843,38 @@ static struct module *load_module(void _
68988 if (err)
68989 goto free_unload;
68990
68991 + /* Now copy in args */
68992 + mod->args = strndup_user(uargs, ~0UL >> 1);
68993 + if (IS_ERR(mod->args)) {
68994 + err = PTR_ERR(mod->args);
68995 + goto free_unload;
68996 + }
68997 +
68998 /* Set up MODINFO_ATTR fields */
68999 setup_modinfo(mod, &info);
69000
69001 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
69002 + {
69003 + char *p, *p2;
69004 +
69005 + if (strstr(mod->args, "grsec_modharden_netdev")) {
69006 + printk(KERN_ALERT "grsec: denied auto-loading kernel module for a network device with CAP_SYS_MODULE (deprecated). Use CAP_NET_ADMIN and alias netdev-%.64s instead.", mod->name);
69007 + err = -EPERM;
69008 + goto free_modinfo;
69009 + } else if ((p = strstr(mod->args, "grsec_modharden_normal"))) {
69010 + p += strlen("grsec_modharden_normal");
69011 + p2 = strstr(p, "_");
69012 + if (p2) {
69013 + *p2 = '\0';
69014 + printk(KERN_ALERT "grsec: denied kernel module auto-load of %.64s by uid %.9s\n", mod->name, p);
69015 + *p2 = '_';
69016 + }
69017 + err = -EPERM;
69018 + goto free_modinfo;
69019 + }
69020 + }
69021 +#endif
69022 +
69023 /* Fix up syms, so that st_value is a pointer to location. */
69024 err = simplify_symbols(mod, &info);
69025 if (err < 0)
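Review bot: The `grsec_modharden_netdev` alert ends in `... alias netdev-%.64s instead."` without a trailing newline, unlike the other grsec messages in this file, so the next kernel log line will be appended to it; the string should end in `instead.\n"`. In the `grsec_modharden_normal` branch the load is denied with no log entry at all when no `_` follows the marker (`p2 == NULL`), which leaves an unexplained -EPERM for whoever reads the logs. An `else` that logs the denial without the uid would close that gap, and `strchr(p, '_')` is the more direct call for a single character. load_module() starts and ends outside this hunk.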
69026 @@ -2766,13 +2890,6 @@ static struct module *load_module(void _
69027
69028 flush_module_icache(mod);
69029
69030 - /* Now copy in args */
69031 - mod->args = strndup_user(uargs, ~0UL >> 1);
69032 - if (IS_ERR(mod->args)) {
69033 - err = PTR_ERR(mod->args);
69034 - goto free_arch_cleanup;
69035 - }
69036 -
69037 /* Mark state as coming so strong_try_module_get() ignores us. */
69038 mod->state = MODULE_STATE_COMING;
69039
69040 @@ -2832,11 +2949,10 @@ static struct module *load_module(void _
69041 unlock:
69042 mutex_unlock(&module_mutex);
69043 synchronize_sched();
69044 - kfree(mod->args);
69045 - free_arch_cleanup:
69046 module_arch_cleanup(mod);
69047 free_modinfo:
69048 free_modinfo(mod);
69049 + kfree(mod->args);
69050 free_unload:
69051 module_unload_free(mod);
69052 free_module:
69053 @@ -2877,16 +2993,16 @@ SYSCALL_DEFINE3(init_module, void __user
69054 MODULE_STATE_COMING, mod);
69055
69056 /* Set RO and NX regions for core */
69057 - set_section_ro_nx(mod->module_core,
69058 - mod->core_text_size,
69059 - mod->core_ro_size,
69060 - mod->core_size);
69061 + set_section_ro_nx(mod->module_core_rx,
69062 + mod->core_size_rx,
69063 + mod->core_size_rx,
69064 + mod->core_size_rx);
69065
69066 /* Set RO and NX regions for init */
69067 - set_section_ro_nx(mod->module_init,
69068 - mod->init_text_size,
69069 - mod->init_ro_size,
69070 - mod->init_size);
69071 + set_section_ro_nx(mod->module_init_rx,
69072 + mod->init_size_rx,
69073 + mod->init_size_rx,
69074 + mod->init_size_rx);
69075
69076 do_mod_ctors(mod);
69077 /* Start the module */
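Review bot: Both `set_section_ro_nx()` calls now pass the same `*_size_rx` value as text size, ro size and total size, and nothing on the page explains why. If the helper keeps its upstream meaning (read-only up to the second size, no-execute from the first size to the third; its body is not visible here), the whole rx region becomes read-only and the NX range is empty. A comment at the call site would record that this is intended, for example `/* rx region is read-only as a whole; writable data lives in module_core_rw */`. The "Set RO and NX regions" comments above the calls should be updated to match.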
69078 @@ -2931,11 +3047,13 @@ SYSCALL_DEFINE3(init_module, void __user
69079 mod->symtab = mod->core_symtab;
69080 mod->strtab = mod->core_strtab;
69081 #endif
69082 - unset_section_ro_nx(mod, mod->module_init);
69083 - module_free(mod, mod->module_init);
69084 - mod->module_init = NULL;
69085 - mod->init_size = 0;
69086 - mod->init_text_size = 0;
69087 + unset_section_ro_nx(mod, mod->module_init_rx);
69088 + module_free(mod, mod->module_init_rw);
69089 + module_free_exec(mod, mod->module_init_rx);
69090 + mod->module_init_rw = NULL;
69091 + mod->module_init_rx = NULL;
69092 + mod->init_size_rw = 0;
69093 + mod->init_size_rx = 0;
69094 mutex_unlock(&module_mutex);
69095
69096 return 0;
69097 @@ -2966,10 +3084,16 @@ static const char *get_ksymbol(struct mo
69098 unsigned long nextval;
69099
69100 /* At worse, next value is at end of module */
69101 - if (within_module_init(addr, mod))
69102 - nextval = (unsigned long)mod->module_init+mod->init_text_size;
69103 + if (within_module_init_rx(addr, mod))
69104 + nextval = (unsigned long)mod->module_init_rx+mod->init_size_rx;
69105 + else if (within_module_init_rw(addr, mod))
69106 + nextval = (unsigned long)mod->module_init_rw+mod->init_size_rw;
69107 + else if (within_module_core_rx(addr, mod))
69108 + nextval = (unsigned long)mod->module_core_rx+mod->core_size_rx;
69109 + else if (within_module_core_rw(addr, mod))
69110 + nextval = (unsigned long)mod->module_core_rw+mod->core_size_rw;
69111 else
69112 - nextval = (unsigned long)mod->module_core+mod->core_text_size;
69113 + return NULL;
69114
69115 /* Scan for closest preceding symbol, and next symbol. (ELF
69116 starts real symbols at 1). */
69117 @@ -3215,7 +3339,7 @@ static int m_show(struct seq_file *m, vo
69118 char buf[8];
69119
69120 seq_printf(m, "%s %u",
69121 - mod->name, mod->init_size + mod->core_size);
69122 + mod->name, mod->init_size_rx + mod->init_size_rw + mod->core_size_rx + mod->core_size_rw);
69123 print_unload_info(m, mod);
69124
69125 /* Informative for users. */
69126 @@ -3224,7 +3348,7 @@ static int m_show(struct seq_file *m, vo
69127 mod->state == MODULE_STATE_COMING ? "Loading":
69128 "Live");
69129 /* Used by oprofile and other similar tools. */
69130 - seq_printf(m, " 0x%pK", mod->module_core);
69131 + seq_printf(m, " 0x%pK 0x%pK", mod->module_core_rx, mod->module_core_rw);
69132
69133 /* Taints info */
69134 if (mod->taints)
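Review bot: This `seq_printf` changes the /proc/modules line format by printing two addresses (`module_core_rx` then `module_core_rw`) where there was one. The comment directly above notes that the field is "used by oprofile and other similar tools", and parsers that expect the taint flags immediately after a single address will mis-read the new second column. Document the new layout in that comment, for example `/* two addresses: rx (text/rodata) base, then rw (data) base */`. Consider whether the rw base belongs in this file at all or in a separate one.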
69135 @@ -3260,7 +3384,17 @@ static const struct file_operations proc
69136
69137 static int __init proc_modules_init(void)
69138 {
69139 +#ifndef CONFIG_GRKERNSEC_HIDESYM
69140 +#ifdef CONFIG_GRKERNSEC_PROC_USER
69141 + proc_create("modules", S_IRUSR, NULL, &proc_modules_operations);
69142 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
69143 + proc_create("modules", S_IRUSR | S_IRGRP, NULL, &proc_modules_operations);
69144 +#else
69145 proc_create("modules", 0, NULL, &proc_modules_operations);
69146 +#endif
69147 +#else
69148 + proc_create("modules", S_IRUSR, NULL, &proc_modules_operations);
69149 +#endif
69150 return 0;
69151 }
69152 module_init(proc_modules_init);
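Review bot: The nested `#ifndef`/`#ifdef` ladder in proc_modules_init() repeats the `proc_create("modules", ...)` call four times, and two of the arms (HIDESYM and PROC_USER) are identical. Computing the mode once and keeping a single call makes the resulting permission for each configuration easier to verify at a glance.

```c
static int __init proc_modules_init(void)
{
	mode_t mode = 0;

#if defined(CONFIG_GRKERNSEC_HIDESYM) || defined(CONFIG_GRKERNSEC_PROC_USER)
	mode = S_IRUSR;
#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
	mode = S_IRUSR | S_IRGRP;
#endif
	proc_create("modules", mode, NULL, &proc_modules_operations);
	return 0;
}
```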
69153 @@ -3319,12 +3453,12 @@ struct module *__module_address(unsigned
69154 {
69155 struct module *mod;
69156
69157 - if (addr < module_addr_min || addr > module_addr_max)
69158 + if ((addr < module_addr_min_rx || addr > module_addr_max_rx) &&
69159 + (addr < module_addr_min_rw || addr > module_addr_max_rw))
69160 return NULL;
69161
69162 list_for_each_entry_rcu(mod, &modules, list)
69163 - if (within_module_core(addr, mod)
69164 - || within_module_init(addr, mod))
69165 + if (within_module_init(addr, mod) || within_module_core(addr, mod))
69166 return mod;
69167 return NULL;
69168 }
69169 @@ -3358,11 +3492,20 @@ bool is_module_text_address(unsigned lon
69170 */
69171 struct module *__module_text_address(unsigned long addr)
69172 {
69173 - struct module *mod = __module_address(addr);
69174 + struct module *mod;
69175 +
69176 +#ifdef CONFIG_X86_32
69177 + addr = ktla_ktva(addr);
69178 +#endif
69179 +
69180 + if (addr < module_addr_min_rx || addr > module_addr_max_rx)
69181 + return NULL;
69182 +
69183 + mod = __module_address(addr);
69184 +
69185 if (mod) {
69186 /* Make sure it's within the text section. */
69187 - if (!within(addr, mod->module_init, mod->init_text_size)
69188 - && !within(addr, mod->module_core, mod->core_text_size))
69189 + if (!within_module_init_rx(addr, mod) && !within_module_core_rx(addr, mod))
69190 mod = NULL;
69191 }
69192 return mod;
69193 diff -urNp linux-2.6.39.3/kernel/mutex.c linux-2.6.39.3/kernel/mutex.c
69194 --- linux-2.6.39.3/kernel/mutex.c 2011-05-19 00:06:34.000000000 -0400
69195 +++ linux-2.6.39.3/kernel/mutex.c 2011-05-22 19:36:33.000000000 -0400
69196 @@ -160,7 +160,7 @@ __mutex_lock_common(struct mutex *lock,
69197 */
69198
69199 for (;;) {
69200 - struct thread_info *owner;
69201 + struct task_struct *owner;
69202
69203 /*
69204 * If we own the BKL, then don't spin. The owner of
69205 @@ -205,7 +205,7 @@ __mutex_lock_common(struct mutex *lock,
69206 spin_lock_mutex(&lock->wait_lock, flags);
69207
69208 debug_mutex_lock_common(lock, &waiter);
69209 - debug_mutex_add_waiter(lock, &waiter, task_thread_info(task));
69210 + debug_mutex_add_waiter(lock, &waiter, task);
69211
69212 /* add waiting tasks to the end of the waitqueue (FIFO): */
69213 list_add_tail(&waiter.list, &lock->wait_list);
69214 @@ -234,8 +234,7 @@ __mutex_lock_common(struct mutex *lock,
69215 * TASK_UNINTERRUPTIBLE case.)
69216 */
69217 if (unlikely(signal_pending_state(state, task))) {
69218 - mutex_remove_waiter(lock, &waiter,
69219 - task_thread_info(task));
69220 + mutex_remove_waiter(lock, &waiter, task);
69221 mutex_release(&lock->dep_map, 1, ip);
69222 spin_unlock_mutex(&lock->wait_lock, flags);
69223
69224 @@ -256,7 +255,7 @@ __mutex_lock_common(struct mutex *lock,
69225 done:
69226 lock_acquired(&lock->dep_map, ip);
69227 /* got the lock - rejoice! */
69228 - mutex_remove_waiter(lock, &waiter, current_thread_info());
69229 + mutex_remove_waiter(lock, &waiter, task);
69230 mutex_set_owner(lock);
69231
69232 /* set it to 0 if there are no waiters left: */
69233 diff -urNp linux-2.6.39.3/kernel/mutex-debug.c linux-2.6.39.3/kernel/mutex-debug.c
69234 --- linux-2.6.39.3/kernel/mutex-debug.c 2011-05-19 00:06:34.000000000 -0400
69235 +++ linux-2.6.39.3/kernel/mutex-debug.c 2011-05-22 19:36:33.000000000 -0400
69236 @@ -49,21 +49,21 @@ void debug_mutex_free_waiter(struct mute
69237 }
69238
69239 void debug_mutex_add_waiter(struct mutex *lock, struct mutex_waiter *waiter,
69240 - struct thread_info *ti)
69241 + struct task_struct *task)
69242 {
69243 SMP_DEBUG_LOCKS_WARN_ON(!spin_is_locked(&lock->wait_lock));
69244
69245 /* Mark the current thread as blocked on the lock: */
69246 - ti->task->blocked_on = waiter;
69247 + task->blocked_on = waiter;
69248 }
69249
69250 void mutex_remove_waiter(struct mutex *lock, struct mutex_waiter *waiter,
69251 - struct thread_info *ti)
69252 + struct task_struct *task)
69253 {
69254 DEBUG_LOCKS_WARN_ON(list_empty(&waiter->list));
69255 - DEBUG_LOCKS_WARN_ON(waiter->task != ti->task);
69256 - DEBUG_LOCKS_WARN_ON(ti->task->blocked_on != waiter);
69257 - ti->task->blocked_on = NULL;
69258 + DEBUG_LOCKS_WARN_ON(waiter->task != task);
69259 + DEBUG_LOCKS_WARN_ON(task->blocked_on != waiter);
69260 + task->blocked_on = NULL;
69261
69262 list_del_init(&waiter->list);
69263 waiter->task = NULL;
69264 @@ -75,7 +75,7 @@ void debug_mutex_unlock(struct mutex *lo
69265 return;
69266
69267 DEBUG_LOCKS_WARN_ON(lock->magic != lock);
69268 - DEBUG_LOCKS_WARN_ON(lock->owner != current_thread_info());
69269 + DEBUG_LOCKS_WARN_ON(lock->owner != current);
69270 DEBUG_LOCKS_WARN_ON(!lock->wait_list.prev && !lock->wait_list.next);
69271 mutex_clear_owner(lock);
69272 }
69273 diff -urNp linux-2.6.39.3/kernel/mutex-debug.h linux-2.6.39.3/kernel/mutex-debug.h
69274 --- linux-2.6.39.3/kernel/mutex-debug.h 2011-05-19 00:06:34.000000000 -0400
69275 +++ linux-2.6.39.3/kernel/mutex-debug.h 2011-05-22 19:36:33.000000000 -0400
69276 @@ -20,16 +20,16 @@ extern void debug_mutex_wake_waiter(stru
69277 extern void debug_mutex_free_waiter(struct mutex_waiter *waiter);
69278 extern void debug_mutex_add_waiter(struct mutex *lock,
69279 struct mutex_waiter *waiter,
69280 - struct thread_info *ti);
69281 + struct task_struct *task);
69282 extern void mutex_remove_waiter(struct mutex *lock, struct mutex_waiter *waiter,
69283 - struct thread_info *ti);
69284 + struct task_struct *task);
69285 extern void debug_mutex_unlock(struct mutex *lock);
69286 extern void debug_mutex_init(struct mutex *lock, const char *name,
69287 struct lock_class_key *key);
69288
69289 static inline void mutex_set_owner(struct mutex *lock)
69290 {
69291 - lock->owner = current_thread_info();
69292 + lock->owner = current;
69293 }
69294
69295 static inline void mutex_clear_owner(struct mutex *lock)
69296 diff -urNp linux-2.6.39.3/kernel/mutex.h linux-2.6.39.3/kernel/mutex.h
69297 --- linux-2.6.39.3/kernel/mutex.h 2011-05-19 00:06:34.000000000 -0400
69298 +++ linux-2.6.39.3/kernel/mutex.h 2011-05-22 19:36:33.000000000 -0400
69299 @@ -19,7 +19,7 @@
69300 #ifdef CONFIG_SMP
69301 static inline void mutex_set_owner(struct mutex *lock)
69302 {
69303 - lock->owner = current_thread_info();
69304 + lock->owner = current;
69305 }
69306
69307 static inline void mutex_clear_owner(struct mutex *lock)
69308 diff -urNp linux-2.6.39.3/kernel/padata.c linux-2.6.39.3/kernel/padata.c
69309 --- linux-2.6.39.3/kernel/padata.c 2011-05-19 00:06:34.000000000 -0400
69310 +++ linux-2.6.39.3/kernel/padata.c 2011-05-22 19:36:33.000000000 -0400
69311 @@ -132,10 +132,10 @@ int padata_do_parallel(struct padata_ins
69312 padata->pd = pd;
69313 padata->cb_cpu = cb_cpu;
69314
69315 - if (unlikely(atomic_read(&pd->seq_nr) == pd->max_seq_nr))
69316 - atomic_set(&pd->seq_nr, -1);
69317 + if (unlikely(atomic_read_unchecked(&pd->seq_nr) == pd->max_seq_nr))
69318 + atomic_set_unchecked(&pd->seq_nr, -1);
69319
69320 - padata->seq_nr = atomic_inc_return(&pd->seq_nr);
69321 + padata->seq_nr = atomic_inc_return_unchecked(&pd->seq_nr);
69322
69323 target_cpu = padata_cpu_hash(padata);
69324 queue = per_cpu_ptr(pd->pqueue, target_cpu);
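Review bot: The switch of `pd->seq_nr` to the `_unchecked` atomic variants carries no comment, while `reorder_objects` and `refcnt` in the same structure stay on the checked API (see the next hunk). The visible code resets the counter to -1 when it reaches `max_seq_nr`, so it is a sequence number rather than a reference count. That reason should be stated at the site, for example `/* seq_nr is a wrapping sequence number, not a refcount: exempt from overflow checking */`. padata_do_parallel() starts and ends outside this hunk.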
69325 @@ -444,7 +444,7 @@ static struct parallel_data *padata_allo
69326 padata_init_pqueues(pd);
69327 padata_init_squeues(pd);
69328 setup_timer(&pd->timer, padata_reorder_timer, (unsigned long)pd);
69329 - atomic_set(&pd->seq_nr, -1);
69330 + atomic_set_unchecked(&pd->seq_nr, -1);
69331 atomic_set(&pd->reorder_objects, 0);
69332 atomic_set(&pd->refcnt, 0);
69333 pd->pinst = pinst;
69334 diff -urNp linux-2.6.39.3/kernel/panic.c linux-2.6.39.3/kernel/panic.c
69335 --- linux-2.6.39.3/kernel/panic.c 2011-05-19 00:06:34.000000000 -0400
69336 +++ linux-2.6.39.3/kernel/panic.c 2011-05-22 19:41:42.000000000 -0400
69337 @@ -369,7 +369,7 @@ static void warn_slowpath_common(const c
69338 const char *board;
69339
69340 printk(KERN_WARNING "------------[ cut here ]------------\n");
69341 - printk(KERN_WARNING "WARNING: at %s:%d %pS()\n", file, line, caller);
69342 + printk(KERN_WARNING "WARNING: at %s:%d %pA()\n", file, line, caller);
69343 board = dmi_get_system_info(DMI_PRODUCT_NAME);
69344 if (board)
69345 printk(KERN_WARNING "Hardware name: %s\n", board);
69346 @@ -424,7 +424,8 @@ EXPORT_SYMBOL(warn_slowpath_null);
69347 */
69348 void __stack_chk_fail(void)
69349 {
69350 - panic("stack-protector: Kernel stack is corrupted in: %p\n",
69351 + dump_stack();
69352 + panic("stack-protector: Kernel stack is corrupted in: %pA\n",
69353 __builtin_return_address(0));
69354 }
69355 EXPORT_SYMBOL(__stack_chk_fail);
69356 diff -urNp linux-2.6.39.3/kernel/params.c linux-2.6.39.3/kernel/params.c
69357 --- linux-2.6.39.3/kernel/params.c 2011-05-19 00:06:34.000000000 -0400
69358 +++ linux-2.6.39.3/kernel/params.c 2011-05-22 19:36:33.000000000 -0400
69359 @@ -234,7 +234,7 @@ int parse_args(const char *name,
69360 { \
69361 return sprintf(buffer, format, *((type *)kp->arg)); \
69362 } \
69363 - struct kernel_param_ops param_ops_##name = { \
69364 + const struct kernel_param_ops param_ops_##name = { \
69365 .set = param_set_##name, \
69366 .get = param_get_##name, \
69367 }; \
69368 @@ -286,7 +286,7 @@ static void param_free_charp(void *arg)
69369 maybe_kfree_parameter(*((char **)arg));
69370 }
69371
69372 -struct kernel_param_ops param_ops_charp = {
69373 +const struct kernel_param_ops param_ops_charp = {
69374 .set = param_set_charp,
69375 .get = param_get_charp,
69376 .free = param_free_charp,
69377 @@ -334,7 +334,7 @@ int param_get_bool(char *buffer, const s
69378 }
69379 EXPORT_SYMBOL(param_get_bool);
69380
69381 -struct kernel_param_ops param_ops_bool = {
69382 +const struct kernel_param_ops param_ops_bool = {
69383 .set = param_set_bool,
69384 .get = param_get_bool,
69385 };
69386 @@ -362,7 +362,7 @@ int param_get_invbool(char *buffer, cons
69387 }
69388 EXPORT_SYMBOL(param_get_invbool);
69389
69390 -struct kernel_param_ops param_ops_invbool = {
69391 +const struct kernel_param_ops param_ops_invbool = {
69392 .set = param_set_invbool,
69393 .get = param_get_invbool,
69394 };
69395 @@ -460,7 +460,7 @@ static void param_array_free(void *arg)
69396 arr->ops->free(arr->elem + arr->elemsize * i);
69397 }
69398
69399 -struct kernel_param_ops param_array_ops = {
69400 +const struct kernel_param_ops param_array_ops = {
69401 .set = param_array_set,
69402 .get = param_array_get,
69403 .free = param_array_free,
69404 @@ -488,7 +488,7 @@ int param_get_string(char *buffer, const
69405 }
69406 EXPORT_SYMBOL(param_get_string);
69407
69408 -struct kernel_param_ops param_ops_string = {
69409 +const struct kernel_param_ops param_ops_string = {
69410 .set = param_set_copystring,
69411 .get = param_get_string,
69412 };
69413 diff -urNp linux-2.6.39.3/kernel/perf_event.c linux-2.6.39.3/kernel/perf_event.c
69414 --- linux-2.6.39.3/kernel/perf_event.c 2011-05-19 00:06:34.000000000 -0400
69415 +++ linux-2.6.39.3/kernel/perf_event.c 2011-05-22 19:36:33.000000000 -0400
69416 @@ -170,7 +170,7 @@ int perf_proc_update_handler(struct ctl_
69417 return 0;
69418 }
69419
69420 -static atomic64_t perf_event_id;
69421 +static atomic64_unchecked_t perf_event_id;
69422
69423 static void cpu_ctx_sched_out(struct perf_cpu_context *cpuctx,
69424 enum event_type_t event_type);
69425 @@ -2496,7 +2496,7 @@ static void __perf_event_read(void *info
69426
69427 static inline u64 perf_event_count(struct perf_event *event)
69428 {
69429 - return local64_read(&event->count) + atomic64_read(&event->child_count);
69430 + return local64_read(&event->count) + atomic64_read_unchecked(&event->child_count);
69431 }
69432
69433 static u64 perf_event_read(struct perf_event *event)
69434 @@ -3031,9 +3031,9 @@ u64 perf_event_read_value(struct perf_ev
69435 mutex_lock(&event->child_mutex);
69436 total += perf_event_read(event);
69437 *enabled += event->total_time_enabled +
69438 - atomic64_read(&event->child_total_time_enabled);
69439 + atomic64_read_unchecked(&event->child_total_time_enabled);
69440 *running += event->total_time_running +
69441 - atomic64_read(&event->child_total_time_running);
69442 + atomic64_read_unchecked(&event->child_total_time_running);
69443
69444 list_for_each_entry(child, &event->child_list, child_list) {
69445 total += perf_event_read(child);
69446 @@ -3396,10 +3396,10 @@ void perf_event_update_userpage(struct p
69447 userpg->offset -= local64_read(&event->hw.prev_count);
69448
69449 userpg->time_enabled = event->total_time_enabled +
69450 - atomic64_read(&event->child_total_time_enabled);
69451 + atomic64_read_unchecked(&event->child_total_time_enabled);
69452
69453 userpg->time_running = event->total_time_running +
69454 - atomic64_read(&event->child_total_time_running);
69455 + atomic64_read_unchecked(&event->child_total_time_running);
69456
69457 barrier();
69458 ++userpg->lock;
69459 @@ -3884,16 +3884,16 @@ static void perf_pending_event(struct ir
69460 * Later on, we might change it to a list if there is
69461 * another virtualization implementation supporting the callbacks.
69462 */
69463 -struct perf_guest_info_callbacks *perf_guest_cbs;
69464 +const struct perf_guest_info_callbacks *perf_guest_cbs;
69465
69466 -int perf_register_guest_info_callbacks(struct perf_guest_info_callbacks *cbs)
69467 +int perf_register_guest_info_callbacks(const struct perf_guest_info_callbacks *cbs)
69468 {
69469 perf_guest_cbs = cbs;
69470 return 0;
69471 }
69472 EXPORT_SYMBOL_GPL(perf_register_guest_info_callbacks);
69473
69474 -int perf_unregister_guest_info_callbacks(struct perf_guest_info_callbacks *cbs)
69475 +int perf_unregister_guest_info_callbacks(const struct perf_guest_info_callbacks *cbs)
69476 {
69477 perf_guest_cbs = NULL;
69478 return 0;
69479 @@ -4196,11 +4196,11 @@ static void perf_output_read_one(struct
69480 values[n++] = perf_event_count(event);
69481 if (read_format & PERF_FORMAT_TOTAL_TIME_ENABLED) {
69482 values[n++] = enabled +
69483 - atomic64_read(&event->child_total_time_enabled);
69484 + atomic64_read_unchecked(&event->child_total_time_enabled);
69485 }
69486 if (read_format & PERF_FORMAT_TOTAL_TIME_RUNNING) {
69487 values[n++] = running +
69488 - atomic64_read(&event->child_total_time_running);
69489 + atomic64_read_unchecked(&event->child_total_time_running);
69490 }
69491 if (read_format & PERF_FORMAT_ID)
69492 values[n++] = primary_event_id(event);
69493 @@ -6201,7 +6201,7 @@ perf_event_alloc(struct perf_event_attr
69494 event->parent = parent_event;
69495
69496 event->ns = get_pid_ns(current->nsproxy->pid_ns);
69497 - event->id = atomic64_inc_return(&perf_event_id);
69498 + event->id = atomic64_inc_return_unchecked(&perf_event_id);
69499
69500 event->state = PERF_EVENT_STATE_INACTIVE;
69501
69502 @@ -6724,10 +6724,10 @@ static void sync_child_event(struct perf
69503 /*
69504 * Add back the child's count to the parent's count:
69505 */
69506 - atomic64_add(child_val, &parent_event->child_count);
69507 - atomic64_add(child_event->total_time_enabled,
69508 + atomic64_add_unchecked(child_val, &parent_event->child_count);
69509 + atomic64_add_unchecked(child_event->total_time_enabled,
69510 &parent_event->child_total_time_enabled);
69511 - atomic64_add(child_event->total_time_running,
69512 + atomic64_add_unchecked(child_event->total_time_running,
69513 &parent_event->child_total_time_running);
69514
69515 /*
69516 diff -urNp linux-2.6.39.3/kernel/pid.c linux-2.6.39.3/kernel/pid.c
69517 --- linux-2.6.39.3/kernel/pid.c 2011-05-19 00:06:34.000000000 -0400
69518 +++ linux-2.6.39.3/kernel/pid.c 2011-05-22 19:41:42.000000000 -0400
69519 @@ -33,6 +33,7 @@
69520 #include <linux/rculist.h>
69521 #include <linux/bootmem.h>
69522 #include <linux/hash.h>
69523 +#include <linux/security.h>
69524 #include <linux/pid_namespace.h>
69525 #include <linux/init_task.h>
69526 #include <linux/syscalls.h>
69527 @@ -45,7 +46,7 @@ struct pid init_struct_pid = INIT_STRUCT
69528
69529 int pid_max = PID_MAX_DEFAULT;
69530
69531 -#define RESERVED_PIDS 300
69532 +#define RESERVED_PIDS 500
69533
69534 int pid_max_min = RESERVED_PIDS + 1;
69535 int pid_max_max = PID_MAX_LIMIT;
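Review bot: `RESERVED_PIDS` goes from 300 to 500 with no comment giving the reason, and because `pid_max_min` is defined two lines below as `RESERVED_PIDS + 1`, the smallest accepted `pid_max` moves from 301 to 501 as a side effect. A one-line comment above the define would record both, for example `/* larger reserved PID range; note this also raises pid_max_min */`. The rationale is not stated anywhere in the hunk, so the final wording should come from the patch author.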
69536 @@ -419,8 +420,15 @@ EXPORT_SYMBOL(pid_task);
69537 */
69538 struct task_struct *find_task_by_pid_ns(pid_t nr, struct pid_namespace *ns)
69539 {
69540 + struct task_struct *task;
69541 +
69542 rcu_lockdep_assert(rcu_read_lock_held());
69543 - return pid_task(find_pid_ns(nr, ns), PIDTYPE_PID);
69544 + task = pid_task(find_pid_ns(nr, ns), PIDTYPE_PID);
69545 +
69546 + if (gr_pid_is_chrooted(task))
69547 + return NULL;
69548 +
69549 + return task;
69550 }
69551
69552 struct task_struct *find_task_by_vpid(pid_t vnr)
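Review bot: `gr_pid_is_chrooted(task)` is called with whatever `pid_task()` returned, which is NULL when no task matches `nr` in `ns`. The helper's definition is not in this hunk, so either confirm that it accepts NULL or make the guard explicit with `if (task && gr_pid_is_chrooted(task))`. The comment block above the function (only its closing `*/` is visible) should also state that a task hidden by the chroot check is reported as not found, since callers cannot tell that NULL from a missing PID.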
69553 diff -urNp linux-2.6.39.3/kernel/posix-cpu-timers.c linux-2.6.39.3/kernel/posix-cpu-timers.c
69554 --- linux-2.6.39.3/kernel/posix-cpu-timers.c 2011-05-19 00:06:34.000000000 -0400
69555 +++ linux-2.6.39.3/kernel/posix-cpu-timers.c 2011-05-22 19:41:42.000000000 -0400
69556 @@ -6,6 +6,7 @@
69557 #include <linux/posix-timers.h>
69558 #include <linux/errno.h>
69559 #include <linux/math64.h>
69560 +#include <linux/security.h>
69561 #include <asm/uaccess.h>
69562 #include <linux/kernel_stat.h>
69563 #include <trace/events/timer.h>
69564 @@ -1590,7 +1591,7 @@ static int thread_cpu_timer_create(struc
69565 return posix_cpu_timer_create(timer);
69566 }
69567
69568 -struct k_clock clock_posix_cpu = {
69569 +const struct k_clock clock_posix_cpu = {
69570 .clock_getres = posix_cpu_clock_getres,
69571 .clock_set = posix_cpu_clock_set,
69572 .clock_get = posix_cpu_clock_get,
69573 @@ -1604,14 +1605,14 @@ struct k_clock clock_posix_cpu = {
69574
69575 static __init int init_posix_cpu_timers(void)
69576 {
69577 - struct k_clock process = {
69578 + const struct k_clock process = {
69579 .clock_getres = process_cpu_clock_getres,
69580 .clock_get = process_cpu_clock_get,
69581 .timer_create = process_cpu_timer_create,
69582 .nsleep = process_cpu_nsleep,
69583 .nsleep_restart = process_cpu_nsleep_restart,
69584 };
69585 - struct k_clock thread = {
69586 + const struct k_clock thread = {
69587 .clock_getres = thread_cpu_clock_getres,
69588 .clock_get = thread_cpu_clock_get,
69589 .timer_create = thread_cpu_timer_create,
69590 diff -urNp linux-2.6.39.3/kernel/posix-timers.c linux-2.6.39.3/kernel/posix-timers.c
69591 --- linux-2.6.39.3/kernel/posix-timers.c 2011-05-19 00:06:34.000000000 -0400
69592 +++ linux-2.6.39.3/kernel/posix-timers.c 2011-05-22 20:13:41.000000000 -0400
69593 @@ -43,6 +43,7 @@
69594 #include <linux/idr.h>
69595 #include <linux/posix-clock.h>
69596 #include <linux/posix-timers.h>
69597 +#include <linux/grsecurity.h>
69598 #include <linux/syscalls.h>
69599 #include <linux/wait.h>
69600 #include <linux/workqueue.h>
69601 @@ -227,7 +228,7 @@ static int posix_get_boottime(const cloc
69602 */
69603 static __init int init_posix_timers(void)
69604 {
69605 - struct k_clock clock_realtime = {
69606 + const struct k_clock clock_realtime = {
69607 .clock_getres = hrtimer_get_res,
69608 .clock_get = posix_clock_realtime_get,
69609 .clock_set = posix_clock_realtime_set,
69610 @@ -239,7 +240,7 @@ static __init int init_posix_timers(void
69611 .timer_get = common_timer_get,
69612 .timer_del = common_timer_del,
69613 };
69614 - struct k_clock clock_monotonic = {
69615 + const struct k_clock clock_monotonic = {
69616 .clock_getres = hrtimer_get_res,
69617 .clock_get = posix_ktime_get_ts,
69618 .nsleep = common_nsleep,
69619 @@ -249,19 +250,19 @@ static __init int init_posix_timers(void
69620 .timer_get = common_timer_get,
69621 .timer_del = common_timer_del,
69622 };
69623 - struct k_clock clock_monotonic_raw = {
69624 + const struct k_clock clock_monotonic_raw = {
69625 .clock_getres = hrtimer_get_res,
69626 .clock_get = posix_get_monotonic_raw,
69627 };
69628 - struct k_clock clock_realtime_coarse = {
69629 + const struct k_clock clock_realtime_coarse = {
69630 .clock_getres = posix_get_coarse_res,
69631 .clock_get = posix_get_realtime_coarse,
69632 };
69633 - struct k_clock clock_monotonic_coarse = {
69634 + const struct k_clock clock_monotonic_coarse = {
69635 .clock_getres = posix_get_coarse_res,
69636 .clock_get = posix_get_monotonic_coarse,
69637 };
69638 - struct k_clock clock_boottime = {
69639 + const struct k_clock clock_boottime = {
69640 .clock_getres = hrtimer_get_res,
69641 .clock_get = posix_get_boottime,
69642 .nsleep = common_nsleep,
69643 @@ -272,6 +273,8 @@ static __init int init_posix_timers(void
69644 .timer_del = common_timer_del,
69645 };
69646
69647 + pax_track_stack();
69648 +
69649 posix_timers_register_clock(CLOCK_REALTIME, &clock_realtime);
69650 posix_timers_register_clock(CLOCK_MONOTONIC, &clock_monotonic);
69651 posix_timers_register_clock(CLOCK_MONOTONIC_RAW, &clock_monotonic_raw);
69652 @@ -454,7 +457,7 @@ static struct pid *good_sigevent(sigeven
69653 }
69654
69655 void posix_timers_register_clock(const clockid_t clock_id,
69656 - struct k_clock *new_clock)
69657 + const struct k_clock *new_clock)
69658 {
69659 if ((unsigned) clock_id >= MAX_CLOCKS) {
69660 printk(KERN_WARNING "POSIX clock register failed for clock_id %d\n",
69661 @@ -506,7 +509,7 @@ static void release_posix_timer(struct k
69662 kmem_cache_free(posix_timers_cache, tmr);
69663 }
69664
69665 -static struct k_clock *clockid_to_kclock(const clockid_t id)
69666 +static const struct k_clock *clockid_to_kclock(const clockid_t id)
69667 {
69668 if (id < 0)
69669 return (id & CLOCKFD_MASK) == CLOCKFD ?
69670 @@ -529,7 +532,7 @@ SYSCALL_DEFINE3(timer_create, const cloc
69671 struct sigevent __user *, timer_event_spec,
69672 timer_t __user *, created_timer_id)
69673 {
69674 - struct k_clock *kc = clockid_to_kclock(which_clock);
69675 + const struct k_clock *kc = clockid_to_kclock(which_clock);
69676 struct k_itimer *new_timer;
69677 int error, new_timer_id;
69678 sigevent_t event;
69679 @@ -714,7 +717,7 @@ SYSCALL_DEFINE2(timer_gettime, timer_t,
69680 {
69681 struct itimerspec cur_setting;
69682 struct k_itimer *timr;
69683 - struct k_clock *kc;
69684 + const struct k_clock *kc;
69685 unsigned long flags;
69686 int ret = 0;
69687
69688 @@ -822,7 +825,7 @@ SYSCALL_DEFINE4(timer_settime, timer_t,
69689 int error = 0;
69690 unsigned long flag;
69691 struct itimerspec *rtn = old_setting ? &old_spec : NULL;
69692 - struct k_clock *kc;
69693 + const struct k_clock *kc;
69694
69695 if (!new_setting)
69696 return -EINVAL;
69697 @@ -868,7 +871,7 @@ static int common_timer_del(struct k_iti
69698
69699 static inline int timer_delete_hook(struct k_itimer *timer)
69700 {
69701 - struct k_clock *kc = clockid_to_kclock(timer->it_clock);
69702 + const struct k_clock *kc = clockid_to_kclock(timer->it_clock);
69703
69704 if (WARN_ON_ONCE(!kc || !kc->timer_del))
69705 return -EINVAL;
69706 @@ -947,7 +950,7 @@ void exit_itimers(struct signal_struct *
69707 SYSCALL_DEFINE2(clock_settime, const clockid_t, which_clock,
69708 const struct timespec __user *, tp)
69709 {
69710 - struct k_clock *kc = clockid_to_kclock(which_clock);
69711 + const struct k_clock *kc = clockid_to_kclock(which_clock);
69712 struct timespec new_tp;
69713
69714 if (!kc || !kc->clock_set)
69715 @@ -956,13 +959,20 @@ SYSCALL_DEFINE2(clock_settime, const clo
69716 if (copy_from_user(&new_tp, tp, sizeof (*tp)))
69717 return -EFAULT;
69718
69719 + /* only the CLOCK_REALTIME clock can be set, all other clocks
69720 + have their clock_set fptr set to a nosettime dummy function
69721 + CLOCK_REALTIME has a NULL clock_set fptr which causes it to
69722 + call common_clock_set, which calls do_sys_settimeofday, which
69723 + we hook
69724 + */
69725 +
69726 return kc->clock_set(which_clock, &new_tp);
69727 }
69728
69729 SYSCALL_DEFINE2(clock_gettime, const clockid_t, which_clock,
69730 struct timespec __user *,tp)
69731 {
69732 - struct k_clock *kc = clockid_to_kclock(which_clock);
69733 + const struct k_clock *kc = clockid_to_kclock(which_clock);
69734 struct timespec kernel_tp;
69735 int error;
69736
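Review bot: The comment added before `return kc->clock_set(which_clock, &new_tp);` does not match the code around it. The `clock_realtime` initializer earlier in this file's diff sets `.clock_set = posix_clock_realtime_set`, and the test `if (!kc || !kc->clock_set)` directly above this hunk appears to reject a NULL handler rather than fall back to `common_clock_set`. The text reads as if it describes an older layout of this file. Suggested replacement: `/* clocks without a clock_set handler were rejected above; CLOCK_REALTIME goes through posix_clock_realtime_set, where the settimeofday hook applies */`, with the last clause to be confirmed against that function, which is not shown here.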
69737 @@ -980,7 +990,7 @@ SYSCALL_DEFINE2(clock_gettime, const clo
69738 SYSCALL_DEFINE2(clock_adjtime, const clockid_t, which_clock,
69739 struct timex __user *, utx)
69740 {
69741 - struct k_clock *kc = clockid_to_kclock(which_clock);
69742 + const struct k_clock *kc = clockid_to_kclock(which_clock);
69743 struct timex ktx;
69744 int err;
69745
69746 @@ -1003,7 +1013,7 @@ SYSCALL_DEFINE2(clock_adjtime, const clo
69747 SYSCALL_DEFINE2(clock_getres, const clockid_t, which_clock,
69748 struct timespec __user *, tp)
69749 {
69750 - struct k_clock *kc = clockid_to_kclock(which_clock);
69751 + const struct k_clock *kc = clockid_to_kclock(which_clock);
69752 struct timespec rtn_tp;
69753 int error;
69754
69755 @@ -1033,7 +1043,7 @@ SYSCALL_DEFINE4(clock_nanosleep, const c
69756 const struct timespec __user *, rqtp,
69757 struct timespec __user *, rmtp)
69758 {
69759 - struct k_clock *kc = clockid_to_kclock(which_clock);
69760 + const struct k_clock *kc = clockid_to_kclock(which_clock);
69761 struct timespec t;
69762
69763 if (!kc)
69764 @@ -1057,7 +1067,7 @@ SYSCALL_DEFINE4(clock_nanosleep, const c
69765 long clock_nanosleep_restart(struct restart_block *restart_block)
69766 {
69767 clockid_t which_clock = restart_block->nanosleep.index;
69768 - struct k_clock *kc = clockid_to_kclock(which_clock);
69769 + const struct k_clock *kc = clockid_to_kclock(which_clock);
69770
69771 if (WARN_ON_ONCE(!kc || !kc->nsleep_restart))
69772 return -EINVAL;
69773 diff -urNp linux-2.6.39.3/kernel/power/poweroff.c linux-2.6.39.3/kernel/power/poweroff.c
69774 --- linux-2.6.39.3/kernel/power/poweroff.c 2011-05-19 00:06:34.000000000 -0400
69775 +++ linux-2.6.39.3/kernel/power/poweroff.c 2011-05-22 19:36:33.000000000 -0400
69776 @@ -37,7 +37,7 @@ static struct sysrq_key_op sysrq_powerof
69777 .enable_mask = SYSRQ_ENABLE_BOOT,
69778 };
69779
69780 -static int pm_sysrq_init(void)
69781 +static int __init pm_sysrq_init(void)
69782 {
69783 register_sysrq_key('o', &sysrq_poweroff_op);
69784 return 0;
69785 diff -urNp linux-2.6.39.3/kernel/power/process.c linux-2.6.39.3/kernel/power/process.c
69786 --- linux-2.6.39.3/kernel/power/process.c 2011-05-19 00:06:34.000000000 -0400
69787 +++ linux-2.6.39.3/kernel/power/process.c 2011-05-22 19:36:33.000000000 -0400
69788 @@ -41,6 +41,7 @@ static int try_to_freeze_tasks(bool sig_
69789 u64 elapsed_csecs64;
69790 unsigned int elapsed_csecs;
69791 bool wakeup = false;
69792 + bool timedout = false;
69793
69794 do_gettimeofday(&start);
69795
69796 @@ -51,6 +52,8 @@ static int try_to_freeze_tasks(bool sig_
69797
69798 while (true) {
69799 todo = 0;
69800 + if (time_after(jiffies, end_time))
69801 + timedout = true;
69802 read_lock(&tasklist_lock);
69803 do_each_thread(g, p) {
69804 if (frozen(p) || !freezable(p))
69805 @@ -71,9 +74,13 @@ static int try_to_freeze_tasks(bool sig_
69806 * try_to_stop() after schedule() in ptrace/signal
69807 * stop sees TIF_FREEZE.
69808 */
69809 - if (!task_is_stopped_or_traced(p) &&
69810 - !freezer_should_skip(p))
69811 + if (!task_is_stopped_or_traced(p) && !freezer_should_skip(p)) {
69812 todo++;
69813 + if (timedout) {
69814 + printk(KERN_ERR "Task refusing to freeze:\n");
69815 + sched_show_task(p);
69816 + }
69817 + }
69818 } while_each_thread(g, p);
69819 read_unlock(&tasklist_lock);
69820
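Review bot: The new `printk(KERN_ERR ...)` and `sched_show_task(p)` run inside the `do_each_thread` walk while `tasklist_lock` is read-held, so after a timeout the lock stays held for as long as it takes to dump a stack for every task that has not frozen. Consider bounding the number of tasks dumped per attempt, and add a comment such as `/* timed out: report each task still blocking the freeze */` so the extra work under the lock is clearly deliberate. The message also carries no identifier of its own and relies entirely on the following `sched_show_task` output. `try_to_freeze_tasks` starts and ends outside this hunk.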
69821 @@ -82,7 +89,7 @@ static int try_to_freeze_tasks(bool sig_
69822 todo += wq_busy;
69823 }
69824
69825 - if (!todo || time_after(jiffies, end_time))
69826 + if (!todo || timedout)
69827 break;
69828
69829 if (pm_wakeup_pending()) {
69830 diff -urNp linux-2.6.39.3/kernel/printk.c linux-2.6.39.3/kernel/printk.c
69831 --- linux-2.6.39.3/kernel/printk.c 2011-05-19 00:06:34.000000000 -0400
69832 +++ linux-2.6.39.3/kernel/printk.c 2011-05-22 19:41:42.000000000 -0400
69833 @@ -284,12 +284,17 @@ static int check_syslog_permissions(int
69834 if (from_file && type != SYSLOG_ACTION_OPEN)
69835 return 0;
69836
69837 +#ifdef CONFIG_GRKERNSEC_DMESG
69838 + if (grsec_enable_dmesg && !capable(CAP_SYSLOG) && !capable_nolog(CAP_SYS_ADMIN))
69839 + return -EPERM;
69840 +#endif
69841 +
69842 if (syslog_action_restricted(type)) {
69843 if (capable(CAP_SYSLOG))
69844 return 0;
69845 /* For historical reasons, accept CAP_SYS_ADMIN too, with a warning */
69846 if (capable(CAP_SYS_ADMIN)) {
69847 - WARN_ONCE(1, "Attempt to access syslog with CAP_SYS_ADMIN "
69848 + printk_once(KERN_WARNING "Attempt to access syslog with CAP_SYS_ADMIN "
69849 "but no CAP_SYSLOG (deprecated).\n");
69850 return 0;
69851 }
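Review bot: The `CONFIG_GRKERNSEC_DMESG` block sits above `syslog_action_restricted(type)`, so with `grsec_enable_dmesg` set it denies every action that reaches this point, not only the restricted ones, and nothing in the code says this is intended. It also pairs the logging `capable(CAP_SYSLOG)` with `capable_nolog(CAP_SYS_ADMIN)`, and `capable(CAP_SYSLOG)` is evaluated again a few lines below. A comment such as `/* grsec_enable_dmesg: all syslog actions need CAP_SYSLOG or CAP_SYS_ADMIN, restricted or not */` would make the ordering explicit. Whether the first test should also use the `_nolog` variant depends on how `capable()` is instrumented elsewhere in the patch. The function begins outside this hunk.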
69852 diff -urNp linux-2.6.39.3/kernel/profile.c linux-2.6.39.3/kernel/profile.c
69853 --- linux-2.6.39.3/kernel/profile.c 2011-05-19 00:06:34.000000000 -0400
69854 +++ linux-2.6.39.3/kernel/profile.c 2011-05-22 19:36:33.000000000 -0400
69855 @@ -39,7 +39,7 @@ struct profile_hit {
69856 /* Oprofile timer tick hook */
69857 static int (*timer_hook)(struct pt_regs *) __read_mostly;
69858
69859 -static atomic_t *prof_buffer;
69860 +static atomic_unchecked_t *prof_buffer;
69861 static unsigned long prof_len, prof_shift;
69862
69863 int prof_on __read_mostly;
69864 @@ -283,7 +283,7 @@ static void profile_flip_buffers(void)
69865 hits[i].pc = 0;
69866 continue;
69867 }
69868 - atomic_add(hits[i].hits, &prof_buffer[hits[i].pc]);
69869 + atomic_add_unchecked(hits[i].hits, &prof_buffer[hits[i].pc]);
69870 hits[i].hits = hits[i].pc = 0;
69871 }
69872 }
69873 @@ -346,9 +346,9 @@ void profile_hits(int type, void *__pc,
69874 * Add the current hit(s) and flush the write-queue out
69875 * to the global buffer:
69876 */
69877 - atomic_add(nr_hits, &prof_buffer[pc]);
69878 + atomic_add_unchecked(nr_hits, &prof_buffer[pc]);
69879 for (i = 0; i < NR_PROFILE_HIT; ++i) {
69880 - atomic_add(hits[i].hits, &prof_buffer[hits[i].pc]);
69881 + atomic_add_unchecked(hits[i].hits, &prof_buffer[hits[i].pc]);
69882 hits[i].pc = hits[i].hits = 0;
69883 }
69884 out:
69885 @@ -426,7 +426,7 @@ void profile_hits(int type, void *__pc,
69886 if (prof_on != type || !prof_buffer)
69887 return;
69888 pc = ((unsigned long)__pc - (unsigned long)_stext) >> prof_shift;
69889 - atomic_add(nr_hits, &prof_buffer[min(pc, prof_len - 1)]);
69890 + atomic_add_unchecked(nr_hits, &prof_buffer[min(pc, prof_len - 1)]);
69891 }
69892 #endif /* !CONFIG_SMP */
69893 EXPORT_SYMBOL_GPL(profile_hits);
69894 @@ -517,7 +517,7 @@ read_profile(struct file *file, char __u
69895 return -EFAULT;
69896 buf++; p++; count--; read++;
69897 }
69898 - pnt = (char *)prof_buffer + p - sizeof(atomic_t);
69899 + pnt = (char *)prof_buffer + p - sizeof(atomic_unchecked_t);
69900 if (copy_to_user(buf, (void *)pnt, count))
69901 return -EFAULT;
69902 read += count;
69903 @@ -548,7 +548,7 @@ static ssize_t write_profile(struct file
69904 }
69905 #endif
69906 profile_discard_flip_buffers();
69907 - memset(prof_buffer, 0, prof_len * sizeof(atomic_t));
69908 + memset(prof_buffer, 0, prof_len * sizeof(atomic_unchecked_t));
69909 return count;
69910 }
69911
69912 diff -urNp linux-2.6.39.3/kernel/ptrace.c linux-2.6.39.3/kernel/ptrace.c
69913 --- linux-2.6.39.3/kernel/ptrace.c 2011-05-19 00:06:34.000000000 -0400
69914 +++ linux-2.6.39.3/kernel/ptrace.c 2011-05-23 17:07:00.000000000 -0400
69915 @@ -117,7 +117,8 @@ int ptrace_check_attach(struct task_stru
69916 return ret;
69917 }
69918
69919 -int __ptrace_may_access(struct task_struct *task, unsigned int mode)
69920 +static int __ptrace_may_access(struct task_struct *task, unsigned int mode,
69921 + unsigned int log)
69922 {
69923 const struct cred *cred = current_cred(), *tcred;
69924
69925 @@ -143,7 +144,8 @@ int __ptrace_may_access(struct task_stru
69926 cred->gid == tcred->sgid &&
69927 cred->gid == tcred->gid))
69928 goto ok;
69929 - if (ns_capable(tcred->user->user_ns, CAP_SYS_PTRACE))
69930 + if ((!log && ns_capable_nolog(tcred->user->user_ns, CAP_SYS_PTRACE)) ||
69931 + (log && ns_capable(tcred->user->user_ns, CAP_SYS_PTRACE)))
69932 goto ok;
69933 rcu_read_unlock();
69934 return -EPERM;
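Review bot: The condition `(!log && ns_capable_nolog(...)) || (log && ns_capable(...))` spells out a two-way selection as four terms, and the next hunk repeats the same shape, negated, for `task_ns_capable`, which makes both checks hard to verify by eye. A conditional expression reads more directly: `if (log ? ns_capable(tcred->user->user_ns, CAP_SYS_PTRACE) : ns_capable_nolog(tcred->user->user_ns, CAP_SYS_PTRACE))`. The new parameter would also be clearer as `bool log`, with a comment on `__ptrace_may_access` saying what it selects (presumably whether the capability check is recorded). The function's signature and its tail are in neighbouring hunks.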
69935 @@ -152,7 +154,9 @@ ok:
69936 smp_rmb();
69937 if (task->mm)
69938 dumpable = get_dumpable(task->mm);
69939 - if (!dumpable && !task_ns_capable(task, CAP_SYS_PTRACE))
69940 + if (!dumpable &&
69941 + ((!log && !task_ns_capable_nolog(task, CAP_SYS_PTRACE)) ||
69942 + (log && !task_ns_capable(task, CAP_SYS_PTRACE))))
69943 return -EPERM;
69944
69945 return security_ptrace_access_check(task, mode);
69946 @@ -162,7 +166,16 @@ bool ptrace_may_access(struct task_struc
69947 {
69948 int err;
69949 task_lock(task);
69950 - err = __ptrace_may_access(task, mode);
69951 + err = __ptrace_may_access(task, mode, 0);
69952 + task_unlock(task);
69953 + return !err;
69954 +}
69955 +
69956 +bool ptrace_may_access_log(struct task_struct *task, unsigned int mode)
69957 +{
69958 + int err;
69959 + task_lock(task);
69960 + err = __ptrace_may_access(task, mode, 1);
69961 task_unlock(task);
69962 return !err;
69963 }
69964 @@ -189,7 +202,7 @@ static int ptrace_attach(struct task_str
69965 goto out;
69966
69967 task_lock(task);
69968 - retval = __ptrace_may_access(task, PTRACE_MODE_ATTACH);
69969 + retval = __ptrace_may_access(task, PTRACE_MODE_ATTACH, 1);
69970 task_unlock(task);
69971 if (retval)
69972 goto unlock_creds;
69973 @@ -202,7 +215,7 @@ static int ptrace_attach(struct task_str
69974 goto unlock_tasklist;
69975
69976 task->ptrace = PT_PTRACED;
69977 - if (task_ns_capable(task, CAP_SYS_PTRACE))
69978 + if (task_ns_capable_nolog(task, CAP_SYS_PTRACE))
69979 task->ptrace |= PT_PTRACE_CAP;
69980
69981 __ptrace_link(task, current);
69982 @@ -362,6 +375,8 @@ int ptrace_readdata(struct task_struct *
69983 {
69984 int copied = 0;
69985
69986 + pax_track_stack();
69987 +
69988 while (len > 0) {
69989 char buf[128];
69990 int this_len, retval;
69991 @@ -373,7 +388,7 @@ int ptrace_readdata(struct task_struct *
69992 break;
69993 return -EIO;
69994 }
69995 - if (copy_to_user(dst, buf, retval))
69996 + if (retval > sizeof(buf) || copy_to_user(dst, buf, retval))
69997 return -EFAULT;
69998 copied += retval;
69999 src += retval;
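Review bot: The new bound `retval > sizeof(buf)` compares an `int` with a `size_t`, so a negative `retval` is rejected only through the implicit conversion to unsigned. That is the desired outcome, but it should be written out: `if (retval < 0 || (size_t)retval > sizeof(buf) || copy_to_user(dst, buf, retval))`, with a short comment that the check keeps the copy within the 128-byte stack buffer. Returning `-EFAULT` for this case reports a kernel-side inconsistency as a bad user pointer; `-EIO`, which the loop already uses just above, may be the clearer code. The loop begins outside this hunk.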
70000 @@ -387,6 +402,8 @@ int ptrace_writedata(struct task_struct
70001 {
70002 int copied = 0;
70003
70004 + pax_track_stack();
70005 +
70006 while (len > 0) {
70007 char buf[128];
70008 int this_len, retval;
70009 @@ -569,9 +586,11 @@ int ptrace_request(struct task_struct *c
70010 {
70011 int ret = -EIO;
70012 siginfo_t siginfo;
70013 - void __user *datavp = (void __user *) data;
70014 + void __user *datavp = (__force void __user *) data;
70015 unsigned long __user *datalp = datavp;
70016
70017 + pax_track_stack();
70018 +
70019 switch (request) {
70020 case PTRACE_PEEKTEXT:
70021 case PTRACE_PEEKDATA:
70022 @@ -717,14 +736,21 @@ SYSCALL_DEFINE4(ptrace, long, request, l
70023 goto out;
70024 }
70025
70026 + if (gr_handle_ptrace(child, request)) {
70027 + ret = -EPERM;
70028 + goto out_put_task_struct;
70029 + }
70030 +
70031 if (request == PTRACE_ATTACH) {
70032 ret = ptrace_attach(child);
70033 /*
70034 * Some architectures need to do book-keeping after
70035 * a ptrace attach.
70036 */
70037 - if (!ret)
70038 + if (!ret) {
70039 arch_ptrace_attach(child);
70040 + gr_audit_ptrace(child);
70041 + }
70042 goto out_put_task_struct;
70043 }
70044
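Review bot: The `gr_handle_ptrace(child, request)` denial and the `gr_audit_ptrace(child)` call are duplicated line for line in the `compat_sys_ptrace` hunk later in this file, and neither copy has a comment stating what the hook decides or that it runs before `ptrace_attach`. Two hand-maintained copies of a policy check can drift, so each should at least carry a matching comment, e.g. `/* policy hook: applies to PTRACE_ATTACH and every later request; keep in sync with compat_sys_ptrace */`. Note also that the audit call fires only on a successful attach, so denied attempts are recorded only if `gr_handle_ptrace` logs them itself, which is not visible here. Both syscall bodies extend outside their hunks.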
70045 @@ -749,7 +775,7 @@ int generic_ptrace_peekdata(struct task_
70046 copied = access_process_vm(tsk, addr, &tmp, sizeof(tmp), 0);
70047 if (copied != sizeof(tmp))
70048 return -EIO;
70049 - return put_user(tmp, (unsigned long __user *)data);
70050 + return put_user(tmp, (__force unsigned long __user *)data);
70051 }
70052
70053 int generic_ptrace_pokedata(struct task_struct *tsk, unsigned long addr,
70054 @@ -772,6 +798,8 @@ int compat_ptrace_request(struct task_st
70055 siginfo_t siginfo;
70056 int ret;
70057
70058 + pax_track_stack();
70059 +
70060 switch (request) {
70061 case PTRACE_PEEKTEXT:
70062 case PTRACE_PEEKDATA:
70063 @@ -859,14 +887,21 @@ asmlinkage long compat_sys_ptrace(compat
70064 goto out;
70065 }
70066
70067 + if (gr_handle_ptrace(child, request)) {
70068 + ret = -EPERM;
70069 + goto out_put_task_struct;
70070 + }
70071 +
70072 if (request == PTRACE_ATTACH) {
70073 ret = ptrace_attach(child);
70074 /*
70075 * Some architectures need to do book-keeping after
70076 * a ptrace attach.
70077 */
70078 - if (!ret)
70079 + if (!ret) {
70080 arch_ptrace_attach(child);
70081 + gr_audit_ptrace(child);
70082 + }
70083 goto out_put_task_struct;
70084 }
70085
70086 diff -urNp linux-2.6.39.3/kernel/rcutorture.c linux-2.6.39.3/kernel/rcutorture.c
70087 --- linux-2.6.39.3/kernel/rcutorture.c 2011-05-19 00:06:34.000000000 -0400
70088 +++ linux-2.6.39.3/kernel/rcutorture.c 2011-05-22 19:36:33.000000000 -0400
70089 @@ -138,12 +138,12 @@ static DEFINE_PER_CPU(long [RCU_TORTURE_
70090 { 0 };
70091 static DEFINE_PER_CPU(long [RCU_TORTURE_PIPE_LEN + 1], rcu_torture_batch) =
70092 { 0 };
70093 -static atomic_t rcu_torture_wcount[RCU_TORTURE_PIPE_LEN + 1];
70094 -static atomic_t n_rcu_torture_alloc;
70095 -static atomic_t n_rcu_torture_alloc_fail;
70096 -static atomic_t n_rcu_torture_free;
70097 -static atomic_t n_rcu_torture_mberror;
70098 -static atomic_t n_rcu_torture_error;
70099 +static atomic_unchecked_t rcu_torture_wcount[RCU_TORTURE_PIPE_LEN + 1];
70100 +static atomic_unchecked_t n_rcu_torture_alloc;
70101 +static atomic_unchecked_t n_rcu_torture_alloc_fail;
70102 +static atomic_unchecked_t n_rcu_torture_free;
70103 +static atomic_unchecked_t n_rcu_torture_mberror;
70104 +static atomic_unchecked_t n_rcu_torture_error;
70105 static long n_rcu_torture_boost_ktrerror;
70106 static long n_rcu_torture_boost_rterror;
70107 static long n_rcu_torture_boost_allocerror;
70108 @@ -225,11 +225,11 @@ rcu_torture_alloc(void)
70109
70110 spin_lock_bh(&rcu_torture_lock);
70111 if (list_empty(&rcu_torture_freelist)) {
70112 - atomic_inc(&n_rcu_torture_alloc_fail);
70113 + atomic_inc_unchecked(&n_rcu_torture_alloc_fail);
70114 spin_unlock_bh(&rcu_torture_lock);
70115 return NULL;
70116 }
70117 - atomic_inc(&n_rcu_torture_alloc);
70118 + atomic_inc_unchecked(&n_rcu_torture_alloc);
70119 p = rcu_torture_freelist.next;
70120 list_del_init(p);
70121 spin_unlock_bh(&rcu_torture_lock);
70122 @@ -242,7 +242,7 @@ rcu_torture_alloc(void)
70123 static void
70124 rcu_torture_free(struct rcu_torture *p)
70125 {
70126 - atomic_inc(&n_rcu_torture_free);
70127 + atomic_inc_unchecked(&n_rcu_torture_free);
70128 spin_lock_bh(&rcu_torture_lock);
70129 list_add_tail(&p->rtort_free, &rcu_torture_freelist);
70130 spin_unlock_bh(&rcu_torture_lock);
70131 @@ -362,7 +362,7 @@ rcu_torture_cb(struct rcu_head *p)
70132 i = rp->rtort_pipe_count;
70133 if (i > RCU_TORTURE_PIPE_LEN)
70134 i = RCU_TORTURE_PIPE_LEN;
70135 - atomic_inc(&rcu_torture_wcount[i]);
70136 + atomic_inc_unchecked(&rcu_torture_wcount[i]);
70137 if (++rp->rtort_pipe_count >= RCU_TORTURE_PIPE_LEN) {
70138 rp->rtort_mbtest = 0;
70139 rcu_torture_free(rp);
70140 @@ -409,7 +409,7 @@ static void rcu_sync_torture_deferred_fr
70141 i = rp->rtort_pipe_count;
70142 if (i > RCU_TORTURE_PIPE_LEN)
70143 i = RCU_TORTURE_PIPE_LEN;
70144 - atomic_inc(&rcu_torture_wcount[i]);
70145 + atomic_inc_unchecked(&rcu_torture_wcount[i]);
70146 if (++rp->rtort_pipe_count >= RCU_TORTURE_PIPE_LEN) {
70147 rp->rtort_mbtest = 0;
70148 list_del(&rp->rtort_free);
70149 @@ -882,7 +882,7 @@ rcu_torture_writer(void *arg)
70150 i = old_rp->rtort_pipe_count;
70151 if (i > RCU_TORTURE_PIPE_LEN)
70152 i = RCU_TORTURE_PIPE_LEN;
70153 - atomic_inc(&rcu_torture_wcount[i]);
70154 + atomic_inc_unchecked(&rcu_torture_wcount[i]);
70155 old_rp->rtort_pipe_count++;
70156 cur_ops->deferred_free(old_rp);
70157 }
70158 @@ -951,7 +951,7 @@ static void rcu_torture_timer(unsigned l
70159 return;
70160 }
70161 if (p->rtort_mbtest == 0)
70162 - atomic_inc(&n_rcu_torture_mberror);
70163 + atomic_inc_unchecked(&n_rcu_torture_mberror);
70164 spin_lock(&rand_lock);
70165 cur_ops->read_delay(&rand);
70166 n_rcu_torture_timers++;
70167 @@ -1013,7 +1013,7 @@ rcu_torture_reader(void *arg)
70168 continue;
70169 }
70170 if (p->rtort_mbtest == 0)
70171 - atomic_inc(&n_rcu_torture_mberror);
70172 + atomic_inc_unchecked(&n_rcu_torture_mberror);
70173 cur_ops->read_delay(&rand);
70174 preempt_disable();
70175 pipe_count = p->rtort_pipe_count;
70176 @@ -1072,10 +1072,10 @@ rcu_torture_printk(char *page)
70177 rcu_torture_current,
70178 rcu_torture_current_version,
70179 list_empty(&rcu_torture_freelist),
70180 - atomic_read(&n_rcu_torture_alloc),
70181 - atomic_read(&n_rcu_torture_alloc_fail),
70182 - atomic_read(&n_rcu_torture_free),
70183 - atomic_read(&n_rcu_torture_mberror),
70184 + atomic_read_unchecked(&n_rcu_torture_alloc),
70185 + atomic_read_unchecked(&n_rcu_torture_alloc_fail),
70186 + atomic_read_unchecked(&n_rcu_torture_free),
70187 + atomic_read_unchecked(&n_rcu_torture_mberror),
70188 n_rcu_torture_boost_ktrerror,
70189 n_rcu_torture_boost_rterror,
70190 n_rcu_torture_boost_allocerror,
70191 @@ -1083,7 +1083,7 @@ rcu_torture_printk(char *page)
70192 n_rcu_torture_boost_failure,
70193 n_rcu_torture_boosts,
70194 n_rcu_torture_timers);
70195 - if (atomic_read(&n_rcu_torture_mberror) != 0 ||
70196 + if (atomic_read_unchecked(&n_rcu_torture_mberror) != 0 ||
70197 n_rcu_torture_boost_ktrerror != 0 ||
70198 n_rcu_torture_boost_rterror != 0 ||
70199 n_rcu_torture_boost_allocerror != 0 ||
70200 @@ -1093,7 +1093,7 @@ rcu_torture_printk(char *page)
70201 cnt += sprintf(&page[cnt], "\n%s%s ", torture_type, TORTURE_FLAG);
70202 if (i > 1) {
70203 cnt += sprintf(&page[cnt], "!!! ");
70204 - atomic_inc(&n_rcu_torture_error);
70205 + atomic_inc_unchecked(&n_rcu_torture_error);
70206 WARN_ON_ONCE(1);
70207 }
70208 cnt += sprintf(&page[cnt], "Reader Pipe: ");
70209 @@ -1107,7 +1107,7 @@ rcu_torture_printk(char *page)
70210 cnt += sprintf(&page[cnt], "Free-Block Circulation: ");
70211 for (i = 0; i < RCU_TORTURE_PIPE_LEN + 1; i++) {
70212 cnt += sprintf(&page[cnt], " %d",
70213 - atomic_read(&rcu_torture_wcount[i]));
70214 + atomic_read_unchecked(&rcu_torture_wcount[i]));
70215 }
70216 cnt += sprintf(&page[cnt], "\n");
70217 if (cur_ops->stats)
70218 @@ -1415,7 +1415,7 @@ rcu_torture_cleanup(void)
70219
70220 if (cur_ops->cleanup)
70221 cur_ops->cleanup();
70222 - if (atomic_read(&n_rcu_torture_error))
70223 + if (atomic_read_unchecked(&n_rcu_torture_error))
70224 rcu_torture_print_module_parms(cur_ops, "End of test: FAILURE");
70225 else
70226 rcu_torture_print_module_parms(cur_ops, "End of test: SUCCESS");
70227 @@ -1479,11 +1479,11 @@ rcu_torture_init(void)
70228
70229 rcu_torture_current = NULL;
70230 rcu_torture_current_version = 0;
70231 - atomic_set(&n_rcu_torture_alloc, 0);
70232 - atomic_set(&n_rcu_torture_alloc_fail, 0);
70233 - atomic_set(&n_rcu_torture_free, 0);
70234 - atomic_set(&n_rcu_torture_mberror, 0);
70235 - atomic_set(&n_rcu_torture_error, 0);
70236 + atomic_set_unchecked(&n_rcu_torture_alloc, 0);
70237 + atomic_set_unchecked(&n_rcu_torture_alloc_fail, 0);
70238 + atomic_set_unchecked(&n_rcu_torture_free, 0);
70239 + atomic_set_unchecked(&n_rcu_torture_mberror, 0);
70240 + atomic_set_unchecked(&n_rcu_torture_error, 0);
70241 n_rcu_torture_boost_ktrerror = 0;
70242 n_rcu_torture_boost_rterror = 0;
70243 n_rcu_torture_boost_allocerror = 0;
70244 @@ -1491,7 +1491,7 @@ rcu_torture_init(void)
70245 n_rcu_torture_boost_failure = 0;
70246 n_rcu_torture_boosts = 0;
70247 for (i = 0; i < RCU_TORTURE_PIPE_LEN + 1; i++)
70248 - atomic_set(&rcu_torture_wcount[i], 0);
70249 + atomic_set_unchecked(&rcu_torture_wcount[i], 0);
70250 for_each_possible_cpu(cpu) {
70251 for (i = 0; i < RCU_TORTURE_PIPE_LEN + 1; i++) {
70252 per_cpu(rcu_torture_count, cpu)[i] = 0;
70253 diff -urNp linux-2.6.39.3/kernel/rcutree.c linux-2.6.39.3/kernel/rcutree.c
70254 --- linux-2.6.39.3/kernel/rcutree.c 2011-05-19 00:06:34.000000000 -0400
70255 +++ linux-2.6.39.3/kernel/rcutree.c 2011-05-22 19:36:33.000000000 -0400
70256 @@ -1389,7 +1389,7 @@ __rcu_process_callbacks(struct rcu_state
70257 /*
70258 * Do softirq processing for the current CPU.
70259 */
70260 -static void rcu_process_callbacks(struct softirq_action *unused)
70261 +static void rcu_process_callbacks(void)
70262 {
70263 /*
70264 * Memory references from any prior RCU read-side critical sections
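Review bot: Dropping the `struct softirq_action *unused` parameter changes the type of a function that is registered as a softirq handler, so the handler type expected at the registration site has to change in the same patch; that site is not in this hunk. If the two do not agree, the handler is called through an incompatible function pointer type. Once confirmed, a brief comment on the function would record the dependency, e.g. `/* no argument: softirq handlers take void in this tree */`. The function body continues outside the hunk.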
70265 diff -urNp linux-2.6.39.3/kernel/rcutree_plugin.h linux-2.6.39.3/kernel/rcutree_plugin.h
70266 --- linux-2.6.39.3/kernel/rcutree_plugin.h 2011-05-19 00:06:34.000000000 -0400
70267 +++ linux-2.6.39.3/kernel/rcutree_plugin.h 2011-05-22 19:36:33.000000000 -0400
70268 @@ -730,7 +730,7 @@ void synchronize_rcu_expedited(void)
70269
70270 /* Clean up and exit. */
70271 smp_mb(); /* ensure expedited GP seen before counter increment. */
70272 - ACCESS_ONCE(sync_rcu_preempt_exp_count)++;
70273 + ACCESS_ONCE_RW(sync_rcu_preempt_exp_count)++;
70274 unlock_mb_ret:
70275 mutex_unlock(&sync_rcu_preempt_exp_mutex);
70276 mb_ret:
70277 @@ -1025,8 +1025,8 @@ EXPORT_SYMBOL_GPL(synchronize_sched_expe
70278
70279 #else /* #ifndef CONFIG_SMP */
70280
70281 -static atomic_t sync_sched_expedited_started = ATOMIC_INIT(0);
70282 -static atomic_t sync_sched_expedited_done = ATOMIC_INIT(0);
70283 +static atomic_unchecked_t sync_sched_expedited_started = ATOMIC_INIT(0);
70284 +static atomic_unchecked_t sync_sched_expedited_done = ATOMIC_INIT(0);
70285
70286 static int synchronize_sched_expedited_cpu_stop(void *data)
70287 {
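Review bot: `sync_sched_expedited_started` and `sync_sched_expedited_done` become `atomic_unchecked_t` without a comment saying why they are exempt from the checked type. The later hunks in this file compare them with `UINT_CMP_GE((unsigned)s, (unsigned)snap)`, which suggests they are sequence counters that are expected to wrap. Suggested comment above the two declarations: `/* sequence counters compared modulo 2^32; wraparound is expected */`. Both are still initialised with `ATOMIC_INIT(0)`, which relies on the unchecked type sharing `atomic_t`'s layout; that definition is elsewhere in the patch.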
70288 @@ -1081,7 +1081,7 @@ void synchronize_sched_expedited(void)
70289 int firstsnap, s, snap, trycount = 0;
70290
70291 /* Note that atomic_inc_return() implies full memory barrier. */
70292 - firstsnap = snap = atomic_inc_return(&sync_sched_expedited_started);
70293 + firstsnap = snap = atomic_inc_return_unchecked(&sync_sched_expedited_started);
70294 get_online_cpus();
70295
70296 /*
70297 @@ -1102,7 +1102,7 @@ void synchronize_sched_expedited(void)
70298 }
70299
70300 /* Check to see if someone else did our work for us. */
70301 - s = atomic_read(&sync_sched_expedited_done);
70302 + s = atomic_read_unchecked(&sync_sched_expedited_done);
70303 if (UINT_CMP_GE((unsigned)s, (unsigned)firstsnap)) {
70304 smp_mb(); /* ensure test happens before caller kfree */
70305 return;
70306 @@ -1117,7 +1117,7 @@ void synchronize_sched_expedited(void)
70307 * grace period works for us.
70308 */
70309 get_online_cpus();
70310 - snap = atomic_read(&sync_sched_expedited_started) - 1;
70311 + snap = atomic_read_unchecked(&sync_sched_expedited_started) - 1;
70312 smp_mb(); /* ensure read is before try_stop_cpus(). */
70313 }
70314
70315 @@ -1128,12 +1128,12 @@ void synchronize_sched_expedited(void)
70316 * than we did beat us to the punch.
70317 */
70318 do {
70319 - s = atomic_read(&sync_sched_expedited_done);
70320 + s = atomic_read_unchecked(&sync_sched_expedited_done);
70321 if (UINT_CMP_GE((unsigned)s, (unsigned)snap)) {
70322 smp_mb(); /* ensure test happens before caller kfree */
70323 break;
70324 }
70325 - } while (atomic_cmpxchg(&sync_sched_expedited_done, s, snap) != s);
70326 + } while (atomic_cmpxchg_unchecked(&sync_sched_expedited_done, s, snap) != s);
70327
70328 put_online_cpus();
70329 }
70330 diff -urNp linux-2.6.39.3/kernel/relay.c linux-2.6.39.3/kernel/relay.c
70331 --- linux-2.6.39.3/kernel/relay.c 2011-05-19 00:06:34.000000000 -0400
70332 +++ linux-2.6.39.3/kernel/relay.c 2011-05-22 19:36:33.000000000 -0400
70333 @@ -1236,6 +1236,8 @@ static ssize_t subbuf_splice_actor(struc
70334 };
70335 ssize_t ret;
70336
70337 + pax_track_stack();
70338 +
70339 if (rbuf->subbufs_produced == rbuf->subbufs_consumed)
70340 return 0;
70341 if (splice_grow_spd(pipe, &spd))
70342 diff -urNp linux-2.6.39.3/kernel/resource.c linux-2.6.39.3/kernel/resource.c
70343 --- linux-2.6.39.3/kernel/resource.c 2011-05-19 00:06:34.000000000 -0400
70344 +++ linux-2.6.39.3/kernel/resource.c 2011-05-22 19:41:42.000000000 -0400
70345 @@ -133,8 +133,18 @@ static const struct file_operations proc
70346
70347 static int __init ioresources_init(void)
70348 {
70349 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
70350 +#ifdef CONFIG_GRKERNSEC_PROC_USER
70351 + proc_create("ioports", S_IRUSR, NULL, &proc_ioports_operations);
70352 + proc_create("iomem", S_IRUSR, NULL, &proc_iomem_operations);
70353 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
70354 + proc_create("ioports", S_IRUSR | S_IRGRP, NULL, &proc_ioports_operations);
70355 + proc_create("iomem", S_IRUSR | S_IRGRP, NULL, &proc_iomem_operations);
70356 +#endif
70357 +#else
70358 proc_create("ioports", 0, NULL, &proc_ioports_operations);
70359 proc_create("iomem", 0, NULL, &proc_iomem_operations);
70360 +#endif
70361 return 0;
70362 }
70363 __initcall(ioresources_init);
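Review bot: With CONFIG_GRKERNSEC_PROC_ADD set but neither CONFIG_GRKERNSEC_PROC_USER nor CONFIG_GRKERNSEC_PROC_USERGROUP defined, the inner `#ifdef`/`#elif` chain in ioresources_init() has no fallback, so neither `ioports` nor `iomem` is created. If Kconfig makes that combination impossible (not visible here), state it in the code by adding `#else` and `#error "GRKERNSEC_PROC_ADD needs PROC_USER or PROC_USERGROUP"` before the inner `#endif`. Otherwise add a restrictive default there, such as the `S_IRUSR` pair.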
70364 diff -urNp linux-2.6.39.3/kernel/rtmutex-tester.c linux-2.6.39.3/kernel/rtmutex-tester.c
70365 --- linux-2.6.39.3/kernel/rtmutex-tester.c 2011-05-19 00:06:34.000000000 -0400
70366 +++ linux-2.6.39.3/kernel/rtmutex-tester.c 2011-05-22 19:36:33.000000000 -0400
70367 @@ -20,7 +20,7 @@
70368 #define MAX_RT_TEST_MUTEXES 8
70369
70370 static spinlock_t rttest_lock;
70371 -static atomic_t rttest_event;
70372 +static atomic_unchecked_t rttest_event;
70373
70374 struct test_thread_data {
70375 int opcode;
70376 @@ -61,7 +61,7 @@ static int handle_op(struct test_thread_
70377
70378 case RTTEST_LOCKCONT:
70379 td->mutexes[td->opdata] = 1;
70380 - td->event = atomic_add_return(1, &rttest_event);
70381 + td->event = atomic_add_return_unchecked(1, &rttest_event);
70382 return 0;
70383
70384 case RTTEST_RESET:
70385 @@ -74,7 +74,7 @@ static int handle_op(struct test_thread_
70386 return 0;
70387
70388 case RTTEST_RESETEVENT:
70389 - atomic_set(&rttest_event, 0);
70390 + atomic_set_unchecked(&rttest_event, 0);
70391 return 0;
70392
70393 default:
70394 @@ -91,9 +91,9 @@ static int handle_op(struct test_thread_
70395 return ret;
70396
70397 td->mutexes[id] = 1;
70398 - td->event = atomic_add_return(1, &rttest_event);
70399 + td->event = atomic_add_return_unchecked(1, &rttest_event);
70400 rt_mutex_lock(&mutexes[id]);
70401 - td->event = atomic_add_return(1, &rttest_event);
70402 + td->event = atomic_add_return_unchecked(1, &rttest_event);
70403 td->mutexes[id] = 4;
70404 return 0;
70405
70406 @@ -104,9 +104,9 @@ static int handle_op(struct test_thread_
70407 return ret;
70408
70409 td->mutexes[id] = 1;
70410 - td->event = atomic_add_return(1, &rttest_event);
70411 + td->event = atomic_add_return_unchecked(1, &rttest_event);
70412 ret = rt_mutex_lock_interruptible(&mutexes[id], 0);
70413 - td->event = atomic_add_return(1, &rttest_event);
70414 + td->event = atomic_add_return_unchecked(1, &rttest_event);
70415 td->mutexes[id] = ret ? 0 : 4;
70416 return ret ? -EINTR : 0;
70417
70418 @@ -115,9 +115,9 @@ static int handle_op(struct test_thread_
70419 if (id < 0 || id >= MAX_RT_TEST_MUTEXES || td->mutexes[id] != 4)
70420 return ret;
70421
70422 - td->event = atomic_add_return(1, &rttest_event);
70423 + td->event = atomic_add_return_unchecked(1, &rttest_event);
70424 rt_mutex_unlock(&mutexes[id]);
70425 - td->event = atomic_add_return(1, &rttest_event);
70426 + td->event = atomic_add_return_unchecked(1, &rttest_event);
70427 td->mutexes[id] = 0;
70428 return 0;
70429
70430 @@ -164,7 +164,7 @@ void schedule_rt_mutex_test(struct rt_mu
70431 break;
70432
70433 td->mutexes[dat] = 2;
70434 - td->event = atomic_add_return(1, &rttest_event);
70435 + td->event = atomic_add_return_unchecked(1, &rttest_event);
70436 break;
70437
70438 default:
70439 @@ -184,7 +184,7 @@ void schedule_rt_mutex_test(struct rt_mu
70440 return;
70441
70442 td->mutexes[dat] = 3;
70443 - td->event = atomic_add_return(1, &rttest_event);
70444 + td->event = atomic_add_return_unchecked(1, &rttest_event);
70445 break;
70446
70447 case RTTEST_LOCKNOWAIT:
70448 @@ -196,7 +196,7 @@ void schedule_rt_mutex_test(struct rt_mu
70449 return;
70450
70451 td->mutexes[dat] = 1;
70452 - td->event = atomic_add_return(1, &rttest_event);
70453 + td->event = atomic_add_return_unchecked(1, &rttest_event);
70454 return;
70455
70456 default:
70457 diff -urNp linux-2.6.39.3/kernel/sched_autogroup.c linux-2.6.39.3/kernel/sched_autogroup.c
70458 --- linux-2.6.39.3/kernel/sched_autogroup.c 2011-05-19 00:06:34.000000000 -0400
70459 +++ linux-2.6.39.3/kernel/sched_autogroup.c 2011-05-22 19:36:33.000000000 -0400
70460 @@ -7,7 +7,7 @@
70461
70462 unsigned int __read_mostly sysctl_sched_autogroup_enabled = 1;
70463 static struct autogroup autogroup_default;
70464 -static atomic_t autogroup_seq_nr;
70465 +static atomic_unchecked_t autogroup_seq_nr;
70466
70467 static void __init autogroup_init(struct task_struct *init_task)
70468 {
70469 @@ -78,7 +78,7 @@ static inline struct autogroup *autogrou
70470
70471 kref_init(&ag->kref);
70472 init_rwsem(&ag->lock);
70473 - ag->id = atomic_inc_return(&autogroup_seq_nr);
70474 + ag->id = atomic_inc_return_unchecked(&autogroup_seq_nr);
70475 ag->tg = tg;
70476 #ifdef CONFIG_RT_GROUP_SCHED
70477 /*
70478 diff -urNp linux-2.6.39.3/kernel/sched.c linux-2.6.39.3/kernel/sched.c
70479 --- linux-2.6.39.3/kernel/sched.c 2011-05-19 00:06:34.000000000 -0400
70480 +++ linux-2.6.39.3/kernel/sched.c 2011-05-23 17:07:00.000000000 -0400
70481 @@ -4078,6 +4078,8 @@ asmlinkage void __sched schedule(void)
70482 struct rq *rq;
70483 int cpu;
70484
70485 + pax_track_stack();
70486 +
70487 need_resched:
70488 preempt_disable();
70489 cpu = smp_processor_id();
70490 @@ -4165,7 +4167,7 @@ EXPORT_SYMBOL(schedule);
70491 * Look out! "owner" is an entirely speculative pointer
70492 * access and not reliable.
70493 */
70494 -int mutex_spin_on_owner(struct mutex *lock, struct thread_info *owner)
70495 +int mutex_spin_on_owner(struct mutex *lock, struct task_struct *owner)
70496 {
70497 unsigned int cpu;
70498 struct rq *rq;
70499 @@ -4179,10 +4181,10 @@ int mutex_spin_on_owner(struct mutex *lo
70500 * DEBUG_PAGEALLOC could have unmapped it if
70501 * the mutex owner just released it and exited.
70502 */
70503 - if (probe_kernel_address(&owner->cpu, cpu))
70504 + if (probe_kernel_address(&task_thread_info(owner)->cpu, cpu))
70505 return 0;
70506 #else
70507 - cpu = owner->cpu;
70508 + cpu = task_thread_info(owner)->cpu;
70509 #endif
70510
70511 /*
70512 @@ -4219,7 +4221,7 @@ int mutex_spin_on_owner(struct mutex *lo
70513 /*
70514 * Is that owner really running on that cpu?
70515 */
70516 - if (task_thread_info(rq->curr) != owner || need_resched())
70517 + if (rq->curr != owner || need_resched())
70518 return 0;
70519
70520 arch_mutex_cpu_relax();
70521 @@ -4778,6 +4780,8 @@ int can_nice(const struct task_struct *p
70522 /* convert nice value [19,-20] to rlimit style value [1,40] */
70523 int nice_rlim = 20 - nice;
70524
70525 + gr_learn_resource(p, RLIMIT_NICE, nice_rlim, 1);
70526 +
70527 return (nice_rlim <= task_rlimit(p, RLIMIT_NICE) ||
70528 capable(CAP_SYS_NICE));
70529 }
70530 @@ -4811,7 +4815,8 @@ SYSCALL_DEFINE1(nice, int, increment)
70531 if (nice > 19)
70532 nice = 19;
70533
70534 - if (increment < 0 && !can_nice(current, nice))
70535 + if (increment < 0 && (!can_nice(current, nice) ||
70536 + gr_handle_chroot_nice()))
70537 return -EPERM;
70538
70539 retval = security_task_setnice(current, nice);
70540 @@ -4957,6 +4962,7 @@ recheck:
70541 unsigned long rlim_rtprio =
70542 task_rlimit(p, RLIMIT_RTPRIO);
70543
70544 + gr_learn_resource(p, RLIMIT_RTPRIO, param->sched_priority, 1);
70545 /* can't set/change the rt policy */
70546 if (policy != p->policy && !rlim_rtprio)
70547 return -EPERM;
70548 @@ -7164,7 +7170,7 @@ static void init_sched_groups_power(int
70549 long power;
70550 int weight;
70551
70552 - WARN_ON(!sd || !sd->groups);
70553 + BUG_ON(!sd || !sd->groups);
70554
70555 if (cpu != group_first_cpu(sd->groups))
70556 return;
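Review bot: The change from `WARN_ON` to `BUG_ON` in init_sched_groups_power() carries no comment saying why halting is preferred to warning. The next visible statement dereferences `sd->groups`, so the intent is presumably to stop before a NULL dereference rather than warn and then fault. A one-line comment would record that: `/* sd->groups is dereferenced just below; stop here instead of warning and faulting */`. The function body continues outside the hunk.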
70557 diff -urNp linux-2.6.39.3/kernel/sched_fair.c linux-2.6.39.3/kernel/sched_fair.c
70558 --- linux-2.6.39.3/kernel/sched_fair.c 2011-05-19 00:06:34.000000000 -0400
70559 +++ linux-2.6.39.3/kernel/sched_fair.c 2011-05-22 19:36:33.000000000 -0400
70560 @@ -3999,7 +3999,7 @@ static void nohz_idle_balance(int this_c
70561 * run_rebalance_domains is triggered when needed from the scheduler tick.
70562 * Also triggered for nohz idle balancing (with nohz_balancing_kick set).
70563 */
70564 -static void run_rebalance_domains(struct softirq_action *h)
70565 +static void run_rebalance_domains(void)
70566 {
70567 int this_cpu = smp_processor_id();
70568 struct rq *this_rq = cpu_rq(this_cpu);
70569 diff -urNp linux-2.6.39.3/kernel/signal.c linux-2.6.39.3/kernel/signal.c
70570 --- linux-2.6.39.3/kernel/signal.c 2011-05-19 00:06:34.000000000 -0400
70571 +++ linux-2.6.39.3/kernel/signal.c 2011-05-23 17:07:00.000000000 -0400
70572 @@ -45,12 +45,12 @@ static struct kmem_cache *sigqueue_cache
70573
70574 int print_fatal_signals __read_mostly;
70575
70576 -static void __user *sig_handler(struct task_struct *t, int sig)
70577 +static __sighandler_t sig_handler(struct task_struct *t, int sig)
70578 {
70579 return t->sighand->action[sig - 1].sa.sa_handler;
70580 }
70581
70582 -static int sig_handler_ignored(void __user *handler, int sig)
70583 +static int sig_handler_ignored(__sighandler_t handler, int sig)
70584 {
70585 /* Is it explicitly or implicitly ignored? */
70586 return handler == SIG_IGN ||
70587 @@ -60,7 +60,7 @@ static int sig_handler_ignored(void __us
70588 static int sig_task_ignored(struct task_struct *t, int sig,
70589 int from_ancestor_ns)
70590 {
70591 - void __user *handler;
70592 + __sighandler_t handler;
70593
70594 handler = sig_handler(t, sig);
70595
70596 @@ -243,6 +243,9 @@ __sigqueue_alloc(int sig, struct task_st
70597 atomic_inc(&user->sigpending);
70598 rcu_read_unlock();
70599
70600 + if (!override_rlimit)
70601 + gr_learn_resource(t, RLIMIT_SIGPENDING, atomic_read(&user->sigpending), 1);
70602 +
70603 if (override_rlimit ||
70604 atomic_read(&user->sigpending) <=
70605 task_rlimit(t, RLIMIT_SIGPENDING)) {
70606 @@ -367,7 +370,7 @@ flush_signal_handlers(struct task_struct
70607
70608 int unhandled_signal(struct task_struct *tsk, int sig)
70609 {
70610 - void __user *handler = tsk->sighand->action[sig-1].sa.sa_handler;
70611 + __sighandler_t handler = tsk->sighand->action[sig-1].sa.sa_handler;
70612 if (is_global_init(tsk))
70613 return 1;
70614 if (handler != SIG_IGN && handler != SIG_DFL)
70615 @@ -693,6 +696,9 @@ static int check_kill_permission(int sig
70616 }
70617 }
70618
70619 + if (gr_handle_signal(t, sig))
70620 + return -EPERM;
70621 +
70622 return security_task_kill(t, info, sig, 0);
70623 }
70624
70625 @@ -1041,7 +1047,7 @@ __group_send_sig_info(int sig, struct si
70626 return send_signal(sig, info, p, 1);
70627 }
70628
70629 -static int
70630 +int
70631 specific_send_sig_info(int sig, struct siginfo *info, struct task_struct *t)
70632 {
70633 return send_signal(sig, info, t, 0);
70634 @@ -1078,6 +1084,7 @@ force_sig_info(int sig, struct siginfo *
70635 unsigned long int flags;
70636 int ret, blocked, ignored;
70637 struct k_sigaction *action;
70638 + int is_unhandled = 0;
70639
70640 spin_lock_irqsave(&t->sighand->siglock, flags);
70641 action = &t->sighand->action[sig-1];
70642 @@ -1092,9 +1099,18 @@ force_sig_info(int sig, struct siginfo *
70643 }
70644 if (action->sa.sa_handler == SIG_DFL)
70645 t->signal->flags &= ~SIGNAL_UNKILLABLE;
70646 + if (action->sa.sa_handler == SIG_IGN || action->sa.sa_handler == SIG_DFL)
70647 + is_unhandled = 1;
70648 ret = specific_send_sig_info(sig, info, t);
70649 spin_unlock_irqrestore(&t->sighand->siglock, flags);
70650
70651 + /* only deal with unhandled signals, java etc trigger SIGSEGV during
70652 + normal operation */
70653 + if (is_unhandled) {
70654 + gr_log_signal(sig, !is_si_special(info) ? info->si_addr : NULL, t);
70655 + gr_handle_crash(t, sig);
70656 + }
70657 +
70658 return ret;
70659 }
70660
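Review bot: `info->si_addr` is handed to gr_log_signal() for every non-special siginfo, but si_addr is only meaningful for fault-type signals; for other signals the same union bytes hold different fields, so the logged address can be misleading. The same expression is used in the group_send_sig_info() hunk that follows, where user-sent signals are the common case. Unless gr_log_signal() (not visible here) filters on `sig` before using the address, pass NULL for non-fault signals. If it does filter, say so at the call site: `/* si_addr is only valid for fault signals; gr_log_signal() ignores it for others */`.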
70661 @@ -1153,8 +1169,11 @@ int group_send_sig_info(int sig, struct
70662 ret = check_kill_permission(sig, info, p);
70663 rcu_read_unlock();
70664
70665 - if (!ret && sig)
70666 + if (!ret && sig) {
70667 ret = do_send_sig_info(sig, info, p, true);
70668 + if (!ret)
70669 + gr_log_signal(sig, !is_si_special(info) ? info->si_addr : NULL, p);
70670 + }
70671
70672 return ret;
70673 }
70674 @@ -1718,6 +1737,8 @@ void ptrace_notify(int exit_code)
70675 {
70676 siginfo_t info;
70677
70678 + pax_track_stack();
70679 +
70680 BUG_ON((exit_code & (0x7f | ~0xffff)) != SIGTRAP);
70681
70682 memset(&info, 0, sizeof info);
70683 diff -urNp linux-2.6.39.3/kernel/smp.c linux-2.6.39.3/kernel/smp.c
70684 --- linux-2.6.39.3/kernel/smp.c 2011-05-19 00:06:34.000000000 -0400
70685 +++ linux-2.6.39.3/kernel/smp.c 2011-05-22 19:36:33.000000000 -0400
70686 @@ -583,22 +583,22 @@ int smp_call_function(smp_call_func_t fu
70687 }
70688 EXPORT_SYMBOL(smp_call_function);
70689
70690 -void ipi_call_lock(void)
70691 +void ipi_call_lock(void) __acquires(call_function.lock)
70692 {
70693 raw_spin_lock(&call_function.lock);
70694 }
70695
70696 -void ipi_call_unlock(void)
70697 +void ipi_call_unlock(void) __releases(call_function.lock)
70698 {
70699 raw_spin_unlock(&call_function.lock);
70700 }
70701
70702 -void ipi_call_lock_irq(void)
70703 +void ipi_call_lock_irq(void) __acquires(call_function.lock)
70704 {
70705 raw_spin_lock_irq(&call_function.lock);
70706 }
70707
70708 -void ipi_call_unlock_irq(void)
70709 +void ipi_call_unlock_irq(void) __releases(call_function.lock)
70710 {
70711 raw_spin_unlock_irq(&call_function.lock);
70712 }
70713 diff -urNp linux-2.6.39.3/kernel/softirq.c linux-2.6.39.3/kernel/softirq.c
70714 --- linux-2.6.39.3/kernel/softirq.c 2011-05-19 00:06:34.000000000 -0400
70715 +++ linux-2.6.39.3/kernel/softirq.c 2011-05-22 19:36:33.000000000 -0400
70716 @@ -56,7 +56,7 @@ static struct softirq_action softirq_vec
70717
70718 DEFINE_PER_CPU(struct task_struct *, ksoftirqd);
70719
70720 -char *softirq_to_name[NR_SOFTIRQS] = {
70721 +const char * const softirq_to_name[NR_SOFTIRQS] = {
70722 "HI", "TIMER", "NET_TX", "NET_RX", "BLOCK", "BLOCK_IOPOLL",
70723 "TASKLET", "SCHED", "HRTIMER", "RCU"
70724 };
70725 @@ -206,7 +206,7 @@ EXPORT_SYMBOL(local_bh_enable_ip);
70726
70727 asmlinkage void __do_softirq(void)
70728 {
70729 - struct softirq_action *h;
70730 + const struct softirq_action *h;
70731 __u32 pending;
70732 int max_restart = MAX_SOFTIRQ_RESTART;
70733 int cpu;
70734 @@ -235,7 +235,7 @@ restart:
70735 kstat_incr_softirqs_this_cpu(vec_nr);
70736
70737 trace_softirq_entry(vec_nr);
70738 - h->action(h);
70739 + h->action();
70740 trace_softirq_exit(vec_nr);
70741 if (unlikely(prev_count != preempt_count())) {
70742 printk(KERN_ERR "huh, entered softirq %u %s %p"
70743 @@ -377,7 +377,7 @@ void raise_softirq(unsigned int nr)
70744 local_irq_restore(flags);
70745 }
70746
70747 -void open_softirq(int nr, void (*action)(struct softirq_action *))
70748 +void open_softirq(int nr, void (*action)(void))
70749 {
70750 softirq_vec[nr].action = action;
70751 }
70752 @@ -433,7 +433,7 @@ void __tasklet_hi_schedule_first(struct
70753
70754 EXPORT_SYMBOL(__tasklet_hi_schedule_first);
70755
70756 -static void tasklet_action(struct softirq_action *a)
70757 +static void tasklet_action(void)
70758 {
70759 struct tasklet_struct *list;
70760
70761 @@ -468,7 +468,7 @@ static void tasklet_action(struct softir
70762 }
70763 }
70764
70765 -static void tasklet_hi_action(struct softirq_action *a)
70766 +static void tasklet_hi_action(void)
70767 {
70768 struct tasklet_struct *list;
70769
70770 diff -urNp linux-2.6.39.3/kernel/sys.c linux-2.6.39.3/kernel/sys.c
70771 --- linux-2.6.39.3/kernel/sys.c 2011-05-19 00:06:34.000000000 -0400
70772 +++ linux-2.6.39.3/kernel/sys.c 2011-05-22 21:08:10.000000000 -0400
70773 @@ -154,6 +154,12 @@ static int set_one_prio(struct task_stru
70774 error = -EACCES;
70775 goto out;
70776 }
70777 +
70778 + if (gr_handle_chroot_setpriority(p, niceval)) {
70779 + error = -EACCES;
70780 + goto out;
70781 + }
70782 +
70783 no_nice = security_task_setnice(p, niceval);
70784 if (no_nice) {
70785 error = no_nice;
70786 @@ -538,6 +544,9 @@ SYSCALL_DEFINE2(setregid, gid_t, rgid, g
70787 goto error;
70788 }
70789
70790 + if (gr_check_group_change(new->gid, new->egid, -1))
70791 + goto error;
70792 +
70793 if (rgid != (gid_t) -1 ||
70794 (egid != (gid_t) -1 && egid != old->gid))
70795 new->sgid = new->egid;
70796 @@ -567,6 +576,10 @@ SYSCALL_DEFINE1(setgid, gid_t, gid)
70797 old = current_cred();
70798
70799 retval = -EPERM;
70800 +
70801 + if (gr_check_group_change(gid, gid, gid))
70802 + goto error;
70803 +
70804 if (nsown_capable(CAP_SETGID))
70805 new->gid = new->egid = new->sgid = new->fsgid = gid;
70806 else if (gid == old->gid || gid == old->sgid)
70807 @@ -647,6 +660,9 @@ SYSCALL_DEFINE2(setreuid, uid_t, ruid, u
70808 goto error;
70809 }
70810
70811 + if (gr_check_user_change(new->uid, new->euid, -1))
70812 + goto error;
70813 +
70814 if (new->uid != old->uid) {
70815 retval = set_user(new);
70816 if (retval < 0)
70817 @@ -691,6 +707,12 @@ SYSCALL_DEFINE1(setuid, uid_t, uid)
70818 old = current_cred();
70819
70820 retval = -EPERM;
70821 +
70822 + if (gr_check_crash_uid(uid))
70823 + goto error;
70824 + if (gr_check_user_change(uid, uid, uid))
70825 + goto error;
70826 +
70827 if (nsown_capable(CAP_SETUID)) {
70828 new->suid = new->uid = uid;
70829 if (uid != old->uid) {
70830 @@ -745,6 +767,9 @@ SYSCALL_DEFINE3(setresuid, uid_t, ruid,
70831 goto error;
70832 }
70833
70834 + if (gr_check_user_change(ruid, euid, -1))
70835 + goto error;
70836 +
70837 if (ruid != (uid_t) -1) {
70838 new->uid = ruid;
70839 if (ruid != old->uid) {
70840 @@ -809,6 +834,9 @@ SYSCALL_DEFINE3(setresgid, gid_t, rgid,
70841 goto error;
70842 }
70843
70844 + if (gr_check_group_change(rgid, egid, -1))
70845 + goto error;
70846 +
70847 if (rgid != (gid_t) -1)
70848 new->gid = rgid;
70849 if (egid != (gid_t) -1)
70850 @@ -855,6 +883,9 @@ SYSCALL_DEFINE1(setfsuid, uid_t, uid)
70851 old = current_cred();
70852 old_fsuid = old->fsuid;
70853
70854 + if (gr_check_user_change(-1, -1, uid))
70855 + goto error;
70856 +
70857 if (uid == old->uid || uid == old->euid ||
70858 uid == old->suid || uid == old->fsuid ||
70859 nsown_capable(CAP_SETUID)) {
70860 @@ -865,6 +896,7 @@ SYSCALL_DEFINE1(setfsuid, uid_t, uid)
70861 }
70862 }
70863
70864 +error:
70865 abort_creds(new);
70866 return old_fsuid;
70867
70868 @@ -891,12 +923,16 @@ SYSCALL_DEFINE1(setfsgid, gid_t, gid)
70869 if (gid == old->gid || gid == old->egid ||
70870 gid == old->sgid || gid == old->fsgid ||
70871 nsown_capable(CAP_SETGID)) {
70872 + if (gr_check_group_change(-1, -1, gid))
70873 + goto error;
70874 +
70875 if (gid != old_fsgid) {
70876 new->fsgid = gid;
70877 goto change_okay;
70878 }
70879 }
70880
70881 +error:
70882 abort_creds(new);
70883 return old_fsgid;
70884
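Review bot: The gr_check_group_change() call in setfsgid sits inside the `if (gid == old->gid || ... nsown_capable(CAP_SETGID))` block, while the setfsuid hunks above place gr_check_user_change() before the equivalent test. The two sibling syscalls therefore consult the policy hook under different conditions: setfsuid calls it even for requests the ordinary check would reject, setfsgid only for requests that passed. Pick one placement for both and note the reason, e.g. `/* policy hook runs only after the normal permission test has passed */`.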
70885 @@ -1643,7 +1679,7 @@ SYSCALL_DEFINE5(prctl, int, option, unsi
70886 error = get_dumpable(me->mm);
70887 break;
70888 case PR_SET_DUMPABLE:
70889 - if (arg2 < 0 || arg2 > 1) {
70890 + if (arg2 > 1) {
70891 error = -EINVAL;
70892 break;
70893 }
70894 diff -urNp linux-2.6.39.3/kernel/sysctl.c linux-2.6.39.3/kernel/sysctl.c
70895 --- linux-2.6.39.3/kernel/sysctl.c 2011-05-19 00:06:34.000000000 -0400
70896 +++ linux-2.6.39.3/kernel/sysctl.c 2011-05-22 20:23:10.000000000 -0400
70897 @@ -84,6 +84,13 @@
70898
70899
70900 #if defined(CONFIG_SYSCTL)
70901 +#include <linux/grsecurity.h>
70902 +#include <linux/grinternal.h>
70903 +
70904 +extern __u32 gr_handle_sysctl(const ctl_table *table, const int op);
70905 +extern int gr_handle_sysctl_mod(const char *dirname, const char *name,
70906 + const int op);
70907 +extern int gr_handle_chroot_sysctl(const int op);
70908
70909 /* External variables not in a header file. */
70910 extern int sysctl_overcommit_memory;
70911 @@ -196,6 +203,7 @@ static int sysrq_sysctl_handler(ctl_tabl
70912 }
70913
70914 #endif
70915 +extern struct ctl_table grsecurity_table[];
70916
70917 static struct ctl_table root_table[];
70918 static struct ctl_table_root sysctl_table_root;
70919 @@ -225,6 +233,20 @@ extern struct ctl_table epoll_table[];
70920 int sysctl_legacy_va_layout;
70921 #endif
70922
70923 +#ifdef CONFIG_PAX_SOFTMODE
70924 +static ctl_table pax_table[] = {
70925 + {
70926 + .procname = "softmode",
70927 + .data = &pax_softmode,
70928 + .maxlen = sizeof(unsigned int),
70929 + .mode = 0600,
70930 + .proc_handler = &proc_dointvec,
70931 + },
70932 +
70933 + { }
70934 +};
70935 +#endif
70936 +
70937 /* The default sysctl tables: */
70938
70939 static struct ctl_table root_table[] = {
70940 @@ -271,6 +293,22 @@ static int max_extfrag_threshold = 1000;
70941 #endif
70942
70943 static struct ctl_table kern_table[] = {
70944 +#if defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_ROFS)
70945 + {
70946 + .procname = "grsecurity",
70947 + .mode = 0500,
70948 + .child = grsecurity_table,
70949 + },
70950 +#endif
70951 +
70952 +#ifdef CONFIG_PAX_SOFTMODE
70953 + {
70954 + .procname = "pax",
70955 + .mode = 0500,
70956 + .child = pax_table,
70957 + },
70958 +#endif
70959 +
70960 {
70961 .procname = "sched_child_runs_first",
70962 .data = &sysctl_sched_child_runs_first,
70963 @@ -545,7 +583,7 @@ static struct ctl_table kern_table[] = {
70964 .data = &modprobe_path,
70965 .maxlen = KMOD_PATH_LEN,
70966 .mode = 0644,
70967 - .proc_handler = proc_dostring,
70968 + .proc_handler = proc_dostring_modpriv,
70969 },
70970 {
70971 .procname = "modules_disabled",
70972 @@ -707,16 +745,20 @@ static struct ctl_table kern_table[] = {
70973 .extra1 = &zero,
70974 .extra2 = &one,
70975 },
70976 +#endif
70977 {
70978 .procname = "kptr_restrict",
70979 .data = &kptr_restrict,
70980 .maxlen = sizeof(int),
70981 .mode = 0644,
70982 .proc_handler = proc_dmesg_restrict,
70983 +#ifdef CONFIG_GRKERNSEC_HIDESYM
70984 + .extra1 = &two,
70985 +#else
70986 .extra1 = &zero,
70987 +#endif
70988 .extra2 = &two,
70989 },
70990 -#endif
70991 {
70992 .procname = "ngroups_max",
70993 .data = &ngroups_max,
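Review bot: Under CONFIG_GRKERNSEC_HIDESYM both `.extra1` and `.extra2` point at `two`, so, assuming proc_dmesg_restrict honours the min/max pair, the only accepted value is 2 while the entry still advertises mode 0644. A comment should say the pin is deliberate, e.g. `/* HIDESYM: kptr_restrict is fixed at 2; writes of 0 or 1 are rejected */`. Separately, the moved `#endif` takes this entry out of a guard that opens outside the hunk. If that guard also covers the definition of proc_dmesg_restrict, the table now references a handler that is not built in that configuration, so it is worth confirming with a build that has the guard's option disabled.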
70994 @@ -1189,6 +1231,13 @@ static struct ctl_table vm_table[] = {
70995 .proc_handler = proc_dointvec_minmax,
70996 .extra1 = &zero,
70997 },
70998 + {
70999 + .procname = "heap_stack_gap",
71000 + .data = &sysctl_heap_stack_gap,
71001 + .maxlen = sizeof(sysctl_heap_stack_gap),
71002 + .mode = 0644,
71003 + .proc_handler = proc_doulongvec_minmax,
71004 + },
71005 #else
71006 {
71007 .procname = "nr_trim_pages",
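Review bot: The new `heap_stack_gap` entry sets no `.extra1`/`.extra2`, so proc_doulongvec_minmax applies no bounds and any unsigned long is accepted from a writer of the 0644 file. How sysctl_heap_stack_gap is consumed is not visible here, but a value used in address-range arithmetic usually needs an upper limit to avoid wrap-around or a layout in which no mapping fits. Either add bounds to the entry or document why none are needed, e.g. `/* no bounds: consumers clamp the gap against the address-space size */` if that is what the consumers do.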
71008 @@ -1698,6 +1747,17 @@ static int test_perm(int mode, int op)
71009 int sysctl_perm(struct ctl_table_root *root, struct ctl_table *table, int op)
71010 {
71011 int mode;
71012 + int error;
71013 +
71014 + if (table->parent != NULL && table->parent->procname != NULL &&
71015 + table->procname != NULL &&
71016 + gr_handle_sysctl_mod(table->parent->procname, table->procname, op))
71017 + return -EACCES;
71018 + if (gr_handle_chroot_sysctl(op))
71019 + return -EACCES;
71020 + error = gr_handle_sysctl(table, op);
71021 + if (error)
71022 + return error;
71023
71024 if (root->permissions)
71025 mode = root->permissions(root, current->nsproxy, table);
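Review bot: `gr_handle_sysctl()` is declared earlier in this file as returning `__u32`, yet its result is stored in `int error` and returned from sysctl_perm() as an errno, so a negative error code round-trips through an unsigned type. Declare it as `extern int gr_handle_sysctl(const ctl_table *table, const int op);`. Preferably move the three `gr_handle_*` prototypes into the grsecurity header that this file already includes, so the definition and its callers cannot drift apart. sysctl_perm()'s body continues outside the hunk.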
71026 @@ -2102,6 +2162,16 @@ int proc_dostring(struct ctl_table *tabl
71027 buffer, lenp, ppos);
71028 }
71029
71030 +int proc_dostring_modpriv(struct ctl_table *table, int write,
71031 + void __user *buffer, size_t *lenp, loff_t *ppos)
71032 +{
71033 + if (write && !capable(CAP_SYS_MODULE))
71034 + return -EPERM;
71035 +
71036 + return _proc_do_string(table->data, table->maxlen, write,
71037 + buffer, lenp, ppos);
71038 +}
71039 +
71040 static size_t proc_skip_spaces(char **buf)
71041 {
71042 size_t ret;
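Review bot: proc_dostring_modpriv() is added without any comment, although it is what now gates writes to `modprobe_path` in kern_table. The contract is worth stating above the function: `/* like proc_dostring(), but writes require CAP_SYS_MODULE; reads are not restricted */`. That also makes clear to anyone reusing the handler that the file mode still governs who can read the value.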
71043 @@ -2207,6 +2277,8 @@ static int proc_put_long(void __user **b
71044 len = strlen(tmp);
71045 if (len > *size)
71046 len = *size;
71047 + if (len > sizeof(tmp))
71048 + len = sizeof(tmp);
71049 if (copy_to_user(*buf, tmp, len))
71050 return -EFAULT;
71051 *size -= len;
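Review bot: The added clamp `if (len > sizeof(tmp))` cannot fire if `tmp` is a NUL-terminated local array, because `len` was just taken from `strlen(tmp)`; the declaration and the formatting call are outside the hunk, so this is inferred. If the clamp exists to make the copy_to_user() length provably bounded for a size checker, say so: `/* strlen(tmp) < sizeof(tmp) already; clamp keeps the copy length provably within tmp */`. It does not guard against an overrun while `tmp` is being filled, which would need a bounded formatting call at that point.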
71052 @@ -2523,8 +2595,11 @@ static int __do_proc_doulongvec_minmax(v
71053 *i = val;
71054 } else {
71055 val = convdiv * (*i) / convmul;
71056 - if (!first)
71057 + if (!first) {
71058 err = proc_put_char(&buffer, &left, '\t');
71059 + if (err)
71060 + break;
71061 + }
71062 err = proc_put_long(&buffer, &left, val, false);
71063 if (err)
71064 break;
71065 @@ -2919,6 +2994,12 @@ int proc_dostring(struct ctl_table *tabl
71066 return -ENOSYS;
71067 }
71068
71069 +int proc_dostring_modpriv(struct ctl_table *table, int write,
71070 + void __user *buffer, size_t *lenp, loff_t *ppos)
71071 +{
71072 + return -ENOSYS;
71073 +}
71074 +
71075 int proc_dointvec(struct ctl_table *table, int write,
71076 void __user *buffer, size_t *lenp, loff_t *ppos)
71077 {
71078 @@ -2975,6 +3056,7 @@ EXPORT_SYMBOL(proc_dointvec_minmax);
71079 EXPORT_SYMBOL(proc_dointvec_userhz_jiffies);
71080 EXPORT_SYMBOL(proc_dointvec_ms_jiffies);
71081 EXPORT_SYMBOL(proc_dostring);
71082 +EXPORT_SYMBOL(proc_dostring_modpriv);
71083 EXPORT_SYMBOL(proc_doulongvec_minmax);
71084 EXPORT_SYMBOL(proc_doulongvec_ms_jiffies_minmax);
71085 EXPORT_SYMBOL(register_sysctl_table);
71086 diff -urNp linux-2.6.39.3/kernel/sysctl_check.c linux-2.6.39.3/kernel/sysctl_check.c
71087 --- linux-2.6.39.3/kernel/sysctl_check.c 2011-05-19 00:06:34.000000000 -0400
71088 +++ linux-2.6.39.3/kernel/sysctl_check.c 2011-05-22 19:41:42.000000000 -0400
71089 @@ -129,6 +129,7 @@ int sysctl_check_table(struct nsproxy *n
71090 set_fail(&fail, table, "Directory with extra2");
71091 } else {
71092 if ((table->proc_handler == proc_dostring) ||
71093 + (table->proc_handler == proc_dostring_modpriv) ||
71094 (table->proc_handler == proc_dointvec) ||
71095 (table->proc_handler == proc_dointvec_minmax) ||
71096 (table->proc_handler == proc_dointvec_jiffies) ||
71097 diff -urNp linux-2.6.39.3/kernel/taskstats.c linux-2.6.39.3/kernel/taskstats.c
71098 --- linux-2.6.39.3/kernel/taskstats.c 2011-07-09 09:18:51.000000000 -0400
71099 +++ linux-2.6.39.3/kernel/taskstats.c 2011-07-09 09:19:24.000000000 -0400
71100 @@ -27,9 +27,12 @@
71101 #include <linux/cgroup.h>
71102 #include <linux/fs.h>
71103 #include <linux/file.h>
71104 +#include <linux/grsecurity.h>
71105 #include <net/genetlink.h>
71106 #include <asm/atomic.h>
71107
71108 +extern int gr_is_taskstats_denied(int pid);
71109 +
71110 /*
71111 * Maximum length of a cpumask that can be specified in
71112 * the TASKSTATS_CMD_ATTR_REGISTER/DEREGISTER_CPUMASK attribute
71113 @@ -558,6 +561,9 @@ err:
71114
71115 static int taskstats_user_cmd(struct sk_buff *skb, struct genl_info *info)
71116 {
71117 + if (gr_is_taskstats_denied(current->pid))
71118 + return -EACCES;
71119 +
71120 if (info->attrs[TASKSTATS_CMD_ATTR_REGISTER_CPUMASK])
71121 return cmd_attr_register_cpumask(info);
71122 else if (info->attrs[TASKSTATS_CMD_ATTR_DEREGISTER_CPUMASK])
71123 diff -urNp linux-2.6.39.3/kernel/time/posix-clock.c linux-2.6.39.3/kernel/time/posix-clock.c
71124 --- linux-2.6.39.3/kernel/time/posix-clock.c 2011-05-19 00:06:34.000000000 -0400
71125 +++ linux-2.6.39.3/kernel/time/posix-clock.c 2011-05-22 19:36:33.000000000 -0400
71126 @@ -433,7 +433,7 @@ static int pc_timer_settime(struct k_iti
71127 return err;
71128 }
71129
71130 -struct k_clock clock_posix_dynamic = {
71131 +const struct k_clock clock_posix_dynamic = {
71132 .clock_getres = pc_clock_getres,
71133 .clock_set = pc_clock_settime,
71134 .clock_get = pc_clock_gettime,
71135 diff -urNp linux-2.6.39.3/kernel/time/tick-broadcast.c linux-2.6.39.3/kernel/time/tick-broadcast.c
71136 --- linux-2.6.39.3/kernel/time/tick-broadcast.c 2011-05-19 00:06:34.000000000 -0400
71137 +++ linux-2.6.39.3/kernel/time/tick-broadcast.c 2011-05-22 19:36:33.000000000 -0400
71138 @@ -115,7 +115,7 @@ int tick_device_uses_broadcast(struct cl
71139 * then clear the broadcast bit.
71140 */
71141 if (!(dev->features & CLOCK_EVT_FEAT_C3STOP)) {
71142 - int cpu = smp_processor_id();
71143 + cpu = smp_processor_id();
71144
71145 cpumask_clear_cpu(cpu, tick_get_broadcast_mask());
71146 tick_broadcast_clear_oneshot(cpu);
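Review bot: Dropping `int` turns a block-local into an assignment to an outer `cpu` whose declaration is outside the hunk; the truncated hunk header does not show whether it is a parameter of tick_device_uses_broadcast(). If it is, the caller-supplied value is overwritten with `smp_processor_id()` for the rest of the function. Confirm that nothing after this block reads `cpu`, or keep a distinct local such as `int this_cpu = smp_processor_id();` and use it in the two calls.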
71147 diff -urNp linux-2.6.39.3/kernel/time/timekeeping.c linux-2.6.39.3/kernel/time/timekeeping.c
71148 --- linux-2.6.39.3/kernel/time/timekeeping.c 2011-05-19 00:06:34.000000000 -0400
71149 +++ linux-2.6.39.3/kernel/time/timekeeping.c 2011-05-22 20:40:50.000000000 -0400
71150 @@ -14,6 +14,7 @@
71151 #include <linux/init.h>
71152 #include <linux/mm.h>
71153 #include <linux/sched.h>
71154 +#include <linux/grsecurity.h>
71155 #include <linux/syscore_ops.h>
71156 #include <linux/clocksource.h>
71157 #include <linux/jiffies.h>
71158 @@ -361,6 +362,8 @@ int do_settimeofday(const struct timespe
71159 if ((unsigned long)tv->tv_nsec >= NSEC_PER_SEC)
71160 return -EINVAL;
71161
71162 + gr_log_timechange();
71163 +
71164 write_seqlock_irqsave(&xtime_lock, flags);
71165
71166 timekeeping_forward_now();
71167 diff -urNp linux-2.6.39.3/kernel/time/timer_list.c linux-2.6.39.3/kernel/time/timer_list.c
71168 --- linux-2.6.39.3/kernel/time/timer_list.c 2011-05-19 00:06:34.000000000 -0400
71169 +++ linux-2.6.39.3/kernel/time/timer_list.c 2011-05-22 19:41:42.000000000 -0400
71170 @@ -38,12 +38,16 @@ DECLARE_PER_CPU(struct hrtimer_cpu_base,
71171
71172 static void print_name_offset(struct seq_file *m, void *sym)
71173 {
71174 +#ifdef CONFIG_GRKERNSEC_HIDESYM
71175 + SEQ_printf(m, "<%p>", NULL);
71176 +#else
71177 char symname[KSYM_NAME_LEN];
71178
71179 if (lookup_symbol_name((unsigned long)sym, symname) < 0)
71180 SEQ_printf(m, "<%pK>", sym);
71181 else
71182 SEQ_printf(m, "%s", symname);
71183 +#endif
71184 }
71185
71186 static void
71187 @@ -112,7 +116,11 @@ next_one:
71188 static void
71189 print_base(struct seq_file *m, struct hrtimer_clock_base *base, u64 now)
71190 {
71191 +#ifdef CONFIG_GRKERNSEC_HIDESYM
71192 + SEQ_printf(m, " .base: %p\n", NULL);
71193 +#else
71194 SEQ_printf(m, " .base: %pK\n", base);
71195 +#endif
71196 SEQ_printf(m, " .index: %d\n",
71197 base->index);
71198 SEQ_printf(m, " .resolution: %Lu nsecs\n",
71199 @@ -293,7 +301,11 @@ static int __init init_timer_list_procfs
71200 {
71201 struct proc_dir_entry *pe;
71202
71203 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
71204 + pe = proc_create("timer_list", 0400, NULL, &timer_list_fops);
71205 +#else
71206 pe = proc_create("timer_list", 0444, NULL, &timer_list_fops);
71207 +#endif
71208 if (!pe)
71209 return -ENOMEM;
71210 return 0;
71211 diff -urNp linux-2.6.39.3/kernel/time/timer_stats.c linux-2.6.39.3/kernel/time/timer_stats.c
71212 --- linux-2.6.39.3/kernel/time/timer_stats.c 2011-05-19 00:06:34.000000000 -0400
71213 +++ linux-2.6.39.3/kernel/time/timer_stats.c 2011-05-22 19:41:42.000000000 -0400
71214 @@ -116,7 +116,7 @@ static ktime_t time_start, time_stop;
71215 static unsigned long nr_entries;
71216 static struct entry entries[MAX_ENTRIES];
71217
71218 -static atomic_t overflow_count;
71219 +static atomic_unchecked_t overflow_count;
71220
71221 /*
71222 * The entries are in a hash-table, for fast lookup:
71223 @@ -140,7 +140,7 @@ static void reset_entries(void)
71224 nr_entries = 0;
71225 memset(entries, 0, sizeof(entries));
71226 memset(tstat_hash_table, 0, sizeof(tstat_hash_table));
71227 - atomic_set(&overflow_count, 0);
71228 + atomic_set_unchecked(&overflow_count, 0);
71229 }
71230
71231 static struct entry *alloc_entry(void)
71232 @@ -261,7 +261,7 @@ void timer_stats_update_stats(void *time
71233 if (likely(entry))
71234 entry->count++;
71235 else
71236 - atomic_inc(&overflow_count);
71237 + atomic_inc_unchecked(&overflow_count);
71238
71239 out_unlock:
71240 raw_spin_unlock_irqrestore(lock, flags);
71241 @@ -269,12 +269,16 @@ void timer_stats_update_stats(void *time
71242
71243 static void print_name_offset(struct seq_file *m, unsigned long addr)
71244 {
71245 +#ifdef CONFIG_GRKERNSEC_HIDESYM
71246 + seq_printf(m, "<%p>", NULL);
71247 +#else
71248 char symname[KSYM_NAME_LEN];
71249
71250 if (lookup_symbol_name(addr, symname) < 0)
71251 seq_printf(m, "<%p>", (void *)addr);
71252 else
71253 seq_printf(m, "%s", symname);
71254 +#endif
71255 }
71256
71257 static int tstats_show(struct seq_file *m, void *v)
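Review bot: The non-HIDESYM fallback `seq_printf(m, "<%p>", (void *)addr);` still prints the raw address when the symbol lookup fails, whereas the matching helper in kernel/time/timer_list.c prints `<%pK>` so that kptr_restrict applies. Changing this line to `seq_printf(m, "<%pK>", (void *)addr);` would make the two files consistent and keep the address filtered on kernels built without CONFIG_GRKERNSEC_HIDESYM.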
71258 @@ -300,9 +304,9 @@ static int tstats_show(struct seq_file *
71259
71260 seq_puts(m, "Timer Stats Version: v0.2\n");
71261 seq_printf(m, "Sample period: %ld.%03ld s\n", period.tv_sec, ms);
71262 - if (atomic_read(&overflow_count))
71263 + if (atomic_read_unchecked(&overflow_count))
71264 seq_printf(m, "Overflow: %d entries\n",
71265 - atomic_read(&overflow_count));
71266 + atomic_read_unchecked(&overflow_count));
71267
71268 for (i = 0; i < nr_entries; i++) {
71269 entry = entries + i;
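Review bot: `overflow_count` is read twice, once for the test and once for the value printed, so the two reads can disagree if timer_stats_update_stats increments the counter or reset_entries clears it in between. Reading it once avoids that: `int overflow = atomic_read_unchecked(&overflow_count);` followed by `if (overflow) seq_printf(m, "Overflow: %d entries\n", overflow);`. tstats_show starts and ends outside the hunk.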
71270 @@ -417,7 +421,11 @@ static int __init init_tstats_procfs(voi
71271 {
71272 struct proc_dir_entry *pe;
71273
71274 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
71275 + pe = proc_create("timer_stats", 0600, NULL, &tstats_fops);
71276 +#else
71277 pe = proc_create("timer_stats", 0644, NULL, &tstats_fops);
71278 +#endif
71279 if (!pe)
71280 return -ENOMEM;
71281 return 0;
71282 diff -urNp linux-2.6.39.3/kernel/time.c linux-2.6.39.3/kernel/time.c
71283 --- linux-2.6.39.3/kernel/time.c 2011-05-19 00:06:34.000000000 -0400
71284 +++ linux-2.6.39.3/kernel/time.c 2011-05-22 19:41:42.000000000 -0400
71285 @@ -163,6 +163,11 @@ int do_sys_settimeofday(const struct tim
71286 return error;
71287
71288 if (tz) {
71289 + /* we log in do_settimeofday called below, so don't log twice
71290 + */
71291 + if (!tv)
71292 + gr_log_timechange();
71293 +
71294 /* SMP safe, global irq locking makes it work. */
71295 sys_tz = *tz;
71296 update_vsyscall_tz();
71297 diff -urNp linux-2.6.39.3/kernel/timer.c linux-2.6.39.3/kernel/timer.c
71298 --- linux-2.6.39.3/kernel/timer.c 2011-05-19 00:06:34.000000000 -0400
71299 +++ linux-2.6.39.3/kernel/timer.c 2011-05-22 19:36:33.000000000 -0400
71300 @@ -1305,7 +1305,7 @@ void update_process_times(int user_tick)
71301 /*
71302 * This function runs timers and the timer-tq in bottom half context.
71303 */
71304 -static void run_timer_softirq(struct softirq_action *h)
71305 +static void run_timer_softirq(void)
71306 {
71307 struct tvec_base *base = __this_cpu_read(tvec_bases);
71308
71309 diff -urNp linux-2.6.39.3/kernel/trace/blktrace.c linux-2.6.39.3/kernel/trace/blktrace.c
71310 --- linux-2.6.39.3/kernel/trace/blktrace.c 2011-05-19 00:06:34.000000000 -0400
71311 +++ linux-2.6.39.3/kernel/trace/blktrace.c 2011-05-22 19:36:33.000000000 -0400
71312 @@ -321,7 +321,7 @@ static ssize_t blk_dropped_read(struct f
71313 struct blk_trace *bt = filp->private_data;
71314 char buf[16];
71315
71316 - snprintf(buf, sizeof(buf), "%u\n", atomic_read(&bt->dropped));
71317 + snprintf(buf, sizeof(buf), "%u\n", atomic_read_unchecked(&bt->dropped));
71318
71319 return simple_read_from_buffer(buffer, count, ppos, buf, strlen(buf));
71320 }
71321 @@ -386,7 +386,7 @@ static int blk_subbuf_start_callback(str
71322 return 1;
71323
71324 bt = buf->chan->private_data;
71325 - atomic_inc(&bt->dropped);
71326 + atomic_inc_unchecked(&bt->dropped);
71327 return 0;
71328 }
71329
71330 @@ -487,7 +487,7 @@ int do_blk_trace_setup(struct request_qu
71331
71332 bt->dir = dir;
71333 bt->dev = dev;
71334 - atomic_set(&bt->dropped, 0);
71335 + atomic_set_unchecked(&bt->dropped, 0);
71336
71337 ret = -EIO;
71338 bt->dropped_file = debugfs_create_file("dropped", 0444, dir, bt,
71339 diff -urNp linux-2.6.39.3/kernel/trace/ftrace.c linux-2.6.39.3/kernel/trace/ftrace.c
71340 --- linux-2.6.39.3/kernel/trace/ftrace.c 2011-06-03 00:04:14.000000000 -0400
71341 +++ linux-2.6.39.3/kernel/trace/ftrace.c 2011-06-03 00:32:08.000000000 -0400
71342 @@ -1107,13 +1107,18 @@ ftrace_code_disable(struct module *mod,
71343
71344 ip = rec->ip;
71345
71346 + ret = ftrace_arch_code_modify_prepare();
71347 + FTRACE_WARN_ON(ret);
71348 + if (ret)
71349 + return 0;
71350 +
71351 ret = ftrace_make_nop(mod, rec, MCOUNT_ADDR);
71352 + FTRACE_WARN_ON(ftrace_arch_code_modify_post_process());
71353 if (ret) {
71354 ftrace_bug(ret, ip);
71355 rec->flags |= FTRACE_FL_FAILED;
71356 - return 0;
71357 }
71358 - return 1;
71359 + return ret ? 0 : 1;
71360 }
71361
71362 /*
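Review bot: The result of `ftrace_arch_code_modify_post_process()` is only passed to FTRACE_WARN_ON, so when `ftrace_make_nop()` succeeds but post-processing fails the function still returns 1. If post-processing is what restores the text protections that the prepare call lifted (neither body is in this hunk), that failure should reach the caller too, for example by keeping it in a second variable and returning 0 when either call failed. The early `return 0` after a failed prepare also skips `rec->flags |= FTRACE_FL_FAILED`, unlike the make_nop failure path; a comment should say whether that is intended. The start of ftrace_code_disable is outside the hunk.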
71363 @@ -2011,7 +2016,7 @@ static void ftrace_free_entry_rcu(struct
71364
71365 int
71366 register_ftrace_function_probe(char *glob, struct ftrace_probe_ops *ops,
71367 - void *data)
71368 + void *data)
71369 {
71370 struct ftrace_func_probe *entry;
71371 struct ftrace_page *pg;
71372 @@ -2083,7 +2088,7 @@ enum {
71373 };
71374
71375 static void
71376 -__unregister_ftrace_function_probe(char *glob, struct ftrace_probe_ops *ops,
71377 +__unregister_ftrace_function_probe(char *glob, const struct ftrace_probe_ops *ops,
71378 void *data, int flags)
71379 {
71380 struct ftrace_func_probe *entry;
71381 @@ -2144,7 +2149,7 @@ unregister_ftrace_function_probe(char *g
71382 }
71383
71384 void
71385 -unregister_ftrace_function_probe_func(char *glob, struct ftrace_probe_ops *ops)
71386 +unregister_ftrace_function_probe_func(char *glob, const struct ftrace_probe_ops *ops)
71387 {
71388 __unregister_ftrace_function_probe(glob, ops, NULL, PROBE_TEST_FUNC);
71389 }
71390 diff -urNp linux-2.6.39.3/kernel/trace/trace.c linux-2.6.39.3/kernel/trace/trace.c
71391 --- linux-2.6.39.3/kernel/trace/trace.c 2011-05-19 00:06:34.000000000 -0400
71392 +++ linux-2.6.39.3/kernel/trace/trace.c 2011-05-22 19:36:33.000000000 -0400
71393 @@ -3330,6 +3330,8 @@ static ssize_t tracing_splice_read_pipe(
71394 size_t rem;
71395 unsigned int i;
71396
71397 + pax_track_stack();
71398 +
71399 if (splice_grow_spd(pipe, &spd))
71400 return -ENOMEM;
71401
71402 @@ -3813,6 +3815,8 @@ tracing_buffers_splice_read(struct file
71403 int entries, size, i;
71404 size_t ret;
71405
71406 + pax_track_stack();
71407 +
71408 if (splice_grow_spd(pipe, &spd))
71409 return -ENOMEM;
71410
71411 @@ -3981,10 +3985,9 @@ static const struct file_operations trac
71412 };
71413 #endif
71414
71415 -static struct dentry *d_tracer;
71416 -
71417 struct dentry *tracing_init_dentry(void)
71418 {
71419 + static struct dentry *d_tracer;
71420 static int once;
71421
71422 if (d_tracer)
71423 @@ -4004,10 +4007,9 @@ struct dentry *tracing_init_dentry(void)
71424 return d_tracer;
71425 }
71426
71427 -static struct dentry *d_percpu;
71428 -
71429 struct dentry *tracing_dentry_percpu(void)
71430 {
71431 + static struct dentry *d_percpu;
71432 static int once;
71433 struct dentry *d_tracer;
71434
71435 diff -urNp linux-2.6.39.3/kernel/trace/trace_events.c linux-2.6.39.3/kernel/trace/trace_events.c
71436 --- linux-2.6.39.3/kernel/trace/trace_events.c 2011-05-19 00:06:34.000000000 -0400
71437 +++ linux-2.6.39.3/kernel/trace/trace_events.c 2011-05-22 19:36:33.000000000 -0400
71438 @@ -1241,10 +1241,10 @@ static LIST_HEAD(ftrace_module_file_list
71439 struct ftrace_module_file_ops {
71440 struct list_head list;
71441 struct module *mod;
71442 - struct file_operations id;
71443 - struct file_operations enable;
71444 - struct file_operations format;
71445 - struct file_operations filter;
71446 + struct file_operations id; /* cannot be const, see trace_create_file_ops() */
71447 + struct file_operations enable; /* cannot be const, see trace_create_file_ops() */
71448 + struct file_operations format; /* cannot be const, see trace_create_file_ops() */
71449 + struct file_operations filter; /* cannot be const, see trace_create_file_ops() */
71450 };
71451
71452 static struct ftrace_module_file_ops *
71453 diff -urNp linux-2.6.39.3/kernel/trace/trace_functions.c linux-2.6.39.3/kernel/trace/trace_functions.c
71454 --- linux-2.6.39.3/kernel/trace/trace_functions.c 2011-05-19 00:06:34.000000000 -0400
71455 +++ linux-2.6.39.3/kernel/trace/trace_functions.c 2011-05-22 19:36:33.000000000 -0400
71456 @@ -308,7 +308,7 @@ ftrace_trace_onoff_print(struct seq_file
71457 static int
71458 ftrace_trace_onoff_unreg(char *glob, char *cmd, char *param)
71459 {
71460 - struct ftrace_probe_ops *ops;
71461 + const struct ftrace_probe_ops *ops;
71462
71463 /* we register both traceon and traceoff to this callback */
71464 if (strcmp(cmd, "traceon") == 0)
71465 diff -urNp linux-2.6.39.3/kernel/trace/trace_mmiotrace.c linux-2.6.39.3/kernel/trace/trace_mmiotrace.c
71466 --- linux-2.6.39.3/kernel/trace/trace_mmiotrace.c 2011-05-19 00:06:34.000000000 -0400
71467 +++ linux-2.6.39.3/kernel/trace/trace_mmiotrace.c 2011-05-22 19:36:33.000000000 -0400
71468 @@ -24,7 +24,7 @@ struct header_iter {
71469 static struct trace_array *mmio_trace_array;
71470 static bool overrun_detected;
71471 static unsigned long prev_overruns;
71472 -static atomic_t dropped_count;
71473 +static atomic_unchecked_t dropped_count;
71474
71475 static void mmio_reset_data(struct trace_array *tr)
71476 {
71477 @@ -127,7 +127,7 @@ static void mmio_close(struct trace_iter
71478
71479 static unsigned long count_overruns(struct trace_iterator *iter)
71480 {
71481 - unsigned long cnt = atomic_xchg(&dropped_count, 0);
71482 + unsigned long cnt = atomic_xchg_unchecked(&dropped_count, 0);
71483 unsigned long over = ring_buffer_overruns(iter->tr->buffer);
71484
71485 if (over > prev_overruns)
71486 @@ -317,7 +317,7 @@ static void __trace_mmiotrace_rw(struct
71487 event = trace_buffer_lock_reserve(buffer, TRACE_MMIO_RW,
71488 sizeof(*entry), 0, pc);
71489 if (!event) {
71490 - atomic_inc(&dropped_count);
71491 + atomic_inc_unchecked(&dropped_count);
71492 return;
71493 }
71494 entry = ring_buffer_event_data(event);
71495 @@ -347,7 +347,7 @@ static void __trace_mmiotrace_map(struct
71496 event = trace_buffer_lock_reserve(buffer, TRACE_MMIO_MAP,
71497 sizeof(*entry), 0, pc);
71498 if (!event) {
71499 - atomic_inc(&dropped_count);
71500 + atomic_inc_unchecked(&dropped_count);
71501 return;
71502 }
71503 entry = ring_buffer_event_data(event);
71504 diff -urNp linux-2.6.39.3/kernel/trace/trace_output.c linux-2.6.39.3/kernel/trace/trace_output.c
71505 --- linux-2.6.39.3/kernel/trace/trace_output.c 2011-05-19 00:06:34.000000000 -0400
71506 +++ linux-2.6.39.3/kernel/trace/trace_output.c 2011-05-22 19:36:33.000000000 -0400
71507 @@ -278,7 +278,7 @@ int trace_seq_path(struct trace_seq *s,
71508
71509 p = d_path(path, s->buffer + s->len, PAGE_SIZE - s->len);
71510 if (!IS_ERR(p)) {
71511 - p = mangle_path(s->buffer + s->len, p, "\n");
71512 + p = mangle_path(s->buffer + s->len, p, "\n\\");
71513 if (p) {
71514 s->len = p - s->buffer;
71515 return 1;
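Review bot: The escape set passed to `mangle_path()` gains a backslash but nothing records why. mangle_path() writes each escaped byte as a backslash followed by octal digits, so a literal backslash in a path has to be escaped as well, or a reader of the trace cannot tell an escape sequence from file-name text. I would add `/* escape '\\' as well so the octal escapes in the output stay unambiguous */` above the call. trace_seq_path begins and ends outside the hunk.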
71516 diff -urNp linux-2.6.39.3/kernel/trace/trace_stack.c linux-2.6.39.3/kernel/trace/trace_stack.c
71517 --- linux-2.6.39.3/kernel/trace/trace_stack.c 2011-05-19 00:06:34.000000000 -0400
71518 +++ linux-2.6.39.3/kernel/trace/trace_stack.c 2011-05-22 19:36:33.000000000 -0400
71519 @@ -50,7 +50,7 @@ static inline void check_stack(void)
71520 return;
71521
71522 /* we do not handle interrupt stacks yet */
71523 - if (!object_is_on_stack(&this_size))
71524 + if (!object_starts_on_stack(&this_size))
71525 return;
71526
71527 local_irq_save(flags);
71528 diff -urNp linux-2.6.39.3/kernel/trace/trace_workqueue.c linux-2.6.39.3/kernel/trace/trace_workqueue.c
71529 --- linux-2.6.39.3/kernel/trace/trace_workqueue.c 2011-05-19 00:06:34.000000000 -0400
71530 +++ linux-2.6.39.3/kernel/trace/trace_workqueue.c 2011-05-22 19:36:33.000000000 -0400
71531 @@ -22,7 +22,7 @@ struct cpu_workqueue_stats {
71532 int cpu;
71533 pid_t pid;
71534 /* Can be inserted from interrupt or user context, need to be atomic */
71535 - atomic_t inserted;
71536 + atomic_unchecked_t inserted;
71537 /*
71538 * Don't need to be atomic, works are serialized in a single workqueue thread
71539 * on a single CPU.
71540 @@ -60,7 +60,7 @@ probe_workqueue_insertion(void *ignore,
71541 spin_lock_irqsave(&workqueue_cpu_stat(cpu)->lock, flags);
71542 list_for_each_entry(node, &workqueue_cpu_stat(cpu)->list, list) {
71543 if (node->pid == wq_thread->pid) {
71544 - atomic_inc(&node->inserted);
71545 + atomic_inc_unchecked(&node->inserted);
71546 goto found;
71547 }
71548 }
71549 @@ -210,7 +210,7 @@ static int workqueue_stat_show(struct se
71550 tsk = get_pid_task(pid, PIDTYPE_PID);
71551 if (tsk) {
71552 seq_printf(s, "%3d %6d %6u %s\n", cws->cpu,
71553 - atomic_read(&cws->inserted), cws->executed,
71554 + atomic_read_unchecked(&cws->inserted), cws->executed,
71555 tsk->comm);
71556 put_task_struct(tsk);
71557 }
71558 diff -urNp linux-2.6.39.3/lib/bug.c linux-2.6.39.3/lib/bug.c
71559 --- linux-2.6.39.3/lib/bug.c 2011-05-19 00:06:34.000000000 -0400
71560 +++ linux-2.6.39.3/lib/bug.c 2011-05-22 19:36:33.000000000 -0400
71561 @@ -133,6 +133,8 @@ enum bug_trap_type report_bug(unsigned l
71562 return BUG_TRAP_TYPE_NONE;
71563
71564 bug = find_bug(bugaddr);
71565 + if (!bug)
71566 + return BUG_TRAP_TYPE_NONE;
71567
71568 file = NULL;
71569 line = 0;
71570 diff -urNp linux-2.6.39.3/lib/debugobjects.c linux-2.6.39.3/lib/debugobjects.c
71571 --- linux-2.6.39.3/lib/debugobjects.c 2011-07-09 09:18:51.000000000 -0400
71572 +++ linux-2.6.39.3/lib/debugobjects.c 2011-07-09 09:19:24.000000000 -0400
71573 @@ -284,7 +284,7 @@ static void debug_object_is_on_stack(voi
71574 if (limit > 4)
71575 return;
71576
71577 - is_on_stack = object_is_on_stack(addr);
71578 + is_on_stack = object_starts_on_stack(addr);
71579 if (is_on_stack == onstack)
71580 return;
71581
71582 diff -urNp linux-2.6.39.3/lib/dma-debug.c linux-2.6.39.3/lib/dma-debug.c
71583 --- linux-2.6.39.3/lib/dma-debug.c 2011-05-19 00:06:34.000000000 -0400
71584 +++ linux-2.6.39.3/lib/dma-debug.c 2011-05-22 19:36:33.000000000 -0400
71585 @@ -862,7 +862,7 @@ out:
71586
71587 static void check_for_stack(struct device *dev, void *addr)
71588 {
71589 - if (object_is_on_stack(addr))
71590 + if (object_starts_on_stack(addr))
71591 err_printk(dev, NULL, "DMA-API: device driver maps memory from"
71592 "stack [addr=%p]\n", addr);
71593 }
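Review bot: The two adjacent string literals in the `err_printk()` call concatenate to "maps memory fromstack", because neither the end of the first literal nor the start of the second has a space. Writing the first literal as `"DMA-API: device driver maps memory from "` fixes the message. The line is context in this hunk, but it sits directly under the renamed check and is worth correcting while the function is being touched.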
71594 diff -urNp linux-2.6.39.3/lib/inflate.c linux-2.6.39.3/lib/inflate.c
71595 --- linux-2.6.39.3/lib/inflate.c 2011-05-19 00:06:34.000000000 -0400
71596 +++ linux-2.6.39.3/lib/inflate.c 2011-05-22 19:36:33.000000000 -0400
71597 @@ -269,7 +269,7 @@ static void free(void *where)
71598 malloc_ptr = free_mem_ptr;
71599 }
71600 #else
71601 -#define malloc(a) kmalloc(a, GFP_KERNEL)
71602 +#define malloc(a) kmalloc((a), GFP_KERNEL)
71603 #define free(a) kfree(a)
71604 #endif
71605
71606 diff -urNp linux-2.6.39.3/lib/Kconfig.debug linux-2.6.39.3/lib/Kconfig.debug
71607 --- linux-2.6.39.3/lib/Kconfig.debug 2011-05-19 00:06:34.000000000 -0400
71608 +++ linux-2.6.39.3/lib/Kconfig.debug 2011-05-22 19:41:42.000000000 -0400
71609 @@ -1078,6 +1078,7 @@ config LATENCYTOP
71610 depends on DEBUG_KERNEL
71611 depends on STACKTRACE_SUPPORT
71612 depends on PROC_FS
71613 + depends on !GRKERNSEC_HIDESYM
71614 select FRAME_POINTER if !MIPS && !PPC && !S390 && !MICROBLAZE
71615 select KALLSYMS
71616 select KALLSYMS_ALL
71617 diff -urNp linux-2.6.39.3/lib/kref.c linux-2.6.39.3/lib/kref.c
71618 --- linux-2.6.39.3/lib/kref.c 2011-05-19 00:06:34.000000000 -0400
71619 +++ linux-2.6.39.3/lib/kref.c 2011-05-22 19:36:33.000000000 -0400
71620 @@ -52,7 +52,7 @@ void kref_get(struct kref *kref)
71621 */
71622 int kref_put(struct kref *kref, void (*release)(struct kref *kref))
71623 {
71624 - WARN_ON(release == NULL);
71625 + BUG_ON(release == NULL);
71626 WARN_ON(release == (void (*)(struct kref *))kfree);
71627
71628 if (atomic_dec_and_test(&kref->refcount)) {
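Review bot: The upgrade to `BUG_ON(release == NULL)` has no comment explaining why a NULL release is now fatal while `release == kfree` on the next line stays a warning. Presumably the reason is that a NULL `release` would be called through once the count reaches zero (that call is outside this hunk); a line such as `/* a NULL release would be called below; stop here instead */` would record it. The kernel-doc block for kref_put, whose closing line is the first line of the hunk, may need the same remark.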
71629 diff -urNp linux-2.6.39.3/lib/radix-tree.c linux-2.6.39.3/lib/radix-tree.c
71630 --- linux-2.6.39.3/lib/radix-tree.c 2011-05-19 00:06:34.000000000 -0400
71631 +++ linux-2.6.39.3/lib/radix-tree.c 2011-05-22 19:36:33.000000000 -0400
71632 @@ -80,7 +80,7 @@ struct radix_tree_preload {
71633 int nr;
71634 struct radix_tree_node *nodes[RADIX_TREE_MAX_PATH];
71635 };
71636 -static DEFINE_PER_CPU(struct radix_tree_preload, radix_tree_preloads) = { 0, };
71637 +static DEFINE_PER_CPU(struct radix_tree_preload, radix_tree_preloads);
71638
71639 static inline void *ptr_to_indirect(void *ptr)
71640 {
71641 diff -urNp linux-2.6.39.3/lib/vsprintf.c linux-2.6.39.3/lib/vsprintf.c
71642 --- linux-2.6.39.3/lib/vsprintf.c 2011-05-19 00:06:34.000000000 -0400
71643 +++ linux-2.6.39.3/lib/vsprintf.c 2011-05-22 20:54:59.000000000 -0400
71644 @@ -16,6 +16,9 @@
71645 * - scnprintf and vscnprintf
71646 */
71647
71648 +#ifdef CONFIG_GRKERNSEC_HIDESYM
71649 +#define __INCLUDED_BY_HIDESYM 1
71650 +#endif
71651 #include <stdarg.h>
71652 #include <linux/module.h>
71653 #include <linux/types.h>
71654 @@ -435,7 +438,7 @@ char *symbol_string(char *buf, char *end
71655 char sym[KSYM_SYMBOL_LEN];
71656 if (ext == 'B')
71657 sprint_backtrace(sym, value);
71658 - else if (ext != 'f' && ext != 's')
71659 + else if (ext != 'f' && ext != 's' && ext != 'a')
71660 sprint_symbol(sym, value);
71661 else
71662 kallsyms_lookup(value, NULL, NULL, NULL, sym);
71663 @@ -797,7 +800,11 @@ char *uuid_string(char *buf, char *end,
71664 return string(buf, end, uuid, spec);
71665 }
71666
71667 +#ifdef CONFIG_GRKERNSEC_HIDESYM
71668 +int kptr_restrict __read_mostly = 2;
71669 +#else
71670 int kptr_restrict __read_mostly;
71671 +#endif
71672
71673 /*
71674 * Show a '%p' thing. A kernel extension is that the '%p' is followed
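Review bot: Initialising `kptr_restrict` to 2 only sets the boot-time default; the variable remains an ordinary writable `int`, so anything that can write it at run time (the sysctl table is not in this hunk) can lower it again. A comment should say that this is a default and not an enforced setting, e.g. `/* default only; may still be changed at run time */`. If the intent is that HIDESYM kernels never expose `%pK` values, the sysctl entry would have to be made read-only under CONFIG_GRKERNSEC_HIDESYM as well.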
71675 @@ -811,6 +818,8 @@ int kptr_restrict __read_mostly;
71676 * - 'S' For symbolic direct pointers with offset
71677 * - 's' For symbolic direct pointers without offset
71678 * - 'B' For backtraced symbolic direct pointers with offset
71679 + * - 'A' For symbolic direct pointers with offset approved for use with GRKERNSEC_HIDESYM
71680 + * - 'a' For symbolic direct pointers without offset approved for use with GRKERNSEC_HIDESYM
71681 * - 'R' For decoded struct resource, e.g., [mem 0x0-0x1f 64bit pref]
71682 * - 'r' For raw struct resource, e.g., [mem 0x0-0x1f flags 0x201]
71683 * - 'M' For a 6-byte MAC address, it prints the address in the
71684 @@ -855,12 +864,12 @@ char *pointer(const char *fmt, char *buf
71685 {
71686 if (!ptr && *fmt != 'K') {
71687 /*
71688 - * Print (null) with the same width as a pointer so it makes
71689 + * Print (nil) with the same width as a pointer so it makes
71690 * tabular output look nice.
71691 */
71692 if (spec.field_width == -1)
71693 spec.field_width = 2 * sizeof(void *);
71694 - return string(buf, end, "(null)", spec);
71695 + return string(buf, end, "(nil)", spec);
71696 }
71697
71698 switch (*fmt) {
71699 @@ -870,6 +879,13 @@ char *pointer(const char *fmt, char *buf
71700 /* Fallthrough */
71701 case 'S':
71702 case 's':
71703 +#ifdef CONFIG_GRKERNSEC_HIDESYM
71704 + break;
71705 +#else
71706 + return symbol_string(buf, end, ptr, spec, *fmt);
71707 +#endif
71708 + case 'A':
71709 + case 'a':
71710 case 'B':
71711 return symbol_string(buf, end, ptr, spec, *fmt);
71712 case 'R':
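Review bot: Under CONFIG_GRKERNSEC_HIDESYM the `'S'`/`'s'` cases, and whatever case falls through to them, now `break` instead of calling `symbol_string()`, so their output is decided by the code after the switch, which is outside this hunk. If that is the generic pointer-as-number path, every remaining `%pS` caller would print a numeric address in place of the symbol name, which is not obviously what hiding symbols is meant to achieve. A comment at the `break` should state the intended output, and if a raw address is not intended the branch could return a fixed placeholder through `string()` instead.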
71713 @@ -1632,11 +1648,11 @@ int bstr_printf(char *buf, size_t size,
71714 typeof(type) value; \
71715 if (sizeof(type) == 8) { \
71716 args = PTR_ALIGN(args, sizeof(u32)); \
71717 - *(u32 *)&value = *(u32 *)args; \
71718 - *((u32 *)&value + 1) = *(u32 *)(args + 4); \
71719 + *(u32 *)&value = *(const u32 *)args; \
71720 + *((u32 *)&value + 1) = *(const u32 *)(args + 4); \
71721 } else { \
71722 args = PTR_ALIGN(args, sizeof(type)); \
71723 - value = *(typeof(type) *)args; \
71724 + value = *(const typeof(type) *)args; \
71725 } \
71726 args += sizeof(type); \
71727 value; \
71728 @@ -1699,7 +1715,7 @@ int bstr_printf(char *buf, size_t size,
71729 case FORMAT_TYPE_STR: {
71730 const char *str_arg = args;
71731 args += strlen(str_arg) + 1;
71732 - str = string(str, end, (char *)str_arg, spec);
71733 + str = string(str, end, str_arg, spec);
71734 break;
71735 }
71736
71737 diff -urNp linux-2.6.39.3/localversion-grsec linux-2.6.39.3/localversion-grsec
71738 --- linux-2.6.39.3/localversion-grsec 1969-12-31 19:00:00.000000000 -0500
71739 +++ linux-2.6.39.3/localversion-grsec 2011-05-22 19:41:42.000000000 -0400
71740 @@ -0,0 +1 @@
71741 +-grsec
71742 diff -urNp linux-2.6.39.3/Makefile linux-2.6.39.3/Makefile
71743 --- linux-2.6.39.3/Makefile 2011-07-09 09:18:51.000000000 -0400
71744 +++ linux-2.6.39.3/Makefile 2011-07-09 09:19:18.000000000 -0400
71745 @@ -237,8 +237,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH"
71746
71747 HOSTCC = gcc
71748 HOSTCXX = g++
71749 -HOSTCFLAGS = -Wall -Wmissing-prototypes -Wstrict-prototypes -O2 -fomit-frame-pointer
71750 -HOSTCXXFLAGS = -O2
71751 +HOSTCFLAGS = -Wall -W -Wmissing-prototypes -Wstrict-prototypes -Wno-unused-parameter -Wno-missing-field-initializers -O2 -fomit-frame-pointer -fno-delete-null-pointer-checks
71752 +HOSTCFLAGS += $(call cc-option, -Wno-empty-body)
71753 +HOSTCXXFLAGS = -O2 -fno-delete-null-pointer-checks
71754
71755 # Decide whether to build built-in, modular, or both.
71756 # Normally, just do built-in.
71757 @@ -356,10 +357,12 @@ LINUXINCLUDE := -I$(srctree)/arch/$(h
71758 KBUILD_CPPFLAGS := -D__KERNEL__
71759
71760 KBUILD_CFLAGS := -Wall -Wundef -Wstrict-prototypes -Wno-trigraphs \
71761 + -W -Wno-unused-parameter -Wno-missing-field-initializers \
71762 -fno-strict-aliasing -fno-common \
71763 -Werror-implicit-function-declaration \
71764 -Wno-format-security \
71765 -fno-delete-null-pointer-checks
71766 +KBUILD_CFLAGS += $(call cc-option, -Wno-empty-body)
71767 KBUILD_AFLAGS_KERNEL :=
71768 KBUILD_CFLAGS_KERNEL :=
71769 KBUILD_AFLAGS := -D__ASSEMBLY__
71770 @@ -397,8 +400,8 @@ export RCS_TAR_IGNORE := --exclude SCCS
71771 # Rules shared between *config targets and build targets
71772
71773 # Basic helpers built in scripts/
71774 -PHONY += scripts_basic
71775 -scripts_basic:
71776 +PHONY += scripts_basic pax-plugin
71777 +scripts_basic: pax-plugin
71778 $(Q)$(MAKE) $(build)=scripts/basic
71779 $(Q)rm -f .tmp_quiet_recordmcount
71780
71781 @@ -550,6 +553,18 @@ endif
71782
71783 include $(srctree)/arch/$(SRCARCH)/Makefile
71784
71785 +ifeq ($(CONFIG_PAX_MEMORY_STACKLEAK),y)
71786 +KBUILD_CFLAGS += $(call cc-ifversion, -ge, 0405, -fplugin=$(objtree)/tools/gcc/pax_plugin.so -fplugin-arg-pax_plugin-track-lowest-sp=100)
71787 +endif
71788 +pax-plugin:
71789 +ifneq (,$(findstring pax_plugin, $(KBUILD_CFLAGS)))
71790 + $(Q)$(MAKE) $(build)=tools/gcc
71791 +else
71792 +ifeq ($(CONFIG_PAX_MEMORY_STACKLEAK),y)
71793 + $(Q)echo "warning, your gcc does not support plugins, PAX_MEMORY_STACKLEAK will be less secure"
71794 +endif
71795 +endif
71796 +
71797 ifneq ($(CONFIG_FRAME_WARN),0)
71798 KBUILD_CFLAGS += $(call cc-option,-Wframe-larger-than=${CONFIG_FRAME_WARN})
71799 endif
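Review bot: When CONFIG_PAX_MEMORY_STACKLEAK=y but the `cc-ifversion -ge 0405` test fails, the `pax-plugin` recipe only echoes a warning to stdout and the build continues, so the kernel's config says the option is on while the plugin was never applied. The message is easy to lose in a parallel build: sending it to stderr with `>&2` is the minimum, and appending `; exit 1` (possibly behind an override variable) would stop the silent downgrade. The test is also a version comparison only, so a gcc 4.5 or later built without plugin support would presumably pass it and fail later at `-fplugin=`; a comment should note that.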
71800 @@ -685,7 +700,7 @@ export mod_strip_cmd
71801
71802
71803 ifeq ($(KBUILD_EXTMOD),)
71804 -core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/
71805 +core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
71806
71807 vmlinux-dirs := $(patsubst %/,%,$(filter %/, $(init-y) $(init-m) \
71808 $(core-y) $(core-m) $(drivers-y) $(drivers-m) \
71809 @@ -947,7 +962,7 @@ ifneq ($(KBUILD_SRC),)
71810 endif
71811
71812 # prepare2 creates a makefile if using a separate output directory
71813 -prepare2: prepare3 outputmakefile
71814 +prepare2: prepare3 outputmakefile pax-plugin
71815
71816 prepare1: prepare2 include/linux/version.h include/generated/utsrelease.h \
71817 include/config/auto.conf
71818 @@ -1375,7 +1390,7 @@ clean: $(clean-dirs)
71819 $(call cmd,rmdirs)
71820 $(call cmd,rmfiles)
71821 @find $(if $(KBUILD_EXTMOD), $(KBUILD_EXTMOD), .) $(RCS_FIND_IGNORE) \
71822 - \( -name '*.[oas]' -o -name '*.ko' -o -name '.*.cmd' \
71823 + \( -name '*.[oas]' -o -name '*.[ks]o' -o -name '.*.cmd' \
71824 -o -name '.*.d' -o -name '.*.tmp' -o -name '*.mod.c' \
71825 -o -name '*.symtypes' -o -name 'modules.order' \
71826 -o -name modules.builtin -o -name '.tmp_*.o.*' \
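Review bot: Widening `'*.ko'` to `'*.[ks]o'` makes `make clean` delete every `*.so` found under the tree, or under `$(KBUILD_EXTMOD)` for an external module build, not only the plugin this patch adds. If only `tools/gcc/pax_plugin.so` is meant, listing it in `clean-files` in the `tools/gcc` Makefile (not shown here) keeps the top-level rule from removing unrelated shared objects. The `clean` recipe continues outside the hunk.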
71827 diff -urNp linux-2.6.39.3/mm/filemap.c linux-2.6.39.3/mm/filemap.c
71828 --- linux-2.6.39.3/mm/filemap.c 2011-05-19 00:06:34.000000000 -0400
71829 +++ linux-2.6.39.3/mm/filemap.c 2011-05-22 19:41:42.000000000 -0400
71830 @@ -1724,7 +1724,7 @@ int generic_file_mmap(struct file * file
71831 struct address_space *mapping = file->f_mapping;
71832
71833 if (!mapping->a_ops->readpage)
71834 - return -ENOEXEC;
71835 + return -ENODEV;
71836 file_accessed(file);
71837 vma->vm_ops = &generic_file_vm_ops;
71838 vma->vm_flags |= VM_CAN_NONLINEAR;
71839 @@ -2120,6 +2120,7 @@ inline int generic_write_checks(struct f
71840 *pos = i_size_read(inode);
71841
71842 if (limit != RLIM_INFINITY) {
71843 + gr_learn_resource(current, RLIMIT_FSIZE,*pos, 0);
71844 if (*pos >= limit) {
71845 send_sig(SIGXFSZ, current, 0);
71846 return -EFBIG;
71847 diff -urNp linux-2.6.39.3/mm/fremap.c linux-2.6.39.3/mm/fremap.c
71848 --- linux-2.6.39.3/mm/fremap.c 2011-05-19 00:06:34.000000000 -0400
71849 +++ linux-2.6.39.3/mm/fremap.c 2011-05-22 19:36:33.000000000 -0400
71850 @@ -156,6 +156,11 @@ SYSCALL_DEFINE5(remap_file_pages, unsign
71851 retry:
71852 vma = find_vma(mm, start);
71853
71854 +#ifdef CONFIG_PAX_SEGMEXEC
71855 + if (vma && (mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_flags & VM_MAYEXEC))
71856 + goto out;
71857 +#endif
71858 +
71859 /*
71860 * Make sure the vma is shared, that it supports prefaulting,
71861 * and that the remapped range is valid and fully within
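Review bot: The new SEGMEXEC check jumps to `out` without assigning `err`, so the value returned when an executable mapping is refused is whatever `err` holds at `retry:`, and that assignment is outside this hunk. Setting it explicitly before the jump (for example `err = -EINVAL;`, inside braces with the `goto out;`) makes the refusal independent of earlier code. A short comment on why `VM_MAYEXEC` mappings are excluded under SEGMEXEC would also help the next reader.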
71862 @@ -224,7 +229,7 @@ SYSCALL_DEFINE5(remap_file_pages, unsign
71863 /*
71864 * drop PG_Mlocked flag for over-mapped range
71865 */
71866 - unsigned int saved_flags = vma->vm_flags;
71867 + unsigned long saved_flags = vma->vm_flags;
71868 munlock_vma_pages_range(vma, start, start + size);
71869 vma->vm_flags = saved_flags;
71870 }
71871 diff -urNp linux-2.6.39.3/mm/highmem.c linux-2.6.39.3/mm/highmem.c
71872 --- linux-2.6.39.3/mm/highmem.c 2011-05-19 00:06:34.000000000 -0400
71873 +++ linux-2.6.39.3/mm/highmem.c 2011-05-22 19:36:33.000000000 -0400
71874 @@ -125,9 +125,10 @@ static void flush_all_zero_pkmaps(void)
71875 * So no dangers, even with speculative execution.
71876 */
71877 page = pte_page(pkmap_page_table[i]);
71878 + pax_open_kernel();
71879 pte_clear(&init_mm, (unsigned long)page_address(page),
71880 &pkmap_page_table[i]);
71881 -
71882 + pax_close_kernel();
71883 set_page_address(page, NULL);
71884 need_flush = 1;
71885 }
71886 @@ -186,9 +187,11 @@ start:
71887 }
71888 }
71889 vaddr = PKMAP_ADDR(last_pkmap_nr);
71890 +
71891 + pax_open_kernel();
71892 set_pte_at(&init_mm, vaddr,
71893 &(pkmap_page_table[last_pkmap_nr]), mk_pte(page, kmap_prot));
71894 -
71895 + pax_close_kernel();
71896 pkmap_count[last_pkmap_nr] = 1;
71897 set_page_address(page, (void *)vaddr);
71898
71899 diff -urNp linux-2.6.39.3/mm/huge_memory.c linux-2.6.39.3/mm/huge_memory.c
71900 --- linux-2.6.39.3/mm/huge_memory.c 2011-05-19 00:06:34.000000000 -0400
71901 +++ linux-2.6.39.3/mm/huge_memory.c 2011-05-22 19:36:33.000000000 -0400
71902 @@ -702,7 +702,7 @@ out:
71903 * run pte_offset_map on the pmd, if an huge pmd could
71904 * materialize from under us from a different thread.
71905 */
71906 - if (unlikely(__pte_alloc(mm, vma, pmd, address)))
71907 + if (unlikely(pmd_none(*pmd) && __pte_alloc(mm, vma, pmd, address)))
71908 return VM_FAULT_OOM;
71909 /* if an huge pmd materialized from under us just retry later */
71910 if (unlikely(pmd_trans_huge(*pmd)))
71911 diff -urNp linux-2.6.39.3/mm/hugetlb.c linux-2.6.39.3/mm/hugetlb.c
71912 --- linux-2.6.39.3/mm/hugetlb.c 2011-07-09 09:18:51.000000000 -0400
71913 +++ linux-2.6.39.3/mm/hugetlb.c 2011-07-09 09:19:24.000000000 -0400
71914 @@ -2339,6 +2339,27 @@ static int unmap_ref_private(struct mm_s
71915 return 1;
71916 }
71917
71918 +#ifdef CONFIG_PAX_SEGMEXEC
71919 +static void pax_mirror_huge_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m)
71920 +{
71921 + struct mm_struct *mm = vma->vm_mm;
71922 + struct vm_area_struct *vma_m;
71923 + unsigned long address_m;
71924 + pte_t *ptep_m;
71925 +
71926 + vma_m = pax_find_mirror_vma(vma);
71927 + if (!vma_m)
71928 + return;
71929 +
71930 + BUG_ON(address >= SEGMEXEC_TASK_SIZE);
71931 + address_m = address + SEGMEXEC_TASK_SIZE;
71932 + ptep_m = huge_pte_offset(mm, address_m & HPAGE_MASK);
71933 + get_page(page_m);
71934 + hugepage_add_anon_rmap(page_m, vma_m, address_m);
71935 + set_huge_pte_at(mm, address_m, ptep_m, make_huge_pte(vma_m, page_m, 0));
71936 +}
71937 +#endif
71938 +
71939 /*
71940 * Hugetlb_cow() should be called with page lock of the original hugepage held.
71941 */
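Review bot: `ptep_m` returned by `huge_pte_offset()` is handed to `set_huge_pte_at()` without a NULL check, so pax_mirror_huge_pte depends on every caller having allocated the mirror entry beforehand. hugetlb_fault does call `huge_pte_alloc(mm, address_m, ...)` in a later hunk, but nothing in this function states or enforces it; `BUG_ON(!ptep_m);` placed before `get_page(page_m)` would make the precondition explicit in the same style as the existing `BUG_ON(address >= SEGMEXEC_TASK_SIZE)`. The lookup masks the address with `HPAGE_MASK` while the rmap and PTE calls use the unmasked `address_m`; a comment should say whether that difference is intended.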
71942 @@ -2440,6 +2461,11 @@ retry_avoidcopy:
71943 make_huge_pte(vma, new_page, 1));
71944 page_remove_rmap(old_page);
71945 hugepage_add_new_anon_rmap(new_page, vma, address);
71946 +
71947 +#ifdef CONFIG_PAX_SEGMEXEC
71948 + pax_mirror_huge_pte(vma, address, new_page);
71949 +#endif
71950 +
71951 /* Make the old page be freed below */
71952 new_page = old_page;
71953 mmu_notifier_invalidate_range_end(mm,
71954 @@ -2591,6 +2617,10 @@ retry:
71955 && (vma->vm_flags & VM_SHARED)));
71956 set_huge_pte_at(mm, address, ptep, new_pte);
71957
71958 +#ifdef CONFIG_PAX_SEGMEXEC
71959 + pax_mirror_huge_pte(vma, address, page);
71960 +#endif
71961 +
71962 if ((flags & FAULT_FLAG_WRITE) && !(vma->vm_flags & VM_SHARED)) {
71963 /* Optimization, do the COW without a second fault */
71964 ret = hugetlb_cow(mm, vma, address, ptep, new_pte, page);
71965 @@ -2620,6 +2650,10 @@ int hugetlb_fault(struct mm_struct *mm,
71966 static DEFINE_MUTEX(hugetlb_instantiation_mutex);
71967 struct hstate *h = hstate_vma(vma);
71968
71969 +#ifdef CONFIG_PAX_SEGMEXEC
71970 + struct vm_area_struct *vma_m;
71971 +#endif
71972 +
71973 ptep = huge_pte_offset(mm, address);
71974 if (ptep) {
71975 entry = huge_ptep_get(ptep);
71976 @@ -2631,6 +2665,26 @@ int hugetlb_fault(struct mm_struct *mm,
71977 VM_FAULT_SET_HINDEX(h - hstates);
71978 }
71979
71980 +#ifdef CONFIG_PAX_SEGMEXEC
71981 + vma_m = pax_find_mirror_vma(vma);
71982 + if (vma_m) {
71983 + unsigned long address_m;
71984 +
71985 + if (vma->vm_start > vma_m->vm_start) {
71986 + address_m = address;
71987 + address -= SEGMEXEC_TASK_SIZE;
71988 + vma = vma_m;
71989 + h = hstate_vma(vma);
71990 + } else
71991 + address_m = address + SEGMEXEC_TASK_SIZE;
71992 +
71993 + if (!huge_pte_alloc(mm, address_m, huge_page_size(h)))
71994 + return VM_FAULT_OOM;
71995 + address_m &= HPAGE_MASK;
71996 + unmap_hugepage_range(vma, address_m, address_m + HPAGE_SIZE, NULL);
71997 + }
71998 +#endif
71999 +
72000 ptep = huge_pte_alloc(mm, address, huge_page_size(h));
72001 if (!ptep)
72002 return VM_FAULT_OOM;
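Review bot: The mirror block allocates with `huge_page_size(h)` but then aligns and unmaps with the fixed `HPAGE_MASK` and `HPAGE_SIZE`, so the two agree only when `h` is the default huge page size. Using the hstate helpers keeps them consistent: `address_m &= huge_page_mask(h);` and `unmap_hugepage_range(vma, address_m, address_m + huge_page_size(h), NULL);`. `pax_mirror_huge_pte()` masks with `HPAGE_MASK` in the same way. hugetlb_fault starts and ends outside the hunk.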
72003 diff -urNp linux-2.6.39.3/mm/internal.h linux-2.6.39.3/mm/internal.h
72004 --- linux-2.6.39.3/mm/internal.h 2011-05-19 00:06:34.000000000 -0400
72005 +++ linux-2.6.39.3/mm/internal.h 2011-07-09 09:12:54.000000000 -0400
72006 @@ -49,6 +49,7 @@ extern void putback_lru_page(struct page
72007 * in mm/page_alloc.c
72008 */
72009 extern void __free_pages_bootmem(struct page *page, unsigned int order);
72010 +extern void free_compound_page(struct page *page);
72011 extern void prep_compound_page(struct page *page, unsigned long order);
72012 #ifdef CONFIG_MEMORY_FAILURE
72013 extern bool is_free_buddy_page(struct page *page);
72014 diff -urNp linux-2.6.39.3/mm/Kconfig linux-2.6.39.3/mm/Kconfig
72015 --- linux-2.6.39.3/mm/Kconfig 2011-05-19 00:06:34.000000000 -0400
72016 +++ linux-2.6.39.3/mm/Kconfig 2011-05-22 19:41:42.000000000 -0400
72017 @@ -240,7 +240,7 @@ config KSM
72018 config DEFAULT_MMAP_MIN_ADDR
72019 int "Low address space to protect from user allocation"
72020 depends on MMU
72021 - default 4096
72022 + default 65536
72023 help
72024 This is the portion of low virtual memory which should be protected
72025 from userspace allocation. Keeping a user from writing to low pages
72026 diff -urNp linux-2.6.39.3/mm/kmemleak.c linux-2.6.39.3/mm/kmemleak.c
72027 --- linux-2.6.39.3/mm/kmemleak.c 2011-06-03 00:04:14.000000000 -0400
72028 +++ linux-2.6.39.3/mm/kmemleak.c 2011-06-03 00:32:08.000000000 -0400
72029 @@ -357,7 +357,7 @@ static void print_unreferenced(struct se
72030
72031 for (i = 0; i < object->trace_len; i++) {
72032 void *ptr = (void *)object->trace[i];
72033 - seq_printf(seq, " [<%p>] %pS\n", ptr, ptr);
72034 + seq_printf(seq, " [<%p>] %pA\n", ptr, ptr);
72035 }
72036 }
72037
72038 diff -urNp linux-2.6.39.3/mm/maccess.c linux-2.6.39.3/mm/maccess.c
72039 --- linux-2.6.39.3/mm/maccess.c 2011-05-19 00:06:34.000000000 -0400
72040 +++ linux-2.6.39.3/mm/maccess.c 2011-05-22 19:36:33.000000000 -0400
72041 @@ -15,10 +15,10 @@
72042 * happens, handle that and return -EFAULT.
72043 */
72044
72045 -long __weak probe_kernel_read(void *dst, void *src, size_t size)
72046 +long __weak probe_kernel_read(void *dst, const void *src, size_t size)
72047 __attribute__((alias("__probe_kernel_read")));
72048
72049 -long __probe_kernel_read(void *dst, void *src, size_t size)
72050 +long __probe_kernel_read(void *dst, const void *src, size_t size)
72051 {
72052 long ret;
72053 mm_segment_t old_fs = get_fs();
72054 @@ -43,10 +43,10 @@ EXPORT_SYMBOL_GPL(probe_kernel_read);
72055 * Safely write to address @dst from the buffer at @src. If a kernel fault
72056 * happens, handle that and return -EFAULT.
72057 */
72058 -long __weak probe_kernel_write(void *dst, void *src, size_t size)
72059 +long __weak probe_kernel_write(void *dst, const void *src, size_t size)
72060 __attribute__((alias("__probe_kernel_write")));
72061
72062 -long __probe_kernel_write(void *dst, void *src, size_t size)
72063 +long __probe_kernel_write(void *dst, const void *src, size_t size)
72064 {
72065 long ret;
72066 mm_segment_t old_fs = get_fs();
72067 diff -urNp linux-2.6.39.3/mm/madvise.c linux-2.6.39.3/mm/madvise.c
72068 --- linux-2.6.39.3/mm/madvise.c 2011-05-19 00:06:34.000000000 -0400
72069 +++ linux-2.6.39.3/mm/madvise.c 2011-05-22 19:36:33.000000000 -0400
72070 @@ -45,6 +45,10 @@ static long madvise_behavior(struct vm_a
72071 pgoff_t pgoff;
72072 unsigned long new_flags = vma->vm_flags;
72073
72074 +#ifdef CONFIG_PAX_SEGMEXEC
72075 + struct vm_area_struct *vma_m;
72076 +#endif
72077 +
72078 switch (behavior) {
72079 case MADV_NORMAL:
72080 new_flags = new_flags & ~VM_RAND_READ & ~VM_SEQ_READ;
72081 @@ -110,6 +114,13 @@ success:
72082 /*
72083 * vm_flags is protected by the mmap_sem held in write mode.
72084 */
72085 +
72086 +#ifdef CONFIG_PAX_SEGMEXEC
72087 + vma_m = pax_find_mirror_vma(vma);
72088 + if (vma_m)
72089 + vma_m->vm_flags = new_flags & ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT);
72090 +#endif
72091 +
72092 vma->vm_flags = new_flags;
72093
72094 out:
72095 @@ -168,6 +179,11 @@ static long madvise_dontneed(struct vm_a
72096 struct vm_area_struct ** prev,
72097 unsigned long start, unsigned long end)
72098 {
72099 +
72100 +#ifdef CONFIG_PAX_SEGMEXEC
72101 + struct vm_area_struct *vma_m;
72102 +#endif
72103 +
72104 *prev = vma;
72105 if (vma->vm_flags & (VM_LOCKED|VM_HUGETLB|VM_PFNMAP))
72106 return -EINVAL;
72107 @@ -180,6 +196,21 @@ static long madvise_dontneed(struct vm_a
72108 zap_page_range(vma, start, end - start, &details);
72109 } else
72110 zap_page_range(vma, start, end - start, NULL);
72111 +
72112 +#ifdef CONFIG_PAX_SEGMEXEC
72113 + vma_m = pax_find_mirror_vma(vma);
72114 + if (vma_m) {
72115 + if (unlikely(vma->vm_flags & VM_NONLINEAR)) {
72116 + struct zap_details details = {
72117 + .nonlinear_vma = vma_m,
72118 + .last_index = ULONG_MAX,
72119 + };
72120 + zap_page_range(vma, start + SEGMEXEC_TASK_SIZE, end - start, &details);
72121 + } else
72122 + zap_page_range(vma, start + SEGMEXEC_TASK_SIZE, end - start, NULL);
72123 + }
72124 +#endif
72125 +
72126 return 0;
72127 }
72128
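Review bot: Both mirror calls pass `vma` to `zap_page_range()` although the address `start + SEGMEXEC_TASK_SIZE` lies in the mirror's range and `details.nonlinear_vma` is set to `vma_m`. If the zap is meant to act on the mirror mapping, passing the mirror reads more directly: `zap_page_range(vma_m, start + SEGMEXEC_TASK_SIZE, end - start, NULL);`. If it deliberately relies on the unmap walk advancing from `vma` to the mirror, a one-line comment saying so would stop a later reader from "correcting" it. The body of madvise_dontneed starts outside this hunk.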
72129 @@ -376,6 +407,16 @@ SYSCALL_DEFINE3(madvise, unsigned long,
72130 if (end < start)
72131 goto out;
72132
72133 +#ifdef CONFIG_PAX_SEGMEXEC
72134 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
72135 + if (end > SEGMEXEC_TASK_SIZE)
72136 + goto out;
72137 + } else
72138 +#endif
72139 +
72140 + if (end > TASK_SIZE)
72141 + goto out;
72142 +
72143 error = 0;
72144 if (end == start)
72145 goto out;
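Review bot: The `} else` placed directly before `#endif` makes the following `if (end > TASK_SIZE)` an else-branch only when CONFIG_PAX_SEGMEXEC is set, so the control flow depends on a statement boundary that crosses the preprocessor block. Anything later inserted between `#endif` and that `if` silently changes which check runs. A local bound keeps the test in one place: `unsigned long limit = TASK_SIZE;` with the declarations, then inside the `#ifdef` `if (current->mm->pax_flags & MF_PAX_SEGMEXEC) limit = SEGMEXEC_TASK_SIZE;`, followed by `if (end > limit) goto out;`. The same construct appears in the do_mbind hunk of mm/mempolicy.c. The syscall body starts and ends outside this hunk.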
72146 diff -urNp linux-2.6.39.3/mm/memory.c linux-2.6.39.3/mm/memory.c
72147 --- linux-2.6.39.3/mm/memory.c 2011-05-19 00:06:34.000000000 -0400
72148 +++ linux-2.6.39.3/mm/memory.c 2011-05-22 19:36:33.000000000 -0400
72149 @@ -259,8 +259,12 @@ static inline void free_pmd_range(struct
72150 return;
72151
72152 pmd = pmd_offset(pud, start);
72153 +
72154 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_PER_CPU_PGD)
72155 pud_clear(pud);
72156 pmd_free_tlb(tlb, pmd, start);
72157 +#endif
72158 +
72159 }
72160
72161 static inline void free_pud_range(struct mmu_gather *tlb, pgd_t *pgd,
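Review bot: `pmd = pmd_offset(pud, start);` is left above the new `#if`, so on X86_32 with CONFIG_PAX_PER_CPU_PGD it becomes a dead store, whereas the free_pud_range hunk that follows moves `pud = pud_offset(pgd, start);` inside its guard. Moving the assignment below the `#if` line would make the two hunks consistent. Neither guard has a comment saying why the table at that level is not cleared and freed under per-CPU PGDs; the reason is not visible here and should be recorded next to each `#if`. Both function bodies start outside their hunks.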
72162 @@ -291,9 +295,12 @@ static inline void free_pud_range(struct
72163 if (end - 1 > ceiling - 1)
72164 return;
72165
72166 +#if !defined(CONFIG_X86_64) || !defined(CONFIG_PAX_PER_CPU_PGD)
72167 pud = pud_offset(pgd, start);
72168 pgd_clear(pgd);
72169 pud_free_tlb(tlb, pud, start);
72170 +#endif
72171 +
72172 }
72173
72174 /*
72175 @@ -1410,12 +1417,6 @@ no_page_table:
72176 return page;
72177 }
72178
72179 -static inline int stack_guard_page(struct vm_area_struct *vma, unsigned long addr)
72180 -{
72181 - return stack_guard_page_start(vma, addr) ||
72182 - stack_guard_page_end(vma, addr+PAGE_SIZE);
72183 -}
72184 -
72185 /**
72186 * __get_user_pages() - pin user pages in memory
72187 * @tsk: task_struct of target task
72188 @@ -1488,10 +1489,10 @@ int __get_user_pages(struct task_struct
72189 (VM_MAYREAD | VM_MAYWRITE) : (VM_READ | VM_WRITE);
72190 i = 0;
72191
72192 - do {
72193 + while (nr_pages) {
72194 struct vm_area_struct *vma;
72195
72196 - vma = find_extend_vma(mm, start);
72197 + vma = find_vma(mm, start);
72198 if (!vma && in_gate_area(mm, start)) {
72199 unsigned long pg = start & PAGE_MASK;
72200 pgd_t *pgd;
72201 @@ -1539,7 +1540,7 @@ int __get_user_pages(struct task_struct
72202 goto next_page;
72203 }
72204
72205 - if (!vma ||
72206 + if (!vma || start < vma->vm_start ||
72207 (vma->vm_flags & (VM_IO | VM_PFNMAP)) ||
72208 !(vm_flags & vma->vm_flags))
72209 return i ? : -EFAULT;
72210 @@ -1566,11 +1567,6 @@ int __get_user_pages(struct task_struct
72211 int ret;
72212 unsigned int fault_flags = 0;
72213
72214 - /* For mlock, just skip the stack guard page. */
72215 - if (foll_flags & FOLL_MLOCK) {
72216 - if (stack_guard_page(vma, start))
72217 - goto next_page;
72218 - }
72219 if (foll_flags & FOLL_WRITE)
72220 fault_flags |= FAULT_FLAG_WRITE;
72221 if (nonblocking)
72222 @@ -1644,7 +1640,7 @@ next_page:
72223 start += PAGE_SIZE;
72224 nr_pages--;
72225 } while (nr_pages && start < vma->vm_end);
72226 - } while (nr_pages);
72227 + }
72228 return i;
72229 }
72230 EXPORT_SYMBOL(__get_user_pages);
72231 @@ -1795,6 +1791,10 @@ static int insert_page(struct vm_area_st
72232 page_add_file_rmap(page);
72233 set_pte_at(mm, addr, pte, mk_pte(page, prot));
72234
72235 +#ifdef CONFIG_PAX_SEGMEXEC
72236 + pax_mirror_file_pte(vma, addr, page, ptl);
72237 +#endif
72238 +
72239 retval = 0;
72240 pte_unmap_unlock(pte, ptl);
72241 return retval;
72242 @@ -1829,10 +1829,22 @@ out:
72243 int vm_insert_page(struct vm_area_struct *vma, unsigned long addr,
72244 struct page *page)
72245 {
72246 +
72247 +#ifdef CONFIG_PAX_SEGMEXEC
72248 + struct vm_area_struct *vma_m;
72249 +#endif
72250 +
72251 if (addr < vma->vm_start || addr >= vma->vm_end)
72252 return -EFAULT;
72253 if (!page_count(page))
72254 return -EINVAL;
72255 +
72256 +#ifdef CONFIG_PAX_SEGMEXEC
72257 + vma_m = pax_find_mirror_vma(vma);
72258 + if (vma_m)
72259 + vma_m->vm_flags |= VM_INSERTPAGE;
72260 +#endif
72261 +
72262 vma->vm_flags |= VM_INSERTPAGE;
72263 return insert_page(vma, addr, page, vma->vm_page_prot);
72264 }
72265 @@ -1918,6 +1930,7 @@ int vm_insert_mixed(struct vm_area_struc
72266 unsigned long pfn)
72267 {
72268 BUG_ON(!(vma->vm_flags & VM_MIXEDMAP));
72269 + BUG_ON(vma->vm_mirror);
72270
72271 if (addr < vma->vm_start || addr >= vma->vm_end)
72272 return -EFAULT;
72273 @@ -2233,6 +2246,186 @@ static inline void cow_user_page(struct
72274 copy_user_highpage(dst, src, va, vma);
72275 }
72276
72277 +#ifdef CONFIG_PAX_SEGMEXEC
72278 +static void pax_unmap_mirror_pte(struct vm_area_struct *vma, unsigned long address, pmd_t *pmd)
72279 +{
72280 + struct mm_struct *mm = vma->vm_mm;
72281 + spinlock_t *ptl;
72282 + pte_t *pte, entry;
72283 +
72284 + pte = pte_offset_map_lock(mm, pmd, address, &ptl);
72285 + entry = *pte;
72286 + if (!pte_present(entry)) {
72287 + if (!pte_none(entry)) {
72288 + BUG_ON(pte_file(entry));
72289 + free_swap_and_cache(pte_to_swp_entry(entry));
72290 + pte_clear_not_present_full(mm, address, pte, 0);
72291 + }
72292 + } else {
72293 + struct page *page;
72294 +
72295 + flush_cache_page(vma, address, pte_pfn(entry));
72296 + entry = ptep_clear_flush(vma, address, pte);
72297 + BUG_ON(pte_dirty(entry));
72298 + page = vm_normal_page(vma, address, entry);
72299 + if (page) {
72300 + update_hiwater_rss(mm);
72301 + if (PageAnon(page))
72302 + dec_mm_counter_fast(mm, MM_ANONPAGES);
72303 + else
72304 + dec_mm_counter_fast(mm, MM_FILEPAGES);
72305 + page_remove_rmap(page);
72306 + page_cache_release(page);
72307 + }
72308 + }
72309 + pte_unmap_unlock(pte, ptl);
72310 +}
72311 +
72312 +/* PaX: if vma is mirrored, synchronize the mirror's PTE
72313 + *
72314 + * the ptl of the lower mapped page is held on entry and is not released on exit
72315 + * or inside to ensure atomic changes to the PTE states (swapout, mremap, munmap, etc)
72316 + */
72317 +static void pax_mirror_anon_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl)
72318 +{
72319 + struct mm_struct *mm = vma->vm_mm;
72320 + unsigned long address_m;
72321 + spinlock_t *ptl_m;
72322 + struct vm_area_struct *vma_m;
72323 + pmd_t *pmd_m;
72324 + pte_t *pte_m, entry_m;
72325 +
72326 + BUG_ON(!page_m || !PageAnon(page_m));
72327 +
72328 + vma_m = pax_find_mirror_vma(vma);
72329 + if (!vma_m)
72330 + return;
72331 +
72332 + BUG_ON(!PageLocked(page_m));
72333 + BUG_ON(address >= SEGMEXEC_TASK_SIZE);
72334 + address_m = address + SEGMEXEC_TASK_SIZE;
72335 + pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
72336 + pte_m = pte_offset_map(pmd_m, address_m);
72337 + ptl_m = pte_lockptr(mm, pmd_m);
72338 + if (ptl != ptl_m) {
72339 + spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
72340 + if (!pte_none(*pte_m))
72341 + goto out;
72342 + }
72343 +
72344 + entry_m = pfn_pte(page_to_pfn(page_m), vma_m->vm_page_prot);
72345 + page_cache_get(page_m);
72346 + page_add_anon_rmap(page_m, vma_m, address_m);
72347 + inc_mm_counter_fast(mm, MM_ANONPAGES);
72348 + set_pte_at(mm, address_m, pte_m, entry_m);
72349 + update_mmu_cache(vma_m, address_m, entry_m);
72350 +out:
72351 + if (ptl != ptl_m)
72352 + spin_unlock(ptl_m);
72353 + pte_unmap(pte_m);
72354 + unlock_page(page_m);
72355 +}
72356 +
72357 +void pax_mirror_file_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl)
72358 +{
72359 + struct mm_struct *mm = vma->vm_mm;
72360 + unsigned long address_m;
72361 + spinlock_t *ptl_m;
72362 + struct vm_area_struct *vma_m;
72363 + pmd_t *pmd_m;
72364 + pte_t *pte_m, entry_m;
72365 +
72366 + BUG_ON(!page_m || PageAnon(page_m));
72367 +
72368 + vma_m = pax_find_mirror_vma(vma);
72369 + if (!vma_m)
72370 + return;
72371 +
72372 + BUG_ON(address >= SEGMEXEC_TASK_SIZE);
72373 + address_m = address + SEGMEXEC_TASK_SIZE;
72374 + pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
72375 + pte_m = pte_offset_map(pmd_m, address_m);
72376 + ptl_m = pte_lockptr(mm, pmd_m);
72377 + if (ptl != ptl_m) {
72378 + spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
72379 + if (!pte_none(*pte_m))
72380 + goto out;
72381 + }
72382 +
72383 + entry_m = pfn_pte(page_to_pfn(page_m), vma_m->vm_page_prot);
72384 + page_cache_get(page_m);
72385 + page_add_file_rmap(page_m);
72386 + inc_mm_counter_fast(mm, MM_FILEPAGES);
72387 + set_pte_at(mm, address_m, pte_m, entry_m);
72388 + update_mmu_cache(vma_m, address_m, entry_m);
72389 +out:
72390 + if (ptl != ptl_m)
72391 + spin_unlock(ptl_m);
72392 + pte_unmap(pte_m);
72393 +}
72394 +
72395 +static void pax_mirror_pfn_pte(struct vm_area_struct *vma, unsigned long address, unsigned long pfn_m, spinlock_t *ptl)
72396 +{
72397 + struct mm_struct *mm = vma->vm_mm;
72398 + unsigned long address_m;
72399 + spinlock_t *ptl_m;
72400 + struct vm_area_struct *vma_m;
72401 + pmd_t *pmd_m;
72402 + pte_t *pte_m, entry_m;
72403 +
72404 + vma_m = pax_find_mirror_vma(vma);
72405 + if (!vma_m)
72406 + return;
72407 +
72408 + BUG_ON(address >= SEGMEXEC_TASK_SIZE);
72409 + address_m = address + SEGMEXEC_TASK_SIZE;
72410 + pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
72411 + pte_m = pte_offset_map(pmd_m, address_m);
72412 + ptl_m = pte_lockptr(mm, pmd_m);
72413 + if (ptl != ptl_m) {
72414 + spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
72415 + if (!pte_none(*pte_m))
72416 + goto out;
72417 + }
72418 +
72419 + entry_m = pfn_pte(pfn_m, vma_m->vm_page_prot);
72420 + set_pte_at(mm, address_m, pte_m, entry_m);
72421 +out:
72422 + if (ptl != ptl_m)
72423 + spin_unlock(ptl_m);
72424 + pte_unmap(pte_m);
72425 +}
72426 +
72427 +static void pax_mirror_pte(struct vm_area_struct *vma, unsigned long address, pte_t *pte, pmd_t *pmd, spinlock_t *ptl)
72428 +{
72429 + struct page *page_m;
72430 + pte_t entry;
72431 +
72432 + if (!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC))
72433 + goto out;
72434 +
72435 + entry = *pte;
72436 + page_m = vm_normal_page(vma, address, entry);
72437 + if (!page_m)
72438 + pax_mirror_pfn_pte(vma, address, pte_pfn(entry), ptl);
72439 + else if (PageAnon(page_m)) {
72440 + if (pax_find_mirror_vma(vma)) {
72441 + pte_unmap_unlock(pte, ptl);
72442 + lock_page(page_m);
72443 + pte = pte_offset_map_lock(vma->vm_mm, pmd, address, &ptl);
72444 + if (pte_same(entry, *pte))
72445 + pax_mirror_anon_pte(vma, address, page_m, ptl);
72446 + else
72447 + unlock_page(page_m);
72448 + }
72449 + } else
72450 + pax_mirror_file_pte(vma, address, page_m, ptl);
72451 +
72452 +out:
72453 + pte_unmap_unlock(pte, ptl);
72454 +}
72455 +#endif
72456 +
72457 /*
72458 * This routine handles present pages, when users try to write
72459 * to a shared page. It is done by copying the page to a new address
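Review bot: In `pax_mirror_pte()` the anonymous branch calls `pte_unmap_unlock(pte, ptl)` and then `lock_page(page_m)` with no visible reference held on `page_m`, so once the PTE lock is dropped nothing shown here keeps the page from being unmapped and freed before `lock_page()` runs. Unless a pin is held elsewhere (not visible in this hunk), take one across that window: `page_cache_get(page_m);` before the `pte_unmap_unlock()` and `page_cache_release(page_m);` after the `pte_same()` branch. The header comment on `pax_mirror_anon_pte()` should also say that `page_m` must be locked on entry when a mirror exists and is unlocked on return, since the `trylock_page()` calls added at its call sites depend on that.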
72460 @@ -2444,6 +2637,12 @@ gotten:
72461 */
72462 page_table = pte_offset_map_lock(mm, pmd, address, &ptl);
72463 if (likely(pte_same(*page_table, orig_pte))) {
72464 +
72465 +#ifdef CONFIG_PAX_SEGMEXEC
72466 + if (pax_find_mirror_vma(vma))
72467 + BUG_ON(!trylock_page(new_page));
72468 +#endif
72469 +
72470 if (old_page) {
72471 if (!PageAnon(old_page)) {
72472 dec_mm_counter_fast(mm, MM_FILEPAGES);
72473 @@ -2495,6 +2694,10 @@ gotten:
72474 page_remove_rmap(old_page);
72475 }
72476
72477 +#ifdef CONFIG_PAX_SEGMEXEC
72478 + pax_mirror_anon_pte(vma, address, new_page, ptl);
72479 +#endif
72480 +
72481 /* Free the old page.. */
72482 new_page = old_page;
72483 ret |= VM_FAULT_WRITE;
72484 @@ -2905,6 +3108,11 @@ static int do_swap_page(struct mm_struct
72485 swap_free(entry);
72486 if (vm_swap_full() || (vma->vm_flags & VM_LOCKED) || PageMlocked(page))
72487 try_to_free_swap(page);
72488 +
72489 +#ifdef CONFIG_PAX_SEGMEXEC
72490 + if ((flags & FAULT_FLAG_WRITE) || !pax_find_mirror_vma(vma))
72491 +#endif
72492 +
72493 unlock_page(page);
72494 if (swapcache) {
72495 /*
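Review bot: The `#ifdef`-guarded `if` makes `unlock_page(page)` conditional, so on a read fault in a mirrored vma the page stays locked until `pax_mirror_anon_pte()`, called in the next hunk, unlocks it, and nothing at this site says so. A comment above the `#ifdef`, such as `/* PaX: keep the page locked for pax_mirror_anon_pte(), which unlocks it */`, would document the handoff. It should also warn that any path added between here and that call which jumps to `unlock:` or `out:` would leave the page locked. The body of do_swap_page starts and ends outside this hunk.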
72496 @@ -2928,6 +3136,11 @@ static int do_swap_page(struct mm_struct
72497
72498 /* No need to invalidate - it was non-present before */
72499 update_mmu_cache(vma, address, page_table);
72500 +
72501 +#ifdef CONFIG_PAX_SEGMEXEC
72502 + pax_mirror_anon_pte(vma, address, page, ptl);
72503 +#endif
72504 +
72505 unlock:
72506 pte_unmap_unlock(page_table, ptl);
72507 out:
72508 @@ -2947,40 +3160,6 @@ out_release:
72509 }
72510
72511 /*
72512 - * This is like a special single-page "expand_{down|up}wards()",
72513 - * except we must first make sure that 'address{-|+}PAGE_SIZE'
72514 - * doesn't hit another vma.
72515 - */
72516 -static inline int check_stack_guard_page(struct vm_area_struct *vma, unsigned long address)
72517 -{
72518 - address &= PAGE_MASK;
72519 - if ((vma->vm_flags & VM_GROWSDOWN) && address == vma->vm_start) {
72520 - struct vm_area_struct *prev = vma->vm_prev;
72521 -
72522 - /*
72523 - * Is there a mapping abutting this one below?
72524 - *
72525 - * That's only ok if it's the same stack mapping
72526 - * that has gotten split..
72527 - */
72528 - if (prev && prev->vm_end == address)
72529 - return prev->vm_flags & VM_GROWSDOWN ? 0 : -ENOMEM;
72530 -
72531 - expand_stack(vma, address - PAGE_SIZE);
72532 - }
72533 - if ((vma->vm_flags & VM_GROWSUP) && address + PAGE_SIZE == vma->vm_end) {
72534 - struct vm_area_struct *next = vma->vm_next;
72535 -
72536 - /* As VM_GROWSDOWN but s/below/above/ */
72537 - if (next && next->vm_start == address + PAGE_SIZE)
72538 - return next->vm_flags & VM_GROWSUP ? 0 : -ENOMEM;
72539 -
72540 - expand_upwards(vma, address + PAGE_SIZE);
72541 - }
72542 - return 0;
72543 -}
72544 -
72545 -/*
72546 * We enter with non-exclusive mmap_sem (to exclude vma changes,
72547 * but allow concurrent faults), and pte mapped but not yet locked.
72548 * We return with mmap_sem still held, but pte unmapped and unlocked.
72549 @@ -2989,27 +3168,23 @@ static int do_anonymous_page(struct mm_s
72550 unsigned long address, pte_t *page_table, pmd_t *pmd,
72551 unsigned int flags)
72552 {
72553 - struct page *page;
72554 + struct page *page = NULL;
72555 spinlock_t *ptl;
72556 pte_t entry;
72557
72558 - pte_unmap(page_table);
72559 -
72560 - /* Check if we need to add a guard page to the stack */
72561 - if (check_stack_guard_page(vma, address) < 0)
72562 - return VM_FAULT_SIGBUS;
72563 -
72564 - /* Use the zero-page for reads */
72565 if (!(flags & FAULT_FLAG_WRITE)) {
72566 entry = pte_mkspecial(pfn_pte(my_zero_pfn(address),
72567 vma->vm_page_prot));
72568 - page_table = pte_offset_map_lock(mm, pmd, address, &ptl);
72569 + ptl = pte_lockptr(mm, pmd);
72570 + spin_lock(ptl);
72571 if (!pte_none(*page_table))
72572 goto unlock;
72573 goto setpte;
72574 }
72575
72576 /* Allocate our own private page. */
72577 + pte_unmap(page_table);
72578 +
72579 if (unlikely(anon_vma_prepare(vma)))
72580 goto oom;
72581 page = alloc_zeroed_user_highpage_movable(vma, address);
72582 @@ -3028,6 +3203,11 @@ static int do_anonymous_page(struct mm_s
72583 if (!pte_none(*page_table))
72584 goto release;
72585
72586 +#ifdef CONFIG_PAX_SEGMEXEC
72587 + if (pax_find_mirror_vma(vma))
72588 + BUG_ON(!trylock_page(page));
72589 +#endif
72590 +
72591 inc_mm_counter_fast(mm, MM_ANONPAGES);
72592 page_add_new_anon_rmap(page, vma, address);
72593 setpte:
72594 @@ -3035,6 +3215,12 @@ setpte:
72595
72596 /* No need to invalidate - it was non-present before */
72597 update_mmu_cache(vma, address, page_table);
72598 +
72599 +#ifdef CONFIG_PAX_SEGMEXEC
72600 + if (page)
72601 + pax_mirror_anon_pte(vma, address, page, ptl);
72602 +#endif
72603 +
72604 unlock:
72605 pte_unmap_unlock(page_table, ptl);
72606 return 0;
72607 @@ -3172,6 +3358,12 @@ static int __do_fault(struct mm_struct *
72608 */
72609 /* Only go through if we didn't race with anybody else... */
72610 if (likely(pte_same(*page_table, orig_pte))) {
72611 +
72612 +#ifdef CONFIG_PAX_SEGMEXEC
72613 + if (anon && pax_find_mirror_vma(vma))
72614 + BUG_ON(!trylock_page(page));
72615 +#endif
72616 +
72617 flush_icache_page(vma, page);
72618 entry = mk_pte(page, vma->vm_page_prot);
72619 if (flags & FAULT_FLAG_WRITE)
72620 @@ -3191,6 +3383,14 @@ static int __do_fault(struct mm_struct *
72621
72622 /* no need to invalidate: a not-present page won't be cached */
72623 update_mmu_cache(vma, address, page_table);
72624 +
72625 +#ifdef CONFIG_PAX_SEGMEXEC
72626 + if (anon)
72627 + pax_mirror_anon_pte(vma, address, page, ptl);
72628 + else
72629 + pax_mirror_file_pte(vma, address, page, ptl);
72630 +#endif
72631 +
72632 } else {
72633 if (charged)
72634 mem_cgroup_uncharge_page(page);
72635 @@ -3338,6 +3538,12 @@ int handle_pte_fault(struct mm_struct *m
72636 if (flags & FAULT_FLAG_WRITE)
72637 flush_tlb_fix_spurious_fault(vma, address);
72638 }
72639 +
72640 +#ifdef CONFIG_PAX_SEGMEXEC
72641 + pax_mirror_pte(vma, address, pte, pmd, ptl);
72642 + return 0;
72643 +#endif
72644 +
72645 unlock:
72646 pte_unmap_unlock(pte, ptl);
72647 return 0;
72648 @@ -3354,6 +3560,10 @@ int handle_mm_fault(struct mm_struct *mm
72649 pmd_t *pmd;
72650 pte_t *pte;
72651
72652 +#ifdef CONFIG_PAX_SEGMEXEC
72653 + struct vm_area_struct *vma_m;
72654 +#endif
72655 +
72656 __set_current_state(TASK_RUNNING);
72657
72658 count_vm_event(PGFAULT);
72659 @@ -3364,6 +3574,34 @@ int handle_mm_fault(struct mm_struct *mm
72660 if (unlikely(is_vm_hugetlb_page(vma)))
72661 return hugetlb_fault(mm, vma, address, flags);
72662
72663 +#ifdef CONFIG_PAX_SEGMEXEC
72664 + vma_m = pax_find_mirror_vma(vma);
72665 + if (vma_m) {
72666 + unsigned long address_m;
72667 + pgd_t *pgd_m;
72668 + pud_t *pud_m;
72669 + pmd_t *pmd_m;
72670 +
72671 + if (vma->vm_start > vma_m->vm_start) {
72672 + address_m = address;
72673 + address -= SEGMEXEC_TASK_SIZE;
72674 + vma = vma_m;
72675 + } else
72676 + address_m = address + SEGMEXEC_TASK_SIZE;
72677 +
72678 + pgd_m = pgd_offset(mm, address_m);
72679 + pud_m = pud_alloc(mm, pgd_m, address_m);
72680 + if (!pud_m)
72681 + return VM_FAULT_OOM;
72682 + pmd_m = pmd_alloc(mm, pud_m, address_m);
72683 + if (!pmd_m)
72684 + return VM_FAULT_OOM;
72685 + if (!pmd_present(*pmd_m) && __pte_alloc(mm, vma_m, pmd_m, address_m))
72686 + return VM_FAULT_OOM;
72687 + pax_unmap_mirror_pte(vma_m, address_m, pmd_m);
72688 + }
72689 +#endif
72690 +
72691 pgd = pgd_offset(mm, address);
72692 pud = pud_alloc(mm, pgd, address);
72693 if (!pud)
72694 @@ -3393,7 +3631,7 @@ int handle_mm_fault(struct mm_struct *mm
72695 * run pte_offset_map on the pmd, if an huge pmd could
72696 * materialize from under us from a different thread.
72697 */
72698 - if (unlikely(pmd_none(*pmd)) && __pte_alloc(mm, vma, pmd, address))
72699 + if (unlikely(pmd_none(*pmd) && __pte_alloc(mm, vma, pmd, address)))
72700 return VM_FAULT_OOM;
72701 /* if an huge pmd materialized from under us just retry later */
72702 if (unlikely(pmd_trans_huge(*pmd)))
72703 @@ -3497,7 +3735,7 @@ static int __init gate_vma_init(void)
72704 gate_vma.vm_start = FIXADDR_USER_START;
72705 gate_vma.vm_end = FIXADDR_USER_END;
72706 gate_vma.vm_flags = VM_READ | VM_MAYREAD | VM_EXEC | VM_MAYEXEC;
72707 - gate_vma.vm_page_prot = __P101;
72708 + gate_vma.vm_page_prot = vm_get_page_prot(gate_vma.vm_flags);
72709 /*
72710 * Make sure the vDSO gets into every core dump.
72711 * Dumping its contents makes post-mortem fully interpretable later
72712 diff -urNp linux-2.6.39.3/mm/memory-failure.c linux-2.6.39.3/mm/memory-failure.c
72713 --- linux-2.6.39.3/mm/memory-failure.c 2011-07-09 09:18:51.000000000 -0400
72714 +++ linux-2.6.39.3/mm/memory-failure.c 2011-07-09 09:19:26.000000000 -0400
72715 @@ -59,7 +59,7 @@ int sysctl_memory_failure_early_kill __r
72716
72717 int sysctl_memory_failure_recovery __read_mostly = 1;
72718
72719 -atomic_long_t mce_bad_pages __read_mostly = ATOMIC_LONG_INIT(0);
72720 +atomic_long_unchecked_t mce_bad_pages __read_mostly = ATOMIC_LONG_INIT(0);
72721
72722 #if defined(CONFIG_HWPOISON_INJECT) || defined(CONFIG_HWPOISON_INJECT_MODULE)
72723
72724 @@ -1013,7 +1013,7 @@ int __memory_failure(unsigned long pfn,
72725 }
72726
72727 nr_pages = 1 << compound_trans_order(hpage);
72728 - atomic_long_add(nr_pages, &mce_bad_pages);
72729 + atomic_long_add_unchecked(nr_pages, &mce_bad_pages);
72730
72731 /*
72732 * We need/can do nothing about count=0 pages.
72733 @@ -1043,7 +1043,7 @@ int __memory_failure(unsigned long pfn,
72734 if (!PageHWPoison(hpage)
72735 || (hwpoison_filter(p) && TestClearPageHWPoison(p))
72736 || (p != hpage && TestSetPageHWPoison(hpage))) {
72737 - atomic_long_sub(nr_pages, &mce_bad_pages);
72738 + atomic_long_sub_unchecked(nr_pages, &mce_bad_pages);
72739 return 0;
72740 }
72741 set_page_hwpoison_huge_page(hpage);
72742 @@ -1101,7 +1101,7 @@ int __memory_failure(unsigned long pfn,
72743 }
72744 if (hwpoison_filter(p)) {
72745 if (TestClearPageHWPoison(p))
72746 - atomic_long_sub(nr_pages, &mce_bad_pages);
72747 + atomic_long_sub_unchecked(nr_pages, &mce_bad_pages);
72748 unlock_page(hpage);
72749 put_page(hpage);
72750 return 0;
72751 @@ -1227,7 +1227,7 @@ int unpoison_memory(unsigned long pfn)
72752 return 0;
72753 }
72754 if (TestClearPageHWPoison(p))
72755 - atomic_long_sub(nr_pages, &mce_bad_pages);
72756 + atomic_long_sub_unchecked(nr_pages, &mce_bad_pages);
72757 pr_info("MCE: Software-unpoisoned free page %#lx\n", pfn);
72758 return 0;
72759 }
72760 @@ -1241,7 +1241,7 @@ int unpoison_memory(unsigned long pfn)
72761 */
72762 if (TestClearPageHWPoison(page)) {
72763 pr_info("MCE: Software-unpoisoned page %#lx\n", pfn);
72764 - atomic_long_sub(nr_pages, &mce_bad_pages);
72765 + atomic_long_sub_unchecked(nr_pages, &mce_bad_pages);
72766 freeit = 1;
72767 if (PageHuge(page))
72768 clear_page_hwpoison_huge_page(page);
72769 @@ -1354,7 +1354,7 @@ static int soft_offline_huge_page(struct
72770 }
72771 done:
72772 if (!PageHWPoison(hpage))
72773 - atomic_long_add(1 << compound_trans_order(hpage), &mce_bad_pages);
72774 + atomic_long_add_unchecked(1 << compound_trans_order(hpage), &mce_bad_pages);
72775 set_page_hwpoison_huge_page(hpage);
72776 dequeue_hwpoisoned_huge_page(hpage);
72777 /* keep elevated page count for bad page */
72778 @@ -1484,7 +1484,7 @@ int soft_offline_page(struct page *page,
72779 return ret;
72780
72781 done:
72782 - atomic_long_add(1, &mce_bad_pages);
72783 + atomic_long_add_unchecked(1, &mce_bad_pages);
72784 SetPageHWPoison(page);
72785 /* keep elevated page count for bad page */
72786 return ret;
72787 diff -urNp linux-2.6.39.3/mm/mempolicy.c linux-2.6.39.3/mm/mempolicy.c
72788 --- linux-2.6.39.3/mm/mempolicy.c 2011-05-19 00:06:34.000000000 -0400
72789 +++ linux-2.6.39.3/mm/mempolicy.c 2011-05-22 19:41:42.000000000 -0400
72790 @@ -643,6 +643,10 @@ static int mbind_range(struct mm_struct
72791 unsigned long vmstart;
72792 unsigned long vmend;
72793
72794 +#ifdef CONFIG_PAX_SEGMEXEC
72795 + struct vm_area_struct *vma_m;
72796 +#endif
72797 +
72798 vma = find_vma_prev(mm, start, &prev);
72799 if (!vma || vma->vm_start > start)
72800 return -EFAULT;
72801 @@ -673,6 +677,16 @@ static int mbind_range(struct mm_struct
72802 err = policy_vma(vma, new_pol);
72803 if (err)
72804 goto out;
72805 +
72806 +#ifdef CONFIG_PAX_SEGMEXEC
72807 + vma_m = pax_find_mirror_vma(vma);
72808 + if (vma_m) {
72809 + err = policy_vma(vma_m, new_pol);
72810 + if (err)
72811 + goto out;
72812 + }
72813 +#endif
72814 +
72815 }
72816
72817 out:
72818 @@ -1106,6 +1120,17 @@ static long do_mbind(unsigned long start
72819
72820 if (end < start)
72821 return -EINVAL;
72822 +
72823 +#ifdef CONFIG_PAX_SEGMEXEC
72824 + if (mm->pax_flags & MF_PAX_SEGMEXEC) {
72825 + if (end > SEGMEXEC_TASK_SIZE)
72826 + return -EINVAL;
72827 + } else
72828 +#endif
72829 +
72830 + if (end > TASK_SIZE)
72831 + return -EINVAL;
72832 +
72833 if (end == start)
72834 return 0;
72835
72836 @@ -1324,6 +1349,14 @@ SYSCALL_DEFINE4(migrate_pages, pid_t, pi
72837 if (!mm)
72838 goto out;
72839
72840 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
72841 + if (mm != current->mm &&
72842 + (mm->pax_flags & MF_PAX_RANDMMAP || mm->pax_flags & MF_PAX_SEGMEXEC)) {
72843 + err = -EPERM;
72844 + goto out;
72845 + }
72846 +#endif
72847 +
72848 /*
72849 * Check if this process has the right to modify the specified
72850 * process. The right exists if the process has administrative
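Review bot: The flag test `mm->pax_flags & MF_PAX_RANDMMAP || mm->pax_flags & MF_PAX_SEGMEXEC` relies on `&` binding tighter than `||`; a single mask is shorter and harder to misread: `(mm->pax_flags & (MF_PAX_RANDMMAP | MF_PAX_SEGMEXEC))`. The block returns -EPERM before the credential check that follows, so it also applies to callers holding CAP_SYS_NICE; a comment stating that this is intended would help. The move_pages hunk in mm/migrate.c carries the same test. The syscall body starts and ends outside this hunk.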
72851 @@ -1333,8 +1366,7 @@ SYSCALL_DEFINE4(migrate_pages, pid_t, pi
72852 rcu_read_lock();
72853 tcred = __task_cred(task);
72854 if (cred->euid != tcred->suid && cred->euid != tcred->uid &&
72855 - cred->uid != tcred->suid && cred->uid != tcred->uid &&
72856 - !capable(CAP_SYS_NICE)) {
72857 + cred->uid != tcred->suid && !capable(CAP_SYS_NICE)) {
72858 rcu_read_unlock();
72859 err = -EPERM;
72860 goto out;
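Review bot: Dropping `cred->uid != tcred->uid` means a caller whose real uid equals the target's real uid is no longer admitted on that basis alone, and the hunk adds no comment recording the narrower rule. The explanatory comment above the check begins in the preceding hunk's context and continues outside the visible lines, so whether it still matches cannot be confirmed here. It should be re-read against the three remaining comparisons. The identical change is made in the move_pages hunk of mm/migrate.c.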
72861 @@ -2634,7 +2666,7 @@ int show_numa_map(struct seq_file *m, vo
72862
72863 if (file) {
72864 seq_printf(m, " file=");
72865 - seq_path(m, &file->f_path, "\n\t= ");
72866 + seq_path(m, &file->f_path, "\n\t\\= ");
72867 } else if (vma->vm_start <= mm->brk && vma->vm_end >= mm->start_brk) {
72868 seq_printf(m, " heap");
72869 } else if (vma->vm_start <= mm->start_stack &&
72870 diff -urNp linux-2.6.39.3/mm/migrate.c linux-2.6.39.3/mm/migrate.c
72871 --- linux-2.6.39.3/mm/migrate.c 2011-07-09 09:18:51.000000000 -0400
72872 +++ linux-2.6.39.3/mm/migrate.c 2011-07-09 09:19:26.000000000 -0400
72873 @@ -1133,6 +1133,8 @@ static int do_pages_move(struct mm_struc
72874 unsigned long chunk_start;
72875 int err;
72876
72877 + pax_track_stack();
72878 +
72879 task_nodes = cpuset_mems_allowed(task);
72880
72881 err = -ENOMEM;
72882 @@ -1317,6 +1319,14 @@ SYSCALL_DEFINE6(move_pages, pid_t, pid,
72883 if (!mm)
72884 return -EINVAL;
72885
72886 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
72887 + if (mm != current->mm &&
72888 + (mm->pax_flags & MF_PAX_RANDMMAP || mm->pax_flags & MF_PAX_SEGMEXEC)) {
72889 + err = -EPERM;
72890 + goto out;
72891 + }
72892 +#endif
72893 +
72894 /*
72895 * Check if this process has the right to modify the specified
72896 * process. The right exists if the process has administrative
72897 @@ -1326,8 +1336,7 @@ SYSCALL_DEFINE6(move_pages, pid_t, pid,
72898 rcu_read_lock();
72899 tcred = __task_cred(task);
72900 if (cred->euid != tcred->suid && cred->euid != tcred->uid &&
72901 - cred->uid != tcred->suid && cred->uid != tcred->uid &&
72902 - !capable(CAP_SYS_NICE)) {
72903 + cred->uid != tcred->suid && !capable(CAP_SYS_NICE)) {
72904 rcu_read_unlock();
72905 err = -EPERM;
72906 goto out;
72907 diff -urNp linux-2.6.39.3/mm/mlock.c linux-2.6.39.3/mm/mlock.c
72908 --- linux-2.6.39.3/mm/mlock.c 2011-05-19 00:06:34.000000000 -0400
72909 +++ linux-2.6.39.3/mm/mlock.c 2011-05-22 19:41:42.000000000 -0400
72910 @@ -13,6 +13,7 @@
72911 #include <linux/pagemap.h>
72912 #include <linux/mempolicy.h>
72913 #include <linux/syscalls.h>
72914 +#include <linux/security.h>
72915 #include <linux/sched.h>
72916 #include <linux/module.h>
72917 #include <linux/rmap.h>
72918 @@ -377,6 +378,9 @@ static int do_mlock(unsigned long start,
72919 return -EINVAL;
72920 if (end == start)
72921 return 0;
72922 + if (end > TASK_SIZE)
72923 + return -EINVAL;
72924 +
72925 vma = find_vma_prev(current->mm, start, &prev);
72926 if (!vma || vma->vm_start > start)
72927 return -ENOMEM;
72928 @@ -387,6 +391,11 @@ static int do_mlock(unsigned long start,
72929 for (nstart = start ; ; ) {
72930 unsigned int newflags;
72931
72932 +#ifdef CONFIG_PAX_SEGMEXEC
72933 + if ((current->mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE))
72934 + break;
72935 +#endif
72936 +
72937 /* Here we know that vma->vm_start <= nstart < vma->vm_end. */
72938
72939 newflags = vma->vm_flags | VM_LOCKED;
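Review bot: The added `break` can apparently fire on the first pass through the loop (if TASK_SIZE exceeds SEGMEXEC_TASK_SIZE for such tasks), before anything in the visible lines sets the value returned after the loop. That variable's declaration is outside the hunk: if it is not initialised the return value is indeterminate, and otherwise the call reports success for a range it did not process. The madvise and do_mbind hunks reject `end > SEGMEXEC_TASK_SIZE` up front for MF_PAX_SEGMEXEC tasks, while the first do_mlock hunk checks only `end > TASK_SIZE`. Rejecting early here too would make the three agree: inside `#ifdef CONFIG_PAX_SEGMEXEC`, `if ((current->mm->pax_flags & MF_PAX_SEGMEXEC) && end > SEGMEXEC_TASK_SIZE) return -EINVAL;`. The loop body continues outside this hunk.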
72940 @@ -492,6 +501,7 @@ SYSCALL_DEFINE2(mlock, unsigned long, st
72941 lock_limit >>= PAGE_SHIFT;
72942
72943 /* check against resource limits */
72944 + gr_learn_resource(current, RLIMIT_MEMLOCK, (current->mm->locked_vm << PAGE_SHIFT) + len, 1);
72945 if ((locked <= lock_limit) || capable(CAP_IPC_LOCK))
72946 error = do_mlock(start, len, 1);
72947 up_write(&current->mm->mmap_sem);
72948 @@ -515,17 +525,23 @@ SYSCALL_DEFINE2(munlock, unsigned long,
72949 static int do_mlockall(int flags)
72950 {
72951 struct vm_area_struct * vma, * prev = NULL;
72952 - unsigned int def_flags = 0;
72953
72954 if (flags & MCL_FUTURE)
72955 - def_flags = VM_LOCKED;
72956 - current->mm->def_flags = def_flags;
72957 + current->mm->def_flags |= VM_LOCKED;
72958 + else
72959 + current->mm->def_flags &= ~VM_LOCKED;
72960 if (flags == MCL_FUTURE)
72961 goto out;
72962
72963 for (vma = current->mm->mmap; vma ; vma = prev->vm_next) {
72964 - unsigned int newflags;
72965 + unsigned long newflags;
72966 +
72967 +#ifdef CONFIG_PAX_SEGMEXEC
72968 + if ((current->mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE))
72969 + break;
72970 +#endif
72971
72972 + BUG_ON(vma->vm_end > TASK_SIZE);
72973 newflags = vma->vm_flags | VM_LOCKED;
72974 if (!(flags & MCL_CURRENT))
72975 newflags &= ~VM_LOCKED;
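Review bot: The switch from overwriting `current->mm->def_flags` to toggling only `VM_LOCKED` is not explained where it happens, so a reader comparing it with the removed assignment cannot tell that it is deliberate. A one-line comment above the `if (flags & MCL_FUTURE)` test would do, for example `/* touch only VM_LOCKED: other def_flags bits must survive mlockall()/munlockall() */`. Which other bits live in def_flags is not visible in this hunk, so the wording should be confirmed against the rest of the patch. do_mlockall continues past the end of the hunk.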
72976 @@ -557,6 +573,7 @@ SYSCALL_DEFINE1(mlockall, int, flags)
72977 lock_limit >>= PAGE_SHIFT;
72978
72979 ret = -ENOMEM;
72980 + gr_learn_resource(current, RLIMIT_MEMLOCK, current->mm->total_vm << PAGE_SHIFT, 1);
72981 if (!(flags & MCL_CURRENT) || (current->mm->total_vm <= lock_limit) ||
72982 capable(CAP_IPC_LOCK))
72983 ret = do_mlockall(flags);
72984 diff -urNp linux-2.6.39.3/mm/mmap.c linux-2.6.39.3/mm/mmap.c
72985 --- linux-2.6.39.3/mm/mmap.c 2011-05-19 00:06:34.000000000 -0400
72986 +++ linux-2.6.39.3/mm/mmap.c 2011-05-22 19:41:42.000000000 -0400
72987 @@ -46,6 +46,16 @@
72988 #define arch_rebalance_pgtables(addr, len) (addr)
72989 #endif
72990
72991 +static inline void verify_mm_writelocked(struct mm_struct *mm)
72992 +{
72993 +#if defined(CONFIG_DEBUG_VM) || defined(CONFIG_PAX)
72994 + if (unlikely(down_read_trylock(&mm->mmap_sem))) {
72995 + up_read(&mm->mmap_sem);
72996 + BUG();
72997 + }
72998 +#endif
72999 +}
73000 +
73001 static void unmap_region(struct mm_struct *mm,
73002 struct vm_area_struct *vma, struct vm_area_struct *prev,
73003 unsigned long start, unsigned long end);
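Review bot: verify_mm_writelocked() has no comment, and its name promises more than the body checks: a failed `down_read_trylock()` shows only that the semaphore cannot be read-acquired right now, not that the current task is the writer. I would document that limit directly above the function, e.g. `/* Debug aid: BUG()s if mmap_sem is evidently not write-held; cannot prove that current is the holder. */`. It would also help to say that the check is compiled in whenever CONFIG_PAX is set, not only under CONFIG_DEBUG_VM.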
73004 @@ -71,22 +81,32 @@ static void unmap_region(struct mm_struc
73005 * x: (no) no x: (no) yes x: (no) yes x: (yes) yes
73006 *
73007 */
73008 -pgprot_t protection_map[16] = {
73009 +pgprot_t protection_map[16] __read_only = {
73010 __P000, __P001, __P010, __P011, __P100, __P101, __P110, __P111,
73011 __S000, __S001, __S010, __S011, __S100, __S101, __S110, __S111
73012 };
73013
73014 pgprot_t vm_get_page_prot(unsigned long vm_flags)
73015 {
73016 - return __pgprot(pgprot_val(protection_map[vm_flags &
73017 + pgprot_t prot = __pgprot(pgprot_val(protection_map[vm_flags &
73018 (VM_READ|VM_WRITE|VM_EXEC|VM_SHARED)]) |
73019 pgprot_val(arch_vm_get_page_prot(vm_flags)));
73020 +
73021 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
73022 + if (!(__supported_pte_mask & _PAGE_NX) &&
73023 + (vm_flags & (VM_PAGEEXEC | VM_EXEC)) == VM_PAGEEXEC &&
73024 + (vm_flags & (VM_READ | VM_WRITE)))
73025 + prot = __pgprot(pte_val(pte_exprotect(__pte(pgprot_val(prot)))));
73026 +#endif
73027 +
73028 + return prot;
73029 }
73030 EXPORT_SYMBOL(vm_get_page_prot);
73031
73032 int sysctl_overcommit_memory = OVERCOMMIT_GUESS; /* heuristic overcommit */
73033 int sysctl_overcommit_ratio = 50; /* default is 50% */
73034 int sysctl_max_map_count __read_mostly = DEFAULT_MAX_MAP_COUNT;
73035 +unsigned long sysctl_heap_stack_gap __read_mostly = 64*1024;
73036 struct percpu_counter vm_committed_as;
73037
73038 /*
73039 @@ -232,6 +252,7 @@ static struct vm_area_struct *remove_vma
73040 struct vm_area_struct *next = vma->vm_next;
73041
73042 might_sleep();
73043 + BUG_ON(vma->vm_mirror);
73044 if (vma->vm_ops && vma->vm_ops->close)
73045 vma->vm_ops->close(vma);
73046 if (vma->vm_file) {
73047 @@ -276,6 +297,7 @@ SYSCALL_DEFINE1(brk, unsigned long, brk)
73048 * not page aligned -Ram Gupta
73049 */
73050 rlim = rlimit(RLIMIT_DATA);
73051 + gr_learn_resource(current, RLIMIT_DATA, (brk - mm->start_brk) + (mm->end_data - mm->start_data), 1);
73052 if (rlim < RLIM_INFINITY && (brk - mm->start_brk) +
73053 (mm->end_data - mm->start_data) > rlim)
73054 goto out;
73055 @@ -719,6 +741,12 @@ static int
73056 can_vma_merge_before(struct vm_area_struct *vma, unsigned long vm_flags,
73057 struct anon_vma *anon_vma, struct file *file, pgoff_t vm_pgoff)
73058 {
73059 +
73060 +#ifdef CONFIG_PAX_SEGMEXEC
73061 + if ((vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_start == SEGMEXEC_TASK_SIZE)
73062 + return 0;
73063 +#endif
73064 +
73065 if (is_mergeable_vma(vma, file, vm_flags) &&
73066 is_mergeable_anon_vma(anon_vma, vma->anon_vma)) {
73067 if (vma->vm_pgoff == vm_pgoff)
73068 @@ -738,6 +766,12 @@ static int
73069 can_vma_merge_after(struct vm_area_struct *vma, unsigned long vm_flags,
73070 struct anon_vma *anon_vma, struct file *file, pgoff_t vm_pgoff)
73071 {
73072 +
73073 +#ifdef CONFIG_PAX_SEGMEXEC
73074 + if ((vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_end == SEGMEXEC_TASK_SIZE)
73075 + return 0;
73076 +#endif
73077 +
73078 if (is_mergeable_vma(vma, file, vm_flags) &&
73079 is_mergeable_anon_vma(anon_vma, vma->anon_vma)) {
73080 pgoff_t vm_pglen;
73081 @@ -780,13 +814,20 @@ can_vma_merge_after(struct vm_area_struc
73082 struct vm_area_struct *vma_merge(struct mm_struct *mm,
73083 struct vm_area_struct *prev, unsigned long addr,
73084 unsigned long end, unsigned long vm_flags,
73085 - struct anon_vma *anon_vma, struct file *file,
73086 + struct anon_vma *anon_vma, struct file *file,
73087 pgoff_t pgoff, struct mempolicy *policy)
73088 {
73089 pgoff_t pglen = (end - addr) >> PAGE_SHIFT;
73090 struct vm_area_struct *area, *next;
73091 int err;
73092
73093 +#ifdef CONFIG_PAX_SEGMEXEC
73094 + unsigned long addr_m = addr + SEGMEXEC_TASK_SIZE, end_m = end + SEGMEXEC_TASK_SIZE;
73095 + struct vm_area_struct *area_m = NULL, *next_m = NULL, *prev_m = NULL;
73096 +
73097 + BUG_ON((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE < end);
73098 +#endif
73099 +
73100 /*
73101 * We later require that vma->vm_flags == vm_flags,
73102 * so this tests vma->vm_flags & VM_SPECIAL, too.
73103 @@ -802,6 +843,15 @@ struct vm_area_struct *vma_merge(struct
73104 if (next && next->vm_end == end) /* cases 6, 7, 8 */
73105 next = next->vm_next;
73106
73107 +#ifdef CONFIG_PAX_SEGMEXEC
73108 + if (prev)
73109 + prev_m = pax_find_mirror_vma(prev);
73110 + if (area)
73111 + area_m = pax_find_mirror_vma(area);
73112 + if (next)
73113 + next_m = pax_find_mirror_vma(next);
73114 +#endif
73115 +
73116 /*
73117 * Can it merge with the predecessor?
73118 */
73119 @@ -821,9 +871,24 @@ struct vm_area_struct *vma_merge(struct
73120 /* cases 1, 6 */
73121 err = vma_adjust(prev, prev->vm_start,
73122 next->vm_end, prev->vm_pgoff, NULL);
73123 - } else /* cases 2, 5, 7 */
73124 +
73125 +#ifdef CONFIG_PAX_SEGMEXEC
73126 + if (!err && prev_m)
73127 + err = vma_adjust(prev_m, prev_m->vm_start,
73128 + next_m->vm_end, prev_m->vm_pgoff, NULL);
73129 +#endif
73130 +
73131 + } else { /* cases 2, 5, 7 */
73132 err = vma_adjust(prev, prev->vm_start,
73133 end, prev->vm_pgoff, NULL);
73134 +
73135 +#ifdef CONFIG_PAX_SEGMEXEC
73136 + if (!err && prev_m)
73137 + err = vma_adjust(prev_m, prev_m->vm_start,
73138 + end_m, prev_m->vm_pgoff, NULL);
73139 +#endif
73140 +
73141 + }
73142 if (err)
73143 return NULL;
73144 khugepaged_enter_vma_merge(prev);
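Review bot: In both branches the mirror's `vma_adjust()` runs only after the primary one has succeeded, and a failure there falls into the shared `if (err) return NULL`, which tells the caller no merge happened although `prev` has already been extended. Unless vma_adjust() cannot fail for the mirror once it has succeeded for the primary (not shown here), the pair is left out of step; a comment stating that guarantee, or a `BUG_ON(err)` right after the mirror call, would make the assumption explicit. In the cases 1, 6 branch `next_m` is also dereferenced under a test of `prev_m` alone, and a `BUG_ON(!next_m);` ahead of it would state the invariant. The next hunk (case 4 and cases 3, 8) has the same shape. vma_merge starts and ends outside this hunk.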
73145 @@ -837,12 +902,27 @@ struct vm_area_struct *vma_merge(struct
73146 mpol_equal(policy, vma_policy(next)) &&
73147 can_vma_merge_before(next, vm_flags,
73148 anon_vma, file, pgoff+pglen)) {
73149 - if (prev && addr < prev->vm_end) /* case 4 */
73150 + if (prev && addr < prev->vm_end) { /* case 4 */
73151 err = vma_adjust(prev, prev->vm_start,
73152 addr, prev->vm_pgoff, NULL);
73153 - else /* cases 3, 8 */
73154 +
73155 +#ifdef CONFIG_PAX_SEGMEXEC
73156 + if (!err && prev_m)
73157 + err = vma_adjust(prev_m, prev_m->vm_start,
73158 + addr_m, prev_m->vm_pgoff, NULL);
73159 +#endif
73160 +
73161 + } else { /* cases 3, 8 */
73162 err = vma_adjust(area, addr, next->vm_end,
73163 next->vm_pgoff - pglen, NULL);
73164 +
73165 +#ifdef CONFIG_PAX_SEGMEXEC
73166 + if (!err && area_m)
73167 + err = vma_adjust(area_m, addr_m, next_m->vm_end,
73168 + next_m->vm_pgoff - pglen, NULL);
73169 +#endif
73170 +
73171 + }
73172 if (err)
73173 return NULL;
73174 khugepaged_enter_vma_merge(area);
73175 @@ -958,14 +1038,11 @@ none:
73176 void vm_stat_account(struct mm_struct *mm, unsigned long flags,
73177 struct file *file, long pages)
73178 {
73179 - const unsigned long stack_flags
73180 - = VM_STACK_FLAGS & (VM_GROWSUP|VM_GROWSDOWN);
73181 -
73182 if (file) {
73183 mm->shared_vm += pages;
73184 if ((flags & (VM_EXEC|VM_WRITE)) == VM_EXEC)
73185 mm->exec_vm += pages;
73186 - } else if (flags & stack_flags)
73187 + } else if (flags & (VM_GROWSUP|VM_GROWSDOWN))
73188 mm->stack_vm += pages;
73189 if (flags & (VM_RESERVED|VM_IO))
73190 mm->reserved_vm += pages;
73191 @@ -992,7 +1069,7 @@ unsigned long do_mmap_pgoff(struct file
73192 * (the exception is when the underlying filesystem is noexec
73193 * mounted, in which case we dont add PROT_EXEC.)
73194 */
73195 - if ((prot & PROT_READ) && (current->personality & READ_IMPLIES_EXEC))
73196 + if ((prot & (PROT_READ | PROT_WRITE)) && (current->personality & READ_IMPLIES_EXEC))
73197 if (!(file && (file->f_path.mnt->mnt_flags & MNT_NOEXEC)))
73198 prot |= PROT_EXEC;
73199
73200 @@ -1018,7 +1095,7 @@ unsigned long do_mmap_pgoff(struct file
73201 /* Obtain the address to map to. we verify (or select) it and ensure
73202 * that it represents a valid section of the address space.
73203 */
73204 - addr = get_unmapped_area(file, addr, len, pgoff, flags);
73205 + addr = get_unmapped_area(file, addr, len, pgoff, flags | ((prot & PROT_EXEC) ? MAP_EXECUTABLE : 0));
73206 if (addr & ~PAGE_MASK)
73207 return addr;
73208
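Review bot: OR-ing `MAP_EXECUTABLE` into the flags passed to `get_unmapped_area()` reuses a caller-visible mmap flag as an internal "PROT_EXEC was requested" signal, and nothing at the call site says so. A caller that set MAP_EXECUTABLE itself becomes indistinguishable from one that asked for PROT_EXEC, so the arch hooks that read this bit should be checked for that case. I would add `/* MAP_EXECUTABLE is overloaded here to tell the arch code that the mapping will be executable */` above the call. do_mmap_pgoff begins and ends outside the hunk.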
73209 @@ -1029,6 +1106,36 @@ unsigned long do_mmap_pgoff(struct file
73210 vm_flags = calc_vm_prot_bits(prot) | calc_vm_flag_bits(flags) |
73211 mm->def_flags | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC;
73212
73213 +#ifdef CONFIG_PAX_MPROTECT
73214 + if (mm->pax_flags & MF_PAX_MPROTECT) {
73215 +#ifndef CONFIG_PAX_MPROTECT_COMPAT
73216 + if ((vm_flags & (VM_WRITE | VM_EXEC)) == (VM_WRITE | VM_EXEC)) {
73217 + gr_log_rwxmmap(file);
73218 +
73219 +#ifdef CONFIG_PAX_EMUPLT
73220 + vm_flags &= ~VM_EXEC;
73221 +#else
73222 + return -EPERM;
73223 +#endif
73224 +
73225 + }
73226 +
73227 + if (!(vm_flags & VM_EXEC))
73228 + vm_flags &= ~VM_MAYEXEC;
73229 +#else
73230 + if ((vm_flags & (VM_WRITE | VM_EXEC)) != VM_EXEC)
73231 + vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
73232 +#endif
73233 + else
73234 + vm_flags &= ~VM_MAYWRITE;
73235 + }
73236 +#endif
73237 +
73238 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
73239 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && file)
73240 + vm_flags &= ~VM_PAGEEXEC;
73241 +#endif
73242 +
73243 if (flags & MAP_LOCKED)
73244 if (!can_do_mlock())
73245 return -EPERM;
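Review bot: The trailing `else vm_flags &= ~VM_MAYWRITE;` pairs with a different `if` depending on CONFIG_PAX_MPROTECT_COMPAT, because the matching `if` sits inside the `#ifndef`/`#else` arms and none of the bodies are braced. That makes the write-xor-execute rule, which is the point of the block, hard to audit. I would brace each `if`/`else` body and repeat the `else` in both preprocessor arms, under a comment such as `/* a new mapping keeps VM_MAYWRITE or VM_MAYEXEC, never both */`. It is also worth a line noting that with CONFIG_PAX_EMUPLT a writable-and-executable request is logged and then mapped without VM_EXEC rather than refused.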
73246 @@ -1040,6 +1147,7 @@ unsigned long do_mmap_pgoff(struct file
73247 locked += mm->locked_vm;
73248 lock_limit = rlimit(RLIMIT_MEMLOCK);
73249 lock_limit >>= PAGE_SHIFT;
73250 + gr_learn_resource(current, RLIMIT_MEMLOCK, locked << PAGE_SHIFT, 1);
73251 if (locked > lock_limit && !capable(CAP_IPC_LOCK))
73252 return -EAGAIN;
73253 }
73254 @@ -1110,6 +1218,9 @@ unsigned long do_mmap_pgoff(struct file
73255 if (error)
73256 return error;
73257
73258 + if (!gr_acl_handle_mmap(file, prot))
73259 + return -EACCES;
73260 +
73261 return mmap_region(file, addr, len, flags, vm_flags, pgoff);
73262 }
73263 EXPORT_SYMBOL(do_mmap_pgoff);
73264 @@ -1187,10 +1298,10 @@ SYSCALL_DEFINE1(old_mmap, struct mmap_ar
73265 */
73266 int vma_wants_writenotify(struct vm_area_struct *vma)
73267 {
73268 - unsigned int vm_flags = vma->vm_flags;
73269 + unsigned long vm_flags = vma->vm_flags;
73270
73271 /* If it was private or non-writable, the write bit is already clear */
73272 - if ((vm_flags & (VM_WRITE|VM_SHARED)) != ((VM_WRITE|VM_SHARED)))
73273 + if ((vm_flags & (VM_WRITE|VM_SHARED)) != (VM_WRITE|VM_SHARED))
73274 return 0;
73275
73276 /* The backer wishes to know when pages are first written to? */
73277 @@ -1239,14 +1350,24 @@ unsigned long mmap_region(struct file *f
73278 unsigned long charged = 0;
73279 struct inode *inode = file ? file->f_path.dentry->d_inode : NULL;
73280
73281 +#ifdef CONFIG_PAX_SEGMEXEC
73282 + struct vm_area_struct *vma_m = NULL;
73283 +#endif
73284 +
73285 + /*
73286 + * mm->mmap_sem is required to protect against another thread
73287 + * changing the mappings in case we sleep.
73288 + */
73289 + verify_mm_writelocked(mm);
73290 +
73291 /* Clear old maps */
73292 error = -ENOMEM;
73293 -munmap_back:
73294 vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
73295 if (vma && vma->vm_start < addr + len) {
73296 if (do_munmap(mm, addr, len))
73297 return -ENOMEM;
73298 - goto munmap_back;
73299 + vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
73300 + BUG_ON(vma && vma->vm_start < addr + len);
73301 }
73302
73303 /* Check against address space limit. */
73304 @@ -1295,6 +1416,16 @@ munmap_back:
73305 goto unacct_error;
73306 }
73307
73308 +#ifdef CONFIG_PAX_SEGMEXEC
73309 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vm_flags & VM_EXEC)) {
73310 + vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
73311 + if (!vma_m) {
73312 + error = -ENOMEM;
73313 + goto free_vma;
73314 + }
73315 + }
73316 +#endif
73317 +
73318 vma->vm_mm = mm;
73319 vma->vm_start = addr;
73320 vma->vm_end = addr + len;
73321 @@ -1318,6 +1449,19 @@ munmap_back:
73322 error = file->f_op->mmap(file, vma);
73323 if (error)
73324 goto unmap_and_free_vma;
73325 +
73326 +#ifdef CONFIG_PAX_SEGMEXEC
73327 + if (vma_m && (vm_flags & VM_EXECUTABLE))
73328 + added_exe_file_vma(mm);
73329 +#endif
73330 +
73331 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
73332 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && !(vma->vm_flags & VM_SPECIAL)) {
73333 + vma->vm_flags |= VM_PAGEEXEC;
73334 + vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
73335 + }
73336 +#endif
73337 +
73338 if (vm_flags & VM_EXECUTABLE)
73339 added_exe_file_vma(mm);
73340
73341 @@ -1353,6 +1497,11 @@ munmap_back:
73342 vma_link(mm, vma, prev, rb_link, rb_parent);
73343 file = vma->vm_file;
73344
73345 +#ifdef CONFIG_PAX_SEGMEXEC
73346 + if (vma_m)
73347 + BUG_ON(pax_mirror_vma(vma_m, vma));
73348 +#endif
73349 +
73350 /* Once vma denies write, undo our temporary denial count */
73351 if (correct_wcount)
73352 atomic_inc(&inode->i_writecount);
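Review bot: `BUG_ON(pax_mirror_vma(vma_m, vma));` puts the call that does the real work inside an assertion, so it reads as a pure check and is easy to lose if the line is ever removed as debugging or the macro is redefined. Splitting it keeps the side effect visible: `if (vma_m) { int ret = pax_mirror_vma(vma_m, vma); BUG_ON(ret); }`. What pax_mirror_vma() returns on failure is not visible in this hunk. mmap_region starts and ends outside it.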
73353 @@ -1361,6 +1510,7 @@ out:
73354
73355 mm->total_vm += len >> PAGE_SHIFT;
73356 vm_stat_account(mm, vm_flags, file, len >> PAGE_SHIFT);
73357 + track_exec_limit(mm, addr, addr + len, vm_flags);
73358 if (vm_flags & VM_LOCKED) {
73359 if (!mlock_vma_pages_range(vma, addr, addr + len))
73360 mm->locked_vm += (len >> PAGE_SHIFT);
73361 @@ -1378,6 +1528,12 @@ unmap_and_free_vma:
73362 unmap_region(mm, vma, prev, vma->vm_start, vma->vm_end);
73363 charged = 0;
73364 free_vma:
73365 +
73366 +#ifdef CONFIG_PAX_SEGMEXEC
73367 + if (vma_m)
73368 + kmem_cache_free(vm_area_cachep, vma_m);
73369 +#endif
73370 +
73371 kmem_cache_free(vm_area_cachep, vma);
73372 unacct_error:
73373 if (charged)
73374 @@ -1385,6 +1541,44 @@ unacct_error:
73375 return error;
73376 }
73377
73378 +bool check_heap_stack_gap(const struct vm_area_struct *vma, unsigned long addr, unsigned long len)
73379 +{
73380 + if (!vma) {
73381 +#ifdef CONFIG_STACK_GROWSUP
73382 + if (addr > sysctl_heap_stack_gap)
73383 + vma = find_vma(current->mm, addr - sysctl_heap_stack_gap);
73384 + else
73385 + vma = find_vma(current->mm, 0);
73386 + if (vma && (vma->vm_flags & VM_GROWSUP))
73387 + return false;
73388 +#endif
73389 + return true;
73390 + }
73391 +
73392 + if (addr + len > vma->vm_start)
73393 + return false;
73394 +
73395 + if (vma->vm_flags & VM_GROWSDOWN)
73396 + return sysctl_heap_stack_gap <= vma->vm_start - addr - len;
73397 +#ifdef CONFIG_STACK_GROWSUP
73398 + else if (vma->vm_prev && (vma->vm_prev->vm_flags & VM_GROWSUP))
73399 + return addr - vma->vm_prev->vm_end <= sysctl_heap_stack_gap;
73400 +#endif
73401 +
73402 + return true;
73403 +}
73404 +
73405 +unsigned long skip_heap_stack_gap(const struct vm_area_struct *vma, unsigned long len)
73406 +{
73407 + if (vma->vm_start < len)
73408 + return -ENOMEM;
73409 + if (!(vma->vm_flags & VM_GROWSDOWN))
73410 + return vma->vm_start - len;
73411 + if (sysctl_heap_stack_gap <= vma->vm_start - len)
73412 + return vma->vm_start - len - sysctl_heap_stack_gap;
73413 + return -ENOMEM;
73414 +}
73415 +
73416 /* Get an address range which is currently unmapped.
73417 * For shmat() with addr=0.
73418 *
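Review bot: In check_heap_stack_gap() the CONFIG_STACK_GROWSUP branch returns `addr - vma->vm_prev->vm_end <= sysctl_heap_stack_gap`, i.e. it accepts the range when it lies within the gap above a grows-up stack, which is the opposite sense of the VM_GROWSDOWN branch (`sysctl_heap_stack_gap <= vma->vm_start - addr - len`). If the intent is to keep new mappings at least the gap away from the stack in both directions, the line should read `return sysctl_heap_stack_gap <= addr - vma->vm_prev->vm_end;`. Both new functions are also undocumented; a short header stating that check_heap_stack_gap() returns true when [addr, addr+len) may be used, and that skip_heap_stack_gap() returns a negative errno cast to unsigned long on failure, would help callers.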
73419 @@ -1411,18 +1605,23 @@ arch_get_unmapped_area(struct file *filp
73420 if (flags & MAP_FIXED)
73421 return addr;
73422
73423 +#ifdef CONFIG_PAX_RANDMMAP
73424 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
73425 +#endif
73426 +
73427 if (addr) {
73428 addr = PAGE_ALIGN(addr);
73429 - vma = find_vma(mm, addr);
73430 - if (TASK_SIZE - len >= addr &&
73431 - (!vma || addr + len <= vma->vm_start))
73432 - return addr;
73433 + if (TASK_SIZE - len >= addr) {
73434 + vma = find_vma(mm, addr);
73435 + if (check_heap_stack_gap(vma, addr, len))
73436 + return addr;
73437 + }
73438 }
73439 if (len > mm->cached_hole_size) {
73440 - start_addr = addr = mm->free_area_cache;
73441 + start_addr = addr = mm->free_area_cache;
73442 } else {
73443 - start_addr = addr = TASK_UNMAPPED_BASE;
73444 - mm->cached_hole_size = 0;
73445 + start_addr = addr = mm->mmap_base;
73446 + mm->cached_hole_size = 0;
73447 }
73448
73449 full_search:
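Review bot: The `if (!(mm->pax_flags & MF_PAX_RANDMMAP))` added under `#ifdef CONFIG_PAX_RANDMMAP` has no body of its own and governs the following `if (addr) { ... }` only by adjacency, across a blank line. Any statement later inserted between the two would silently become the guarded statement instead. A comment such as `/* with RANDMMAP the caller's address hint is ignored */` and a brace pair opened and closed under the same `#ifdef` would make the intent explicit. The same construct is added in the arch_get_unmapped_area_topdown hunk below, where a comment line already sits between the two `if`s. The function begins outside this hunk.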
73450 @@ -1433,34 +1632,40 @@ full_search:
73451 * Start a new search - just in case we missed
73452 * some holes.
73453 */
73454 - if (start_addr != TASK_UNMAPPED_BASE) {
73455 - addr = TASK_UNMAPPED_BASE;
73456 - start_addr = addr;
73457 + if (start_addr != mm->mmap_base) {
73458 + start_addr = addr = mm->mmap_base;
73459 mm->cached_hole_size = 0;
73460 goto full_search;
73461 }
73462 return -ENOMEM;
73463 }
73464 - if (!vma || addr + len <= vma->vm_start) {
73465 - /*
73466 - * Remember the place where we stopped the search:
73467 - */
73468 - mm->free_area_cache = addr + len;
73469 - return addr;
73470 - }
73471 + if (check_heap_stack_gap(vma, addr, len))
73472 + break;
73473 if (addr + mm->cached_hole_size < vma->vm_start)
73474 mm->cached_hole_size = vma->vm_start - addr;
73475 addr = vma->vm_end;
73476 }
73477 +
73478 + /*
73479 + * Remember the place where we stopped the search:
73480 + */
73481 + mm->free_area_cache = addr + len;
73482 + return addr;
73483 }
73484 #endif
73485
73486 void arch_unmap_area(struct mm_struct *mm, unsigned long addr)
73487 {
73488 +
73489 +#ifdef CONFIG_PAX_SEGMEXEC
73490 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE <= addr)
73491 + return;
73492 +#endif
73493 +
73494 /*
73495 * Is this a new hole at the lowest possible address?
73496 */
73497 - if (addr >= TASK_UNMAPPED_BASE && addr < mm->free_area_cache) {
73498 + if (addr >= mm->mmap_base && addr < mm->free_area_cache) {
73499 mm->free_area_cache = addr;
73500 mm->cached_hole_size = ~0UL;
73501 }
73502 @@ -1478,7 +1683,7 @@ arch_get_unmapped_area_topdown(struct fi
73503 {
73504 struct vm_area_struct *vma;
73505 struct mm_struct *mm = current->mm;
73506 - unsigned long addr = addr0;
73507 + unsigned long base = mm->mmap_base, addr = addr0;
73508
73509 /* requested length too big for entire address space */
73510 if (len > TASK_SIZE)
73511 @@ -1487,13 +1692,18 @@ arch_get_unmapped_area_topdown(struct fi
73512 if (flags & MAP_FIXED)
73513 return addr;
73514
73515 +#ifdef CONFIG_PAX_RANDMMAP
73516 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
73517 +#endif
73518 +
73519 /* requesting a specific address */
73520 if (addr) {
73521 addr = PAGE_ALIGN(addr);
73522 - vma = find_vma(mm, addr);
73523 - if (TASK_SIZE - len >= addr &&
73524 - (!vma || addr + len <= vma->vm_start))
73525 - return addr;
73526 + if (TASK_SIZE - len >= addr) {
73527 + vma = find_vma(mm, addr);
73528 + if (check_heap_stack_gap(vma, addr, len))
73529 + return addr;
73530 + }
73531 }
73532
73533 /* check if free_area_cache is useful for us */
73534 @@ -1508,7 +1718,7 @@ arch_get_unmapped_area_topdown(struct fi
73535 /* make sure it can fit in the remaining address space */
73536 if (addr > len) {
73537 vma = find_vma(mm, addr-len);
73538 - if (!vma || addr <= vma->vm_start)
73539 + if (check_heap_stack_gap(vma, addr - len, len))
73540 /* remember the address as a hint for next time */
73541 return (mm->free_area_cache = addr-len);
73542 }
73543 @@ -1525,7 +1735,7 @@ arch_get_unmapped_area_topdown(struct fi
73544 * return with success:
73545 */
73546 vma = find_vma(mm, addr);
73547 - if (!vma || addr+len <= vma->vm_start)
73548 + if (check_heap_stack_gap(vma, addr, len))
73549 /* remember the address as a hint for next time */
73550 return (mm->free_area_cache = addr);
73551
73552 @@ -1534,8 +1744,8 @@ arch_get_unmapped_area_topdown(struct fi
73553 mm->cached_hole_size = vma->vm_start - addr;
73554
73555 /* try just below the current vma->vm_start */
73556 - addr = vma->vm_start-len;
73557 - } while (len < vma->vm_start);
73558 + addr = skip_heap_stack_gap(vma, len);
73559 + } while (!IS_ERR_VALUE(addr));
73560
73561 bottomup:
73562 /*
73563 @@ -1544,13 +1754,21 @@ bottomup:
73564 * can happen with large stack limits and large mmap()
73565 * allocations.
73566 */
73567 + mm->mmap_base = TASK_UNMAPPED_BASE;
73568 +
73569 +#ifdef CONFIG_PAX_RANDMMAP
73570 + if (mm->pax_flags & MF_PAX_RANDMMAP)
73571 + mm->mmap_base += mm->delta_mmap;
73572 +#endif
73573 +
73574 + mm->free_area_cache = mm->mmap_base;
73575 mm->cached_hole_size = ~0UL;
73576 - mm->free_area_cache = TASK_UNMAPPED_BASE;
73577 addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
73578 /*
73579 * Restore the topdown base:
73580 */
73581 - mm->free_area_cache = mm->mmap_base;
73582 + mm->mmap_base = base;
73583 + mm->free_area_cache = base;
73584 mm->cached_hole_size = ~0UL;
73585
73586 return addr;
73587 @@ -1559,6 +1777,12 @@ bottomup:
73588
73589 void arch_unmap_area_topdown(struct mm_struct *mm, unsigned long addr)
73590 {
73591 +
73592 +#ifdef CONFIG_PAX_SEGMEXEC
73593 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE <= addr)
73594 + return;
73595 +#endif
73596 +
73597 /*
73598 * Is this a new hole at the highest possible address?
73599 */
73600 @@ -1566,8 +1790,10 @@ void arch_unmap_area_topdown(struct mm_s
73601 mm->free_area_cache = addr;
73602
73603 /* dont allow allocations above current base */
73604 - if (mm->free_area_cache > mm->mmap_base)
73605 + if (mm->free_area_cache > mm->mmap_base) {
73606 mm->free_area_cache = mm->mmap_base;
73607 + mm->cached_hole_size = ~0UL;
73608 + }
73609 }
73610
73611 unsigned long
73612 @@ -1675,6 +1901,28 @@ out:
73613 return prev ? prev->vm_next : vma;
73614 }
73615
73616 +#ifdef CONFIG_PAX_SEGMEXEC
73617 +struct vm_area_struct *pax_find_mirror_vma(struct vm_area_struct *vma)
73618 +{
73619 + struct vm_area_struct *vma_m;
73620 +
73621 + BUG_ON(!vma || vma->vm_start >= vma->vm_end);
73622 + if (!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) || !(vma->vm_flags & VM_EXEC)) {
73623 + BUG_ON(vma->vm_mirror);
73624 + return NULL;
73625 + }
73626 + BUG_ON(vma->vm_start < SEGMEXEC_TASK_SIZE && SEGMEXEC_TASK_SIZE < vma->vm_end);
73627 + vma_m = vma->vm_mirror;
73628 + BUG_ON(!vma_m || vma_m->vm_mirror != vma);
73629 + BUG_ON(vma->vm_file != vma_m->vm_file);
73630 + BUG_ON(vma->vm_end - vma->vm_start != vma_m->vm_end - vma_m->vm_start);
73631 + BUG_ON(vma->vm_pgoff != vma_m->vm_pgoff);
73632 + BUG_ON(vma->anon_vma != vma_m->anon_vma && vma->anon_vma->root != vma_m->anon_vma->root);
73633 + BUG_ON((vma->vm_flags ^ vma_m->vm_flags) & ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT | VM_LOCKED | VM_RESERVED));
73634 + return vma_m;
73635 +}
73636 +#endif
73637 +
73638 /*
73639 * Verify that the stack growth is acceptable and
73640 * update accounting. This is shared with both the
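Review bot: The anon_vma assertion `BUG_ON(vma->anon_vma != vma_m->anon_vma && vma->anon_vma->root != vma_m->anon_vma->root)` dereferences both pointers whenever they differ, so if exactly one side is NULL it faults on the `->root` load instead of reporting the broken invariant. Whether that state can occur is not visible here; if it can, a preceding `BUG_ON(!vma->anon_vma != !vma_m->anon_vma);` gives a cleaner report. pax_find_mirror_vma() also has no header comment: it would help to state that it returns NULL for a vma without a mirror and otherwise validates the pair before returning `vma->vm_mirror`.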
73641 @@ -1691,6 +1939,7 @@ static int acct_stack_growth(struct vm_a
73642 return -ENOMEM;
73643
73644 /* Stack limit test */
73645 + gr_learn_resource(current, RLIMIT_STACK, size, 1);
73646 if (size > ACCESS_ONCE(rlim[RLIMIT_STACK].rlim_cur))
73647 return -ENOMEM;
73648
73649 @@ -1701,6 +1950,7 @@ static int acct_stack_growth(struct vm_a
73650 locked = mm->locked_vm + grow;
73651 limit = ACCESS_ONCE(rlim[RLIMIT_MEMLOCK].rlim_cur);
73652 limit >>= PAGE_SHIFT;
73653 + gr_learn_resource(current, RLIMIT_MEMLOCK, locked << PAGE_SHIFT, 1);
73654 if (locked > limit && !capable(CAP_IPC_LOCK))
73655 return -ENOMEM;
73656 }
73657 @@ -1731,37 +1981,48 @@ static int acct_stack_growth(struct vm_a
73658 * PA-RISC uses this for its stack; IA64 for its Register Backing Store.
73659 * vma is the last one with address > vma->vm_end. Have to extend vma.
73660 */
73661 +#ifndef CONFIG_IA64
73662 +static
73663 +#endif
73664 int expand_upwards(struct vm_area_struct *vma, unsigned long address)
73665 {
73666 int error;
73667 + bool locknext;
73668
73669 if (!(vma->vm_flags & VM_GROWSUP))
73670 return -EFAULT;
73671
73672 + /* Also guard against wrapping around to address 0. */
73673 + if (address < PAGE_ALIGN(address+1))
73674 + address = PAGE_ALIGN(address+1);
73675 + else
73676 + return -ENOMEM;
73677 +
73678 /*
73679 * We must make sure the anon_vma is allocated
73680 * so that the anon_vma locking is not a noop.
73681 */
73682 if (unlikely(anon_vma_prepare(vma)))
73683 return -ENOMEM;
73684 + locknext = vma->vm_next && (vma->vm_next->vm_flags & VM_GROWSDOWN);
73685 + if (locknext && anon_vma_prepare(vma->vm_next))
73686 + return -ENOMEM;
73687 vma_lock_anon_vma(vma);
73688 + if (locknext)
73689 + vma_lock_anon_vma(vma->vm_next);
73690
73691 /*
73692 * vma->vm_start/vm_end cannot change under us because the caller
73693 * is required to hold the mmap_sem in read mode. We need the
73694 - * anon_vma lock to serialize against concurrent expand_stacks.
73695 - * Also guard against wrapping around to address 0.
73696 + * anon_vma locks to serialize against concurrent expand_stacks
73697 + * and expand_upwards.
73698 */
73699 - if (address < PAGE_ALIGN(address+4))
73700 - address = PAGE_ALIGN(address+4);
73701 - else {
73702 - vma_unlock_anon_vma(vma);
73703 - return -ENOMEM;
73704 - }
73705 error = 0;
73706
73707 /* Somebody else might have raced and expanded it already */
73708 - if (address > vma->vm_end) {
73709 + if (vma->vm_next && (vma->vm_next->vm_flags & (VM_READ | VM_WRITE | VM_EXEC)) && vma->vm_next->vm_start - address < sysctl_heap_stack_gap)
73710 + error = -ENOMEM;
73711 + else if (address > vma->vm_end && (!locknext || vma->vm_next->vm_start >= address)) {
73712 unsigned long size, grow;
73713
73714 size = address - vma->vm_start;
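Review bot: The gap test `vma->vm_next->vm_start - address < sysctl_heap_stack_gap` is unsigned, so if `address` is already above `vma->vm_next->vm_start` the difference wraps to a large value and the test passes as if there were ample room. The `else if` then stops the growth only when `locknext` is set, i.e. when the neighbour is VM_GROWSDOWN. Unless callers guarantee that `address` never passes the next vma (not visible from this hunk), I would write the condition as `address > vma->vm_next->vm_start || vma->vm_next->vm_start - address < sysctl_heap_stack_gap`. The matching test in the expand_downwards hunk, `address - prev->vm_end < sysctl_heap_stack_gap`, has the same property. expand_upwards ends outside this hunk.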
73715 @@ -1776,6 +2037,8 @@ int expand_upwards(struct vm_area_struct
73716 }
73717 }
73718 }
73719 + if (locknext)
73720 + vma_unlock_anon_vma(vma->vm_next);
73721 vma_unlock_anon_vma(vma);
73722 khugepaged_enter_vma_merge(vma);
73723 return error;
73724 @@ -1789,6 +2052,8 @@ static int expand_downwards(struct vm_ar
73725 unsigned long address)
73726 {
73727 int error;
73728 + bool lockprev = false;
73729 + struct vm_area_struct *prev;
73730
73731 /*
73732 * We must make sure the anon_vma is allocated
73733 @@ -1802,6 +2067,15 @@ static int expand_downwards(struct vm_ar
73734 if (error)
73735 return error;
73736
73737 + prev = vma->vm_prev;
73738 +#if defined(CONFIG_STACK_GROWSUP) || defined(CONFIG_IA64)
73739 + lockprev = prev && (prev->vm_flags & VM_GROWSUP);
73740 +#endif
73741 + if (lockprev && anon_vma_prepare(prev))
73742 + return -ENOMEM;
73743 + if (lockprev)
73744 + vma_lock_anon_vma(prev);
73745 +
73746 vma_lock_anon_vma(vma);
73747
73748 /*
73749 @@ -1811,9 +2085,17 @@ static int expand_downwards(struct vm_ar
73750 */
73751
73752 /* Somebody else might have raced and expanded it already */
73753 - if (address < vma->vm_start) {
73754 + if (prev && (prev->vm_flags & (VM_READ | VM_WRITE | VM_EXEC)) && address - prev->vm_end < sysctl_heap_stack_gap)
73755 + error = -ENOMEM;
73756 + else if (address < vma->vm_start && (!lockprev || prev->vm_end <= address)) {
73757 unsigned long size, grow;
73758
73759 +#ifdef CONFIG_PAX_SEGMEXEC
73760 + struct vm_area_struct *vma_m;
73761 +
73762 + vma_m = pax_find_mirror_vma(vma);
73763 +#endif
73764 +
73765 size = vma->vm_end - address;
73766 grow = (vma->vm_start - address) >> PAGE_SHIFT;
73767
73768 @@ -1823,11 +2105,22 @@ static int expand_downwards(struct vm_ar
73769 if (!error) {
73770 vma->vm_start = address;
73771 vma->vm_pgoff -= grow;
73772 + track_exec_limit(vma->vm_mm, vma->vm_start, vma->vm_end, vma->vm_flags);
73773 +
73774 +#ifdef CONFIG_PAX_SEGMEXEC
73775 + if (vma_m) {
73776 + vma_m->vm_start -= grow << PAGE_SHIFT;
73777 + vma_m->vm_pgoff -= grow;
73778 + }
73779 +#endif
73780 +
73781 perf_event_mmap(vma);
73782 }
73783 }
73784 }
73785 vma_unlock_anon_vma(vma);
73786 + if (lockprev)
73787 + vma_unlock_anon_vma(prev);
73788 khugepaged_enter_vma_merge(vma);
73789 return error;
73790 }
73791 @@ -1902,6 +2195,13 @@ static void remove_vma_list(struct mm_st
73792 do {
73793 long nrpages = vma_pages(vma);
73794
73795 +#ifdef CONFIG_PAX_SEGMEXEC
73796 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE)) {
73797 + vma = remove_vma(vma);
73798 + continue;
73799 + }
73800 +#endif
73801 +
73802 mm->total_vm -= nrpages;
73803 vm_stat_account(mm, vma->vm_flags, vma->vm_file, -nrpages);
73804 vma = remove_vma(vma);
73805 @@ -1947,6 +2247,16 @@ detach_vmas_to_be_unmapped(struct mm_str
73806 insertion_point = (prev ? &prev->vm_next : &mm->mmap);
73807 vma->vm_prev = NULL;
73808 do {
73809 +
73810 +#ifdef CONFIG_PAX_SEGMEXEC
73811 + if (vma->vm_mirror) {
73812 + BUG_ON(!vma->vm_mirror->vm_mirror || vma->vm_mirror->vm_mirror != vma);
73813 + vma->vm_mirror->vm_mirror = NULL;
73814 + vma->vm_mirror->vm_flags &= ~VM_EXEC;
73815 + vma->vm_mirror = NULL;
73816 + }
73817 +#endif
73818 +
73819 rb_erase(&vma->vm_rb, &mm->mm_rb);
73820 mm->map_count--;
73821 tail_vma = vma;
73822 @@ -1975,14 +2285,33 @@ static int __split_vma(struct mm_struct
73823 struct vm_area_struct *new;
73824 int err = -ENOMEM;
73825
73826 +#ifdef CONFIG_PAX_SEGMEXEC
73827 + struct vm_area_struct *vma_m, *new_m = NULL;
73828 + unsigned long addr_m = addr + SEGMEXEC_TASK_SIZE;
73829 +#endif
73830 +
73831 if (is_vm_hugetlb_page(vma) && (addr &
73832 ~(huge_page_mask(hstate_vma(vma)))))
73833 return -EINVAL;
73834
73835 +#ifdef CONFIG_PAX_SEGMEXEC
73836 + vma_m = pax_find_mirror_vma(vma);
73837 +#endif
73838 +
73839 new = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
73840 if (!new)
73841 goto out_err;
73842
73843 +#ifdef CONFIG_PAX_SEGMEXEC
73844 + if (vma_m) {
73845 + new_m = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
73846 + if (!new_m) {
73847 + kmem_cache_free(vm_area_cachep, new);
73848 + goto out_err;
73849 + }
73850 + }
73851 +#endif
73852 +
73853 /* most fields are the same, copy all, and then fixup */
73854 *new = *vma;
73855
73856 @@ -1995,6 +2324,22 @@ static int __split_vma(struct mm_struct
73857 new->vm_pgoff += ((addr - vma->vm_start) >> PAGE_SHIFT);
73858 }
73859
73860 +#ifdef CONFIG_PAX_SEGMEXEC
73861 + if (vma_m) {
73862 + *new_m = *vma_m;
73863 + INIT_LIST_HEAD(&new_m->anon_vma_chain);
73864 + new_m->vm_mirror = new;
73865 + new->vm_mirror = new_m;
73866 +
73867 + if (new_below)
73868 + new_m->vm_end = addr_m;
73869 + else {
73870 + new_m->vm_start = addr_m;
73871 + new_m->vm_pgoff += ((addr_m - vma_m->vm_start) >> PAGE_SHIFT);
73872 + }
73873 + }
73874 +#endif
73875 +
73876 pol = mpol_dup(vma_policy(vma));
73877 if (IS_ERR(pol)) {
73878 err = PTR_ERR(pol);
73879 @@ -2020,6 +2365,42 @@ static int __split_vma(struct mm_struct
73880 else
73881 err = vma_adjust(vma, vma->vm_start, addr, vma->vm_pgoff, new);
73882
73883 +#ifdef CONFIG_PAX_SEGMEXEC
73884 + if (!err && vma_m) {
73885 + if (anon_vma_clone(new_m, vma_m))
73886 + goto out_free_mpol;
73887 +
73888 + mpol_get(pol);
73889 + vma_set_policy(new_m, pol);
73890 +
73891 + if (new_m->vm_file) {
73892 + get_file(new_m->vm_file);
73893 + if (vma_m->vm_flags & VM_EXECUTABLE)
73894 + added_exe_file_vma(mm);
73895 + }
73896 +
73897 + if (new_m->vm_ops && new_m->vm_ops->open)
73898 + new_m->vm_ops->open(new_m);
73899 +
73900 + if (new_below)
73901 + err = vma_adjust(vma_m, addr_m, vma_m->vm_end, vma_m->vm_pgoff +
73902 + ((addr_m - new_m->vm_start) >> PAGE_SHIFT), new_m);
73903 + else
73904 + err = vma_adjust(vma_m, vma_m->vm_start, addr_m, vma_m->vm_pgoff, new_m);
73905 +
73906 + if (err) {
73907 + if (new_m->vm_ops && new_m->vm_ops->close)
73908 + new_m->vm_ops->close(new_m);
73909 + if (new_m->vm_file) {
73910 + if (vma_m->vm_flags & VM_EXECUTABLE)
73911 + removed_exe_file_vma(mm);
73912 + fput(new_m->vm_file);
73913 + }
73914 + mpol_put(pol);
73915 + }
73916 + }
73917 +#endif
73918 +
73919 /* Success. */
73920 if (!err)
73921 return 0;
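Review bot: In the SEGMEXEC block, `if (anon_vma_clone(new_m, vma_m)) goto out_free_mpol;` is only reached when `err` is 0, so this failure path returns 0 to the caller after the cleanup labels in the next hunk have freed both `new` and `new_m`. By then the first `vma_adjust()` has already succeeded with `new` as its insert argument, so freeing it looks like it leaves a dangling VMA linked in the mm. The same concern applies when the mirror `vma_adjust()` fails and control falls through to the old unwind code. At minimum the jump should set the error first, `err = -ENOMEM;`, and a half-completed split probably needs its own unwind rather than reusing the labels written for a failed first adjust. `__split_vma` starts outside this hunk, so the declaration and initial value of `new_m` are not visible here.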
73922 @@ -2032,10 +2413,18 @@ static int __split_vma(struct mm_struct
73923 removed_exe_file_vma(mm);
73924 fput(new->vm_file);
73925 }
73926 - unlink_anon_vmas(new);
73927 out_free_mpol:
73928 mpol_put(pol);
73929 out_free_vma:
73930 +
73931 +#ifdef CONFIG_PAX_SEGMEXEC
73932 + if (new_m) {
73933 + unlink_anon_vmas(new_m);
73934 + kmem_cache_free(vm_area_cachep, new_m);
73935 + }
73936 +#endif
73937 +
73938 + unlink_anon_vmas(new);
73939 kmem_cache_free(vm_area_cachep, new);
73940 out_err:
73941 return err;
73942 @@ -2048,6 +2437,15 @@ static int __split_vma(struct mm_struct
73943 int split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
73944 unsigned long addr, int new_below)
73945 {
73946 +
73947 +#ifdef CONFIG_PAX_SEGMEXEC
73948 + if (mm->pax_flags & MF_PAX_SEGMEXEC) {
73949 + BUG_ON(vma->vm_end > SEGMEXEC_TASK_SIZE);
73950 + if (mm->map_count >= sysctl_max_map_count-1)
73951 + return -ENOMEM;
73952 + } else
73953 +#endif
73954 +
73955 if (mm->map_count >= sysctl_max_map_count)
73956 return -ENOMEM;
73957
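Review bot: The `} else` that closes the SEGMEXEC branch binds to the unpatched `if (mm->map_count >= sysctl_max_map_count)` across an `#endif` and a blank line, so any statement later inserted between them silently changes which check runs. The same construct appears in the mprotect syscall hunk in mm/mprotect.c, where `} else` / `#endif` is followed by `if (end > TASK_SIZE)`. Computing the limit into a local first (decremented by one when `MF_PAX_SEGMEXEC` is set) and then testing once with `if (mm->map_count >= limit) return -ENOMEM;` keeps both configurations on a single visible check. A short comment that the `-1` reserves a slot for the mirror VMA would also help. The body of `split_vma` continues outside this hunk.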
73958 @@ -2059,11 +2457,30 @@ int split_vma(struct mm_struct *mm, stru
73959 * work. This now handles partial unmappings.
73960 * Jeremy Fitzhardinge <jeremy@goop.org>
73961 */
73962 +#ifdef CONFIG_PAX_SEGMEXEC
73963 +int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
73964 +{
73965 + int ret = __do_munmap(mm, start, len);
73966 + if (ret || !(mm->pax_flags & MF_PAX_SEGMEXEC))
73967 + return ret;
73968 +
73969 + return __do_munmap(mm, start + SEGMEXEC_TASK_SIZE, len);
73970 +}
73971 +
73972 +int __do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
73973 +#else
73974 int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
73975 +#endif
73976 {
73977 unsigned long end;
73978 struct vm_area_struct *vma, *prev, *last;
73979
73980 + /*
73981 + * mm->mmap_sem is required to protect against another thread
73982 + * changing the mappings in case we sleep.
73983 + */
73984 + verify_mm_writelocked(mm);
73985 +
73986 if ((start & ~PAGE_MASK) || start > TASK_SIZE || len > TASK_SIZE-start)
73987 return -EINVAL;
73988
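Review bot: The new `do_munmap()` wrapper has no comment and its failure contract is not obvious. If the first `__do_munmap()` succeeds and the second call on `start + SEGMEXEC_TASK_SIZE` fails, the caller receives an error although the lower range is already unmapped. I would add above the wrapper `/* Under SEGMEXEC each unmap is repeated on the mirror range at start + SEGMEXEC_TASK_SIZE; if the second call fails the primary range stays unmapped. */`. The wrapper also assumes `start + len` lies within `SEGMEXEC_TASK_SIZE`; the munmap syscall checks that in a later hunk, but the in-kernel callers of `do_munmap()` are not visible here and should be confirmed. The body of `__do_munmap` continues outside this hunk.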
73989 @@ -2137,6 +2554,8 @@ int do_munmap(struct mm_struct *mm, unsi
73990 /* Fix up all other VM information */
73991 remove_vma_list(mm, vma);
73992
73993 + track_exec_limit(mm, start, end, 0UL);
73994 +
73995 return 0;
73996 }
73997
73998 @@ -2149,22 +2568,18 @@ SYSCALL_DEFINE2(munmap, unsigned long, a
73999
74000 profile_munmap(addr);
74001
74002 +#ifdef CONFIG_PAX_SEGMEXEC
74003 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) &&
74004 + (len > SEGMEXEC_TASK_SIZE || addr > SEGMEXEC_TASK_SIZE-len))
74005 + return -EINVAL;
74006 +#endif
74007 +
74008 down_write(&mm->mmap_sem);
74009 ret = do_munmap(mm, addr, len);
74010 up_write(&mm->mmap_sem);
74011 return ret;
74012 }
74013
74014 -static inline void verify_mm_writelocked(struct mm_struct *mm)
74015 -{
74016 -#ifdef CONFIG_DEBUG_VM
74017 - if (unlikely(down_read_trylock(&mm->mmap_sem))) {
74018 - WARN_ON(1);
74019 - up_read(&mm->mmap_sem);
74020 - }
74021 -#endif
74022 -}
74023 -
74024 /*
74025 * this is really a simplified "do_mmap". it only handles
74026 * anonymous maps. eventually we may be able to do some
74027 @@ -2178,6 +2593,7 @@ unsigned long do_brk(unsigned long addr,
74028 struct rb_node ** rb_link, * rb_parent;
74029 pgoff_t pgoff = addr >> PAGE_SHIFT;
74030 int error;
74031 + unsigned long charged;
74032
74033 len = PAGE_ALIGN(len);
74034 if (!len)
74035 @@ -2189,16 +2605,30 @@ unsigned long do_brk(unsigned long addr,
74036
74037 flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags;
74038
74039 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
74040 + if (mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
74041 + flags &= ~VM_EXEC;
74042 +
74043 +#ifdef CONFIG_PAX_MPROTECT
74044 + if (mm->pax_flags & MF_PAX_MPROTECT)
74045 + flags &= ~VM_MAYEXEC;
74046 +#endif
74047 +
74048 + }
74049 +#endif
74050 +
74051 error = get_unmapped_area(NULL, addr, len, 0, MAP_FIXED);
74052 if (error & ~PAGE_MASK)
74053 return error;
74054
74055 + charged = len >> PAGE_SHIFT;
74056 +
74057 /*
74058 * mlock MCL_FUTURE?
74059 */
74060 if (mm->def_flags & VM_LOCKED) {
74061 unsigned long locked, lock_limit;
74062 - locked = len >> PAGE_SHIFT;
74063 + locked = charged;
74064 locked += mm->locked_vm;
74065 lock_limit = rlimit(RLIMIT_MEMLOCK);
74066 lock_limit >>= PAGE_SHIFT;
74067 @@ -2215,22 +2645,22 @@ unsigned long do_brk(unsigned long addr,
74068 /*
74069 * Clear old maps. this also does some error checking for us
74070 */
74071 - munmap_back:
74072 vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
74073 if (vma && vma->vm_start < addr + len) {
74074 if (do_munmap(mm, addr, len))
74075 return -ENOMEM;
74076 - goto munmap_back;
74077 + vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
74078 + BUG_ON(vma && vma->vm_start < addr + len);
74079 }
74080
74081 /* Check against address space limits *after* clearing old maps... */
74082 - if (!may_expand_vm(mm, len >> PAGE_SHIFT))
74083 + if (!may_expand_vm(mm, charged))
74084 return -ENOMEM;
74085
74086 if (mm->map_count > sysctl_max_map_count)
74087 return -ENOMEM;
74088
74089 - if (security_vm_enough_memory(len >> PAGE_SHIFT))
74090 + if (security_vm_enough_memory(charged))
74091 return -ENOMEM;
74092
74093 /* Can we just expand an old private anonymous mapping? */
74094 @@ -2244,7 +2674,7 @@ unsigned long do_brk(unsigned long addr,
74095 */
74096 vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
74097 if (!vma) {
74098 - vm_unacct_memory(len >> PAGE_SHIFT);
74099 + vm_unacct_memory(charged);
74100 return -ENOMEM;
74101 }
74102
74103 @@ -2258,11 +2688,12 @@ unsigned long do_brk(unsigned long addr,
74104 vma_link(mm, vma, prev, rb_link, rb_parent);
74105 out:
74106 perf_event_mmap(vma);
74107 - mm->total_vm += len >> PAGE_SHIFT;
74108 + mm->total_vm += charged;
74109 if (flags & VM_LOCKED) {
74110 if (!mlock_vma_pages_range(vma, addr, addr + len))
74111 - mm->locked_vm += (len >> PAGE_SHIFT);
74112 + mm->locked_vm += charged;
74113 }
74114 + track_exec_limit(mm, addr, addr + len, flags);
74115 return addr;
74116 }
74117
74118 @@ -2309,8 +2740,10 @@ void exit_mmap(struct mm_struct *mm)
74119 * Walk the list again, actually closing and freeing it,
74120 * with preemption enabled, without holding any MM locks.
74121 */
74122 - while (vma)
74123 + while (vma) {
74124 + vma->vm_mirror = NULL;
74125 vma = remove_vma(vma);
74126 + }
74127
74128 BUG_ON(mm->nr_ptes > (FIRST_USER_ADDRESS+PMD_SIZE-1)>>PMD_SHIFT);
74129 }
74130 @@ -2324,6 +2757,13 @@ int insert_vm_struct(struct mm_struct *
74131 struct vm_area_struct * __vma, * prev;
74132 struct rb_node ** rb_link, * rb_parent;
74133
74134 +#ifdef CONFIG_PAX_SEGMEXEC
74135 + struct vm_area_struct *vma_m = NULL;
74136 +#endif
74137 +
74138 + if (security_file_mmap(NULL, 0, 0, 0, vma->vm_start, 1))
74139 + return -EPERM;
74140 +
74141 /*
74142 * The vm_pgoff of a purely anonymous vma should be irrelevant
74143 * until its first write fault, when page's anon_vma and index
74144 @@ -2346,7 +2786,22 @@ int insert_vm_struct(struct mm_struct *
74145 if ((vma->vm_flags & VM_ACCOUNT) &&
74146 security_vm_enough_memory_mm(mm, vma_pages(vma)))
74147 return -ENOMEM;
74148 +
74149 +#ifdef CONFIG_PAX_SEGMEXEC
74150 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_flags & VM_EXEC)) {
74151 + vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
74152 + if (!vma_m)
74153 + return -ENOMEM;
74154 + }
74155 +#endif
74156 +
74157 vma_link(mm, vma, prev, rb_link, rb_parent);
74158 +
74159 +#ifdef CONFIG_PAX_SEGMEXEC
74160 + if (vma_m)
74161 + BUG_ON(pax_mirror_vma(vma_m, vma));
74162 +#endif
74163 +
74164 return 0;
74165 }
74166
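Review bot: `BUG_ON(pax_mirror_vma(vma_m, vma))` turns an ordinary allocation failure into a kernel BUG, because `pax_mirror_vma()` (added further down in this file) returns -ENOMEM when `anon_vma_clone()` fails. That is memory pressure, not a broken invariant, and it appears reachable from any caller that inserts an executable VMA under SEGMEXEC. Since `vma` is already linked by `vma_link()` at that point, a clean error return needs the fallible step moved ahead of the link or an explicit unwind. Independently of that, putting a call with side effects inside `BUG_ON()` hides where the mirror is created. A separate `err = pax_mirror_vma(vma_m, vma);` line followed by the check reads more clearly.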
74167 @@ -2364,6 +2819,8 @@ struct vm_area_struct *copy_vma(struct v
74168 struct rb_node **rb_link, *rb_parent;
74169 struct mempolicy *pol;
74170
74171 + BUG_ON(vma->vm_mirror);
74172 +
74173 /*
74174 * If anonymous vma has not yet been faulted, update new pgoff
74175 * to match new location, to increase its chance of merging.
74176 @@ -2413,6 +2870,39 @@ struct vm_area_struct *copy_vma(struct v
74177 kmem_cache_free(vm_area_cachep, new_vma);
74178 return NULL;
74179 }
74180 +
74181 +#ifdef CONFIG_PAX_SEGMEXEC
74182 +long pax_mirror_vma(struct vm_area_struct *vma_m, struct vm_area_struct *vma)
74183 +{
74184 + struct vm_area_struct *prev_m;
74185 + struct rb_node **rb_link_m, *rb_parent_m;
74186 + struct mempolicy *pol_m;
74187 +
74188 + BUG_ON(!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) || !(vma->vm_flags & VM_EXEC));
74189 + BUG_ON(vma->vm_mirror || vma_m->vm_mirror);
74190 + BUG_ON(!mpol_equal(vma_policy(vma), vma_policy(vma_m)));
74191 + *vma_m = *vma;
74192 + INIT_LIST_HEAD(&vma_m->anon_vma_chain);
74193 + if (anon_vma_clone(vma_m, vma))
74194 + return -ENOMEM;
74195 + pol_m = vma_policy(vma_m);
74196 + mpol_get(pol_m);
74197 + vma_set_policy(vma_m, pol_m);
74198 + vma_m->vm_start += SEGMEXEC_TASK_SIZE;
74199 + vma_m->vm_end += SEGMEXEC_TASK_SIZE;
74200 + vma_m->vm_flags &= ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT | VM_LOCKED);
74201 + vma_m->vm_page_prot = vm_get_page_prot(vma_m->vm_flags);
74202 + if (vma_m->vm_file)
74203 + get_file(vma_m->vm_file);
74204 + if (vma_m->vm_ops && vma_m->vm_ops->open)
74205 + vma_m->vm_ops->open(vma_m);
74206 + find_vma_prepare(vma->vm_mm, vma_m->vm_start, &prev_m, &rb_link_m, &rb_parent_m);
74207 + vma_link(vma->vm_mm, vma_m, prev_m, rb_link_m, rb_parent_m);
74208 + vma_m->vm_mirror = vma;
74209 + vma->vm_mirror = vma_m;
74210 + return 0;
74211 +}
74212 +#endif
74213
74214 /*
74215 * Return true if the calling process may expand its vm space by the passed
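Review bot: `pax_mirror_vma()` is called from mm/mprotect.c as well as from this file, but it has no header comment and its contract has sharp edges. The comment should say that `vma_m` must be a freshly zeroed VMA, and that `vma` must be an executable VMA of a SEGMEXEC mm with no mirror yet. It should also say that on -ENOMEM `*vma_m` has already been overwritten with a copy of `*vma` and is not freed, so the caller still owns it. The locking requirement (presumably mmap_sem held for writing) should be stated as well. Separately, the return value of `find_vma_prepare()` is discarded, so an existing mapping that overlaps the mirror range would go unnoticed before `vma_link()`. An assertion on that result would match the `BUG_ON` checks at the top of the function.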
74216 @@ -2424,7 +2914,7 @@ int may_expand_vm(struct mm_struct *mm,
74217 unsigned long lim;
74218
74219 lim = rlimit(RLIMIT_AS) >> PAGE_SHIFT;
74220 -
74221 + gr_learn_resource(current, RLIMIT_AS, (cur + npages) << PAGE_SHIFT, 1);
74222 if (cur + npages > lim)
74223 return 0;
74224 return 1;
74225 @@ -2495,6 +2985,22 @@ int install_special_mapping(struct mm_st
74226 vma->vm_start = addr;
74227 vma->vm_end = addr + len;
74228
74229 +#ifdef CONFIG_PAX_MPROTECT
74230 + if (mm->pax_flags & MF_PAX_MPROTECT) {
74231 +#ifndef CONFIG_PAX_MPROTECT_COMPAT
74232 + if ((vm_flags & (VM_WRITE | VM_EXEC)) == (VM_WRITE | VM_EXEC))
74233 + return -EPERM;
74234 + if (!(vm_flags & VM_EXEC))
74235 + vm_flags &= ~VM_MAYEXEC;
74236 +#else
74237 + if ((vm_flags & (VM_WRITE | VM_EXEC)) != VM_EXEC)
74238 + vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
74239 +#endif
74240 + else
74241 + vm_flags &= ~VM_MAYWRITE;
74242 + }
74243 +#endif
74244 +
74245 vma->vm_flags = vm_flags | mm->def_flags | VM_DONTEXPAND;
74246 vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
74247
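Review bot: The `return -EPERM` for a writable and executable special mapping exits after `vma` has already been filled in (`vma->vm_start = addr` just above). If `vma` was allocated earlier in the function, which this hunk does not show, the direct return leaks it. Either do the W|X test before the allocation or leave through the function's existing cleanup path. The block is also hard to read because the trailing `else vm_flags &= ~VM_MAYWRITE;` pairs with a different `if` in each preprocessor branch. Writing the two configurations as two complete `if`/`else` statements under `#ifndef`/`#else` would make each policy reviewable on its own.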
74248 diff -urNp linux-2.6.39.3/mm/mprotect.c linux-2.6.39.3/mm/mprotect.c
74249 --- linux-2.6.39.3/mm/mprotect.c 2011-05-19 00:06:34.000000000 -0400
74250 +++ linux-2.6.39.3/mm/mprotect.c 2011-05-22 19:41:42.000000000 -0400
74251 @@ -23,10 +23,16 @@
74252 #include <linux/mmu_notifier.h>
74253 #include <linux/migrate.h>
74254 #include <linux/perf_event.h>
74255 +
74256 +#ifdef CONFIG_PAX_MPROTECT
74257 +#include <linux/elf.h>
74258 +#endif
74259 +
74260 #include <asm/uaccess.h>
74261 #include <asm/pgtable.h>
74262 #include <asm/cacheflush.h>
74263 #include <asm/tlbflush.h>
74264 +#include <asm/mmu_context.h>
74265
74266 #ifndef pgprot_modify
74267 static inline pgprot_t pgprot_modify(pgprot_t oldprot, pgprot_t newprot)
74268 @@ -141,6 +147,48 @@ static void change_protection(struct vm_
74269 flush_tlb_range(vma, start, end);
74270 }
74271
74272 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
74273 +/* called while holding the mmap semaphor for writing except stack expansion */
74274 +void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot)
74275 +{
74276 + unsigned long oldlimit, newlimit = 0UL;
74277 +
74278 + if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || (__supported_pte_mask & _PAGE_NX))
74279 + return;
74280 +
74281 + spin_lock(&mm->page_table_lock);
74282 + oldlimit = mm->context.user_cs_limit;
74283 + if ((prot & VM_EXEC) && oldlimit < end)
74284 + /* USER_CS limit moved up */
74285 + newlimit = end;
74286 + else if (!(prot & VM_EXEC) && start < oldlimit && oldlimit <= end)
74287 + /* USER_CS limit moved down */
74288 + newlimit = start;
74289 +
74290 + if (newlimit) {
74291 + mm->context.user_cs_limit = newlimit;
74292 +
74293 +#ifdef CONFIG_SMP
74294 + wmb();
74295 + cpus_clear(mm->context.cpu_user_cs_mask);
74296 + cpu_set(smp_processor_id(), mm->context.cpu_user_cs_mask);
74297 +#endif
74298 +
74299 + set_user_cs(mm->context.user_cs_base, mm->context.user_cs_limit, smp_processor_id());
74300 + }
74301 + spin_unlock(&mm->page_table_lock);
74302 + if (newlimit == end) {
74303 + struct vm_area_struct *vma = find_vma(mm, oldlimit);
74304 +
74305 + for (; vma && vma->vm_start < end; vma = vma->vm_next)
74306 + if (is_vm_hugetlb_page(vma))
74307 + hugetlb_change_protection(vma, vma->vm_start, vma->vm_end, vma->vm_page_prot);
74308 + else
74309 + change_protection(vma, vma->vm_start, vma->vm_end, vma->vm_page_prot, vma_wants_writenotify(vma));
74310 + }
74311 +}
74312 +#endif
74313 +
74314 int
74315 mprotect_fixup(struct vm_area_struct *vma, struct vm_area_struct **pprev,
74316 unsigned long start, unsigned long end, unsigned long newflags)
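Review bot: The last parameter of `track_exec_limit()` is named `prot` but is tested against `VM_EXEC`, and the callers visible in this patch pass VMA flags (`vm_flags`, `flags`, `0UL`), not `PROT_*` bits. Renaming it to `vm_flags` would stop a later caller from passing `PROT_EXEC`, which has a different value and would be misread. `newlimit = 0UL` doubles as the "no change" marker, so a downward move to `start == 0` is dropped; if that case cannot occur, a one-line comment should say so. The header comment should also state what the "except stack expansion" callers hold, since the VMA walk after `spin_unlock()` runs with only that protection. Bracing the `for` body would make the unbraced `if`/`else` inside it harder to break.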
74317 @@ -153,11 +201,29 @@ mprotect_fixup(struct vm_area_struct *vm
74318 int error;
74319 int dirty_accountable = 0;
74320
74321 +#ifdef CONFIG_PAX_SEGMEXEC
74322 + struct vm_area_struct *vma_m = NULL;
74323 + unsigned long start_m, end_m;
74324 +
74325 + start_m = start + SEGMEXEC_TASK_SIZE;
74326 + end_m = end + SEGMEXEC_TASK_SIZE;
74327 +#endif
74328 +
74329 if (newflags == oldflags) {
74330 *pprev = vma;
74331 return 0;
74332 }
74333
74334 + if (newflags & (VM_READ | VM_WRITE | VM_EXEC)) {
74335 + struct vm_area_struct *prev = vma->vm_prev, *next = vma->vm_next;
74336 +
74337 + if (next && (next->vm_flags & VM_GROWSDOWN) && sysctl_heap_stack_gap > next->vm_start - end)
74338 + return -ENOMEM;
74339 +
74340 + if (prev && (prev->vm_flags & VM_GROWSUP) && sysctl_heap_stack_gap > start - prev->vm_end)
74341 + return -ENOMEM;
74342 + }
74343 +
74344 /*
74345 * If we make a private mapping writable we increase our commit;
74346 * but (without finer accounting) cannot reduce our commit if we
74347 @@ -174,6 +240,42 @@ mprotect_fixup(struct vm_area_struct *vm
74348 }
74349 }
74350
74351 +#ifdef CONFIG_PAX_SEGMEXEC
74352 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && ((oldflags ^ newflags) & VM_EXEC)) {
74353 + if (start != vma->vm_start) {
74354 + error = split_vma(mm, vma, start, 1);
74355 + if (error)
74356 + goto fail;
74357 + BUG_ON(!*pprev || (*pprev)->vm_next == vma);
74358 + *pprev = (*pprev)->vm_next;
74359 + }
74360 +
74361 + if (end != vma->vm_end) {
74362 + error = split_vma(mm, vma, end, 0);
74363 + if (error)
74364 + goto fail;
74365 + }
74366 +
74367 + if (pax_find_mirror_vma(vma)) {
74368 + error = __do_munmap(mm, start_m, end_m - start_m);
74369 + if (error)
74370 + goto fail;
74371 + } else {
74372 + vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
74373 + if (!vma_m) {
74374 + error = -ENOMEM;
74375 + goto fail;
74376 + }
74377 + vma->vm_flags = newflags;
74378 + error = pax_mirror_vma(vma_m, vma);
74379 + if (error) {
74380 + vma->vm_flags = oldflags;
74381 + goto fail;
74382 + }
74383 + }
74384 + }
74385 +#endif
74386 +
74387 /*
74388 * First try to merge with previous and/or next vma.
74389 */
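Review bot: `vma_m` from `kmem_cache_zalloc()` is not released when `pax_mirror_vma()` fails: the error branch only restores `vma->vm_flags` and jumps to `fail`, and `pax_mirror_vma()` returns -ENOMEM without freeing its argument. Unless the `fail:` label, which is outside this hunk, frees it, each failed call leaks one VMA object. Adding `kmem_cache_free(vm_area_cachep, vma_m);` before the `goto fail;` would close that. Note also that `split_vma()` may already have split the VMA by the time a later step fails, so the error return leaves the layout changed. A comment saying this is accepted would save the next reader from checking.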
74390 @@ -204,9 +306,21 @@ success:
74391 * vm_flags and vm_page_prot are protected by the mmap_sem
74392 * held in write mode.
74393 */
74394 +
74395 +#ifdef CONFIG_PAX_SEGMEXEC
74396 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (newflags & VM_EXEC) && ((vma->vm_flags ^ newflags) & VM_READ))
74397 + pax_find_mirror_vma(vma)->vm_flags ^= VM_READ;
74398 +#endif
74399 +
74400 vma->vm_flags = newflags;
74401 +
74402 +#ifdef CONFIG_PAX_MPROTECT
74403 + if (mm->binfmt && mm->binfmt->handle_mprotect)
74404 + mm->binfmt->handle_mprotect(vma, newflags);
74405 +#endif
74406 +
74407 vma->vm_page_prot = pgprot_modify(vma->vm_page_prot,
74408 - vm_get_page_prot(newflags));
74409 + vm_get_page_prot(vma->vm_flags));
74410
74411 if (vma_wants_writenotify(vma)) {
74412 vma->vm_page_prot = vm_get_page_prot(newflags & ~VM_SHARED);
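Review bot: `pax_find_mirror_vma(vma)->vm_flags ^= VM_READ;` dereferences the lookup result unchecked, although the earlier SEGMEXEC hunk in this function treats a NULL return as a normal case. The line therefore depends on every `VM_EXEC` VMA having a mirror at this point, including after the merge attempt between the two hunks, which is not visible here. Using the `vma_m` local that the patch already declares would make the assumption explicit: `vma_m = pax_find_mirror_vma(vma); BUG_ON(!vma_m); vma_m->vm_flags ^= VM_READ;`. Separately, the write-notify line still computes `vm_get_page_prot(newflags & ~VM_SHARED)` while the line above it was switched to `vma->vm_flags`. If `handle_mprotect()` can change any bit that `vm_get_page_prot()` looks at, the two will disagree, so that line should probably use `vma->vm_flags & ~VM_SHARED` as well.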
74413 @@ -248,6 +362,17 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
74414 end = start + len;
74415 if (end <= start)
74416 return -ENOMEM;
74417 +
74418 +#ifdef CONFIG_PAX_SEGMEXEC
74419 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
74420 + if (end > SEGMEXEC_TASK_SIZE)
74421 + return -EINVAL;
74422 + } else
74423 +#endif
74424 +
74425 + if (end > TASK_SIZE)
74426 + return -EINVAL;
74427 +
74428 if (!arch_validate_prot(prot))
74429 return -EINVAL;
74430
74431 @@ -255,7 +380,7 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
74432 /*
74433 * Does the application expect PROT_READ to imply PROT_EXEC:
74434 */
74435 - if ((prot & PROT_READ) && (current->personality & READ_IMPLIES_EXEC))
74436 + if ((prot & (PROT_READ | PROT_WRITE)) && (current->personality & READ_IMPLIES_EXEC))
74437 prot |= PROT_EXEC;
74438
74439 vm_flags = calc_vm_prot_bits(prot);
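Review bot: The comment above the test still says "Does the application expect PROT_READ to imply PROT_EXEC", but the condition now also fires for a `PROT_WRITE`-only request. That silently widens which mprotect calls gain `PROT_EXEC` under the `READ_IMPLIES_EXEC` personality, so the reason should be written down. I would change the comment to something like `/* READ_IMPLIES_EXEC: treat PROT_WRITE like PROT_READ, since a writable mapping is readable on the affected architectures */`. That rationale is my assumption; the patch author should confirm or correct it.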
74440 @@ -287,6 +412,11 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
74441 if (start > vma->vm_start)
74442 prev = vma;
74443
74444 +#ifdef CONFIG_PAX_MPROTECT
74445 + if (current->mm->binfmt && current->mm->binfmt->handle_mprotect)
74446 + current->mm->binfmt->handle_mprotect(vma, vm_flags);
74447 +#endif
74448 +
74449 for (nstart = start ; ; ) {
74450 unsigned long newflags;
74451
74452 @@ -296,6 +426,14 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
74453
74454 /* newflags >> 4 shift VM_MAY% in place of VM_% */
74455 if ((newflags & ~(newflags >> 4)) & (VM_READ | VM_WRITE | VM_EXEC)) {
74456 + if (prot & (PROT_WRITE | PROT_EXEC))
74457 + gr_log_rwxmprotect(vma->vm_file);
74458 +
74459 + error = -EACCES;
74460 + goto out;
74461 + }
74462 +
74463 + if (!gr_acl_handle_mprotect(vma->vm_file, prot)) {
74464 error = -EACCES;
74465 goto out;
74466 }
74467 @@ -310,6 +448,9 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
74468 error = mprotect_fixup(vma, &prev, nstart, tmp, newflags);
74469 if (error)
74470 goto out;
74471 +
74472 + track_exec_limit(current->mm, nstart, tmp, vm_flags);
74473 +
74474 nstart = tmp;
74475
74476 if (nstart < prev->vm_end)
74477 diff -urNp linux-2.6.39.3/mm/mremap.c linux-2.6.39.3/mm/mremap.c
74478 --- linux-2.6.39.3/mm/mremap.c 2011-05-19 00:06:34.000000000 -0400
74479 +++ linux-2.6.39.3/mm/mremap.c 2011-05-22 19:36:33.000000000 -0400
74480 @@ -114,6 +114,12 @@ static void move_ptes(struct vm_area_str
74481 continue;
74482 pte = ptep_clear_flush(vma, old_addr, old_pte);
74483 pte = move_pte(pte, new_vma->vm_page_prot, old_addr, new_addr);
74484 +
74485 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
74486 + if (!(__supported_pte_mask & _PAGE_NX) && (new_vma->vm_flags & (VM_PAGEEXEC | VM_EXEC)) == VM_PAGEEXEC)
74487 + pte = pte_exprotect(pte);
74488 +#endif
74489 +
74490 set_pte_at(mm, new_addr, new_pte, pte);
74491 }
74492
74493 @@ -273,6 +279,11 @@ static struct vm_area_struct *vma_to_res
74494 if (is_vm_hugetlb_page(vma))
74495 goto Einval;
74496
74497 +#ifdef CONFIG_PAX_SEGMEXEC
74498 + if (pax_find_mirror_vma(vma))
74499 + goto Einval;
74500 +#endif
74501 +
74502 /* We can't remap across vm area boundaries */
74503 if (old_len > vma->vm_end - addr)
74504 goto Efault;
74505 @@ -329,20 +340,25 @@ static unsigned long mremap_to(unsigned
74506 unsigned long ret = -EINVAL;
74507 unsigned long charged = 0;
74508 unsigned long map_flags;
74509 + unsigned long pax_task_size = TASK_SIZE;
74510
74511 if (new_addr & ~PAGE_MASK)
74512 goto out;
74513
74514 - if (new_len > TASK_SIZE || new_addr > TASK_SIZE - new_len)
74515 +#ifdef CONFIG_PAX_SEGMEXEC
74516 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
74517 + pax_task_size = SEGMEXEC_TASK_SIZE;
74518 +#endif
74519 +
74520 + pax_task_size -= PAGE_SIZE;
74521 +
74522 + if (new_len > TASK_SIZE || new_addr > pax_task_size - new_len)
74523 goto out;
74524
74525 /* Check if the location we're moving into overlaps the
74526 * old location at all, and fail if it does.
74527 */
74528 - if ((new_addr <= addr) && (new_addr+new_len) > addr)
74529 - goto out;
74530 -
74531 - if ((addr <= new_addr) && (addr+old_len) > new_addr)
74532 + if (addr + old_len > new_addr && new_addr + new_len > addr)
74533 goto out;
74534
74535 ret = security_file_mmap(NULL, 0, 0, 0, new_addr, 1);
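Review bot: The new bound check mixes two limits: `new_len` is still compared with `TASK_SIZE` while `new_addr` is compared with `pax_task_size - new_len`. For a `new_len` between `pax_task_size` and `TASK_SIZE` the unsigned subtraction wraps and the second test passes for any `new_addr`. The check that `do_mremap()` gains in a later hunk rejects such lengths before `mremap_to()` is reached, so this is not exploitable as the patch stands, but the function should not rely on its caller for that. Use the same limit on both sides: `if (new_len > pax_task_size || new_addr > pax_task_size - new_len)`. The body of `mremap_to` continues outside this hunk.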
74536 @@ -414,6 +430,7 @@ unsigned long do_mremap(unsigned long ad
74537 struct vm_area_struct *vma;
74538 unsigned long ret = -EINVAL;
74539 unsigned long charged = 0;
74540 + unsigned long pax_task_size = TASK_SIZE;
74541
74542 if (flags & ~(MREMAP_FIXED | MREMAP_MAYMOVE))
74543 goto out;
74544 @@ -432,6 +449,17 @@ unsigned long do_mremap(unsigned long ad
74545 if (!new_len)
74546 goto out;
74547
74548 +#ifdef CONFIG_PAX_SEGMEXEC
74549 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
74550 + pax_task_size = SEGMEXEC_TASK_SIZE;
74551 +#endif
74552 +
74553 + pax_task_size -= PAGE_SIZE;
74554 +
74555 + if (new_len > pax_task_size || addr > pax_task_size-new_len ||
74556 + old_len > pax_task_size || addr > pax_task_size-old_len)
74557 + goto out;
74558 +
74559 if (flags & MREMAP_FIXED) {
74560 if (flags & MREMAP_MAYMOVE)
74561 ret = mremap_to(addr, old_len, new_addr, new_len);
74562 @@ -481,6 +509,7 @@ unsigned long do_mremap(unsigned long ad
74563 addr + new_len);
74564 }
74565 ret = addr;
74566 + track_exec_limit(vma->vm_mm, vma->vm_start, addr + new_len, vma->vm_flags);
74567 goto out;
74568 }
74569 }
74570 @@ -507,7 +536,13 @@ unsigned long do_mremap(unsigned long ad
74571 ret = security_file_mmap(NULL, 0, 0, 0, new_addr, 1);
74572 if (ret)
74573 goto out;
74574 +
74575 + map_flags = vma->vm_flags;
74576 ret = move_vma(vma, addr, old_len, new_len, new_addr);
74577 + if (!(ret & ~PAGE_MASK)) {
74578 + track_exec_limit(current->mm, addr, addr + old_len, 0UL);
74579 + track_exec_limit(current->mm, new_addr, new_addr + new_len, map_flags);
74580 + }
74581 }
74582 out:
74583 if (ret & ~PAGE_MASK)
74584 diff -urNp linux-2.6.39.3/mm/nobootmem.c linux-2.6.39.3/mm/nobootmem.c
74585 --- linux-2.6.39.3/mm/nobootmem.c 2011-05-19 00:06:34.000000000 -0400
74586 +++ linux-2.6.39.3/mm/nobootmem.c 2011-05-22 19:36:33.000000000 -0400
74587 @@ -110,19 +110,30 @@ static void __init __free_pages_memory(u
74588 unsigned long __init free_all_memory_core_early(int nodeid)
74589 {
74590 int i;
74591 - u64 start, end;
74592 + u64 start, end, startrange, endrange;
74593 unsigned long count = 0;
74594 - struct range *range = NULL;
74595 + struct range *range = NULL, rangerange = { 0, 0 };
74596 int nr_range;
74597
74598 nr_range = get_free_all_memory_range(&range, nodeid);
74599 + startrange = __pa(range) >> PAGE_SHIFT;
74600 + endrange = (__pa(range + nr_range) - 1) >> PAGE_SHIFT;
74601
74602 for (i = 0; i < nr_range; i++) {
74603 start = range[i].start;
74604 end = range[i].end;
74605 + if (start <= endrange && startrange < end) {
74606 + BUG_ON(rangerange.start | rangerange.end);
74607 + rangerange = range[i];
74608 + continue;
74609 + }
74610 count += end - start;
74611 __free_pages_memory(start, end);
74612 }
74613 + start = rangerange.start;
74614 + end = rangerange.end;
74615 + count += end - start;
74616 + __free_pages_memory(start, end);
74617
74618 return count;
74619 }
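Review bot: Nothing explains why the range that overlaps the `range` array is held back and freed only after the loop. Presumably the array itself lives in memory described by one of the ranges, so freeing it mid-loop (and clearing it, when page sanitizing is enabled) would corrupt the entries still to be read. A comment to that effect above `if (start <= endrange && startrange < end)` would make the intent reviewable. When no range matches, `rangerange` stays `{ 0, 0 }` and the trailing `__free_pages_memory(start, end)` still runs on an empty span; guarding it with `if (rangerange.end)` makes that case explicit. `__pa(range)` is also evaluated before anything checks that `get_free_all_memory_range()` returned entries.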
74620 diff -urNp linux-2.6.39.3/mm/nommu.c linux-2.6.39.3/mm/nommu.c
74621 --- linux-2.6.39.3/mm/nommu.c 2011-05-19 00:06:34.000000000 -0400
74622 +++ linux-2.6.39.3/mm/nommu.c 2011-05-22 19:36:33.000000000 -0400
74623 @@ -63,7 +63,6 @@ int sysctl_overcommit_memory = OVERCOMMI
74624 int sysctl_overcommit_ratio = 50; /* default is 50% */
74625 int sysctl_max_map_count = DEFAULT_MAX_MAP_COUNT;
74626 int sysctl_nr_trim_pages = CONFIG_NOMMU_INITIAL_TRIM_EXCESS;
74627 -int heap_stack_gap = 0;
74628
74629 atomic_long_t mmap_pages_allocated;
74630
74631 @@ -833,15 +832,6 @@ struct vm_area_struct *find_vma(struct m
74632 EXPORT_SYMBOL(find_vma);
74633
74634 /*
74635 - * find a VMA
74636 - * - we don't extend stack VMAs under NOMMU conditions
74637 - */
74638 -struct vm_area_struct *find_extend_vma(struct mm_struct *mm, unsigned long addr)
74639 -{
74640 - return find_vma(mm, addr);
74641 -}
74642 -
74643 -/*
74644 * expand a stack to a given address
74645 * - not supported under NOMMU conditions
74646 */
74647 @@ -1563,6 +1553,7 @@ int split_vma(struct mm_struct *mm, stru
74648
74649 /* most fields are the same, copy all, and then fixup */
74650 *new = *vma;
74651 + INIT_LIST_HEAD(&new->anon_vma_chain);
74652 *region = *vma->vm_region;
74653 new->vm_region = region;
74654
74655 diff -urNp linux-2.6.39.3/mm/page_alloc.c linux-2.6.39.3/mm/page_alloc.c
74656 --- linux-2.6.39.3/mm/page_alloc.c 2011-06-03 00:04:14.000000000 -0400
74657 +++ linux-2.6.39.3/mm/page_alloc.c 2011-07-09 09:12:54.000000000 -0400
74658 @@ -337,7 +337,7 @@ out:
74659 * This usage means that zero-order pages may not be compound.
74660 */
74661
74662 -static void free_compound_page(struct page *page)
74663 +void free_compound_page(struct page *page)
74664 {
74665 __free_pages_ok(page, compound_order(page));
74666 }
74667 @@ -650,6 +650,10 @@ static bool free_pages_prepare(struct pa
74668 int i;
74669 int bad = 0;
74670
74671 +#ifdef CONFIG_PAX_MEMORY_SANITIZE
74672 + unsigned long index = 1UL << order;
74673 +#endif
74674 +
74675 trace_mm_page_free_direct(page, order);
74676 kmemcheck_free_shadow(page, order);
74677
74678 @@ -665,6 +669,12 @@ static bool free_pages_prepare(struct pa
74679 debug_check_no_obj_freed(page_address(page),
74680 PAGE_SIZE << order);
74681 }
74682 +
74683 +#ifdef CONFIG_PAX_MEMORY_SANITIZE
74684 + for (; index; --index)
74685 + sanitize_highpage(page + index - 1);
74686 +#endif
74687 +
74688 arch_free_page(page, order);
74689 kernel_map_pages(page, 1 << order, 0);
74690
74691 @@ -780,8 +790,10 @@ static int prep_new_page(struct page *pa
74692 arch_alloc_page(page, order);
74693 kernel_map_pages(page, 1 << order, 1);
74694
74695 +#ifndef CONFIG_PAX_MEMORY_SANITIZE
74696 if (gfp_flags & __GFP_ZERO)
74697 prep_zero_page(page, order, gfp_flags);
74698 +#endif
74699
74700 if (order && (gfp_flags & __GFP_COMP))
74701 prep_compound_page(page, order);
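Review bot: Compiling out `prep_zero_page()` under `CONFIG_PAX_MEMORY_SANITIZE` makes every `__GFP_ZERO` allocation depend on the page having been cleared on its way into the allocator, and nothing at this site says so. A comment such as `/* pages are sanitized in free_pages_prepare(), so they are already zero here */` would record the invariant next to the code that relies on it. Two things are worth confirming: that no path hands pages to the buddy allocator without passing through `free_pages_prepare()`, and that `sanitize_highpage()` writes zeros rather than a poison pattern. Neither is visible in this hunk. If either assumption fails, callers that asked for zeroed memory receive stale contents.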
74702 @@ -2504,6 +2516,8 @@ void __show_free_areas(unsigned int filt
74703 int cpu;
74704 struct zone *zone;
74705
74706 + pax_track_stack();
74707 +
74708 for_each_populated_zone(zone) {
74709 if (skip_free_areas_zone(filter, zone))
74710 continue;
74711 diff -urNp linux-2.6.39.3/mm/percpu.c linux-2.6.39.3/mm/percpu.c
74712 --- linux-2.6.39.3/mm/percpu.c 2011-05-19 00:06:34.000000000 -0400
74713 +++ linux-2.6.39.3/mm/percpu.c 2011-05-22 19:36:33.000000000 -0400
74714 @@ -121,7 +121,7 @@ static unsigned int pcpu_first_unit_cpu
74715 static unsigned int pcpu_last_unit_cpu __read_mostly;
74716
74717 /* the address of the first chunk which starts with the kernel static area */
74718 -void *pcpu_base_addr __read_mostly;
74719 +void *pcpu_base_addr __read_only;
74720 EXPORT_SYMBOL_GPL(pcpu_base_addr);
74721
74722 static const int *pcpu_unit_map __read_mostly; /* cpu -> unit */
74723 diff -urNp linux-2.6.39.3/mm/rmap.c linux-2.6.39.3/mm/rmap.c
74724 --- linux-2.6.39.3/mm/rmap.c 2011-05-19 00:06:34.000000000 -0400
74725 +++ linux-2.6.39.3/mm/rmap.c 2011-05-22 19:36:33.000000000 -0400
74726 @@ -131,6 +131,10 @@ int anon_vma_prepare(struct vm_area_stru
74727 struct anon_vma *anon_vma = vma->anon_vma;
74728 struct anon_vma_chain *avc;
74729
74730 +#ifdef CONFIG_PAX_SEGMEXEC
74731 + struct anon_vma_chain *avc_m = NULL;
74732 +#endif
74733 +
74734 might_sleep();
74735 if (unlikely(!anon_vma)) {
74736 struct mm_struct *mm = vma->vm_mm;
74737 @@ -140,6 +144,12 @@ int anon_vma_prepare(struct vm_area_stru
74738 if (!avc)
74739 goto out_enomem;
74740
74741 +#ifdef CONFIG_PAX_SEGMEXEC
74742 + avc_m = anon_vma_chain_alloc();
74743 + if (!avc_m)
74744 + goto out_enomem_free_avc;
74745 +#endif
74746 +
74747 anon_vma = find_mergeable_anon_vma(vma);
74748 allocated = NULL;
74749 if (!anon_vma) {
74750 @@ -153,6 +163,21 @@ int anon_vma_prepare(struct vm_area_stru
74751 /* page_table_lock to protect against threads */
74752 spin_lock(&mm->page_table_lock);
74753 if (likely(!vma->anon_vma)) {
74754 +
74755 +#ifdef CONFIG_PAX_SEGMEXEC
74756 + struct vm_area_struct *vma_m = pax_find_mirror_vma(vma);
74757 +
74758 + if (vma_m) {
74759 + BUG_ON(vma_m->anon_vma);
74760 + vma_m->anon_vma = anon_vma;
74761 + avc_m->anon_vma = anon_vma;
74762 + avc_m->vma = vma;
74763 + list_add(&avc_m->same_vma, &vma_m->anon_vma_chain);
74764 + list_add(&avc_m->same_anon_vma, &anon_vma->head);
74765 + avc_m = NULL;
74766 + }
74767 +#endif
74768 +
74769 vma->anon_vma = anon_vma;
74770 avc->anon_vma = anon_vma;
74771 avc->vma = vma;
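Review bot: `avc_m` is added to `vma_m->anon_vma_chain`, but its back-pointer is set to the primary VMA with `avc_m->vma = vma;`. That looks like a copy of the assignment a few lines below, and it would presumably make any walk that reaches this chain entry resolve to the wrong VMA. I would expect `avc_m->vma = vma_m;` here. If pointing the mirror's entry at the primary VMA is intentional, it needs a comment explaining why. The body of `anon_vma_prepare` extends outside this hunk.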
74772 @@ -166,12 +191,24 @@ int anon_vma_prepare(struct vm_area_stru
74773
74774 if (unlikely(allocated))
74775 put_anon_vma(allocated);
74776 +
74777 +#ifdef CONFIG_PAX_SEGMEXEC
74778 + if (unlikely(avc_m))
74779 + anon_vma_chain_free(avc_m);
74780 +#endif
74781 +
74782 if (unlikely(avc))
74783 anon_vma_chain_free(avc);
74784 }
74785 return 0;
74786
74787 out_enomem_free_avc:
74788 +
74789 +#ifdef CONFIG_PAX_SEGMEXEC
74790 + if (avc_m)
74791 + anon_vma_chain_free(avc_m);
74792 +#endif
74793 +
74794 anon_vma_chain_free(avc);
74795 out_enomem:
74796 return -ENOMEM;
74797 @@ -198,7 +235,7 @@ static void anon_vma_chain_link(struct v
74798 * Attach the anon_vmas from src to dst.
74799 * Returns 0 on success, -ENOMEM on failure.
74800 */
74801 -int anon_vma_clone(struct vm_area_struct *dst, struct vm_area_struct *src)
74802 +int anon_vma_clone(struct vm_area_struct *dst, const struct vm_area_struct *src)
74803 {
74804 struct anon_vma_chain *avc, *pavc;
74805
74806 @@ -220,7 +257,7 @@ int anon_vma_clone(struct vm_area_struct
74807 * the corresponding VMA in the parent process is attached to.
74808 * Returns 0 on success, non-zero on failure.
74809 */
74810 -int anon_vma_fork(struct vm_area_struct *vma, struct vm_area_struct *pvma)
74811 +int anon_vma_fork(struct vm_area_struct *vma, const struct vm_area_struct *pvma)
74812 {
74813 struct anon_vma_chain *avc;
74814 struct anon_vma *anon_vma;
74815 diff -urNp linux-2.6.39.3/mm/shmem.c linux-2.6.39.3/mm/shmem.c
74816 --- linux-2.6.39.3/mm/shmem.c 2011-06-03 00:04:14.000000000 -0400
74817 +++ linux-2.6.39.3/mm/shmem.c 2011-06-03 00:32:08.000000000 -0400
74818 @@ -31,7 +31,7 @@
74819 #include <linux/percpu_counter.h>
74820 #include <linux/swap.h>
74821
74822 -static struct vfsmount *shm_mnt;
74823 +struct vfsmount *shm_mnt;
74824
74825 #ifdef CONFIG_SHMEM
74826 /*
74827 @@ -1087,6 +1087,8 @@ static int shmem_writepage(struct page *
74828 goto unlock;
74829 }
74830 entry = shmem_swp_entry(info, index, NULL);
74831 + if (!entry)
74832 + goto unlock;
74833 if (entry->val) {
74834 /*
74835 * The more uptodate page coming down from a stacked
74836 @@ -1158,6 +1160,8 @@ static struct page *shmem_swapin(swp_ent
74837 struct vm_area_struct pvma;
74838 struct page *page;
74839
74840 + pax_track_stack();
74841 +
74842 spol = mpol_cond_copy(&mpol,
74843 mpol_shared_policy_lookup(&info->policy, idx));
74844
74845 @@ -2014,7 +2018,7 @@ static int shmem_symlink(struct inode *d
74846
74847 info = SHMEM_I(inode);
74848 inode->i_size = len-1;
74849 - if (len <= (char *)inode - (char *)info) {
74850 + if (len <= (char *)inode - (char *)info && len <= 64) {
74851 /* do it inline */
74852 memcpy(info, symname, len);
74853 inode->i_op = &shmem_symlink_inline_operations;
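Review bot: The added `len <= 64` bound is an unexplained magic number sitting next to a size that is otherwise derived from the structure layout. Give it a named constant and say what it protects, for example `#define SHMEM_SYMLINK_INLINE_LEN 64` with a comment naming the field or copy limit it corresponds to. As written, a later change to the layout of `struct shmem_inode_info` cannot be checked against this value. The body of `shmem_symlink` continues outside this hunk.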
74854 @@ -2362,8 +2366,7 @@ int shmem_fill_super(struct super_block
74855 int err = -ENOMEM;
74856
74857 /* Round up to L1_CACHE_BYTES to resist false sharing */
74858 - sbinfo = kzalloc(max((int)sizeof(struct shmem_sb_info),
74859 - L1_CACHE_BYTES), GFP_KERNEL);
74860 + sbinfo = kzalloc(max(sizeof(struct shmem_sb_info), L1_CACHE_BYTES), GFP_KERNEL);
74861 if (!sbinfo)
74862 return -ENOMEM;
74863
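Review bot: `max(sizeof(struct shmem_sb_info), L1_CACHE_BYTES)` compares a size_t with whatever type L1_CACHE_BYTES has, and the kernel's type-checking max() warns when the two differ; the removed `(int)` cast was what kept them equal. Unless L1_CACHE_BYTES is made unsigned long elsewhere in this patch (not visible here), `max_t(size_t, sizeof(struct shmem_sb_info), L1_CACHE_BYTES)` states the intended type without narrowing the size. shmem_fill_super continues past the hunk.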
74864 diff -urNp linux-2.6.39.3/mm/slab.c linux-2.6.39.3/mm/slab.c
74865 --- linux-2.6.39.3/mm/slab.c 2011-05-19 00:06:34.000000000 -0400
74866 +++ linux-2.6.39.3/mm/slab.c 2011-05-22 19:41:42.000000000 -0400
74867 @@ -150,7 +150,7 @@
74868
74869 /* Legal flag mask for kmem_cache_create(). */
74870 #if DEBUG
74871 -# define CREATE_MASK (SLAB_RED_ZONE | \
74872 +# define CREATE_MASK (SLAB_USERCOPY | SLAB_RED_ZONE | \
74873 SLAB_POISON | SLAB_HWCACHE_ALIGN | \
74874 SLAB_CACHE_DMA | \
74875 SLAB_STORE_USER | \
74876 @@ -158,7 +158,7 @@
74877 SLAB_DESTROY_BY_RCU | SLAB_MEM_SPREAD | \
74878 SLAB_DEBUG_OBJECTS | SLAB_NOLEAKTRACE | SLAB_NOTRACK)
74879 #else
74880 -# define CREATE_MASK (SLAB_HWCACHE_ALIGN | \
74881 +# define CREATE_MASK (SLAB_USERCOPY | SLAB_HWCACHE_ALIGN | \
74882 SLAB_CACHE_DMA | \
74883 SLAB_RECLAIM_ACCOUNT | SLAB_PANIC | \
74884 SLAB_DESTROY_BY_RCU | SLAB_MEM_SPREAD | \
74885 @@ -287,7 +287,7 @@ struct kmem_list3 {
74886 * Need this for bootstrapping a per node allocator.
74887 */
74888 #define NUM_INIT_LISTS (3 * MAX_NUMNODES)
74889 -static struct kmem_list3 __initdata initkmem_list3[NUM_INIT_LISTS];
74890 +static struct kmem_list3 initkmem_list3[NUM_INIT_LISTS];
74891 #define CACHE_CACHE 0
74892 #define SIZE_AC MAX_NUMNODES
74893 #define SIZE_L3 (2 * MAX_NUMNODES)
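Review bot: Dropping `__initdata` from `initkmem_list3` keeps all `NUM_INIT_LISTS` bootstrap lists resident after init, and the hunk gives no reason for it. If some post-init path still reads the array, the declaration should say so, e.g. `/* not __initdata: still referenced after boot by <caller> */` with the caller filled in. Otherwise the annotation should stay.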
74894 @@ -388,10 +388,10 @@ static void kmem_list3_init(struct kmem_
74895 if ((x)->max_freeable < i) \
74896 (x)->max_freeable = i; \
74897 } while (0)
74898 -#define STATS_INC_ALLOCHIT(x) atomic_inc(&(x)->allochit)
74899 -#define STATS_INC_ALLOCMISS(x) atomic_inc(&(x)->allocmiss)
74900 -#define STATS_INC_FREEHIT(x) atomic_inc(&(x)->freehit)
74901 -#define STATS_INC_FREEMISS(x) atomic_inc(&(x)->freemiss)
74902 +#define STATS_INC_ALLOCHIT(x) atomic_inc_unchecked(&(x)->allochit)
74903 +#define STATS_INC_ALLOCMISS(x) atomic_inc_unchecked(&(x)->allocmiss)
74904 +#define STATS_INC_FREEHIT(x) atomic_inc_unchecked(&(x)->freehit)
74905 +#define STATS_INC_FREEMISS(x) atomic_inc_unchecked(&(x)->freemiss)
74906 #else
74907 #define STATS_INC_ACTIVE(x) do { } while (0)
74908 #define STATS_DEC_ACTIVE(x) do { } while (0)
74909 @@ -537,7 +537,7 @@ static inline void *index_to_obj(struct
74910 * reciprocal_divide(offset, cache->reciprocal_buffer_size)
74911 */
74912 static inline unsigned int obj_to_index(const struct kmem_cache *cache,
74913 - const struct slab *slab, void *obj)
74914 + const struct slab *slab, const void *obj)
74915 {
74916 u32 offset = (obj - slab->s_mem);
74917 return reciprocal_divide(offset, cache->reciprocal_buffer_size);
74918 @@ -563,7 +563,7 @@ struct cache_names {
74919 static struct cache_names __initdata cache_names[] = {
74920 #define CACHE(x) { .name = "size-" #x, .name_dma = "size-" #x "(DMA)" },
74921 #include <linux/kmalloc_sizes.h>
74922 - {NULL,}
74923 + {NULL}
74924 #undef CACHE
74925 };
74926
74927 @@ -1529,7 +1529,7 @@ void __init kmem_cache_init(void)
74928 sizes[INDEX_AC].cs_cachep = kmem_cache_create(names[INDEX_AC].name,
74929 sizes[INDEX_AC].cs_size,
74930 ARCH_KMALLOC_MINALIGN,
74931 - ARCH_KMALLOC_FLAGS|SLAB_PANIC,
74932 + ARCH_KMALLOC_FLAGS|SLAB_PANIC|SLAB_USERCOPY,
74933 NULL);
74934
74935 if (INDEX_AC != INDEX_L3) {
74936 @@ -1537,7 +1537,7 @@ void __init kmem_cache_init(void)
74937 kmem_cache_create(names[INDEX_L3].name,
74938 sizes[INDEX_L3].cs_size,
74939 ARCH_KMALLOC_MINALIGN,
74940 - ARCH_KMALLOC_FLAGS|SLAB_PANIC,
74941 + ARCH_KMALLOC_FLAGS|SLAB_PANIC|SLAB_USERCOPY,
74942 NULL);
74943 }
74944
74945 @@ -1555,7 +1555,7 @@ void __init kmem_cache_init(void)
74946 sizes->cs_cachep = kmem_cache_create(names->name,
74947 sizes->cs_size,
74948 ARCH_KMALLOC_MINALIGN,
74949 - ARCH_KMALLOC_FLAGS|SLAB_PANIC,
74950 + ARCH_KMALLOC_FLAGS|SLAB_PANIC|SLAB_USERCOPY,
74951 NULL);
74952 }
74953 #ifdef CONFIG_ZONE_DMA
74954 @@ -4270,10 +4270,10 @@ static int s_show(struct seq_file *m, vo
74955 }
74956 /* cpu stats */
74957 {
74958 - unsigned long allochit = atomic_read(&cachep->allochit);
74959 - unsigned long allocmiss = atomic_read(&cachep->allocmiss);
74960 - unsigned long freehit = atomic_read(&cachep->freehit);
74961 - unsigned long freemiss = atomic_read(&cachep->freemiss);
74962 + unsigned long allochit = atomic_read_unchecked(&cachep->allochit);
74963 + unsigned long allocmiss = atomic_read_unchecked(&cachep->allocmiss);
74964 + unsigned long freehit = atomic_read_unchecked(&cachep->freehit);
74965 + unsigned long freemiss = atomic_read_unchecked(&cachep->freemiss);
74966
74967 seq_printf(m, " : cpustat %6lu %6lu %6lu %6lu",
74968 allochit, allocmiss, freehit, freemiss);
74969 @@ -4530,15 +4530,66 @@ static const struct file_operations proc
74970
74971 static int __init slab_proc_init(void)
74972 {
74973 - proc_create("slabinfo",S_IWUSR|S_IRUGO,NULL,&proc_slabinfo_operations);
74974 + mode_t gr_mode = S_IRUGO;
74975 +
74976 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
74977 + gr_mode = S_IRUSR;
74978 +#endif
74979 +
74980 + proc_create("slabinfo",S_IWUSR|gr_mode,NULL,&proc_slabinfo_operations);
74981 #ifdef CONFIG_DEBUG_SLAB_LEAK
74982 - proc_create("slab_allocators", 0, NULL, &proc_slabstats_operations);
74983 + proc_create("slab_allocators", gr_mode, NULL, &proc_slabstats_operations);
74984 #endif
74985 return 0;
74986 }
74987 module_init(slab_proc_init);
74988 #endif
74989
74990 +void check_object_size(const void *ptr, unsigned long n, bool to)
74991 +{
74992 +
74993 +#ifdef CONFIG_PAX_USERCOPY
74994 + struct page *page;
74995 + struct kmem_cache *cachep = NULL;
74996 + struct slab *slabp;
74997 + unsigned int objnr;
74998 + unsigned long offset;
74999 +
75000 + if (!n)
75001 + return;
75002 +
75003 + if (ZERO_OR_NULL_PTR(ptr))
75004 + goto report;
75005 +
75006 + if (!virt_addr_valid(ptr))
75007 + return;
75008 +
75009 + page = virt_to_head_page(ptr);
75010 +
75011 + if (!PageSlab(page)) {
75012 + if (object_is_on_stack(ptr, n) == -1)
75013 + goto report;
75014 + return;
75015 + }
75016 +
75017 + cachep = page_get_cache(page);
75018 + if (!(cachep->flags & SLAB_USERCOPY))
75019 + goto report;
75020 +
75021 + slabp = page_get_slab(page);
75022 + objnr = obj_to_index(cachep, slabp, ptr);
75023 + BUG_ON(objnr >= cachep->num);
75024 + offset = ptr - index_to_obj(cachep, slabp, objnr) - obj_offset(cachep);
75025 + if (offset <= obj_size(cachep) && n <= obj_size(cachep) - offset)
75026 + return;
75027 +
75028 +report:
75029 + pax_report_usercopy(ptr, n, to, cachep ? cachep->name : NULL);
75030 +#endif
75031 +
75032 +}
75033 +EXPORT_SYMBOL(check_object_size);
75034 +
75035 /**
75036 * ksize - get the actual amount of memory allocated for a given object
75037 * @objp: Pointer to the object
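Review bot: In the mm/slab.c check_object_size(), `BUG_ON(objnr >= cachep->num)` turns a pointer that lands in a slab page but outside the object array into a kernel BUG instead of a usercopy report. obj_to_index() computes a u32 offset from `slab->s_mem`, so an address below `s_mem` or past the last object yields an out-of-range index, and such a pointer looks reachable from a bad copy length or a corrupted pointer. Routing it to the existing label keeps the failure handling in one place: `if (objnr >= cachep->num) goto report;`. What pax_report_usercopy() does afterwards is not visible in this hunk.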
75038 diff -urNp linux-2.6.39.3/mm/slob.c linux-2.6.39.3/mm/slob.c
75039 --- linux-2.6.39.3/mm/slob.c 2011-05-19 00:06:34.000000000 -0400
75040 +++ linux-2.6.39.3/mm/slob.c 2011-07-06 20:00:13.000000000 -0400
75041 @@ -29,7 +29,7 @@
75042 * If kmalloc is asked for objects of PAGE_SIZE or larger, it calls
75043 * alloc_pages() directly, allocating compound pages so the page order
75044 * does not have to be separately tracked, and also stores the exact
75045 - * allocation size in page->private so that it can be used to accurately
75046 + * allocation size in slob_page->size so that it can be used to accurately
75047 * provide ksize(). These objects are detected in kfree() because slob_page()
75048 * is false for them.
75049 *
75050 @@ -58,6 +58,7 @@
75051 */
75052
75053 #include <linux/kernel.h>
75054 +#include <linux/sched.h>
75055 #include <linux/slab.h>
75056 #include <linux/mm.h>
75057 #include <linux/swap.h> /* struct reclaim_state */
75058 @@ -102,7 +103,8 @@ struct slob_page {
75059 unsigned long flags; /* mandatory */
75060 atomic_t _count; /* mandatory */
75061 slobidx_t units; /* free units left in page */
75062 - unsigned long pad[2];
75063 + unsigned long pad[1];
75064 + unsigned long size; /* size when >=PAGE_SIZE */
75065 slob_t *free; /* first free slob_t in page */
75066 struct list_head list; /* linked list of free pages */
75067 };
75068 @@ -135,7 +137,7 @@ static LIST_HEAD(free_slob_large);
75069 */
75070 static inline int is_slob_page(struct slob_page *sp)
75071 {
75072 - return PageSlab((struct page *)sp);
75073 + return PageSlab((struct page *)sp) && !sp->size;
75074 }
75075
75076 static inline void set_slob_page(struct slob_page *sp)
75077 @@ -150,7 +152,7 @@ static inline void clear_slob_page(struc
75078
75079 static inline struct slob_page *slob_page(const void *addr)
75080 {
75081 - return (struct slob_page *)virt_to_page(addr);
75082 + return (struct slob_page *)virt_to_head_page(addr);
75083 }
75084
75085 /*
75086 @@ -210,7 +212,7 @@ static void set_slob(slob_t *s, slobidx_
75087 /*
75088 * Return the size of a slob block.
75089 */
75090 -static slobidx_t slob_units(slob_t *s)
75091 +static slobidx_t slob_units(const slob_t *s)
75092 {
75093 if (s->units > 0)
75094 return s->units;
75095 @@ -220,7 +222,7 @@ static slobidx_t slob_units(slob_t *s)
75096 /*
75097 * Return the next free slob block pointer after this one.
75098 */
75099 -static slob_t *slob_next(slob_t *s)
75100 +static slob_t *slob_next(const slob_t *s)
75101 {
75102 slob_t *base = (slob_t *)((unsigned long)s & PAGE_MASK);
75103 slobidx_t next;
75104 @@ -235,7 +237,7 @@ static slob_t *slob_next(slob_t *s)
75105 /*
75106 * Returns true if s is the last free block in its page.
75107 */
75108 -static int slob_last(slob_t *s)
75109 +static int slob_last(const slob_t *s)
75110 {
75111 return !((unsigned long)slob_next(s) & ~PAGE_MASK);
75112 }
75113 @@ -254,6 +256,7 @@ static void *slob_new_pages(gfp_t gfp, i
75114 if (!page)
75115 return NULL;
75116
75117 + set_slob_page(page);
75118 return page_address(page);
75119 }
75120
75121 @@ -370,11 +373,11 @@ static void *slob_alloc(size_t size, gfp
75122 if (!b)
75123 return NULL;
75124 sp = slob_page(b);
75125 - set_slob_page(sp);
75126
75127 spin_lock_irqsave(&slob_lock, flags);
75128 sp->units = SLOB_UNITS(PAGE_SIZE);
75129 sp->free = b;
75130 + sp->size = 0;
75131 INIT_LIST_HEAD(&sp->list);
75132 set_slob(b, SLOB_UNITS(PAGE_SIZE), b + SLOB_UNITS(PAGE_SIZE));
75133 set_slob_page_free(sp, slob_list);
75134 @@ -476,10 +479,9 @@ out:
75135 * End of slob allocator proper. Begin kmem_cache_alloc and kmalloc frontend.
75136 */
75137
75138 -void *__kmalloc_node(size_t size, gfp_t gfp, int node)
75139 +static void *__kmalloc_node_align(size_t size, gfp_t gfp, int node, int align)
75140 {
75141 - unsigned int *m;
75142 - int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
75143 + slob_t *m;
75144 void *ret;
75145
75146 lockdep_trace_alloc(gfp);
75147 @@ -492,7 +494,10 @@ void *__kmalloc_node(size_t size, gfp_t
75148
75149 if (!m)
75150 return NULL;
75151 - *m = size;
75152 + BUILD_BUG_ON(ARCH_KMALLOC_MINALIGN < 2 * SLOB_UNIT);
75153 + BUILD_BUG_ON(ARCH_SLAB_MINALIGN < 2 * SLOB_UNIT);
75154 + m[0].units = size;
75155 + m[1].units = align;
75156 ret = (void *)m + align;
75157
75158 trace_kmalloc_node(_RET_IP_, ret,
75159 @@ -504,16 +509,25 @@ void *__kmalloc_node(size_t size, gfp_t
75160 gfp |= __GFP_COMP;
75161 ret = slob_new_pages(gfp, order, node);
75162 if (ret) {
75163 - struct page *page;
75164 - page = virt_to_page(ret);
75165 - page->private = size;
75166 + struct slob_page *sp;
75167 + sp = slob_page(ret);
75168 + sp->size = size;
75169 }
75170
75171 trace_kmalloc_node(_RET_IP_, ret,
75172 size, PAGE_SIZE << order, gfp, node);
75173 }
75174
75175 - kmemleak_alloc(ret, size, 1, gfp);
75176 + return ret;
75177 +}
75178 +
75179 +void *__kmalloc_node(size_t size, gfp_t gfp, int node)
75180 +{
75181 + int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
75182 + void *ret = __kmalloc_node_align(size, gfp, node, align);
75183 +
75184 + if (!ZERO_OR_NULL_PTR(ret))
75185 + kmemleak_alloc(ret, size, 1, gfp);
75186 return ret;
75187 }
75188 EXPORT_SYMBOL(__kmalloc_node);
75189 @@ -531,13 +545,88 @@ void kfree(const void *block)
75190 sp = slob_page(block);
75191 if (is_slob_page(sp)) {
75192 int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
75193 - unsigned int *m = (unsigned int *)(block - align);
75194 - slob_free(m, *m + align);
75195 - } else
75196 + slob_t *m = (slob_t *)(block - align);
75197 + slob_free(m, m[0].units + align);
75198 + } else {
75199 + clear_slob_page(sp);
75200 + free_slob_page(sp);
75201 + sp->size = 0;
75202 put_page(&sp->page);
75203 + }
75204 }
75205 EXPORT_SYMBOL(kfree);
75206
75207 +void check_object_size(const void *ptr, unsigned long n, bool to)
75208 +{
75209 +
75210 +#ifdef CONFIG_PAX_USERCOPY
75211 + struct slob_page *sp;
75212 + const slob_t *free;
75213 + const void *base;
75214 + unsigned long flags;
75215 +
75216 + if (!n)
75217 + return;
75218 +
75219 + if (ZERO_OR_NULL_PTR(ptr))
75220 + goto report;
75221 +
75222 + if (!virt_addr_valid(ptr))
75223 + return;
75224 +
75225 + sp = slob_page(ptr);
75226 + if (!PageSlab((struct page*)sp)) {
75227 + if (object_is_on_stack(ptr, n) == -1)
75228 + goto report;
75229 + return;
75230 + }
75231 +
75232 + if (sp->size) {
75233 + base = page_address(&sp->page);
75234 + if (base <= ptr && n <= sp->size - (ptr - base))
75235 + return;
75236 + goto report;
75237 + }
75238 +
75239 + /* some tricky double walking to find the chunk */
75240 + spin_lock_irqsave(&slob_lock, flags);
75241 + base = (void *)((unsigned long)ptr & PAGE_MASK);
75242 + free = sp->free;
75243 +
75244 + while (!slob_last(free) && (void *)free <= ptr) {
75245 + base = free + slob_units(free);
75246 + free = slob_next(free);
75247 + }
75248 +
75249 + while (base < (void *)free) {
75250 + slobidx_t m = ((slob_t *)base)[0].units, align = ((slob_t *)base)[1].units;
75251 + int size = SLOB_UNIT * SLOB_UNITS(m + align);
75252 + int offset;
75253 +
75254 + if (ptr < base + align)
75255 + break;
75256 +
75257 + offset = ptr - base - align;
75258 + if (offset >= m) {
75259 + base += size;
75260 + continue;
75261 + }
75262 +
75263 + if (n > m - offset)
75264 + break;
75265 +
75266 + spin_unlock_irqrestore(&slob_lock, flags);
75267 + return;
75268 + }
75269 +
75270 + spin_unlock_irqrestore(&slob_lock, flags);
75271 +report:
75272 + pax_report_usercopy(ptr, n, to, NULL);
75273 +#endif
75274 +
75275 +}
75276 +EXPORT_SYMBOL(check_object_size);
75277 +
75278 /* can't use ksize for kmem_cache_alloc memory, only kmalloc */
75279 size_t ksize(const void *block)
75280 {
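Review bot: The free-list walk in the mm/slob.c check_object_size() is explained only by `/* some tricky double walking to find the chunk */`, which does not state the invariant the second loop depends on. That loop reads `((slob_t *)base)[0].units` and `[1].units` as size and alignment, so it is only correct if every allocated chunk in the page begins with the two-slot header that __kmalloc_node_align() writes. A comment should say so, for example `/* first loop: find the allocated run containing ptr; second loop: step through its chunks using the size/align header stored at allocation */`. It should also note that `slob_lock` is held for the whole walk because the free list is read throughout.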
75281 @@ -550,10 +639,10 @@ size_t ksize(const void *block)
75282 sp = slob_page(block);
75283 if (is_slob_page(sp)) {
75284 int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
75285 - unsigned int *m = (unsigned int *)(block - align);
75286 - return SLOB_UNITS(*m) * SLOB_UNIT;
75287 + slob_t *m = (slob_t *)(block - align);
75288 + return SLOB_UNITS(m[0].units) * SLOB_UNIT;
75289 } else
75290 - return sp->page.private;
75291 + return sp->size;
75292 }
75293 EXPORT_SYMBOL(ksize);
75294
75295 @@ -569,8 +658,13 @@ struct kmem_cache *kmem_cache_create(con
75296 {
75297 struct kmem_cache *c;
75298
75299 +#ifdef CONFIG_PAX_USERCOPY
75300 + c = __kmalloc_node_align(sizeof(struct kmem_cache),
75301 + GFP_KERNEL, -1, ARCH_KMALLOC_MINALIGN);
75302 +#else
75303 c = slob_alloc(sizeof(struct kmem_cache),
75304 GFP_KERNEL, ARCH_KMALLOC_MINALIGN, -1);
75305 +#endif
75306
75307 if (c) {
75308 c->name = name;
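Review bot: With CONFIG_PAX_USERCOPY the cache descriptor `c` now comes from __kmalloc_node_align(), which returns a pointer `align` bytes past the start of the chunk, yet no hunk shown for mm/slob.c touches kmem_cache_destroy(). If that function still releases the descriptor with slob_free() on `c` and `sizeof(struct kmem_cache)` (its body is outside the visible hunks), the free no longer matches the allocation. The header units would never be returned and the freed range would start at the wrong address. The release would need the same adjustment kmem_cache_free() gets in this patch, stepping back by ARCH_KMALLOC_MINALIGN and adding it to the size, under the same `#ifdef`. kmem_cache_create continues past this hunk.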
75309 @@ -608,17 +702,25 @@ void *kmem_cache_alloc_node(struct kmem_
75310 {
75311 void *b;
75312
75313 +#ifdef CONFIG_PAX_USERCOPY
75314 + b = __kmalloc_node_align(c->size, flags, node, c->align);
75315 +#else
75316 if (c->size < PAGE_SIZE) {
75317 b = slob_alloc(c->size, flags, c->align, node);
75318 trace_kmem_cache_alloc_node(_RET_IP_, b, c->size,
75319 SLOB_UNITS(c->size) * SLOB_UNIT,
75320 flags, node);
75321 } else {
75322 + struct slob_page *sp;
75323 +
75324 b = slob_new_pages(flags, get_order(c->size), node);
75325 + sp = slob_page(b);
75326 + sp->size = c->size;
75327 trace_kmem_cache_alloc_node(_RET_IP_, b, c->size,
75328 PAGE_SIZE << get_order(c->size),
75329 flags, node);
75330 }
75331 +#endif
75332
75333 if (c->ctor)
75334 c->ctor(b);
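Review bot: In the non-PAX_USERCOPY large-object branch, `sp = slob_page(b); sp->size = c->size;` runs even when slob_new_pages() returned NULL, so an allocation failure becomes a write through a page pointer derived from NULL. __kmalloc_node_align() in this same patch guards the equivalent store with `if (ret)`. The same guard fits here: `if (b) { sp = slob_page(b); sp->size = c->size; }`. kmem_cache_alloc_node begins and ends outside the hunk.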
75335 @@ -630,10 +732,16 @@ EXPORT_SYMBOL(kmem_cache_alloc_node);
75336
75337 static void __kmem_cache_free(void *b, int size)
75338 {
75339 - if (size < PAGE_SIZE)
75340 + struct slob_page *sp = slob_page(b);
75341 +
75342 + if (is_slob_page(sp))
75343 slob_free(b, size);
75344 - else
75345 + else {
75346 + clear_slob_page(sp);
75347 + free_slob_page(sp);
75348 + sp->size = 0;
75349 slob_free_pages(b, get_order(size));
75350 + }
75351 }
75352
75353 static void kmem_rcu_free(struct rcu_head *head)
75354 @@ -646,17 +754,31 @@ static void kmem_rcu_free(struct rcu_hea
75355
75356 void kmem_cache_free(struct kmem_cache *c, void *b)
75357 {
75358 + int size = c->size;
75359 +
75360 +#ifdef CONFIG_PAX_USERCOPY
75361 + if (size + c->align < PAGE_SIZE) {
75362 + size += c->align;
75363 + b -= c->align;
75364 + }
75365 +#endif
75366 +
75367 kmemleak_free_recursive(b, c->flags);
75368 if (unlikely(c->flags & SLAB_DESTROY_BY_RCU)) {
75369 struct slob_rcu *slob_rcu;
75370 - slob_rcu = b + (c->size - sizeof(struct slob_rcu));
75371 - slob_rcu->size = c->size;
75372 + slob_rcu = b + (size - sizeof(struct slob_rcu));
75373 + slob_rcu->size = size;
75374 call_rcu(&slob_rcu->head, kmem_rcu_free);
75375 } else {
75376 - __kmem_cache_free(b, c->size);
75377 + __kmem_cache_free(b, size);
75378 }
75379
75380 +#ifdef CONFIG_PAX_USERCOPY
75381 + trace_kfree(_RET_IP_, b);
75382 +#else
75383 trace_kmem_cache_free(_RET_IP_, b);
75384 +#endif
75385 +
75386 }
75387 EXPORT_SYMBOL(kmem_cache_free);
75388
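Review bot: Under CONFIG_PAX_USERCOPY `b` is moved back by `c->align` before `kmemleak_free_recursive(b, c->flags)` and `trace_kfree(_RET_IP_, b)`, so both see the header address rather than the pointer the caller was given. If the allocation side registers the returned object pointer with kmemleak (that call is outside the visible hunks), the free will not match any tracked object. Calling `kmemleak_free_recursive(b, c->flags);` before the `#ifdef` block that adjusts `b` and `size` would avoid this. The `size + c->align < PAGE_SIZE` test also has to stay in step with the small/large split in __kmalloc_node_align(), which deserves a comment at this site.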
75389 diff -urNp linux-2.6.39.3/mm/slub.c linux-2.6.39.3/mm/slub.c
75390 --- linux-2.6.39.3/mm/slub.c 2011-06-03 00:04:14.000000000 -0400
75391 +++ linux-2.6.39.3/mm/slub.c 2011-06-03 00:32:08.000000000 -0400
75392 @@ -431,7 +431,7 @@ static void print_track(const char *s, s
75393 if (!t->addr)
75394 return;
75395
75396 - printk(KERN_ERR "INFO: %s in %pS age=%lu cpu=%u pid=%d\n",
75397 + printk(KERN_ERR "INFO: %s in %pA age=%lu cpu=%u pid=%d\n",
75398 s, (void *)t->addr, jiffies - t->when, t->cpu, t->pid);
75399 }
75400
75401 @@ -2183,6 +2183,8 @@ void kmem_cache_free(struct kmem_cache *
75402
75403 page = virt_to_head_page(x);
75404
75405 + BUG_ON(!PageSlab(page));
75406 +
75407 slab_free(s, page, x, _RET_IP_);
75408
75409 trace_kmem_cache_free(_RET_IP_, x);
75410 @@ -2216,7 +2218,7 @@ static int slub_min_objects;
75411 * Merge control. If this is set then no merging of slab caches will occur.
75412 * (Could be removed. This was introduced to pacify the merge skeptics.)
75413 */
75414 -static int slub_nomerge;
75415 +static int slub_nomerge = 1;
75416
75417 /*
75418 * Calculate the order of allocation given an slab object size.
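Review bot: `slub_nomerge` now defaults to 1, but the comment above it still describes merging as the normal case and nothing records why the default changed. A line such as `/* default: never merge caches, so unrelated object types do not share slab pages */` would document the hardening intent; that rationale is inferred from the change and should be confirmed. The existing "(Could be removed...)" remark also reads oddly once the flag is always set.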
75419 @@ -2644,7 +2646,7 @@ static int kmem_cache_open(struct kmem_c
75420 * list to avoid pounding the page allocator excessively.
75421 */
75422 set_min_partial(s, ilog2(s->size));
75423 - s->refcount = 1;
75424 + atomic_set(&s->refcount, 1);
75425 #ifdef CONFIG_NUMA
75426 s->remote_node_defrag_ratio = 1000;
75427 #endif
75428 @@ -2750,8 +2752,7 @@ static inline int kmem_cache_close(struc
75429 void kmem_cache_destroy(struct kmem_cache *s)
75430 {
75431 down_write(&slub_lock);
75432 - s->refcount--;
75433 - if (!s->refcount) {
75434 + if (atomic_dec_and_test(&s->refcount)) {
75435 list_del(&s->list);
75436 if (kmem_cache_close(s)) {
75437 printk(KERN_ERR "SLUB %s: %s called for cache that "
75438 @@ -2961,6 +2962,46 @@ void *__kmalloc_node(size_t size, gfp_t
75439 EXPORT_SYMBOL(__kmalloc_node);
75440 #endif
75441
75442 +void check_object_size(const void *ptr, unsigned long n, bool to)
75443 +{
75444 +
75445 +#ifdef CONFIG_PAX_USERCOPY
75446 + struct page *page;
75447 + struct kmem_cache *s = NULL;
75448 + unsigned long offset;
75449 +
75450 + if (!n)
75451 + return;
75452 +
75453 + if (ZERO_OR_NULL_PTR(ptr))
75454 + goto report;
75455 +
75456 + if (!virt_addr_valid(ptr))
75457 + return;
75458 +
75459 + page = virt_to_head_page(ptr);
75460 +
75461 + if (!PageSlab(page)) {
75462 + if (object_is_on_stack(ptr, n) == -1)
75463 + goto report;
75464 + return;
75465 + }
75466 +
75467 + s = page->slab;
75468 + if (!(s->flags & SLAB_USERCOPY))
75469 + goto report;
75470 +
75471 + offset = (ptr - page_address(page)) % s->size;
75472 + if (offset <= s->objsize && n <= s->objsize - offset)
75473 + return;
75474 +
75475 +report:
75476 + pax_report_usercopy(ptr, n, to, s ? s->name : NULL);
75477 +#endif
75478 +
75479 +}
75480 +EXPORT_SYMBOL(check_object_size);
75481 +
75482 size_t ksize(const void *object)
75483 {
75484 struct page *page;
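Review bot: check_object_size() in mm/slub.c is exported without a header comment, and the same holds for the copies added to mm/slab.c and mm/slob.c. A kernel-doc block should state that `ptr` and `n` describe the kernel buffer being checked and that `to` is only passed through to pax_report_usercopy(). It should list the silent returns: `n` is zero, `virt_addr_valid(ptr)` fails, or a non-slab address is not rejected by object_is_on_stack(). It should also spell out the accept condition, `offset <= s->objsize && n <= s->objsize - offset`, since that is the bound callers rely on.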
75485 @@ -3205,7 +3246,7 @@ static void __init kmem_cache_bootstrap_
75486 int node;
75487
75488 list_add(&s->list, &slab_caches);
75489 - s->refcount = -1;
75490 + atomic_set(&s->refcount, -1);
75491
75492 for_each_node_state(node, N_NORMAL_MEMORY) {
75493 struct kmem_cache_node *n = get_node(s, node);
75494 @@ -3322,17 +3363,17 @@ void __init kmem_cache_init(void)
75495
75496 /* Caches that are not of the two-to-the-power-of size */
75497 if (KMALLOC_MIN_SIZE <= 32) {
75498 - kmalloc_caches[1] = create_kmalloc_cache("kmalloc-96", 96, 0);
75499 + kmalloc_caches[1] = create_kmalloc_cache("kmalloc-96", 96, SLAB_USERCOPY);
75500 caches++;
75501 }
75502
75503 if (KMALLOC_MIN_SIZE <= 64) {
75504 - kmalloc_caches[2] = create_kmalloc_cache("kmalloc-192", 192, 0);
75505 + kmalloc_caches[2] = create_kmalloc_cache("kmalloc-192", 192, SLAB_USERCOPY);
75506 caches++;
75507 }
75508
75509 for (i = KMALLOC_SHIFT_LOW; i < SLUB_PAGE_SHIFT; i++) {
75510 - kmalloc_caches[i] = create_kmalloc_cache("kmalloc", 1 << i, 0);
75511 + kmalloc_caches[i] = create_kmalloc_cache("kmalloc", 1 << i, SLAB_USERCOPY);
75512 caches++;
75513 }
75514
75515 @@ -3400,7 +3441,7 @@ static int slab_unmergeable(struct kmem_
75516 /*
75517 * We may have set a slab to be unmergeable during bootstrap.
75518 */
75519 - if (s->refcount < 0)
75520 + if (atomic_read(&s->refcount) < 0)
75521 return 1;
75522
75523 return 0;
75524 @@ -3459,7 +3500,7 @@ struct kmem_cache *kmem_cache_create(con
75525 down_write(&slub_lock);
75526 s = find_mergeable(size, align, flags, name, ctor);
75527 if (s) {
75528 - s->refcount++;
75529 + atomic_inc(&s->refcount);
75530 /*
75531 * Adjust the object sizes so that we clear
75532 * the complete object on kzalloc.
75533 @@ -3468,7 +3509,7 @@ struct kmem_cache *kmem_cache_create(con
75534 s->inuse = max_t(int, s->inuse, ALIGN(size, sizeof(void *)));
75535
75536 if (sysfs_slab_alias(s, name)) {
75537 - s->refcount--;
75538 + atomic_dec(&s->refcount);
75539 goto err;
75540 }
75541 up_write(&slub_lock);
75542 @@ -4201,7 +4242,7 @@ SLAB_ATTR_RO(ctor);
75543
75544 static ssize_t aliases_show(struct kmem_cache *s, char *buf)
75545 {
75546 - return sprintf(buf, "%d\n", s->refcount - 1);
75547 + return sprintf(buf, "%d\n", atomic_read(&s->refcount) - 1);
75548 }
75549 SLAB_ATTR_RO(aliases);
75550
75551 @@ -4945,7 +4986,13 @@ static const struct file_operations proc
75552
75553 static int __init slab_proc_init(void)
75554 {
75555 - proc_create("slabinfo", S_IRUGO, NULL, &proc_slabinfo_operations);
75556 + mode_t gr_mode = S_IRUGO;
75557 +
75558 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
75559 + gr_mode = S_IRUSR;
75560 +#endif
75561 +
75562 + proc_create("slabinfo", gr_mode, NULL, &proc_slabinfo_operations);
75563 return 0;
75564 }
75565 module_init(slab_proc_init);
75566 diff -urNp linux-2.6.39.3/mm/swap.c linux-2.6.39.3/mm/swap.c
75567 --- linux-2.6.39.3/mm/swap.c 2011-05-19 00:06:34.000000000 -0400
75568 +++ linux-2.6.39.3/mm/swap.c 2011-07-09 09:12:54.000000000 -0400
75569 @@ -31,6 +31,7 @@
75570 #include <linux/backing-dev.h>
75571 #include <linux/memcontrol.h>
75572 #include <linux/gfp.h>
75573 +#include <linux/hugetlb.h>
75574
75575 #include "internal.h"
75576
75577 @@ -71,6 +72,8 @@ static void __put_compound_page(struct p
75578
75579 __page_cache_release(page);
75580 dtor = get_compound_page_dtor(page);
75581 + if (!PageHuge(page))
75582 + BUG_ON(dtor != free_compound_page);
75583 (*dtor)(page);
75584 }
75585
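Review bot: The destructor check added to __put_compound_page is written as a bare `if` wrapping `BUG_ON`, with no comment on what it defends. A single condition reads more directly, `BUG_ON(!PageHuge(page) && dtor != free_compound_page);`, preceded by `/* dtor is a function pointer read from the page; only hugetlb pages may carry a different one */`. That comment reflects what the check implies and should be confirmed against get_compound_page_dtor(), which is not visible in this hunk.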
75586 diff -urNp linux-2.6.39.3/mm/swapfile.c linux-2.6.39.3/mm/swapfile.c
75587 --- linux-2.6.39.3/mm/swapfile.c 2011-05-19 00:06:34.000000000 -0400
75588 +++ linux-2.6.39.3/mm/swapfile.c 2011-05-22 19:36:33.000000000 -0400
75589 @@ -61,7 +61,7 @@ static DEFINE_MUTEX(swapon_mutex);
75590
75591 static DECLARE_WAIT_QUEUE_HEAD(proc_poll_wait);
75592 /* Activity counter to indicate that a swapon or swapoff has occurred */
75593 -static atomic_t proc_poll_event = ATOMIC_INIT(0);
75594 +static atomic_unchecked_t proc_poll_event = ATOMIC_INIT(0);
75595
75596 static inline unsigned char swap_count(unsigned char ent)
75597 {
75598 @@ -1669,7 +1669,7 @@ SYSCALL_DEFINE1(swapoff, const char __us
75599 }
75600 filp_close(swap_file, NULL);
75601 err = 0;
75602 - atomic_inc(&proc_poll_event);
75603 + atomic_inc_unchecked(&proc_poll_event);
75604 wake_up_interruptible(&proc_poll_wait);
75605
75606 out_dput:
75607 @@ -1690,8 +1690,8 @@ static unsigned swaps_poll(struct file *
75608
75609 poll_wait(file, &proc_poll_wait, wait);
75610
75611 - if (s->event != atomic_read(&proc_poll_event)) {
75612 - s->event = atomic_read(&proc_poll_event);
75613 + if (s->event != atomic_read_unchecked(&proc_poll_event)) {
75614 + s->event = atomic_read_unchecked(&proc_poll_event);
75615 return POLLIN | POLLRDNORM | POLLERR | POLLPRI;
75616 }
75617
75618 @@ -1797,7 +1797,7 @@ static int swaps_open(struct inode *inod
75619 }
75620
75621 s->seq.private = s;
75622 - s->event = atomic_read(&proc_poll_event);
75623 + s->event = atomic_read_unchecked(&proc_poll_event);
75624 return ret;
75625 }
75626
75627 @@ -2131,7 +2131,7 @@ SYSCALL_DEFINE2(swapon, const char __use
75628 (p->flags & SWP_DISCARDABLE) ? "D" : "");
75629
75630 mutex_unlock(&swapon_mutex);
75631 - atomic_inc(&proc_poll_event);
75632 + atomic_inc_unchecked(&proc_poll_event);
75633 wake_up_interruptible(&proc_poll_wait);
75634
75635 if (S_ISREG(inode->i_mode))
75636 diff -urNp linux-2.6.39.3/mm/util.c linux-2.6.39.3/mm/util.c
75637 --- linux-2.6.39.3/mm/util.c 2011-05-19 00:06:34.000000000 -0400
75638 +++ linux-2.6.39.3/mm/util.c 2011-05-23 17:07:00.000000000 -0400
75639 @@ -112,6 +112,7 @@ EXPORT_SYMBOL(memdup_user);
75640 * allocated buffer. Use this if you don't want to free the buffer immediately
75641 * like, for example, with RCU.
75642 */
75643 +#undef __krealloc
75644 void *__krealloc(const void *p, size_t new_size, gfp_t flags)
75645 {
75646 void *ret;
75647 @@ -145,6 +146,7 @@ EXPORT_SYMBOL(__krealloc);
75648 * behaves exactly like kmalloc(). If @size is 0 and @p is not a
75649 * %NULL pointer, the object pointed to is freed.
75650 */
75651 +#undef krealloc
75652 void *krealloc(const void *p, size_t new_size, gfp_t flags)
75653 {
75654 void *ret;
75655 @@ -219,6 +221,12 @@ EXPORT_SYMBOL(strndup_user);
75656 void arch_pick_mmap_layout(struct mm_struct *mm)
75657 {
75658 mm->mmap_base = TASK_UNMAPPED_BASE;
75659 +
75660 +#ifdef CONFIG_PAX_RANDMMAP
75661 + if (mm->pax_flags & MF_PAX_RANDMMAP)
75662 + mm->mmap_base += mm->delta_mmap;
75663 +#endif
75664 +
75665 mm->get_unmapped_area = arch_get_unmapped_area;
75666 mm->unmap_area = arch_unmap_area;
75667 }
75668 diff -urNp linux-2.6.39.3/mm/vmalloc.c linux-2.6.39.3/mm/vmalloc.c
75669 --- linux-2.6.39.3/mm/vmalloc.c 2011-05-19 00:06:34.000000000 -0400
75670 +++ linux-2.6.39.3/mm/vmalloc.c 2011-05-22 19:36:33.000000000 -0400
75671 @@ -39,8 +39,19 @@ static void vunmap_pte_range(pmd_t *pmd,
75672
75673 pte = pte_offset_kernel(pmd, addr);
75674 do {
75675 - pte_t ptent = ptep_get_and_clear(&init_mm, addr, pte);
75676 - WARN_ON(!pte_none(ptent) && !pte_present(ptent));
75677 +
75678 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
75679 + if ((unsigned long)MODULES_EXEC_VADDR <= addr && addr < (unsigned long)MODULES_EXEC_END) {
75680 + BUG_ON(!pte_exec(*pte));
75681 + set_pte_at(&init_mm, addr, pte, pfn_pte(__pa(addr) >> PAGE_SHIFT, PAGE_KERNEL_EXEC));
75682 + continue;
75683 + }
75684 +#endif
75685 +
75686 + {
75687 + pte_t ptent = ptep_get_and_clear(&init_mm, addr, pte);
75688 + WARN_ON(!pte_none(ptent) && !pte_present(ptent));
75689 + }
75690 } while (pte++, addr += PAGE_SIZE, addr != end);
75691 }
75692
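Review bot: The KERNEXEC branch at the top of the loop in vunmap_pte_range has no comment, although it changes what unmapping means for that range. The PTE is not cleared but rewritten with `pfn_pte(__pa(addr) >> PAGE_SHIFT, PAGE_KERNEL_EXEC)`, and `continue` skips the WARN_ON path entirely. A short comment should state why addresses between MODULES_EXEC_VADDR and MODULES_EXEC_END are restored rather than cleared, and why a non-executable PTE there is treated as a BUG.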
75693 @@ -91,6 +102,7 @@ static int vmap_pte_range(pmd_t *pmd, un
75694 unsigned long end, pgprot_t prot, struct page **pages, int *nr)
75695 {
75696 pte_t *pte;
75697 + int ret = -ENOMEM;
75698
75699 /*
75700 * nr is a running index into the array which helps higher level
75701 @@ -100,17 +112,30 @@ static int vmap_pte_range(pmd_t *pmd, un
75702 pte = pte_alloc_kernel(pmd, addr);
75703 if (!pte)
75704 return -ENOMEM;
75705 +
75706 + pax_open_kernel();
75707 do {
75708 struct page *page = pages[*nr];
75709
75710 - if (WARN_ON(!pte_none(*pte)))
75711 - return -EBUSY;
75712 - if (WARN_ON(!page))
75713 - return -ENOMEM;
75714 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
75715 + if (pgprot_val(prot) & _PAGE_NX)
75716 +#endif
75717 +
75718 + if (WARN_ON(!pte_none(*pte))) {
75719 + ret = -EBUSY;
75720 + goto out;
75721 + }
75722 + if (WARN_ON(!page)) {
75723 + ret = -ENOMEM;
75724 + goto out;
75725 + }
75726 set_pte_at(&init_mm, addr, pte, mk_pte(page, prot));
75727 (*nr)++;
75728 } while (pte++, addr += PAGE_SIZE, addr != end);
75729 - return 0;
75730 + ret = 0;
75731 +out:
75732 + pax_close_kernel();
75733 + return ret;
75734 }
75735
75736 static int vmap_pmd_range(pud_t *pud, unsigned long addr,
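Review bot: The `if (pgprot_val(prot) & _PAGE_NX)` inside the `#if` block in vmap_pte_range has no body of its own; it governs the `if (WARN_ON(!pte_none(*pte)))` statement that follows the `#endif` and a blank line. In KERNEXEC builds an already-populated PTE is therefore overwritten without the warning when the mapping is executable, yet the code reads as if the busy check were unconditional. The same construct appears in the vmalloc_to_page hunk (`if (!pud_large(*pud))`, `if (!pmd_large(*pmd))`) and in __vmalloc_node_range (a trailing `else` before `#endif`). Each site should at least carry a comment such as `/* controls the statement after #endif */`, plus the reason the check is skipped for executable mappings. vmap_pte_range starts in the previous hunk.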
75737 @@ -191,11 +216,20 @@ int is_vmalloc_or_module_addr(const void
75738 * and fall back on vmalloc() if that fails. Others
75739 * just put it in the vmalloc space.
75740 */
75741 -#if defined(CONFIG_MODULES) && defined(MODULES_VADDR)
75742 +#ifdef CONFIG_MODULES
75743 +#ifdef MODULES_VADDR
75744 unsigned long addr = (unsigned long)x;
75745 if (addr >= MODULES_VADDR && addr < MODULES_END)
75746 return 1;
75747 #endif
75748 +
75749 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
75750 + if (x >= (const void *)MODULES_EXEC_VADDR && x < (const void *)MODULES_EXEC_END)
75751 + return 1;
75752 +#endif
75753 +
75754 +#endif
75755 +
75756 return is_vmalloc_addr(x);
75757 }
75758
75759 @@ -216,8 +250,14 @@ struct page *vmalloc_to_page(const void
75760
75761 if (!pgd_none(*pgd)) {
75762 pud_t *pud = pud_offset(pgd, addr);
75763 +#ifdef CONFIG_X86
75764 + if (!pud_large(*pud))
75765 +#endif
75766 if (!pud_none(*pud)) {
75767 pmd_t *pmd = pmd_offset(pud, addr);
75768 +#ifdef CONFIG_X86
75769 + if (!pmd_large(*pmd))
75770 +#endif
75771 if (!pmd_none(*pmd)) {
75772 pte_t *ptep, pte;
75773
75774 @@ -1296,6 +1336,16 @@ static struct vm_struct *__get_vm_area_n
75775 struct vm_struct *area;
75776
75777 BUG_ON(in_interrupt());
75778 +
75779 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
75780 + if (flags & VM_KERNEXEC) {
75781 + if (start != VMALLOC_START || end != VMALLOC_END)
75782 + return NULL;
75783 + start = (unsigned long)MODULES_EXEC_VADDR;
75784 + end = (unsigned long)MODULES_EXEC_END;
75785 + }
75786 +#endif
75787 +
75788 if (flags & VM_IOREMAP) {
75789 int bit = fls(size);
75790
75791 @@ -1514,6 +1564,11 @@ void *vmap(struct page **pages, unsigned
75792 if (count > totalram_pages)
75793 return NULL;
75794
75795 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
75796 + if (!(pgprot_val(prot) & _PAGE_NX))
75797 + flags |= VM_KERNEXEC;
75798 +#endif
75799 +
75800 area = get_vm_area_caller((count << PAGE_SHIFT), flags,
75801 __builtin_return_address(0));
75802 if (!area)
75803 @@ -1610,6 +1665,13 @@ void *__vmalloc_node_range(unsigned long
75804 if (!size || (size >> PAGE_SHIFT) > totalram_pages)
75805 return NULL;
75806
75807 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
75808 + if (!(pgprot_val(prot) & _PAGE_NX))
75809 + area = __get_vm_area_node(size, align, VM_ALLOC | VM_KERNEXEC, VMALLOC_START, VMALLOC_END,
75810 + node, gfp_mask, caller);
75811 + else
75812 +#endif
75813 +
75814 area = __get_vm_area_node(size, align, VM_ALLOC, start, end, node,
75815 gfp_mask, caller);
75816
75817 @@ -1649,6 +1711,7 @@ static void *__vmalloc_node(unsigned lon
75818 gfp_mask, prot, node, caller);
75819 }
75820
75821 +#undef __vmalloc
75822 void *__vmalloc(unsigned long size, gfp_t gfp_mask, pgprot_t prot)
75823 {
75824 return __vmalloc_node(size, 1, gfp_mask, prot, -1,
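Review bot: The bare `#undef __vmalloc` carries no comment saying which macro it cancels or why the name must not be expanded at the definition. The same holds for the `#undef` lines added in the following hunks before vmalloc, vzalloc, vmalloc_user, vmalloc_node, vzalloc_node, vmalloc_exec, vmalloc_32 and vmalloc_32_user. Presumably a header elsewhere in the patch wraps these names in macros, but that is not visible here. I would add one comment at the first of them, e.g. `/* undo the header's wrapper macro so the real function can be defined */`, and name the header in it.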
75825 @@ -1672,6 +1735,7 @@ static inline void *__vmalloc_node_flags
75826 * For tight control over page level allocator and protection flags
75827 * use __vmalloc() instead.
75828 */
75829 +#undef vmalloc
75830 void *vmalloc(unsigned long size)
75831 {
75832 return __vmalloc_node_flags(size, -1, GFP_KERNEL | __GFP_HIGHMEM);
75833 @@ -1688,6 +1752,7 @@ EXPORT_SYMBOL(vmalloc);
75834 * For tight control over page level allocator and protection flags
75835 * use __vmalloc() instead.
75836 */
75837 +#undef vzalloc
75838 void *vzalloc(unsigned long size)
75839 {
75840 return __vmalloc_node_flags(size, -1,
75841 @@ -1702,6 +1767,7 @@ EXPORT_SYMBOL(vzalloc);
75842 * The resulting memory area is zeroed so it can be mapped to userspace
75843 * without leaking data.
75844 */
75845 +#undef vmalloc_user
75846 void *vmalloc_user(unsigned long size)
75847 {
75848 struct vm_struct *area;
75849 @@ -1729,6 +1795,7 @@ EXPORT_SYMBOL(vmalloc_user);
75850 * For tight control over page level allocator and protection flags
75851 * use __vmalloc() instead.
75852 */
75853 +#undef vmalloc_node
75854 void *vmalloc_node(unsigned long size, int node)
75855 {
75856 return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL,
75857 @@ -1748,6 +1815,7 @@ EXPORT_SYMBOL(vmalloc_node);
75858 * For tight control over page level allocator and protection flags
75859 * use __vmalloc_node() instead.
75860 */
75861 +#undef vzalloc_node
75862 void *vzalloc_node(unsigned long size, int node)
75863 {
75864 return __vmalloc_node_flags(size, node,
75865 @@ -1770,10 +1838,10 @@ EXPORT_SYMBOL(vzalloc_node);
75866 * For tight control over page level allocator and protection flags
75867 * use __vmalloc() instead.
75868 */
75869 -
75870 +#undef vmalloc_exec
75871 void *vmalloc_exec(unsigned long size)
75872 {
75873 - return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL_EXEC,
75874 + return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM | __GFP_ZERO, PAGE_KERNEL_EXEC,
75875 -1, __builtin_return_address(0));
75876 }
75877
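Review bot: The kerneldoc above vmalloc_exec() is not updated for the new `__GFP_ZERO`, so it still reads as a plain allocation while the executable area is now zero-filled. Callers that clear the buffer themselves, or that wonder whether stale data can sit in an executable mapping, have no way to learn this from the comment. I would add a line such as ` * The memory is zeroed, so no stale data is left in the executable mapping.` The comment block starts outside this hunk.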
75878 @@ -1792,6 +1860,7 @@ void *vmalloc_exec(unsigned long size)
75879 * Allocate enough 32bit PA addressable pages to cover @size from the
75880 * page level allocator and map them into contiguous kernel virtual space.
75881 */
75882 +#undef vmalloc_32
75883 void *vmalloc_32(unsigned long size)
75884 {
75885 return __vmalloc_node(size, 1, GFP_VMALLOC32, PAGE_KERNEL,
75886 @@ -1806,6 +1875,7 @@ EXPORT_SYMBOL(vmalloc_32);
75887 * The resulting memory area is 32bit addressable and zeroed so it can be
75888 * mapped to userspace without leaking data.
75889 */
75890 +#undef vmalloc_32_user
75891 void *vmalloc_32_user(unsigned long size)
75892 {
75893 struct vm_struct *area;
75894 @@ -2068,6 +2138,8 @@ int remap_vmalloc_range(struct vm_area_s
75895 unsigned long uaddr = vma->vm_start;
75896 unsigned long usize = vma->vm_end - vma->vm_start;
75897
75898 + BUG_ON(vma->vm_mirror);
75899 +
75900 if ((PAGE_SIZE-1) & (unsigned long)addr)
75901 return -EINVAL;
75902
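Review bot: `BUG_ON(vma->vm_mirror)` stops the kernel for a condition that sits directly above checks which treat bad input as `return -EINVAL`. Whether a mirrored vma can reach remap_vmalloc_range() through a driver's mmap handler cannot be told from this hunk; if it can, failing the call is a safer outcome than a panic. I would consider `if (WARN_ON_ONCE(vma->vm_mirror)) return -EINVAL;`, or keep the `BUG_ON` and add a comment stating why the condition is impossible.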
75903 diff -urNp linux-2.6.39.3/mm/vmstat.c linux-2.6.39.3/mm/vmstat.c
75904 --- linux-2.6.39.3/mm/vmstat.c 2011-05-19 00:06:34.000000000 -0400
75905 +++ linux-2.6.39.3/mm/vmstat.c 2011-05-22 19:41:42.000000000 -0400
75906 @@ -78,7 +78,7 @@ void vm_events_fold_cpu(int cpu)
75907 *
75908 * vm_stat contains the global counters
75909 */
75910 -atomic_long_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
75911 +atomic_long_unchecked_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
75912 EXPORT_SYMBOL(vm_stat);
75913
75914 #ifdef CONFIG_SMP
75915 @@ -454,7 +454,7 @@ void refresh_cpu_vm_stats(int cpu)
75916 v = p->vm_stat_diff[i];
75917 p->vm_stat_diff[i] = 0;
75918 local_irq_restore(flags);
75919 - atomic_long_add(v, &zone->vm_stat[i]);
75920 + atomic_long_add_unchecked(v, &zone->vm_stat[i]);
75921 global_diff[i] += v;
75922 #ifdef CONFIG_NUMA
75923 /* 3 seconds idle till flush */
75924 @@ -492,7 +492,7 @@ void refresh_cpu_vm_stats(int cpu)
75925
75926 for (i = 0; i < NR_VM_ZONE_STAT_ITEMS; i++)
75927 if (global_diff[i])
75928 - atomic_long_add(global_diff[i], &vm_stat[i]);
75929 + atomic_long_add_unchecked(global_diff[i], &vm_stat[i]);
75930 }
75931
75932 #endif
75933 @@ -1205,10 +1205,20 @@ static int __init setup_vmstat(void)
75934 start_cpu_timer(cpu);
75935 #endif
75936 #ifdef CONFIG_PROC_FS
75937 - proc_create("buddyinfo", S_IRUGO, NULL, &fragmentation_file_operations);
75938 - proc_create("pagetypeinfo", S_IRUGO, NULL, &pagetypeinfo_file_ops);
75939 - proc_create("vmstat", S_IRUGO, NULL, &proc_vmstat_file_operations);
75940 - proc_create("zoneinfo", S_IRUGO, NULL, &proc_zoneinfo_file_operations);
75941 + {
75942 + mode_t gr_mode = S_IRUGO;
75943 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
75944 + gr_mode = S_IRUSR;
75945 +#endif
75946 + proc_create("buddyinfo", gr_mode, NULL, &fragmentation_file_operations);
75947 + proc_create("pagetypeinfo", gr_mode, NULL, &pagetypeinfo_file_ops);
75948 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
75949 + proc_create("vmstat", gr_mode | S_IRGRP, NULL, &proc_vmstat_file_operations);
75950 +#else
75951 + proc_create("vmstat", gr_mode, NULL, &proc_vmstat_file_operations);
75952 +#endif
75953 + proc_create("zoneinfo", gr_mode, NULL, &proc_zoneinfo_file_operations);
75954 + }
75955 #endif
75956 return 0;
75957 }
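Review bot: Only the `vmstat` entry gets `S_IRGRP` back under `CONFIG_GRKERNSEC_PROC_USERGROUP`, and nothing explains why it differs from `buddyinfo`, `pagetypeinfo` and `zoneinfo`. When `CONFIG_GRKERNSEC_PROC_ADD` is off, `gr_mode` is already `S_IRUGO`, so `gr_mode | S_IRGRP` changes nothing. Whether the group bit has any effect also depends on which group owns the entry, and that is set outside this hunk. If the intent is that vmstat stays readable by the configured proc group while the allocator-layout files are owner-only, a comment such as `/* vmstat remains group-readable; the other three are owner-only */` above the inner `#ifdef` would record it.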
75958 diff -urNp linux-2.6.39.3/net/8021q/vlan.c linux-2.6.39.3/net/8021q/vlan.c
75959 --- linux-2.6.39.3/net/8021q/vlan.c 2011-05-19 00:06:34.000000000 -0400
75960 +++ linux-2.6.39.3/net/8021q/vlan.c 2011-05-22 19:36:33.000000000 -0400
75961 @@ -592,8 +592,7 @@ static int vlan_ioctl_handler(struct net
75962 err = -EPERM;
75963 if (!capable(CAP_NET_ADMIN))
75964 break;
75965 - if ((args.u.name_type >= 0) &&
75966 - (args.u.name_type < VLAN_NAME_TYPE_HIGHEST)) {
75967 + if (args.u.name_type < VLAN_NAME_TYPE_HIGHEST) {
75968 struct vlan_net *vn;
75969
75970 vn = net_generic(net, vlan_net_id);
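Review bot: With the `>= 0` test removed, `args.u.name_type < VLAN_NAME_TYPE_HIGHEST` is a complete range check only while `name_type` is an unsigned type, and its declaration is not in this hunk. If the field were ever made signed, a negative value from the ioctl argument would pass the check. I would record the dependency next to the test, e.g. `/* name_type is unsigned, so no lower-bound test is needed */`. The body of vlan_ioctl_handler starts and ends outside this hunk.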
75971 diff -urNp linux-2.6.39.3/net/atm/atm_misc.c linux-2.6.39.3/net/atm/atm_misc.c
75972 --- linux-2.6.39.3/net/atm/atm_misc.c 2011-05-19 00:06:34.000000000 -0400
75973 +++ linux-2.6.39.3/net/atm/atm_misc.c 2011-05-22 19:36:33.000000000 -0400
75974 @@ -17,7 +17,7 @@ int atm_charge(struct atm_vcc *vcc, int
75975 if (atomic_read(&sk_atm(vcc)->sk_rmem_alloc) <= sk_atm(vcc)->sk_rcvbuf)
75976 return 1;
75977 atm_return(vcc, truesize);
75978 - atomic_inc(&vcc->stats->rx_drop);
75979 + atomic_inc_unchecked(&vcc->stats->rx_drop);
75980 return 0;
75981 }
75982 EXPORT_SYMBOL(atm_charge);
75983 @@ -39,7 +39,7 @@ struct sk_buff *atm_alloc_charge(struct
75984 }
75985 }
75986 atm_return(vcc, guess);
75987 - atomic_inc(&vcc->stats->rx_drop);
75988 + atomic_inc_unchecked(&vcc->stats->rx_drop);
75989 return NULL;
75990 }
75991 EXPORT_SYMBOL(atm_alloc_charge);
75992 @@ -86,7 +86,7 @@ EXPORT_SYMBOL(atm_pcr_goal);
75993
75994 void sonet_copy_stats(struct k_sonet_stats *from, struct sonet_stats *to)
75995 {
75996 -#define __HANDLE_ITEM(i) to->i = atomic_read(&from->i)
75997 +#define __HANDLE_ITEM(i) to->i = atomic_read_unchecked(&from->i)
75998 __SONET_ITEMS
75999 #undef __HANDLE_ITEM
76000 }
76001 @@ -94,7 +94,7 @@ EXPORT_SYMBOL(sonet_copy_stats);
76002
76003 void sonet_subtract_stats(struct k_sonet_stats *from, struct sonet_stats *to)
76004 {
76005 -#define __HANDLE_ITEM(i) atomic_sub(to->i, &from->i)
76006 +#define __HANDLE_ITEM(i) atomic_sub_unchecked(to->i,&from->i)
76007 __SONET_ITEMS
76008 #undef __HANDLE_ITEM
76009 }
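Review bot: `atomic_sub_unchecked(to->i,&from->i)` drops the space after the comma that the removed line had and that the matching macro in net/atm/resources.c keeps. The new `atomic_read_unchecked(&stats->tx),atomic_read_unchecked(&stats->tx_err)` lines in add_stats() in net/atm/proc.c do the same. Kernel coding style puts a space after each comma, so I would write `atomic_sub_unchecked(to->i, &from->i)`.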
76010 diff -urNp linux-2.6.39.3/net/atm/mpoa_caches.c linux-2.6.39.3/net/atm/mpoa_caches.c
76011 --- linux-2.6.39.3/net/atm/mpoa_caches.c 2011-05-19 00:06:34.000000000 -0400
76012 +++ linux-2.6.39.3/net/atm/mpoa_caches.c 2011-05-22 19:36:33.000000000 -0400
76013 @@ -255,6 +255,8 @@ static void check_resolving_entries(stru
76014 struct timeval now;
76015 struct k_message msg;
76016
76017 + pax_track_stack();
76018 +
76019 do_gettimeofday(&now);
76020
76021 read_lock_bh(&client->ingress_lock);
76022 diff -urNp linux-2.6.39.3/net/atm/proc.c linux-2.6.39.3/net/atm/proc.c
76023 --- linux-2.6.39.3/net/atm/proc.c 2011-05-19 00:06:34.000000000 -0400
76024 +++ linux-2.6.39.3/net/atm/proc.c 2011-05-22 19:41:42.000000000 -0400
76025 @@ -45,9 +45,9 @@ static void add_stats(struct seq_file *s
76026 const struct k_atm_aal_stats *stats)
76027 {
76028 seq_printf(seq, "%s ( %d %d %d %d %d )", aal,
76029 - atomic_read(&stats->tx), atomic_read(&stats->tx_err),
76030 - atomic_read(&stats->rx), atomic_read(&stats->rx_err),
76031 - atomic_read(&stats->rx_drop));
76032 + atomic_read_unchecked(&stats->tx),atomic_read_unchecked(&stats->tx_err),
76033 + atomic_read_unchecked(&stats->rx),atomic_read_unchecked(&stats->rx_err),
76034 + atomic_read_unchecked(&stats->rx_drop));
76035 }
76036
76037 static void atm_dev_info(struct seq_file *seq, const struct atm_dev *dev)
76038 @@ -191,7 +191,12 @@ static void vcc_info(struct seq_file *se
76039 {
76040 struct sock *sk = sk_atm(vcc);
76041
76042 +#ifdef CONFIG_GRKERNSEC_HIDESYM
76043 + seq_printf(seq, "%p ", NULL);
76044 +#else
76045 seq_printf(seq, "%p ", vcc);
76046 +#endif
76047 +
76048 if (!vcc->dev)
76049 seq_printf(seq, "Unassigned ");
76050 else
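Review bot: Duplicating the whole `seq_printf()` under `#ifdef CONFIG_GRKERNSEC_HIDESYM` leaves each format string in the file twice, where the two copies can drift apart. In the svc_info() hunk below, the `#ifdef` even splits one call in the middle of its argument list, and bcm_proc_show() in net/can/bcm.c repeats the pattern for three calls. Printing `NULL` through `%p` may also render with different text and width than a real pointer, which could shift the columns readers of this proc file expect; that is worth checking against the kernel's `%p` implementation. A small helper that returns either the pointer or NULL would keep one call per field, e.g. `seq_printf(seq, "%p ", gr_hide_ptr(vcc));`, where `gr_hide_ptr` is a placeholder name and not an existing function.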
76051 @@ -218,7 +223,11 @@ static void svc_info(struct seq_file *se
76052 {
76053 if (!vcc->dev)
76054 seq_printf(seq, sizeof(void *) == 4 ?
76055 +#ifdef CONFIG_GRKERNSEC_HIDESYM
76056 + "N/A@%p%10s" : "N/A@%p%2s", NULL, "");
76057 +#else
76058 "N/A@%p%10s" : "N/A@%p%2s", vcc, "");
76059 +#endif
76060 else
76061 seq_printf(seq, "%3d %3d %5d ",
76062 vcc->dev->number, vcc->vpi, vcc->vci);
76063 diff -urNp linux-2.6.39.3/net/atm/resources.c linux-2.6.39.3/net/atm/resources.c
76064 --- linux-2.6.39.3/net/atm/resources.c 2011-05-19 00:06:34.000000000 -0400
76065 +++ linux-2.6.39.3/net/atm/resources.c 2011-05-22 19:36:33.000000000 -0400
76066 @@ -160,7 +160,7 @@ EXPORT_SYMBOL(atm_dev_deregister);
76067 static void copy_aal_stats(struct k_atm_aal_stats *from,
76068 struct atm_aal_stats *to)
76069 {
76070 -#define __HANDLE_ITEM(i) to->i = atomic_read(&from->i)
76071 +#define __HANDLE_ITEM(i) to->i = atomic_read_unchecked(&from->i)
76072 __AAL_STAT_ITEMS
76073 #undef __HANDLE_ITEM
76074 }
76075 @@ -168,7 +168,7 @@ static void copy_aal_stats(struct k_atm_
76076 static void subtract_aal_stats(struct k_atm_aal_stats *from,
76077 struct atm_aal_stats *to)
76078 {
76079 -#define __HANDLE_ITEM(i) atomic_sub(to->i, &from->i)
76080 +#define __HANDLE_ITEM(i) atomic_sub_unchecked(to->i, &from->i)
76081 __AAL_STAT_ITEMS
76082 #undef __HANDLE_ITEM
76083 }
76084 diff -urNp linux-2.6.39.3/net/batman-adv/hard-interface.c linux-2.6.39.3/net/batman-adv/hard-interface.c
76085 --- linux-2.6.39.3/net/batman-adv/hard-interface.c 2011-05-19 00:06:34.000000000 -0400
76086 +++ linux-2.6.39.3/net/batman-adv/hard-interface.c 2011-05-22 19:36:33.000000000 -0400
76087 @@ -339,8 +339,8 @@ int hardif_enable_interface(struct hard_
76088 hard_iface->batman_adv_ptype.dev = hard_iface->net_dev;
76089 dev_add_pack(&hard_iface->batman_adv_ptype);
76090
76091 - atomic_set(&hard_iface->seqno, 1);
76092 - atomic_set(&hard_iface->frag_seqno, 1);
76093 + atomic_set_unchecked(&hard_iface->seqno, 1);
76094 + atomic_set_unchecked(&hard_iface->frag_seqno, 1);
76095 bat_info(hard_iface->soft_iface, "Adding interface: %s\n",
76096 hard_iface->net_dev->name);
76097
76098 diff -urNp linux-2.6.39.3/net/batman-adv/routing.c linux-2.6.39.3/net/batman-adv/routing.c
76099 --- linux-2.6.39.3/net/batman-adv/routing.c 2011-05-19 00:06:34.000000000 -0400
76100 +++ linux-2.6.39.3/net/batman-adv/routing.c 2011-05-22 19:36:33.000000000 -0400
76101 @@ -625,7 +625,7 @@ void receive_bat_packet(struct ethhdr *e
76102 return;
76103
76104 /* could be changed by schedule_own_packet() */
76105 - if_incoming_seqno = atomic_read(&if_incoming->seqno);
76106 + if_incoming_seqno = atomic_read_unchecked(&if_incoming->seqno);
76107
76108 has_directlink_flag = (batman_packet->flags & DIRECTLINK ? 1 : 0);
76109
76110 diff -urNp linux-2.6.39.3/net/batman-adv/send.c linux-2.6.39.3/net/batman-adv/send.c
76111 --- linux-2.6.39.3/net/batman-adv/send.c 2011-05-19 00:06:34.000000000 -0400
76112 +++ linux-2.6.39.3/net/batman-adv/send.c 2011-05-22 19:36:33.000000000 -0400
76113 @@ -277,7 +277,7 @@ void schedule_own_packet(struct hard_ifa
76114
76115 /* change sequence number to network order */
76116 batman_packet->seqno =
76117 - htonl((uint32_t)atomic_read(&hard_iface->seqno));
76118 + htonl((uint32_t)atomic_read_unchecked(&hard_iface->seqno));
76119
76120 if (vis_server == VIS_TYPE_SERVER_SYNC)
76121 batman_packet->flags |= VIS_SERVER;
76122 @@ -291,7 +291,7 @@ void schedule_own_packet(struct hard_ifa
76123 else
76124 batman_packet->gw_flags = 0;
76125
76126 - atomic_inc(&hard_iface->seqno);
76127 + atomic_inc_unchecked(&hard_iface->seqno);
76128
76129 slide_own_bcast_window(hard_iface);
76130 send_time = own_send_time(bat_priv);
76131 diff -urNp linux-2.6.39.3/net/batman-adv/soft-interface.c linux-2.6.39.3/net/batman-adv/soft-interface.c
76132 --- linux-2.6.39.3/net/batman-adv/soft-interface.c 2011-05-19 00:06:34.000000000 -0400
76133 +++ linux-2.6.39.3/net/batman-adv/soft-interface.c 2011-05-22 19:36:33.000000000 -0400
76134 @@ -386,7 +386,7 @@ int interface_tx(struct sk_buff *skb, st
76135
76136 /* set broadcast sequence number */
76137 bcast_packet->seqno =
76138 - htonl(atomic_inc_return(&bat_priv->bcast_seqno));
76139 + htonl(atomic_inc_return_unchecked(&bat_priv->bcast_seqno));
76140
76141 add_bcast_packet_to_list(bat_priv, skb);
76142
76143 @@ -579,7 +579,7 @@ struct net_device *softif_create(char *n
76144 atomic_set(&bat_priv->batman_queue_left, BATMAN_QUEUE_LEN);
76145
76146 atomic_set(&bat_priv->mesh_state, MESH_INACTIVE);
76147 - atomic_set(&bat_priv->bcast_seqno, 1);
76148 + atomic_set_unchecked(&bat_priv->bcast_seqno, 1);
76149 atomic_set(&bat_priv->hna_local_changed, 0);
76150
76151 bat_priv->primary_if = NULL;
76152 diff -urNp linux-2.6.39.3/net/batman-adv/types.h linux-2.6.39.3/net/batman-adv/types.h
76153 --- linux-2.6.39.3/net/batman-adv/types.h 2011-05-19 00:06:34.000000000 -0400
76154 +++ linux-2.6.39.3/net/batman-adv/types.h 2011-05-22 19:36:33.000000000 -0400
76155 @@ -38,8 +38,8 @@ struct hard_iface {
76156 int16_t if_num;
76157 char if_status;
76158 struct net_device *net_dev;
76159 - atomic_t seqno;
76160 - atomic_t frag_seqno;
76161 + atomic_unchecked_t seqno;
76162 + atomic_unchecked_t frag_seqno;
76163 unsigned char *packet_buff;
76164 int packet_len;
76165 struct kobject *hardif_obj;
76166 @@ -141,7 +141,7 @@ struct bat_priv {
76167 atomic_t orig_interval; /* uint */
76168 atomic_t hop_penalty; /* uint */
76169 atomic_t log_level; /* uint */
76170 - atomic_t bcast_seqno;
76171 + atomic_unchecked_t bcast_seqno;
76172 atomic_t bcast_queue_left;
76173 atomic_t batman_queue_left;
76174 char num_ifaces;
76175 diff -urNp linux-2.6.39.3/net/batman-adv/unicast.c linux-2.6.39.3/net/batman-adv/unicast.c
76176 --- linux-2.6.39.3/net/batman-adv/unicast.c 2011-05-19 00:06:34.000000000 -0400
76177 +++ linux-2.6.39.3/net/batman-adv/unicast.c 2011-05-22 19:36:33.000000000 -0400
76178 @@ -263,7 +263,7 @@ int frag_send_skb(struct sk_buff *skb, s
76179 frag1->flags = UNI_FRAG_HEAD | large_tail;
76180 frag2->flags = large_tail;
76181
76182 - seqno = atomic_add_return(2, &hard_iface->frag_seqno);
76183 + seqno = atomic_add_return_unchecked(2, &hard_iface->frag_seqno);
76184 frag1->seqno = htons(seqno - 1);
76185 frag2->seqno = htons(seqno);
76186
76187 diff -urNp linux-2.6.39.3/net/bluetooth/l2cap_core.c linux-2.6.39.3/net/bluetooth/l2cap_core.c
76188 --- linux-2.6.39.3/net/bluetooth/l2cap_core.c 2011-05-19 00:06:34.000000000 -0400
76189 +++ linux-2.6.39.3/net/bluetooth/l2cap_core.c 2011-06-25 14:32:21.000000000 -0400
76190 @@ -2202,7 +2202,7 @@ static inline int l2cap_config_req(struc
76191
76192 /* Reject if config buffer is too small. */
76193 len = cmd_len - sizeof(*req);
76194 - if (l2cap_pi(sk)->conf_len + len > sizeof(l2cap_pi(sk)->conf_req)) {
76195 + if (len < 0 || l2cap_pi(sk)->conf_len + len > sizeof(l2cap_pi(sk)->conf_req)) {
76196 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
76197 l2cap_build_conf_rsp(sk, rsp,
76198 L2CAP_CONF_REJECT, flags), rsp);
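Review bot: The new `len < 0` test is effective only because `len` is a signed type and is checked after `cmd_len - sizeof(*req)` has already been computed; both declarations are outside this hunk. A comment would make that dependency explicit, e.g. `/* cmd_len comes from the peer and may be shorter than the request header */`. Testing the input itself, `cmd_len < sizeof(*req)`, before the subtraction would state the requirement without relying on the signedness of `len`. The body of l2cap_config_req starts and ends outside this hunk.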
76199 diff -urNp linux-2.6.39.3/net/bluetooth/l2cap_sock.c linux-2.6.39.3/net/bluetooth/l2cap_sock.c
76200 --- linux-2.6.39.3/net/bluetooth/l2cap_sock.c 2011-05-19 00:06:34.000000000 -0400
76201 +++ linux-2.6.39.3/net/bluetooth/l2cap_sock.c 2011-06-12 06:36:08.000000000 -0400
76202 @@ -446,6 +446,7 @@ static int l2cap_sock_getsockopt_old(str
76203 break;
76204 }
76205
76206 + memset(&cinfo, 0, sizeof(cinfo));
76207 cinfo.hci_handle = l2cap_pi(sk)->conn->hcon->handle;
76208 memcpy(cinfo.dev_class, l2cap_pi(sk)->conn->hcon->dev_class, 3);
76209
76210 diff -urNp linux-2.6.39.3/net/bluetooth/rfcomm/sock.c linux-2.6.39.3/net/bluetooth/rfcomm/sock.c
76211 --- linux-2.6.39.3/net/bluetooth/rfcomm/sock.c 2011-05-19 00:06:34.000000000 -0400
76212 +++ linux-2.6.39.3/net/bluetooth/rfcomm/sock.c 2011-06-12 06:36:42.000000000 -0400
76213 @@ -787,6 +787,7 @@ static int rfcomm_sock_getsockopt_old(st
76214
76215 l2cap_sk = rfcomm_pi(sk)->dlc->session->sock->sk;
76216
76217 + memset(&cinfo, 0, sizeof(cinfo));
76218 cinfo.hci_handle = l2cap_pi(l2cap_sk)->conn->hcon->handle;
76219 memcpy(cinfo.dev_class, l2cap_pi(l2cap_sk)->conn->hcon->dev_class, 3);
76220
76221 diff -urNp linux-2.6.39.3/net/bridge/br_multicast.c linux-2.6.39.3/net/bridge/br_multicast.c
76222 --- linux-2.6.39.3/net/bridge/br_multicast.c 2011-05-19 00:06:34.000000000 -0400
76223 +++ linux-2.6.39.3/net/bridge/br_multicast.c 2011-05-22 19:36:33.000000000 -0400
76224 @@ -1482,7 +1482,7 @@ static int br_multicast_ipv6_rcv(struct
76225 nexthdr = ip6h->nexthdr;
76226 offset = ipv6_skip_exthdr(skb, sizeof(*ip6h), &nexthdr);
76227
76228 - if (offset < 0 || nexthdr != IPPROTO_ICMPV6)
76229 + if (nexthdr != IPPROTO_ICMPV6)
76230 return 0;
76231
76232 /* Okay, we found ICMPv6 header */
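Review bot: Dropping `offset < 0` leaves a failure return from `ipv6_skip_exthdr()` unhandled at this point, so the only remaining guard is the `nexthdr` comparison. If the test was removed because `offset` is declared unsigned (its declaration is outside this hunk) and the comparison was therefore always false, the error handling was already ineffective and this change makes that permanent. Declaring `offset` as `int` and keeping `if (offset < 0 || nexthdr != IPPROTO_ICMPV6)` would restore the check. The body of br_multicast_ipv6_rcv continues outside the hunk.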
76233 diff -urNp linux-2.6.39.3/net/bridge/netfilter/ebtables.c linux-2.6.39.3/net/bridge/netfilter/ebtables.c
76234 --- linux-2.6.39.3/net/bridge/netfilter/ebtables.c 2011-05-19 00:06:34.000000000 -0400
76235 +++ linux-2.6.39.3/net/bridge/netfilter/ebtables.c 2011-05-22 19:36:33.000000000 -0400
76236 @@ -1512,7 +1512,7 @@ static int do_ebt_get_ctl(struct sock *s
76237 tmp.valid_hooks = t->table->valid_hooks;
76238 }
76239 mutex_unlock(&ebt_mutex);
76240 - if (copy_to_user(user, &tmp, *len) != 0){
76241 + if (*len > sizeof(tmp) || copy_to_user(user, &tmp, *len) != 0){
76242 BUGPRINT("c2u Didn't work\n");
76243 ret = -EFAULT;
76244 break;
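Review bot: An oversized `*len` now takes the same path as a failed copy, so the caller gets `-EFAULT` and the log says "c2u Didn't work" for what is really an invalid length. Checking it separately before the copy, `if (*len > sizeof(tmp)) { ret = -EINVAL; break; }`, would report the actual cause, provided no caller depends on the error code. The two sock_getsockopt() hunks in net/core/sock.c (`len > sizeof(address)` and `len > sizeof(v)`) fold the bound into the `copy_to_user()` condition in the same way and also return `-EFAULT`. The body of do_ebt_get_ctl starts and ends outside this hunk.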
76245 @@ -1780,6 +1780,8 @@ static int compat_copy_everything_to_use
76246 int ret;
76247 void __user *pos;
76248
76249 + pax_track_stack();
76250 +
76251 memset(&tinfo, 0, sizeof(tinfo));
76252
76253 if (cmd == EBT_SO_GET_ENTRIES) {
76254 diff -urNp linux-2.6.39.3/net/caif/caif_socket.c linux-2.6.39.3/net/caif/caif_socket.c
76255 --- linux-2.6.39.3/net/caif/caif_socket.c 2011-05-19 00:06:34.000000000 -0400
76256 +++ linux-2.6.39.3/net/caif/caif_socket.c 2011-05-22 19:36:33.000000000 -0400
76257 @@ -48,18 +48,19 @@ static struct dentry *debugfsdir;
76258 #ifdef CONFIG_DEBUG_FS
76259 struct debug_fs_counter {
76260 atomic_t caif_nr_socks;
76261 - atomic_t num_connect_req;
76262 - atomic_t num_connect_resp;
76263 - atomic_t num_connect_fail_resp;
76264 - atomic_t num_disconnect;
76265 - atomic_t num_remote_shutdown_ind;
76266 - atomic_t num_tx_flow_off_ind;
76267 - atomic_t num_tx_flow_on_ind;
76268 - atomic_t num_rx_flow_off;
76269 - atomic_t num_rx_flow_on;
76270 + atomic_unchecked_t num_connect_req;
76271 + atomic_unchecked_t num_connect_resp;
76272 + atomic_unchecked_t num_connect_fail_resp;
76273 + atomic_unchecked_t num_disconnect;
76274 + atomic_unchecked_t num_remote_shutdown_ind;
76275 + atomic_unchecked_t num_tx_flow_off_ind;
76276 + atomic_unchecked_t num_tx_flow_on_ind;
76277 + atomic_unchecked_t num_rx_flow_off;
76278 + atomic_unchecked_t num_rx_flow_on;
76279 };
76280 static struct debug_fs_counter cnt;
76281 #define dbfs_atomic_inc(v) atomic_inc(v)
76282 +#define dbfs_atomic_inc_unchecked(v) atomic_inc_unchecked(v)
76283 #define dbfs_atomic_dec(v) atomic_dec(v)
76284 #else
76285 #define dbfs_atomic_inc(v)
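Review bot: `dbfs_atomic_inc_unchecked()` is defined only in the `CONFIG_DEBUG_FS` branch, while the `#else` branch visible at the end of this hunk still defines just the empty `dbfs_atomic_inc(v)`. The next hunk's line offset of +1 suggests no further line is added there. Unless the macro is supplied elsewhere in the patch, every call site converted in the later hunks of this file would fail to build with `CONFIG_DEBUG_FS` disabled, since `cnt` does not exist in that configuration either. I would add `#define dbfs_atomic_inc_unchecked(v)` next to the empty `dbfs_atomic_inc(v)`.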
76286 @@ -159,7 +160,7 @@ static int caif_queue_rcv_skb(struct soc
76287 atomic_read(&cf_sk->sk.sk_rmem_alloc),
76288 sk_rcvbuf_lowwater(cf_sk));
76289 set_rx_flow_off(cf_sk);
76290 - dbfs_atomic_inc(&cnt.num_rx_flow_off);
76291 + dbfs_atomic_inc_unchecked(&cnt.num_rx_flow_off);
76292 caif_flow_ctrl(sk, CAIF_MODEMCMD_FLOW_OFF_REQ);
76293 }
76294
76295 @@ -169,7 +170,7 @@ static int caif_queue_rcv_skb(struct soc
76296 if (!sk_rmem_schedule(sk, skb->truesize) && rx_flow_is_on(cf_sk)) {
76297 set_rx_flow_off(cf_sk);
76298 pr_debug("sending flow OFF due to rmem_schedule\n");
76299 - dbfs_atomic_inc(&cnt.num_rx_flow_off);
76300 + dbfs_atomic_inc_unchecked(&cnt.num_rx_flow_off);
76301 caif_flow_ctrl(sk, CAIF_MODEMCMD_FLOW_OFF_REQ);
76302 }
76303 skb->dev = NULL;
76304 @@ -218,21 +219,21 @@ static void caif_ctrl_cb(struct cflayer
76305 switch (flow) {
76306 case CAIF_CTRLCMD_FLOW_ON_IND:
76307 /* OK from modem to start sending again */
76308 - dbfs_atomic_inc(&cnt.num_tx_flow_on_ind);
76309 + dbfs_atomic_inc_unchecked(&cnt.num_tx_flow_on_ind);
76310 set_tx_flow_on(cf_sk);
76311 cf_sk->sk.sk_state_change(&cf_sk->sk);
76312 break;
76313
76314 case CAIF_CTRLCMD_FLOW_OFF_IND:
76315 /* Modem asks us to shut up */
76316 - dbfs_atomic_inc(&cnt.num_tx_flow_off_ind);
76317 + dbfs_atomic_inc_unchecked(&cnt.num_tx_flow_off_ind);
76318 set_tx_flow_off(cf_sk);
76319 cf_sk->sk.sk_state_change(&cf_sk->sk);
76320 break;
76321
76322 case CAIF_CTRLCMD_INIT_RSP:
76323 /* We're now connected */
76324 - dbfs_atomic_inc(&cnt.num_connect_resp);
76325 + dbfs_atomic_inc_unchecked(&cnt.num_connect_resp);
76326 cf_sk->sk.sk_state = CAIF_CONNECTED;
76327 set_tx_flow_on(cf_sk);
76328 cf_sk->sk.sk_state_change(&cf_sk->sk);
76329 @@ -247,7 +248,7 @@ static void caif_ctrl_cb(struct cflayer
76330
76331 case CAIF_CTRLCMD_INIT_FAIL_RSP:
76332 /* Connect request failed */
76333 - dbfs_atomic_inc(&cnt.num_connect_fail_resp);
76334 + dbfs_atomic_inc_unchecked(&cnt.num_connect_fail_resp);
76335 cf_sk->sk.sk_err = ECONNREFUSED;
76336 cf_sk->sk.sk_state = CAIF_DISCONNECTED;
76337 cf_sk->sk.sk_shutdown = SHUTDOWN_MASK;
76338 @@ -261,7 +262,7 @@ static void caif_ctrl_cb(struct cflayer
76339
76340 case CAIF_CTRLCMD_REMOTE_SHUTDOWN_IND:
76341 /* Modem has closed this connection, or device is down. */
76342 - dbfs_atomic_inc(&cnt.num_remote_shutdown_ind);
76343 + dbfs_atomic_inc_unchecked(&cnt.num_remote_shutdown_ind);
76344 cf_sk->sk.sk_shutdown = SHUTDOWN_MASK;
76345 cf_sk->sk.sk_err = ECONNRESET;
76346 set_rx_flow_on(cf_sk);
76347 @@ -281,7 +282,7 @@ static void caif_check_flow_release(stru
76348 return;
76349
76350 if (atomic_read(&sk->sk_rmem_alloc) <= sk_rcvbuf_lowwater(cf_sk)) {
76351 - dbfs_atomic_inc(&cnt.num_rx_flow_on);
76352 + dbfs_atomic_inc_unchecked(&cnt.num_rx_flow_on);
76353 set_rx_flow_on(cf_sk);
76354 caif_flow_ctrl(sk, CAIF_MODEMCMD_FLOW_ON_REQ);
76355 }
76356 @@ -864,7 +865,7 @@ static int caif_connect(struct socket *s
76357 /*ifindex = id of the interface.*/
76358 cf_sk->conn_req.ifindex = cf_sk->sk.sk_bound_dev_if;
76359
76360 - dbfs_atomic_inc(&cnt.num_connect_req);
76361 + dbfs_atomic_inc_unchecked(&cnt.num_connect_req);
76362 cf_sk->layer.receive = caif_sktrecv_cb;
76363 err = caif_connect_client(&cf_sk->conn_req,
76364 &cf_sk->layer, &ifindex, &headroom, &tailroom);
76365 @@ -952,7 +953,7 @@ static int caif_release(struct socket *s
76366 spin_unlock(&sk->sk_receive_queue.lock);
76367 sock->sk = NULL;
76368
76369 - dbfs_atomic_inc(&cnt.num_disconnect);
76370 + dbfs_atomic_inc_unchecked(&cnt.num_disconnect);
76371
76372 if (cf_sk->debugfs_socket_dir != NULL)
76373 debugfs_remove_recursive(cf_sk->debugfs_socket_dir);
76374 diff -urNp linux-2.6.39.3/net/caif/cfctrl.c linux-2.6.39.3/net/caif/cfctrl.c
76375 --- linux-2.6.39.3/net/caif/cfctrl.c 2011-05-19 00:06:34.000000000 -0400
76376 +++ linux-2.6.39.3/net/caif/cfctrl.c 2011-05-22 19:36:33.000000000 -0400
76377 @@ -9,6 +9,7 @@
76378 #include <linux/stddef.h>
76379 #include <linux/spinlock.h>
76380 #include <linux/slab.h>
76381 +#include <linux/sched.h>
76382 #include <net/caif/caif_layer.h>
76383 #include <net/caif/cfpkt.h>
76384 #include <net/caif/cfctrl.h>
76385 @@ -46,8 +47,8 @@ struct cflayer *cfctrl_create(void)
76386 dev_info.id = 0xff;
76387 memset(this, 0, sizeof(*this));
76388 cfsrvl_init(&this->serv, 0, &dev_info, false);
76389 - atomic_set(&this->req_seq_no, 1);
76390 - atomic_set(&this->rsp_seq_no, 1);
76391 + atomic_set_unchecked(&this->req_seq_no, 1);
76392 + atomic_set_unchecked(&this->rsp_seq_no, 1);
76393 this->serv.layer.receive = cfctrl_recv;
76394 sprintf(this->serv.layer.name, "ctrl");
76395 this->serv.layer.ctrlcmd = cfctrl_ctrlcmd;
76396 @@ -116,8 +117,8 @@ void cfctrl_insert_req(struct cfctrl *ct
76397 struct cfctrl_request_info *req)
76398 {
76399 spin_lock(&ctrl->info_list_lock);
76400 - atomic_inc(&ctrl->req_seq_no);
76401 - req->sequence_no = atomic_read(&ctrl->req_seq_no);
76402 + atomic_inc_unchecked(&ctrl->req_seq_no);
76403 + req->sequence_no = atomic_read_unchecked(&ctrl->req_seq_no);
76404 list_add_tail(&req->list, &ctrl->list);
76405 spin_unlock(&ctrl->info_list_lock);
76406 }
76407 @@ -136,7 +137,7 @@ struct cfctrl_request_info *cfctrl_remov
76408 if (p != first)
76409 pr_warn("Requests are not received in order\n");
76410
76411 - atomic_set(&ctrl->rsp_seq_no,
76412 + atomic_set_unchecked(&ctrl->rsp_seq_no,
76413 p->sequence_no);
76414 list_del(&p->list);
76415 goto out;
76416 @@ -385,6 +386,7 @@ static int cfctrl_recv(struct cflayer *l
76417 struct cfctrl *cfctrl = container_obj(layer);
76418 struct cfctrl_request_info rsp, *req;
76419
76420 + pax_track_stack();
76421
76422 cfpkt_extr_head(pkt, &cmdrsp, 1);
76423 cmd = cmdrsp & CFCTRL_CMD_MASK;
76424 diff -urNp linux-2.6.39.3/net/can/bcm.c linux-2.6.39.3/net/can/bcm.c
76425 --- linux-2.6.39.3/net/can/bcm.c 2011-05-19 00:06:34.000000000 -0400
76426 +++ linux-2.6.39.3/net/can/bcm.c 2011-05-22 19:41:42.000000000 -0400
76427 @@ -165,9 +165,15 @@ static int bcm_proc_show(struct seq_file
76428 struct bcm_sock *bo = bcm_sk(sk);
76429 struct bcm_op *op;
76430
76431 +#ifdef CONFIG_GRKERNSEC_HIDESYM
76432 + seq_printf(m, ">>> socket %p", NULL);
76433 + seq_printf(m, " / sk %p", NULL);
76434 + seq_printf(m, " / bo %p", NULL);
76435 +#else
76436 seq_printf(m, ">>> socket %p", sk->sk_socket);
76437 seq_printf(m, " / sk %p", sk);
76438 seq_printf(m, " / bo %p", bo);
76439 +#endif
76440 seq_printf(m, " / dropped %lu", bo->dropped_usr_msgs);
76441 seq_printf(m, " / bound %s", bcm_proc_getifname(ifname, bo->ifindex));
76442 seq_printf(m, " <<<\n");
76443 diff -urNp linux-2.6.39.3/net/core/datagram.c linux-2.6.39.3/net/core/datagram.c
76444 --- linux-2.6.39.3/net/core/datagram.c 2011-05-19 00:06:34.000000000 -0400
76445 +++ linux-2.6.39.3/net/core/datagram.c 2011-05-22 19:36:33.000000000 -0400
76446 @@ -285,7 +285,7 @@ int skb_kill_datagram(struct sock *sk, s
76447 }
76448
76449 kfree_skb(skb);
76450 - atomic_inc(&sk->sk_drops);
76451 + atomic_inc_unchecked(&sk->sk_drops);
76452 sk_mem_reclaim_partial(sk);
76453
76454 return err;
76455 diff -urNp linux-2.6.39.3/net/core/dev.c linux-2.6.39.3/net/core/dev.c
76456 --- linux-2.6.39.3/net/core/dev.c 2011-06-03 00:04:14.000000000 -0400
76457 +++ linux-2.6.39.3/net/core/dev.c 2011-06-03 00:32:08.000000000 -0400
76458 @@ -1125,10 +1125,14 @@ void dev_load(struct net *net, const cha
76459 if (no_module && capable(CAP_NET_ADMIN))
76460 no_module = request_module("netdev-%s", name);
76461 if (no_module && capable(CAP_SYS_MODULE)) {
76462 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
76463 + ___request_module(true, "grsec_modharden_netdev", "%s", name);
76464 +#else
76465 if (!request_module("%s", name))
76466 pr_err("Loading kernel module for a network device "
76467 "with CAP_SYS_MODULE (deprecated). Use CAP_NET_ADMIN and alias netdev-%s "
76468 "instead\n", name);
76469 +#endif
76470 }
76471 }
76472 EXPORT_SYMBOL(dev_load);
76473 @@ -1957,7 +1961,7 @@ struct dev_gso_cb {
76474
76475 static void dev_gso_skb_destructor(struct sk_buff *skb)
76476 {
76477 - struct dev_gso_cb *cb;
76478 + const struct dev_gso_cb *cb;
76479
76480 do {
76481 struct sk_buff *nskb = skb->next;
76482 @@ -2901,7 +2905,7 @@ int netif_rx_ni(struct sk_buff *skb)
76483 }
76484 EXPORT_SYMBOL(netif_rx_ni);
76485
76486 -static void net_tx_action(struct softirq_action *h)
76487 +static void net_tx_action(void)
76488 {
76489 struct softnet_data *sd = &__get_cpu_var(softnet_data);
76490
76491 @@ -3765,7 +3769,7 @@ void netif_napi_del(struct napi_struct *
76492 }
76493 EXPORT_SYMBOL(netif_napi_del);
76494
76495 -static void net_rx_action(struct softirq_action *h)
76496 +static void net_rx_action(void)
76497 {
76498 struct softnet_data *sd = &__get_cpu_var(softnet_data);
76499 unsigned long time_limit = jiffies + 2;
76500 diff -urNp linux-2.6.39.3/net/core/flow.c linux-2.6.39.3/net/core/flow.c
76501 --- linux-2.6.39.3/net/core/flow.c 2011-05-19 00:06:34.000000000 -0400
76502 +++ linux-2.6.39.3/net/core/flow.c 2011-05-22 19:36:34.000000000 -0400
76503 @@ -60,7 +60,7 @@ struct flow_cache {
76504 struct timer_list rnd_timer;
76505 };
76506
76507 -atomic_t flow_cache_genid = ATOMIC_INIT(0);
76508 +atomic_unchecked_t flow_cache_genid = ATOMIC_INIT(0);
76509 EXPORT_SYMBOL(flow_cache_genid);
76510 static struct flow_cache flow_cache_global;
76511 static struct kmem_cache *flow_cachep __read_mostly;
76512 @@ -85,7 +85,7 @@ static void flow_cache_new_hashrnd(unsig
76513
76514 static int flow_entry_valid(struct flow_cache_entry *fle)
76515 {
76516 - if (atomic_read(&flow_cache_genid) != fle->genid)
76517 + if (atomic_read_unchecked(&flow_cache_genid) != fle->genid)
76518 return 0;
76519 if (fle->object && !fle->object->ops->check(fle->object))
76520 return 0;
76521 @@ -253,7 +253,7 @@ flow_cache_lookup(struct net *net, const
76522 hlist_add_head(&fle->u.hlist, &fcp->hash_table[hash]);
76523 fcp->hash_count++;
76524 }
76525 - } else if (likely(fle->genid == atomic_read(&flow_cache_genid))) {
76526 + } else if (likely(fle->genid == atomic_read_unchecked(&flow_cache_genid))) {
76527 flo = fle->object;
76528 if (!flo)
76529 goto ret_object;
76530 @@ -274,7 +274,7 @@ nocache:
76531 }
76532 flo = resolver(net, key, family, dir, flo, ctx);
76533 if (fle) {
76534 - fle->genid = atomic_read(&flow_cache_genid);
76535 + fle->genid = atomic_read_unchecked(&flow_cache_genid);
76536 if (!IS_ERR(flo))
76537 fle->object = flo;
76538 else
76539 diff -urNp linux-2.6.39.3/net/core/skbuff.c linux-2.6.39.3/net/core/skbuff.c
76540 --- linux-2.6.39.3/net/core/skbuff.c 2011-06-03 00:04:14.000000000 -0400
76541 +++ linux-2.6.39.3/net/core/skbuff.c 2011-06-03 00:32:08.000000000 -0400
76542 @@ -1542,6 +1542,8 @@ int skb_splice_bits(struct sk_buff *skb,
76543 struct sock *sk = skb->sk;
76544 int ret = 0;
76545
76546 + pax_track_stack();
76547 +
76548 if (splice_grow_spd(pipe, &spd))
76549 return -ENOMEM;
76550
76551 diff -urNp linux-2.6.39.3/net/core/sock.c linux-2.6.39.3/net/core/sock.c
76552 --- linux-2.6.39.3/net/core/sock.c 2011-05-19 00:06:34.000000000 -0400
76553 +++ linux-2.6.39.3/net/core/sock.c 2011-05-22 19:36:34.000000000 -0400
76554 @@ -291,7 +291,7 @@ int sock_queue_rcv_skb(struct sock *sk,
76555 */
76556 if (atomic_read(&sk->sk_rmem_alloc) + skb->truesize >=
76557 (unsigned)sk->sk_rcvbuf) {
76558 - atomic_inc(&sk->sk_drops);
76559 + atomic_inc_unchecked(&sk->sk_drops);
76560 return -ENOMEM;
76561 }
76562
76563 @@ -300,7 +300,7 @@ int sock_queue_rcv_skb(struct sock *sk,
76564 return err;
76565
76566 if (!sk_rmem_schedule(sk, skb->truesize)) {
76567 - atomic_inc(&sk->sk_drops);
76568 + atomic_inc_unchecked(&sk->sk_drops);
76569 return -ENOBUFS;
76570 }
76571
76572 @@ -320,7 +320,7 @@ int sock_queue_rcv_skb(struct sock *sk,
76573 skb_dst_force(skb);
76574
76575 spin_lock_irqsave(&list->lock, flags);
76576 - skb->dropcount = atomic_read(&sk->sk_drops);
76577 + skb->dropcount = atomic_read_unchecked(&sk->sk_drops);
76578 __skb_queue_tail(list, skb);
76579 spin_unlock_irqrestore(&list->lock, flags);
76580
76581 @@ -340,7 +340,7 @@ int sk_receive_skb(struct sock *sk, stru
76582 skb->dev = NULL;
76583
76584 if (sk_rcvqueues_full(sk, skb)) {
76585 - atomic_inc(&sk->sk_drops);
76586 + atomic_inc_unchecked(&sk->sk_drops);
76587 goto discard_and_relse;
76588 }
76589 if (nested)
76590 @@ -358,7 +358,7 @@ int sk_receive_skb(struct sock *sk, stru
76591 mutex_release(&sk->sk_lock.dep_map, 1, _RET_IP_);
76592 } else if (sk_add_backlog(sk, skb)) {
76593 bh_unlock_sock(sk);
76594 - atomic_inc(&sk->sk_drops);
76595 + atomic_inc_unchecked(&sk->sk_drops);
76596 goto discard_and_relse;
76597 }
76598
76599 @@ -934,7 +934,7 @@ int sock_getsockopt(struct socket *sock,
76600 return -ENOTCONN;
76601 if (lv < len)
76602 return -EINVAL;
76603 - if (copy_to_user(optval, address, len))
76604 + if (len > sizeof(address) || copy_to_user(optval, address, len))
76605 return -EFAULT;
76606 goto lenout;
76607 }
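Review bot: The new `len > sizeof(address)` test reports an oversized length as -EFAULT, the same code as a faulting user pointer, and it bounds the copy only if `address` is an array in this scope (its declaration is outside the hunk). A separate `if (len > sizeof(address)) return -EINVAL;` ahead of the copy would match the `lv < len` check just above and make an unexpected length distinguishable when it shows up. The same folded-in guard is used for `v` in the next sock.c hunk, for `addr` and `devname` in sysctl_net_decnet.c and for `tbuf` in tcpprobe_read. sock_getsockopt's body starts and ends outside the hunk.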
76608 @@ -967,7 +967,7 @@ int sock_getsockopt(struct socket *sock,
76609
76610 if (len > lv)
76611 len = lv;
76612 - if (copy_to_user(optval, &v, len))
76613 + if (len > sizeof(v) || copy_to_user(optval, &v, len))
76614 return -EFAULT;
76615 lenout:
76616 if (put_user(len, optlen))
76617 @@ -2023,7 +2023,7 @@ void sock_init_data(struct socket *sock,
76618 */
76619 smp_wmb();
76620 atomic_set(&sk->sk_refcnt, 1);
76621 - atomic_set(&sk->sk_drops, 0);
76622 + atomic_set_unchecked(&sk->sk_drops, 0);
76623 }
76624 EXPORT_SYMBOL(sock_init_data);
76625
76626 diff -urNp linux-2.6.39.3/net/decnet/sysctl_net_decnet.c linux-2.6.39.3/net/decnet/sysctl_net_decnet.c
76627 --- linux-2.6.39.3/net/decnet/sysctl_net_decnet.c 2011-05-19 00:06:34.000000000 -0400
76628 +++ linux-2.6.39.3/net/decnet/sysctl_net_decnet.c 2011-05-22 19:36:34.000000000 -0400
76629 @@ -173,7 +173,7 @@ static int dn_node_address_handler(ctl_t
76630
76631 if (len > *lenp) len = *lenp;
76632
76633 - if (copy_to_user(buffer, addr, len))
76634 + if (len > sizeof addr || copy_to_user(buffer, addr, len))
76635 return -EFAULT;
76636
76637 *lenp = len;
76638 @@ -236,7 +236,7 @@ static int dn_def_dev_handler(ctl_table
76639
76640 if (len > *lenp) len = *lenp;
76641
76642 - if (copy_to_user(buffer, devname, len))
76643 + if (len > sizeof devname || copy_to_user(buffer, devname, len))
76644 return -EFAULT;
76645
76646 *lenp = len;
76647 diff -urNp linux-2.6.39.3/net/econet/Kconfig linux-2.6.39.3/net/econet/Kconfig
76648 --- linux-2.6.39.3/net/econet/Kconfig 2011-05-19 00:06:34.000000000 -0400
76649 +++ linux-2.6.39.3/net/econet/Kconfig 2011-05-22 19:41:42.000000000 -0400
76650 @@ -4,7 +4,7 @@
76651
76652 config ECONET
76653 tristate "Acorn Econet/AUN protocols (EXPERIMENTAL)"
76654 - depends on EXPERIMENTAL && INET
76655 + depends on EXPERIMENTAL && INET && BROKEN
76656 ---help---
76657 Econet is a fairly old and slow networking protocol mainly used by
76658 Acorn computers to access file and print servers. It uses native
76659 diff -urNp linux-2.6.39.3/net/ipv4/fib_frontend.c linux-2.6.39.3/net/ipv4/fib_frontend.c
76660 --- linux-2.6.39.3/net/ipv4/fib_frontend.c 2011-05-19 00:06:34.000000000 -0400
76661 +++ linux-2.6.39.3/net/ipv4/fib_frontend.c 2011-05-22 19:36:34.000000000 -0400
76662 @@ -968,12 +968,12 @@ static int fib_inetaddr_event(struct not
76663 #ifdef CONFIG_IP_ROUTE_MULTIPATH
76664 fib_sync_up(dev);
76665 #endif
76666 - atomic_inc(&net->ipv4.dev_addr_genid);
76667 + atomic_inc_unchecked(&net->ipv4.dev_addr_genid);
76668 rt_cache_flush(dev_net(dev), -1);
76669 break;
76670 case NETDEV_DOWN:
76671 fib_del_ifaddr(ifa, NULL);
76672 - atomic_inc(&net->ipv4.dev_addr_genid);
76673 + atomic_inc_unchecked(&net->ipv4.dev_addr_genid);
76674 if (ifa->ifa_dev->ifa_list == NULL) {
76675 /* Last address was deleted from this interface.
76676 * Disable IP.
76677 @@ -1009,7 +1009,7 @@ static int fib_netdev_event(struct notif
76678 #ifdef CONFIG_IP_ROUTE_MULTIPATH
76679 fib_sync_up(dev);
76680 #endif
76681 - atomic_inc(&net->ipv4.dev_addr_genid);
76682 + atomic_inc_unchecked(&net->ipv4.dev_addr_genid);
76683 rt_cache_flush(dev_net(dev), -1);
76684 break;
76685 case NETDEV_DOWN:
76686 diff -urNp linux-2.6.39.3/net/ipv4/fib_semantics.c linux-2.6.39.3/net/ipv4/fib_semantics.c
76687 --- linux-2.6.39.3/net/ipv4/fib_semantics.c 2011-05-19 00:06:34.000000000 -0400
76688 +++ linux-2.6.39.3/net/ipv4/fib_semantics.c 2011-05-22 19:36:34.000000000 -0400
76689 @@ -701,7 +701,7 @@ __be32 fib_info_update_nh_saddr(struct n
76690 nh->nh_saddr = inet_select_addr(nh->nh_dev,
76691 nh->nh_gw,
76692 nh->nh_parent->fib_scope);
76693 - nh->nh_saddr_genid = atomic_read(&net->ipv4.dev_addr_genid);
76694 + nh->nh_saddr_genid = atomic_read_unchecked(&net->ipv4.dev_addr_genid);
76695
76696 return nh->nh_saddr;
76697 }
76698 diff -urNp linux-2.6.39.3/net/ipv4/inet_diag.c linux-2.6.39.3/net/ipv4/inet_diag.c
76699 --- linux-2.6.39.3/net/ipv4/inet_diag.c 2011-07-09 09:18:51.000000000 -0400
76700 +++ linux-2.6.39.3/net/ipv4/inet_diag.c 2011-06-20 19:27:58.000000000 -0400
76701 @@ -114,8 +114,14 @@ static int inet_csk_diag_fill(struct soc
76702 r->idiag_retrans = 0;
76703
76704 r->id.idiag_if = sk->sk_bound_dev_if;
76705 +
76706 +#ifdef CONFIG_GRKERNSEC_HIDESYM
76707 + r->id.idiag_cookie[0] = 0;
76708 + r->id.idiag_cookie[1] = 0;
76709 +#else
76710 r->id.idiag_cookie[0] = (u32)(unsigned long)sk;
76711 r->id.idiag_cookie[1] = (u32)(((unsigned long)sk >> 31) >> 1);
76712 +#endif
76713
76714 r->id.idiag_sport = inet->inet_sport;
76715 r->id.idiag_dport = inet->inet_dport;
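Review bot: Under CONFIG_GRKERNSEC_HIDESYM both cookie words are set to 0, which is not the `INET_DIAG_NOCOOKIE` value that inet_diag_get_exact (later in this file section) treats as "no cookie supplied". A client that echoes the reported cookie back is accepted only because that comparison is compiled out under the same option, so the two changes are silently coupled. Writing `r->id.idiag_cookie[0] = INET_DIAG_NOCOOKIE;` (and likewise for `[1]`), or a comment stating the coupling, would make it explicit. The identical block is repeated in inet_twsk_diag_fill and inet_diag_fill_req and could live in one static helper; inet_csk_diag_fill's body starts and ends outside the hunk.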
76716 @@ -201,8 +207,15 @@ static int inet_twsk_diag_fill(struct in
76717 r->idiag_family = tw->tw_family;
76718 r->idiag_retrans = 0;
76719 r->id.idiag_if = tw->tw_bound_dev_if;
76720 +
76721 +#ifdef CONFIG_GRKERNSEC_HIDESYM
76722 + r->id.idiag_cookie[0] = 0;
76723 + r->id.idiag_cookie[1] = 0;
76724 +#else
76725 r->id.idiag_cookie[0] = (u32)(unsigned long)tw;
76726 r->id.idiag_cookie[1] = (u32)(((unsigned long)tw >> 31) >> 1);
76727 +#endif
76728 +
76729 r->id.idiag_sport = tw->tw_sport;
76730 r->id.idiag_dport = tw->tw_dport;
76731 r->id.idiag_src[0] = tw->tw_rcv_saddr;
76732 @@ -285,12 +298,14 @@ static int inet_diag_get_exact(struct sk
76733 if (sk == NULL)
76734 goto unlock;
76735
76736 +#ifndef CONFIG_GRKERNSEC_HIDESYM
76737 err = -ESTALE;
76738 if ((req->id.idiag_cookie[0] != INET_DIAG_NOCOOKIE ||
76739 req->id.idiag_cookie[1] != INET_DIAG_NOCOOKIE) &&
76740 ((u32)(unsigned long)sk != req->id.idiag_cookie[0] ||
76741 (u32)((((unsigned long)sk) >> 31) >> 1) != req->id.idiag_cookie[1]))
76742 goto out;
76743 +#endif
76744
76745 err = -ENOMEM;
76746 rep = alloc_skb(NLMSG_SPACE((sizeof(struct inet_diag_msg) +
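Review bot: With the cookie comparison removed under CONFIG_GRKERNSEC_HIDESYM, a request that carries a cookie is no longer rejected with -ESTALE, so the reply may describe a different socket than the one the caller saw earlier (the lookup that produced `sk` is before the hunk) and the caller cannot tell. That trade-off is not recorded in the code; a comment above the `#ifndef`, e.g. `/* HIDESYM: replies carry zeroed cookies, so stale-socket detection is unavailable */`, would document it. inet_diag_get_exact's body starts and ends outside the hunk.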
76747 @@ -580,8 +595,14 @@ static int inet_diag_fill_req(struct sk_
76748 r->idiag_retrans = req->retrans;
76749
76750 r->id.idiag_if = sk->sk_bound_dev_if;
76751 +
76752 +#ifdef CONFIG_GRKERNSEC_HIDESYM
76753 + r->id.idiag_cookie[0] = 0;
76754 + r->id.idiag_cookie[1] = 0;
76755 +#else
76756 r->id.idiag_cookie[0] = (u32)(unsigned long)req;
76757 r->id.idiag_cookie[1] = (u32)(((unsigned long)req >> 31) >> 1);
76758 +#endif
76759
76760 tmo = req->expires - jiffies;
76761 if (tmo < 0)
76762 diff -urNp linux-2.6.39.3/net/ipv4/inet_hashtables.c linux-2.6.39.3/net/ipv4/inet_hashtables.c
76763 --- linux-2.6.39.3/net/ipv4/inet_hashtables.c 2011-05-19 00:06:34.000000000 -0400
76764 +++ linux-2.6.39.3/net/ipv4/inet_hashtables.c 2011-05-22 19:41:42.000000000 -0400
76765 @@ -18,11 +18,14 @@
76766 #include <linux/sched.h>
76767 #include <linux/slab.h>
76768 #include <linux/wait.h>
76769 +#include <linux/security.h>
76770
76771 #include <net/inet_connection_sock.h>
76772 #include <net/inet_hashtables.h>
76773 #include <net/ip.h>
76774
76775 +extern void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet);
76776 +
76777 /*
76778 * Allocate and initialize a new local port bind bucket.
76779 * The bindhash mutex for snum's hash chain must be held here.
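Review bot: `gr_update_task_in_ip_table()` is declared with a bare `extern` inside this .c file, so the compiler cannot check the prototype against the definition and a later signature change would go unnoticed. The declaration belongs in a shared header; the hunk already adds `#include <linux/security.h>`, though whether that is the intended home is not visible here. The same applies to `extern int grsec_enable_blackhole;` in tcp_ipv4.c, tcp_minisocks.c, udp.c, ipv6/tcp_ipv6.c and ipv6/udp.c, to `extern int grsec_lastack_retries;` in tcp_timer.c and to the two `gr_search_udp_*` prototypes in udp.c.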
76780 @@ -529,6 +532,8 @@ ok:
76781 twrefcnt += inet_twsk_bind_unhash(tw, hinfo);
76782 spin_unlock(&head->lock);
76783
76784 + gr_update_task_in_ip_table(current, inet_sk(sk));
76785 +
76786 if (tw) {
76787 inet_twsk_deschedule(tw, death_row);
76788 while (twrefcnt) {
76789 diff -urNp linux-2.6.39.3/net/ipv4/inetpeer.c linux-2.6.39.3/net/ipv4/inetpeer.c
76790 --- linux-2.6.39.3/net/ipv4/inetpeer.c 2011-07-09 09:18:51.000000000 -0400
76791 +++ linux-2.6.39.3/net/ipv4/inetpeer.c 2011-07-09 09:21:38.000000000 -0400
76792 @@ -480,6 +480,8 @@ struct inet_peer *inet_getpeer(struct in
76793 unsigned int sequence;
76794 int invalidated, newrefcnt = 0;
76795
76796 + pax_track_stack();
76797 +
76798 /* Look up for the address quickly, lockless.
76799 * Because of a concurrent writer, we might not find an existing entry.
76800 */
76801 @@ -516,8 +518,8 @@ found: /* The existing node has been fo
76802 if (p) {
76803 p->daddr = *daddr;
76804 atomic_set(&p->refcnt, 1);
76805 - atomic_set(&p->rid, 0);
76806 - atomic_set(&p->ip_id_count, secure_ip_id(daddr->addr.a4));
76807 + atomic_set_unchecked(&p->rid, 0);
76808 + atomic_set_unchecked(&p->ip_id_count, secure_ip_id(daddr->addr.a4));
76809 p->tcp_ts_stamp = 0;
76810 p->metrics[RTAX_LOCK-1] = INETPEER_METRICS_NEW;
76811 p->rate_tokens = 0;
76812 diff -urNp linux-2.6.39.3/net/ipv4/ip_fragment.c linux-2.6.39.3/net/ipv4/ip_fragment.c
76813 --- linux-2.6.39.3/net/ipv4/ip_fragment.c 2011-05-19 00:06:34.000000000 -0400
76814 +++ linux-2.6.39.3/net/ipv4/ip_fragment.c 2011-05-22 19:36:34.000000000 -0400
76815 @@ -297,7 +297,7 @@ static inline int ip_frag_too_far(struct
76816 return 0;
76817
76818 start = qp->rid;
76819 - end = atomic_inc_return(&peer->rid);
76820 + end = atomic_inc_return_unchecked(&peer->rid);
76821 qp->rid = end;
76822
76823 rc = qp->q.fragments && (end - start) > max;
76824 diff -urNp linux-2.6.39.3/net/ipv4/ip_sockglue.c linux-2.6.39.3/net/ipv4/ip_sockglue.c
76825 --- linux-2.6.39.3/net/ipv4/ip_sockglue.c 2011-05-19 00:06:34.000000000 -0400
76826 +++ linux-2.6.39.3/net/ipv4/ip_sockglue.c 2011-05-22 19:36:34.000000000 -0400
76827 @@ -1064,6 +1064,8 @@ static int do_ip_getsockopt(struct sock
76828 int val;
76829 int len;
76830
76831 + pax_track_stack();
76832 +
76833 if (level != SOL_IP)
76834 return -EOPNOTSUPP;
76835
76836 diff -urNp linux-2.6.39.3/net/ipv4/netfilter/nf_nat_snmp_basic.c linux-2.6.39.3/net/ipv4/netfilter/nf_nat_snmp_basic.c
76837 --- linux-2.6.39.3/net/ipv4/netfilter/nf_nat_snmp_basic.c 2011-05-19 00:06:34.000000000 -0400
76838 +++ linux-2.6.39.3/net/ipv4/netfilter/nf_nat_snmp_basic.c 2011-05-22 19:36:34.000000000 -0400
76839 @@ -399,7 +399,7 @@ static unsigned char asn1_octets_decode(
76840
76841 *len = 0;
76842
76843 - *octets = kmalloc(eoc - ctx->pointer, GFP_ATOMIC);
76844 + *octets = kmalloc((eoc - ctx->pointer), GFP_ATOMIC);
76845 if (*octets == NULL) {
76846 if (net_ratelimit())
76847 pr_notice("OOM in bsalg (%d)\n", __LINE__);
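Review bot: The only change is a pair of parentheses around `eoc - ctx->pointer`, which leaves the value passed to kmalloc unchanged as far as this hunk shows. If they are there to affect a macro expansion defined elsewhere in the patch, a comment should say so, otherwise the line reads as noise. Independently, the size is a pointer difference and the hunk shows no check that `eoc` is not below `ctx->pointer`. The enclosing asn1_octets_decode starts outside the hunk, so that check may exist earlier and is worth confirming.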
76848 diff -urNp linux-2.6.39.3/net/ipv4/raw.c linux-2.6.39.3/net/ipv4/raw.c
76849 --- linux-2.6.39.3/net/ipv4/raw.c 2011-05-19 00:06:34.000000000 -0400
76850 +++ linux-2.6.39.3/net/ipv4/raw.c 2011-05-22 19:41:42.000000000 -0400
76851 @@ -302,7 +302,7 @@ static int raw_rcv_skb(struct sock * sk,
76852 int raw_rcv(struct sock *sk, struct sk_buff *skb)
76853 {
76854 if (!xfrm4_policy_check(sk, XFRM_POLICY_IN, skb)) {
76855 - atomic_inc(&sk->sk_drops);
76856 + atomic_inc_unchecked(&sk->sk_drops);
76857 kfree_skb(skb);
76858 return NET_RX_DROP;
76859 }
76860 @@ -730,15 +730,19 @@ static int raw_init(struct sock *sk)
76861
76862 static int raw_seticmpfilter(struct sock *sk, char __user *optval, int optlen)
76863 {
76864 + struct icmp_filter filter;
76865 +
76866 if (optlen > sizeof(struct icmp_filter))
76867 optlen = sizeof(struct icmp_filter);
76868 - if (copy_from_user(&raw_sk(sk)->filter, optval, optlen))
76869 + if (copy_from_user(&filter, optval, optlen))
76870 return -EFAULT;
76871 + memcpy(&raw_sk(sk)->filter, &filter, sizeof(filter));
76872 return 0;
76873 }
76874
76875 static int raw_geticmpfilter(struct sock *sk, char __user *optval, int __user *optlen)
76876 {
76877 + struct icmp_filter filter;
76878 int len, ret = -EFAULT;
76879
76880 if (get_user(len, optlen))
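Review bot: In raw_seticmpfilter the final `memcpy(&raw_sk(sk)->filter, &filter, sizeof(filter));` copies the whole local struct even when `optlen` is smaller than it, so the bytes copy_from_user did not write are uninitialized stack contents that end up in the socket's filter. raw_geticmpfilter copies that filter back to user space, which would expose them. Copy only what was read, `memcpy(&raw_sk(sk)->filter, &filter, optlen);`, as rawv6_seticmpfilter does in this same patch; that also keeps the old behaviour of a short write leaving the rest of the stored filter untouched. raw_geticmpfilter's body continues outside the hunk.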
76881 @@ -749,8 +753,9 @@ static int raw_geticmpfilter(struct sock
76882 if (len > sizeof(struct icmp_filter))
76883 len = sizeof(struct icmp_filter);
76884 ret = -EFAULT;
76885 + memcpy(&filter, &raw_sk(sk)->filter, len);
76886 if (put_user(len, optlen) ||
76887 - copy_to_user(optval, &raw_sk(sk)->filter, len))
76888 + copy_to_user(optval, &filter, len))
76889 goto out;
76890 ret = 0;
76891 out: return ret;
76892 @@ -978,7 +983,13 @@ static void raw_sock_seq_show(struct seq
76893 sk_wmem_alloc_get(sp),
76894 sk_rmem_alloc_get(sp),
76895 0, 0L, 0, sock_i_uid(sp), 0, sock_i_ino(sp),
76896 - atomic_read(&sp->sk_refcnt), sp, atomic_read(&sp->sk_drops));
76897 + atomic_read(&sp->sk_refcnt),
76898 +#ifdef CONFIG_GRKERNSEC_HIDESYM
76899 + NULL,
76900 +#else
76901 + sp,
76902 +#endif
76903 + atomic_read_unchecked(&sp->sk_drops));
76904 }
76905
76906 static int raw_seq_show(struct seq_file *seq, void *v)
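Review bot: The `#ifdef CONFIG_GRKERNSEC_HIDESYM` is spliced into the middle of the seq_printf argument list, which is easy to break when the format string or argument order changes. The same splice is repeated in get_openreq4, get_tcp4_sock, get_timewait4_sock, udp4_format_sock, raw6_sock_seq_show, get_openreq6, get_tcp6_sock and get_timewait6_sock. One macro defined once (name constructed here: `GR_HIDE_PTR(p)`, expanding to `NULL` or `(p)`) would keep each call a single expression, `atomic_read(&sp->sk_refcnt), GR_HIDE_PTR(sp),`. raw_sock_seq_show's body starts outside the hunk.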
76907 diff -urNp linux-2.6.39.3/net/ipv4/route.c linux-2.6.39.3/net/ipv4/route.c
76908 --- linux-2.6.39.3/net/ipv4/route.c 2011-07-09 09:18:51.000000000 -0400
76909 +++ linux-2.6.39.3/net/ipv4/route.c 2011-07-09 09:19:27.000000000 -0400
76910 @@ -303,7 +303,7 @@ static inline unsigned int rt_hash(__be3
76911
76912 static inline int rt_genid(struct net *net)
76913 {
76914 - return atomic_read(&net->ipv4.rt_genid);
76915 + return atomic_read_unchecked(&net->ipv4.rt_genid);
76916 }
76917
76918 #ifdef CONFIG_PROC_FS
76919 @@ -831,7 +831,7 @@ static void rt_cache_invalidate(struct n
76920 unsigned char shuffle;
76921
76922 get_random_bytes(&shuffle, sizeof(shuffle));
76923 - atomic_add(shuffle + 1U, &net->ipv4.rt_genid);
76924 + atomic_add_unchecked(shuffle + 1U, &net->ipv4.rt_genid);
76925 }
76926
76927 /*
76928 @@ -2833,7 +2833,7 @@ static int rt_fill_info(struct net *net,
76929 rt->peer->pmtu_expires - jiffies : 0;
76930 if (rt->peer) {
76931 inet_peer_refcheck(rt->peer);
76932 - id = atomic_read(&rt->peer->ip_id_count) & 0xffff;
76933 + id = atomic_read_unchecked(&rt->peer->ip_id_count) & 0xffff;
76934 if (rt->peer->tcp_ts_stamp) {
76935 ts = rt->peer->tcp_ts;
76936 tsage = get_seconds() - rt->peer->tcp_ts_stamp;
76937 diff -urNp linux-2.6.39.3/net/ipv4/tcp.c linux-2.6.39.3/net/ipv4/tcp.c
76938 --- linux-2.6.39.3/net/ipv4/tcp.c 2011-05-19 00:06:34.000000000 -0400
76939 +++ linux-2.6.39.3/net/ipv4/tcp.c 2011-05-22 19:36:34.000000000 -0400
76940 @@ -2121,6 +2121,8 @@ static int do_tcp_setsockopt(struct sock
76941 int val;
76942 int err = 0;
76943
76944 + pax_track_stack();
76945 +
76946 /* These are data/string values, all the others are ints */
76947 switch (optname) {
76948 case TCP_CONGESTION: {
76949 @@ -2500,6 +2502,8 @@ static int do_tcp_getsockopt(struct sock
76950 struct tcp_sock *tp = tcp_sk(sk);
76951 int val, len;
76952
76953 + pax_track_stack();
76954 +
76955 if (get_user(len, optlen))
76956 return -EFAULT;
76957
76958 diff -urNp linux-2.6.39.3/net/ipv4/tcp_ipv4.c linux-2.6.39.3/net/ipv4/tcp_ipv4.c
76959 --- linux-2.6.39.3/net/ipv4/tcp_ipv4.c 2011-05-19 00:06:34.000000000 -0400
76960 +++ linux-2.6.39.3/net/ipv4/tcp_ipv4.c 2011-05-22 19:41:42.000000000 -0400
76961 @@ -86,6 +86,9 @@ int sysctl_tcp_tw_reuse __read_mostly;
76962 int sysctl_tcp_low_latency __read_mostly;
76963 EXPORT_SYMBOL(sysctl_tcp_low_latency);
76964
76965 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
76966 +extern int grsec_enable_blackhole;
76967 +#endif
76968
76969 #ifdef CONFIG_TCP_MD5SIG
76970 static struct tcp_md5sig_key *tcp_v4_md5_do_lookup(struct sock *sk,
76971 @@ -1594,6 +1597,9 @@ int tcp_v4_do_rcv(struct sock *sk, struc
76972 return 0;
76973
76974 reset:
76975 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
76976 + if (!grsec_enable_blackhole)
76977 +#endif
76978 tcp_v4_send_reset(rsk, skb);
76979 discard:
76980 kfree_skb(skb);
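Review bot: At `reset:` the added `if (!grsec_enable_blackhole)` sits inside the `#ifdef` while the statement it controls, `tcp_v4_send_reset(rsk, skb);`, is the unbraced context line after `#endif`, so a line later inserted between them changes which statement is conditional without any compiler warning. Since this condition decides whether a reset is sent at all, a predicate that is constant 0 when the option is off (name constructed here: `gr_blackhole_on()`) with a braced `if (!gr_blackhole_on()) { tcp_v4_send_reset(rsk, skb); }` would be safer. The same construct appears at no_tcp_socket in tcp_v4_rcv, at embryonic_reset in tcp_minisocks.c (stacked on a second unbraced `if`), in __udp4_lib_rcv, and in tcp_v6_do_rcv and tcp_v6_rcv. tcp_v4_do_rcv's body starts and ends outside the hunk.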
76981 @@ -1656,12 +1662,19 @@ int tcp_v4_rcv(struct sk_buff *skb)
76982 TCP_SKB_CB(skb)->sacked = 0;
76983
76984 sk = __inet_lookup_skb(&tcp_hashinfo, skb, th->source, th->dest);
76985 - if (!sk)
76986 + if (!sk) {
76987 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
76988 + ret = 1;
76989 +#endif
76990 goto no_tcp_socket;
76991 -
76992 + }
76993 process:
76994 - if (sk->sk_state == TCP_TIME_WAIT)
76995 + if (sk->sk_state == TCP_TIME_WAIT) {
76996 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
76997 + ret = 2;
76998 +#endif
76999 goto do_time_wait;
77000 + }
77001
77002 if (unlikely(iph->ttl < inet_sk(sk)->min_ttl)) {
77003 NET_INC_STATS_BH(net, LINUX_MIB_TCPMINTTLDROP);
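Review bot: `ret` is reused here as a tag with the bare values 1 and 2, which the no_tcp_socket hunk later tests as `ret == 1`; nothing names what the values mean, and 2 is never tested in the visible hunks. Because `ret` is declared outside the hunk, it cannot be confirmed from here that every path reaching no_tcp_socket has assigned it, or whether the variable also serves another purpose in the function. A dedicated local with named constants, or at least `/* 1: no socket found, 2: TIME_WAIT */` beside the assignments, would remove the guesswork. tcp_v6_rcv has the same pattern.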
77004 @@ -1711,6 +1724,10 @@ no_tcp_socket:
77005 bad_packet:
77006 TCP_INC_STATS_BH(net, TCP_MIB_INERRS);
77007 } else {
77008 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
77009 + if (!grsec_enable_blackhole || (ret == 1 &&
77010 + (skb->dev->flags & IFF_LOOPBACK)))
77011 +#endif
77012 tcp_v4_send_reset(NULL, skb);
77013 }
77014
77015 @@ -2374,7 +2391,11 @@ static void get_openreq4(struct sock *sk
77016 0, /* non standard timer */
77017 0, /* open_requests have no inode */
77018 atomic_read(&sk->sk_refcnt),
77019 +#ifdef CONFIG_GRKERNSEC_HIDESYM
77020 + NULL,
77021 +#else
77022 req,
77023 +#endif
77024 len);
77025 }
77026
77027 @@ -2424,7 +2445,12 @@ static void get_tcp4_sock(struct sock *s
77028 sock_i_uid(sk),
77029 icsk->icsk_probes_out,
77030 sock_i_ino(sk),
77031 - atomic_read(&sk->sk_refcnt), sk,
77032 + atomic_read(&sk->sk_refcnt),
77033 +#ifdef CONFIG_GRKERNSEC_HIDESYM
77034 + NULL,
77035 +#else
77036 + sk,
77037 +#endif
77038 jiffies_to_clock_t(icsk->icsk_rto),
77039 jiffies_to_clock_t(icsk->icsk_ack.ato),
77040 (icsk->icsk_ack.quick << 1) | icsk->icsk_ack.pingpong,
77041 @@ -2452,7 +2478,13 @@ static void get_timewait4_sock(struct in
77042 " %02X %08X:%08X %02X:%08lX %08X %5d %8d %d %d %p%n",
77043 i, src, srcp, dest, destp, tw->tw_substate, 0, 0,
77044 3, jiffies_to_clock_t(ttd), 0, 0, 0, 0,
77045 - atomic_read(&tw->tw_refcnt), tw, len);
77046 + atomic_read(&tw->tw_refcnt),
77047 +#ifdef CONFIG_GRKERNSEC_HIDESYM
77048 + NULL,
77049 +#else
77050 + tw,
77051 +#endif
77052 + len);
77053 }
77054
77055 #define TMPSZ 150
77056 diff -urNp linux-2.6.39.3/net/ipv4/tcp_minisocks.c linux-2.6.39.3/net/ipv4/tcp_minisocks.c
77057 --- linux-2.6.39.3/net/ipv4/tcp_minisocks.c 2011-05-19 00:06:34.000000000 -0400
77058 +++ linux-2.6.39.3/net/ipv4/tcp_minisocks.c 2011-05-22 19:41:42.000000000 -0400
77059 @@ -27,6 +27,10 @@
77060 #include <net/inet_common.h>
77061 #include <net/xfrm.h>
77062
77063 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
77064 +extern int grsec_enable_blackhole;
77065 +#endif
77066 +
77067 int sysctl_tcp_syncookies __read_mostly = 1;
77068 EXPORT_SYMBOL(sysctl_tcp_syncookies);
77069
77070 @@ -745,6 +749,10 @@ listen_overflow:
77071
77072 embryonic_reset:
77073 NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_EMBRYONICRSTS);
77074 +
77075 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
77076 + if (!grsec_enable_blackhole)
77077 +#endif
77078 if (!(flg & TCP_FLAG_RST))
77079 req->rsk_ops->send_reset(sk, skb);
77080
77081 diff -urNp linux-2.6.39.3/net/ipv4/tcp_output.c linux-2.6.39.3/net/ipv4/tcp_output.c
77082 --- linux-2.6.39.3/net/ipv4/tcp_output.c 2011-05-19 00:06:34.000000000 -0400
77083 +++ linux-2.6.39.3/net/ipv4/tcp_output.c 2011-05-22 19:36:34.000000000 -0400
77084 @@ -2421,6 +2421,8 @@ struct sk_buff *tcp_make_synack(struct s
77085 int mss;
77086 int s_data_desired = 0;
77087
77088 + pax_track_stack();
77089 +
77090 if (cvp != NULL && cvp->s_data_constant && cvp->s_data_desired)
77091 s_data_desired = cvp->s_data_desired;
77092 skb = sock_wmalloc(sk, MAX_TCP_HEADER + 15 + s_data_desired, 1, GFP_ATOMIC);
77093 diff -urNp linux-2.6.39.3/net/ipv4/tcp_probe.c linux-2.6.39.3/net/ipv4/tcp_probe.c
77094 --- linux-2.6.39.3/net/ipv4/tcp_probe.c 2011-05-19 00:06:34.000000000 -0400
77095 +++ linux-2.6.39.3/net/ipv4/tcp_probe.c 2011-05-22 19:36:34.000000000 -0400
77096 @@ -202,7 +202,7 @@ static ssize_t tcpprobe_read(struct file
77097 if (cnt + width >= len)
77098 break;
77099
77100 - if (copy_to_user(buf + cnt, tbuf, width))
77101 + if (width > sizeof tbuf || copy_to_user(buf + cnt, tbuf, width))
77102 return -EFAULT;
77103 cnt += width;
77104 }
77105 diff -urNp linux-2.6.39.3/net/ipv4/tcp_timer.c linux-2.6.39.3/net/ipv4/tcp_timer.c
77106 --- linux-2.6.39.3/net/ipv4/tcp_timer.c 2011-05-19 00:06:34.000000000 -0400
77107 +++ linux-2.6.39.3/net/ipv4/tcp_timer.c 2011-05-22 19:41:42.000000000 -0400
77108 @@ -22,6 +22,10 @@
77109 #include <linux/gfp.h>
77110 #include <net/tcp.h>
77111
77112 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
77113 +extern int grsec_lastack_retries;
77114 +#endif
77115 +
77116 int sysctl_tcp_syn_retries __read_mostly = TCP_SYN_RETRIES;
77117 int sysctl_tcp_synack_retries __read_mostly = TCP_SYNACK_RETRIES;
77118 int sysctl_tcp_keepalive_time __read_mostly = TCP_KEEPALIVE_TIME;
77119 @@ -199,6 +203,13 @@ static int tcp_write_timeout(struct sock
77120 }
77121 }
77122
77123 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
77124 + if ((sk->sk_state == TCP_LAST_ACK) &&
77125 + (grsec_lastack_retries > 0) &&
77126 + (grsec_lastack_retries < retry_until))
77127 + retry_until = grsec_lastack_retries;
77128 +#endif
77129 +
77130 if (retransmits_timed_out(sk, retry_until,
77131 syn_set ? 0 : icsk->icsk_user_timeout, syn_set)) {
77132 /* Has it gone just too far? */
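Review bot: `grsec_lastack_retries` is a plain global read three times in the added condition, so if it can change concurrently (for instance through a sysctl, which is not visible here) the value assigned to `retry_until` may differ from the one that passed the `> 0` test. Reading it once, `int lastack = ACCESS_ONCE(grsec_lastack_retries);`, and using `lastack` in both comparisons and the assignment closes that window. tcp_write_timeout's body starts and ends outside the hunk.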
77133 diff -urNp linux-2.6.39.3/net/ipv4/udp.c linux-2.6.39.3/net/ipv4/udp.c
77134 --- linux-2.6.39.3/net/ipv4/udp.c 2011-07-09 09:18:51.000000000 -0400
77135 +++ linux-2.6.39.3/net/ipv4/udp.c 2011-07-09 09:19:27.000000000 -0400
77136 @@ -86,6 +86,7 @@
77137 #include <linux/types.h>
77138 #include <linux/fcntl.h>
77139 #include <linux/module.h>
77140 +#include <linux/security.h>
77141 #include <linux/socket.h>
77142 #include <linux/sockios.h>
77143 #include <linux/igmp.h>
77144 @@ -107,6 +108,10 @@
77145 #include <net/xfrm.h>
77146 #include "udp_impl.h"
77147
77148 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
77149 +extern int grsec_enable_blackhole;
77150 +#endif
77151 +
77152 struct udp_table udp_table __read_mostly;
77153 EXPORT_SYMBOL(udp_table);
77154
77155 @@ -564,6 +569,9 @@ found:
77156 return s;
77157 }
77158
77159 +extern int gr_search_udp_recvmsg(struct sock *sk, const struct sk_buff *skb);
77160 +extern int gr_search_udp_sendmsg(struct sock *sk, struct sockaddr_in *addr);
77161 +
77162 /*
77163 * This routine is called by the ICMP module when it gets some
77164 * sort of error condition. If err < 0 then the socket should
77165 @@ -853,9 +861,18 @@ int udp_sendmsg(struct kiocb *iocb, stru
77166 dport = usin->sin_port;
77167 if (dport == 0)
77168 return -EINVAL;
77169 +
77170 + err = gr_search_udp_sendmsg(sk, usin);
77171 + if (err)
77172 + return err;
77173 } else {
77174 if (sk->sk_state != TCP_ESTABLISHED)
77175 return -EDESTADDRREQ;
77176 +
77177 + err = gr_search_udp_sendmsg(sk, NULL);
77178 + if (err)
77179 + return err;
77180 +
77181 daddr = inet->inet_daddr;
77182 dport = inet->inet_dport;
77183 /* Open fast path for connected socket.
77184 @@ -1090,7 +1107,7 @@ static unsigned int first_packet_length(
77185 udp_lib_checksum_complete(skb)) {
77186 UDP_INC_STATS_BH(sock_net(sk), UDP_MIB_INERRORS,
77187 IS_UDPLITE(sk));
77188 - atomic_inc(&sk->sk_drops);
77189 + atomic_inc_unchecked(&sk->sk_drops);
77190 __skb_unlink(skb, rcvq);
77191 __skb_queue_tail(&list_kill, skb);
77192 }
77193 @@ -1176,6 +1193,10 @@ try_again:
77194 if (!skb)
77195 goto out;
77196
77197 + err = gr_search_udp_recvmsg(sk, skb);
77198 + if (err)
77199 + goto out_free;
77200 +
77201 ulen = skb->len - sizeof(struct udphdr);
77202 if (len > ulen)
77203 len = ulen;
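Review bot: A datagram refused by `gr_search_udp_recvmsg()` goes to `out_free` without any counter being incremented in this hunk, so unless the hook itself logs (its body is not shown) a policy denial leaves nothing an operator could monitor. Counting it the way other drops in this file are counted, `atomic_inc_unchecked(&sk->sk_drops);` before the `goto`, would make denials observable, if that counter is the appropriate one. The `out_free` label and the rest of the function are outside the hunk, so what else happens to the skb there should be checked as well.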
77204 @@ -1475,7 +1496,7 @@ int udp_queue_rcv_skb(struct sock *sk, s
77205
77206 drop:
77207 UDP_INC_STATS_BH(sock_net(sk), UDP_MIB_INERRORS, is_udplite);
77208 - atomic_inc(&sk->sk_drops);
77209 + atomic_inc_unchecked(&sk->sk_drops);
77210 kfree_skb(skb);
77211 return -1;
77212 }
77213 @@ -1494,7 +1515,7 @@ static void flush_stack(struct sock **st
77214 skb1 = (i == final) ? skb : skb_clone(skb, GFP_ATOMIC);
77215
77216 if (!skb1) {
77217 - atomic_inc(&sk->sk_drops);
77218 + atomic_inc_unchecked(&sk->sk_drops);
77219 UDP_INC_STATS_BH(sock_net(sk), UDP_MIB_RCVBUFERRORS,
77220 IS_UDPLITE(sk));
77221 UDP_INC_STATS_BH(sock_net(sk), UDP_MIB_INERRORS,
77222 @@ -1663,6 +1684,9 @@ int __udp4_lib_rcv(struct sk_buff *skb,
77223 goto csum_error;
77224
77225 UDP_INC_STATS_BH(net, UDP_MIB_NOPORTS, proto == IPPROTO_UDPLITE);
77226 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
77227 + if (!grsec_enable_blackhole || (skb->dev->flags & IFF_LOOPBACK))
77228 +#endif
77229 icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0);
77230
77231 /*
77232 @@ -2090,8 +2114,13 @@ static void udp4_format_sock(struct sock
77233 sk_wmem_alloc_get(sp),
77234 sk_rmem_alloc_get(sp),
77235 0, 0L, 0, sock_i_uid(sp), 0, sock_i_ino(sp),
77236 - atomic_read(&sp->sk_refcnt), sp,
77237 - atomic_read(&sp->sk_drops), len);
77238 + atomic_read(&sp->sk_refcnt),
77239 +#ifdef CONFIG_GRKERNSEC_HIDESYM
77240 + NULL,
77241 +#else
77242 + sp,
77243 +#endif
77244 + atomic_read_unchecked(&sp->sk_drops), len);
77245 }
77246
77247 int udp4_seq_show(struct seq_file *seq, void *v)
77248 diff -urNp linux-2.6.39.3/net/ipv6/inet6_connection_sock.c linux-2.6.39.3/net/ipv6/inet6_connection_sock.c
77249 --- linux-2.6.39.3/net/ipv6/inet6_connection_sock.c 2011-05-19 00:06:34.000000000 -0400
77250 +++ linux-2.6.39.3/net/ipv6/inet6_connection_sock.c 2011-05-22 19:36:34.000000000 -0400
77251 @@ -178,7 +178,7 @@ void __inet6_csk_dst_store(struct sock *
77252 #ifdef CONFIG_XFRM
77253 {
77254 struct rt6_info *rt = (struct rt6_info *)dst;
77255 - rt->rt6i_flow_cache_genid = atomic_read(&flow_cache_genid);
77256 + rt->rt6i_flow_cache_genid = atomic_read_unchecked(&flow_cache_genid);
77257 }
77258 #endif
77259 }
77260 @@ -193,7 +193,7 @@ struct dst_entry *__inet6_csk_dst_check(
77261 #ifdef CONFIG_XFRM
77262 if (dst) {
77263 struct rt6_info *rt = (struct rt6_info *)dst;
77264 - if (rt->rt6i_flow_cache_genid != atomic_read(&flow_cache_genid)) {
77265 + if (rt->rt6i_flow_cache_genid != atomic_read_unchecked(&flow_cache_genid)) {
77266 __sk_dst_reset(sk);
77267 dst = NULL;
77268 }
77269 diff -urNp linux-2.6.39.3/net/ipv6/ipv6_sockglue.c linux-2.6.39.3/net/ipv6/ipv6_sockglue.c
77270 --- linux-2.6.39.3/net/ipv6/ipv6_sockglue.c 2011-05-19 00:06:34.000000000 -0400
77271 +++ linux-2.6.39.3/net/ipv6/ipv6_sockglue.c 2011-05-22 19:36:34.000000000 -0400
77272 @@ -129,6 +129,8 @@ static int do_ipv6_setsockopt(struct soc
77273 int val, valbool;
77274 int retv = -ENOPROTOOPT;
77275
77276 + pax_track_stack();
77277 +
77278 if (optval == NULL)
77279 val=0;
77280 else {
77281 @@ -919,6 +921,8 @@ static int do_ipv6_getsockopt(struct soc
77282 int len;
77283 int val;
77284
77285 + pax_track_stack();
77286 +
77287 if (ip6_mroute_opt(optname))
77288 return ip6_mroute_getsockopt(sk, optname, optval, optlen);
77289
77290 diff -urNp linux-2.6.39.3/net/ipv6/raw.c linux-2.6.39.3/net/ipv6/raw.c
77291 --- linux-2.6.39.3/net/ipv6/raw.c 2011-05-19 00:06:34.000000000 -0400
77292 +++ linux-2.6.39.3/net/ipv6/raw.c 2011-05-22 19:41:42.000000000 -0400
77293 @@ -376,7 +376,7 @@ static inline int rawv6_rcv_skb(struct s
77294 {
77295 if ((raw6_sk(sk)->checksum || rcu_dereference_raw(sk->sk_filter)) &&
77296 skb_checksum_complete(skb)) {
77297 - atomic_inc(&sk->sk_drops);
77298 + atomic_inc_unchecked(&sk->sk_drops);
77299 kfree_skb(skb);
77300 return NET_RX_DROP;
77301 }
77302 @@ -403,7 +403,7 @@ int rawv6_rcv(struct sock *sk, struct sk
77303 struct raw6_sock *rp = raw6_sk(sk);
77304
77305 if (!xfrm6_policy_check(sk, XFRM_POLICY_IN, skb)) {
77306 - atomic_inc(&sk->sk_drops);
77307 + atomic_inc_unchecked(&sk->sk_drops);
77308 kfree_skb(skb);
77309 return NET_RX_DROP;
77310 }
77311 @@ -427,7 +427,7 @@ int rawv6_rcv(struct sock *sk, struct sk
77312
77313 if (inet->hdrincl) {
77314 if (skb_checksum_complete(skb)) {
77315 - atomic_inc(&sk->sk_drops);
77316 + atomic_inc_unchecked(&sk->sk_drops);
77317 kfree_skb(skb);
77318 return NET_RX_DROP;
77319 }
77320 @@ -601,7 +601,7 @@ out:
77321 return err;
77322 }
77323
77324 -static int rawv6_send_hdrinc(struct sock *sk, void *from, int length,
77325 +static int rawv6_send_hdrinc(struct sock *sk, void *from, unsigned int length,
77326 struct flowi6 *fl6, struct dst_entry **dstp,
77327 unsigned int flags)
77328 {
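Review bot: Changing `length` from `int` to `unsigned int` alters every comparison and arithmetic expression that uses it in rawv6_send_hdrinc's body, which lies outside the hunk, and the patch gives no reason for the change. A negative value that used to fail a signed comparison would now appear as a very large length. The body's bounds checks and the caller's range check (rawv6_sendmsg has a "rough check on arithmetic overflow" comment in the next hunk) should be confirmed to reject such a value before this function is reached. A short comment at the signature stating the accepted range would help.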
77329 @@ -742,6 +742,8 @@ static int rawv6_sendmsg(struct kiocb *i
77330 u16 proto;
77331 int err;
77332
77333 + pax_track_stack();
77334 +
77335 /* Rough check on arithmetic overflow,
77336 better check is made in ip6_append_data().
77337 */
77338 @@ -909,12 +911,15 @@ do_confirm:
77339 static int rawv6_seticmpfilter(struct sock *sk, int level, int optname,
77340 char __user *optval, int optlen)
77341 {
77342 + struct icmp6_filter filter;
77343 +
77344 switch (optname) {
77345 case ICMPV6_FILTER:
77346 if (optlen > sizeof(struct icmp6_filter))
77347 optlen = sizeof(struct icmp6_filter);
77348 - if (copy_from_user(&raw6_sk(sk)->filter, optval, optlen))
77349 + if (copy_from_user(&filter, optval, optlen))
77350 return -EFAULT;
77351 + memcpy(&raw6_sk(sk)->filter, &filter, optlen);
77352 return 0;
77353 default:
77354 return -ENOPROTOOPT;
77355 @@ -926,6 +931,7 @@ static int rawv6_seticmpfilter(struct so
77356 static int rawv6_geticmpfilter(struct sock *sk, int level, int optname,
77357 char __user *optval, int __user *optlen)
77358 {
77359 + struct icmp6_filter filter;
77360 int len;
77361
77362 switch (optname) {
77363 @@ -938,7 +944,8 @@ static int rawv6_geticmpfilter(struct so
77364 len = sizeof(struct icmp6_filter);
77365 if (put_user(len, optlen))
77366 return -EFAULT;
77367 - if (copy_to_user(optval, &raw6_sk(sk)->filter, len))
77368 + memcpy(&filter, &raw6_sk(sk)->filter, len);
77369 + if (copy_to_user(optval, &filter, len))
77370 return -EFAULT;
77371 return 0;
77372 default:
77373 @@ -1252,7 +1259,13 @@ static void raw6_sock_seq_show(struct se
77374 0, 0L, 0,
77375 sock_i_uid(sp), 0,
77376 sock_i_ino(sp),
77377 - atomic_read(&sp->sk_refcnt), sp, atomic_read(&sp->sk_drops));
77378 + atomic_read(&sp->sk_refcnt),
77379 +#ifdef CONFIG_GRKERNSEC_HIDESYM
77380 + NULL,
77381 +#else
77382 + sp,
77383 +#endif
77384 + atomic_read_unchecked(&sp->sk_drops));
77385 }
77386
77387 static int raw6_seq_show(struct seq_file *seq, void *v)
77388 diff -urNp linux-2.6.39.3/net/ipv6/tcp_ipv6.c linux-2.6.39.3/net/ipv6/tcp_ipv6.c
77389 --- linux-2.6.39.3/net/ipv6/tcp_ipv6.c 2011-05-19 00:06:34.000000000 -0400
77390 +++ linux-2.6.39.3/net/ipv6/tcp_ipv6.c 2011-05-22 19:41:42.000000000 -0400
77391 @@ -92,6 +92,10 @@ static struct tcp_md5sig_key *tcp_v6_md5
77392 }
77393 #endif
77394
77395 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
77396 +extern int grsec_enable_blackhole;
77397 +#endif
77398 +
77399 static void tcp_v6_hash(struct sock *sk)
77400 {
77401 if (sk->sk_state != TCP_CLOSE) {
77402 @@ -1660,6 +1664,9 @@ static int tcp_v6_do_rcv(struct sock *sk
77403 return 0;
77404
77405 reset:
77406 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
77407 + if (!grsec_enable_blackhole)
77408 +#endif
77409 tcp_v6_send_reset(sk, skb);
77410 discard:
77411 if (opt_skb)
77412 @@ -1739,12 +1746,20 @@ static int tcp_v6_rcv(struct sk_buff *sk
77413 TCP_SKB_CB(skb)->sacked = 0;
77414
77415 sk = __inet6_lookup_skb(&tcp_hashinfo, skb, th->source, th->dest);
77416 - if (!sk)
77417 + if (!sk) {
77418 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
77419 + ret = 1;
77420 +#endif
77421 goto no_tcp_socket;
77422 + }
77423
77424 process:
77425 - if (sk->sk_state == TCP_TIME_WAIT)
77426 + if (sk->sk_state == TCP_TIME_WAIT) {
77427 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
77428 + ret = 2;
77429 +#endif
77430 goto do_time_wait;
77431 + }
77432
77433 if (hdr->hop_limit < inet6_sk(sk)->min_hopcount) {
77434 NET_INC_STATS_BH(net, LINUX_MIB_TCPMINTTLDROP);
77435 @@ -1792,6 +1807,10 @@ no_tcp_socket:
77436 bad_packet:
77437 TCP_INC_STATS_BH(net, TCP_MIB_INERRS);
77438 } else {
77439 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
77440 + if (!grsec_enable_blackhole || (ret == 1 &&
77441 + (skb->dev->flags & IFF_LOOPBACK)))
77442 +#endif
77443 tcp_v6_send_reset(NULL, skb);
77444 }
77445
77446 @@ -2052,7 +2071,13 @@ static void get_openreq6(struct seq_file
77447 uid,
77448 0, /* non standard timer */
77449 0, /* open_requests have no inode */
77450 - 0, req);
77451 + 0,
77452 +#ifdef CONFIG_GRKERNSEC_HIDESYM
77453 + NULL
77454 +#else
77455 + req
77456 +#endif
77457 + );
77458 }
77459
77460 static void get_tcp6_sock(struct seq_file *seq, struct sock *sp, int i)
77461 @@ -2102,7 +2127,12 @@ static void get_tcp6_sock(struct seq_fil
77462 sock_i_uid(sp),
77463 icsk->icsk_probes_out,
77464 sock_i_ino(sp),
77465 - atomic_read(&sp->sk_refcnt), sp,
77466 + atomic_read(&sp->sk_refcnt),
77467 +#ifdef CONFIG_GRKERNSEC_HIDESYM
77468 + NULL,
77469 +#else
77470 + sp,
77471 +#endif
77472 jiffies_to_clock_t(icsk->icsk_rto),
77473 jiffies_to_clock_t(icsk->icsk_ack.ato),
77474 (icsk->icsk_ack.quick << 1 ) | icsk->icsk_ack.pingpong,
77475 @@ -2137,7 +2167,13 @@ static void get_timewait6_sock(struct se
77476 dest->s6_addr32[2], dest->s6_addr32[3], destp,
77477 tw->tw_substate, 0, 0,
77478 3, jiffies_to_clock_t(ttd), 0, 0, 0, 0,
77479 - atomic_read(&tw->tw_refcnt), tw);
77480 + atomic_read(&tw->tw_refcnt),
77481 +#ifdef CONFIG_GRKERNSEC_HIDESYM
77482 + NULL
77483 +#else
77484 + tw
77485 +#endif
77486 + );
77487 }
77488
77489 static int tcp6_seq_show(struct seq_file *seq, void *v)
77490 diff -urNp linux-2.6.39.3/net/ipv6/udp.c linux-2.6.39.3/net/ipv6/udp.c
77491 --- linux-2.6.39.3/net/ipv6/udp.c 2011-07-09 09:18:51.000000000 -0400
77492 +++ linux-2.6.39.3/net/ipv6/udp.c 2011-07-09 09:19:27.000000000 -0400
77493 @@ -50,6 +50,10 @@
77494 #include <linux/seq_file.h>
77495 #include "udp_impl.h"
77496
77497 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
77498 +extern int grsec_enable_blackhole;
77499 +#endif
77500 +
77501 int ipv6_rcv_saddr_equal(const struct sock *sk, const struct sock *sk2)
77502 {
77503 const struct in6_addr *sk_rcv_saddr6 = &inet6_sk(sk)->rcv_saddr;
77504 @@ -548,7 +552,7 @@ int udpv6_queue_rcv_skb(struct sock * sk
77505
77506 return 0;
77507 drop:
77508 - atomic_inc(&sk->sk_drops);
77509 + atomic_inc_unchecked(&sk->sk_drops);
77510 drop_no_sk_drops_inc:
77511 UDP6_INC_STATS_BH(sock_net(sk), UDP_MIB_INERRORS, is_udplite);
77512 kfree_skb(skb);
77513 @@ -624,7 +628,7 @@ static void flush_stack(struct sock **st
77514 continue;
77515 }
77516 drop:
77517 - atomic_inc(&sk->sk_drops);
77518 + atomic_inc_unchecked(&sk->sk_drops);
77519 UDP6_INC_STATS_BH(sock_net(sk),
77520 UDP_MIB_RCVBUFERRORS, IS_UDPLITE(sk));
77521 UDP6_INC_STATS_BH(sock_net(sk),
77522 @@ -779,6 +783,9 @@ int __udp6_lib_rcv(struct sk_buff *skb,
77523 UDP6_INC_STATS_BH(net, UDP_MIB_NOPORTS,
77524 proto == IPPROTO_UDPLITE);
77525
77526 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
77527 + if (!grsec_enable_blackhole || (skb->dev->flags & IFF_LOOPBACK))
77528 +#endif
77529 icmpv6_send(skb, ICMPV6_DEST_UNREACH, ICMPV6_PORT_UNREACH, 0);
77530
77531 kfree_skb(skb);
77532 @@ -795,7 +802,7 @@ int __udp6_lib_rcv(struct sk_buff *skb,
77533 if (!sock_owned_by_user(sk))
77534 udpv6_queue_rcv_skb(sk, skb);
77535 else if (sk_add_backlog(sk, skb)) {
77536 - atomic_inc(&sk->sk_drops);
77537 + atomic_inc_unchecked(&sk->sk_drops);
77538 bh_unlock_sock(sk);
77539 sock_put(sk);
77540 goto discard;
77541 @@ -1406,8 +1413,13 @@ static void udp6_sock_seq_show(struct se
77542 0, 0L, 0,
77543 sock_i_uid(sp), 0,
77544 sock_i_ino(sp),
77545 - atomic_read(&sp->sk_refcnt), sp,
77546 - atomic_read(&sp->sk_drops));
77547 + atomic_read(&sp->sk_refcnt),
77548 +#ifdef CONFIG_GRKERNSEC_HIDESYM
77549 + NULL,
77550 +#else
77551 + sp,
77552 +#endif
77553 + atomic_read_unchecked(&sp->sk_drops));
77554 }
77555
77556 int udp6_seq_show(struct seq_file *seq, void *v)
77557 diff -urNp linux-2.6.39.3/net/irda/ircomm/ircomm_tty.c linux-2.6.39.3/net/irda/ircomm/ircomm_tty.c
77558 --- linux-2.6.39.3/net/irda/ircomm/ircomm_tty.c 2011-05-19 00:06:34.000000000 -0400
77559 +++ linux-2.6.39.3/net/irda/ircomm/ircomm_tty.c 2011-05-22 19:36:34.000000000 -0400
77560 @@ -281,16 +281,16 @@ static int ircomm_tty_block_til_ready(st
77561 add_wait_queue(&self->open_wait, &wait);
77562
77563 IRDA_DEBUG(2, "%s(%d):block_til_ready before block on %s open_count=%d\n",
77564 - __FILE__,__LINE__, tty->driver->name, self->open_count );
77565 + __FILE__,__LINE__, tty->driver->name, local_read(&self->open_count) );
77566
77567 /* As far as I can see, we protect open_count - Jean II */
77568 spin_lock_irqsave(&self->spinlock, flags);
77569 if (!tty_hung_up_p(filp)) {
77570 extra_count = 1;
77571 - self->open_count--;
77572 + local_dec(&self->open_count);
77573 }
77574 spin_unlock_irqrestore(&self->spinlock, flags);
77575 - self->blocked_open++;
77576 + local_inc(&self->blocked_open);
77577
77578 while (1) {
77579 if (tty->termios->c_cflag & CBAUD) {
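Review bot: The IRDA_DEBUG call still formats the counter with `%d`, but its argument is now `local_read(&self->open_count)`, which evaluates to a `long` on the local_t implementations I know of, so format and argument no longer agree. Either `%ld` or an explicit `(int)local_read(&self->open_count)` fixes it. The same applies to the other IRDA_DEBUG and IRDA_ERROR calls changed in this file and to `seq_printf(m, "Open count: %d\n", ...)` in ircomm_tty_line_info. The declaration of `open_count` is not in this part of the patch, so the field type should be confirmed there.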
77580 @@ -330,7 +330,7 @@ static int ircomm_tty_block_til_ready(st
77581 }
77582
77583 IRDA_DEBUG(1, "%s(%d):block_til_ready blocking on %s open_count=%d\n",
77584 - __FILE__,__LINE__, tty->driver->name, self->open_count );
77585 + __FILE__,__LINE__, tty->driver->name, local_read(&self->open_count) );
77586
77587 schedule();
77588 }
77589 @@ -341,13 +341,13 @@ static int ircomm_tty_block_til_ready(st
77590 if (extra_count) {
77591 /* ++ is not atomic, so this should be protected - Jean II */
77592 spin_lock_irqsave(&self->spinlock, flags);
77593 - self->open_count++;
77594 + local_inc(&self->open_count);
77595 spin_unlock_irqrestore(&self->spinlock, flags);
77596 }
77597 - self->blocked_open--;
77598 + local_dec(&self->blocked_open);
77599
77600 IRDA_DEBUG(1, "%s(%d):block_til_ready after blocking on %s open_count=%d\n",
77601 - __FILE__,__LINE__, tty->driver->name, self->open_count);
77602 + __FILE__,__LINE__, tty->driver->name, local_read(&self->open_count));
77603
77604 if (!retval)
77605 self->flags |= ASYNC_NORMAL_ACTIVE;
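Review bot: `local_dec(&self->blocked_open)` runs after `self->spinlock` has been released, as does the matching `local_inc` in the first hunk of this function. As far as I know, local_t operations are atomic only with respect to the current CPU, so this is no stronger than the plain `--` it replaces when two CPUs are in block_til_ready for the same port. If the conversion is meant to make the counters safe across CPUs, they would need `atomic_t` or to be updated under the lock. If it serves another purpose, a comment next to the existing "++ is not atomic" remark should say which.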
77606 @@ -416,14 +416,14 @@ static int ircomm_tty_open(struct tty_st
77607 }
77608 /* ++ is not atomic, so this should be protected - Jean II */
77609 spin_lock_irqsave(&self->spinlock, flags);
77610 - self->open_count++;
77611 + local_inc(&self->open_count);
77612
77613 tty->driver_data = self;
77614 self->tty = tty;
77615 spin_unlock_irqrestore(&self->spinlock, flags);
77616
77617 IRDA_DEBUG(1, "%s(), %s%d, count = %d\n", __func__ , tty->driver->name,
77618 - self->line, self->open_count);
77619 + self->line, local_read(&self->open_count));
77620
77621 /* Not really used by us, but lets do it anyway */
77622 self->tty->low_latency = (self->flags & ASYNC_LOW_LATENCY) ? 1 : 0;
77623 @@ -509,7 +509,7 @@ static void ircomm_tty_close(struct tty_
77624 return;
77625 }
77626
77627 - if ((tty->count == 1) && (self->open_count != 1)) {
77628 + if ((tty->count == 1) && (local_read(&self->open_count) != 1)) {
77629 /*
77630 * Uh, oh. tty->count is 1, which means that the tty
77631 * structure will be freed. state->count should always
77632 @@ -519,16 +519,16 @@ static void ircomm_tty_close(struct tty_
77633 */
77634 IRDA_DEBUG(0, "%s(), bad serial port count; "
77635 "tty->count is 1, state->count is %d\n", __func__ ,
77636 - self->open_count);
77637 - self->open_count = 1;
77638 + local_read(&self->open_count));
77639 + local_set(&self->open_count, 1);
77640 }
77641
77642 - if (--self->open_count < 0) {
77643 + if (local_dec_return(&self->open_count) < 0) {
77644 IRDA_ERROR("%s(), bad serial port count for ttys%d: %d\n",
77645 - __func__, self->line, self->open_count);
77646 - self->open_count = 0;
77647 + __func__, self->line, local_read(&self->open_count));
77648 + local_set(&self->open_count, 0);
77649 }
77650 - if (self->open_count) {
77651 + if (local_read(&self->open_count)) {
77652 spin_unlock_irqrestore(&self->spinlock, flags);
77653
77654 IRDA_DEBUG(0, "%s(), open count > 0\n", __func__ );
77655 @@ -560,7 +560,7 @@ static void ircomm_tty_close(struct tty_
77656 tty->closing = 0;
77657 self->tty = NULL;
77658
77659 - if (self->blocked_open) {
77660 + if (local_read(&self->blocked_open)) {
77661 if (self->close_delay)
77662 schedule_timeout_interruptible(self->close_delay);
77663 wake_up_interruptible(&self->open_wait);
77664 @@ -1012,7 +1012,7 @@ static void ircomm_tty_hangup(struct tty
77665 spin_lock_irqsave(&self->spinlock, flags);
77666 self->flags &= ~ASYNC_NORMAL_ACTIVE;
77667 self->tty = NULL;
77668 - self->open_count = 0;
77669 + local_set(&self->open_count, 0);
77670 spin_unlock_irqrestore(&self->spinlock, flags);
77671
77672 wake_up_interruptible(&self->open_wait);
77673 @@ -1364,7 +1364,7 @@ static void ircomm_tty_line_info(struct
77674 seq_putc(m, '\n');
77675
77676 seq_printf(m, "Role: %s\n", self->client ? "client" : "server");
77677 - seq_printf(m, "Open count: %d\n", self->open_count);
77678 + seq_printf(m, "Open count: %d\n", local_read(&self->open_count));
77679 seq_printf(m, "Max data size: %d\n", self->max_data_size);
77680 seq_printf(m, "Max header size: %d\n", self->max_header_size);
77681
77682 diff -urNp linux-2.6.39.3/net/iucv/af_iucv.c linux-2.6.39.3/net/iucv/af_iucv.c
77683 --- linux-2.6.39.3/net/iucv/af_iucv.c 2011-05-19 00:06:34.000000000 -0400
77684 +++ linux-2.6.39.3/net/iucv/af_iucv.c 2011-05-22 19:36:34.000000000 -0400
77685 @@ -653,10 +653,10 @@ static int iucv_sock_autobind(struct soc
77686
77687 write_lock_bh(&iucv_sk_list.lock);
77688
77689 - sprintf(name, "%08x", atomic_inc_return(&iucv_sk_list.autobind_name));
77690 + sprintf(name, "%08x", atomic_inc_return_unchecked(&iucv_sk_list.autobind_name));
77691 while (__iucv_get_sock_by_name(name)) {
77692 sprintf(name, "%08x",
77693 - atomic_inc_return(&iucv_sk_list.autobind_name));
77694 + atomic_inc_return_unchecked(&iucv_sk_list.autobind_name));
77695 }
77696
77697 write_unlock_bh(&iucv_sk_list.lock);
77698 diff -urNp linux-2.6.39.3/net/key/af_key.c linux-2.6.39.3/net/key/af_key.c
77699 --- linux-2.6.39.3/net/key/af_key.c 2011-05-19 00:06:34.000000000 -0400
77700 +++ linux-2.6.39.3/net/key/af_key.c 2011-05-22 19:41:42.000000000 -0400
77701 @@ -2481,6 +2481,8 @@ static int pfkey_migrate(struct sock *sk
77702 struct xfrm_migrate m[XFRM_MAX_DEPTH];
77703 struct xfrm_kmaddress k;
77704
77705 + pax_track_stack();
77706 +
77707 if (!present_and_same_family(ext_hdrs[SADB_EXT_ADDRESS_SRC - 1],
77708 ext_hdrs[SADB_EXT_ADDRESS_DST - 1]) ||
77709 !ext_hdrs[SADB_X_EXT_POLICY - 1]) {
77710 @@ -3016,10 +3018,10 @@ static int pfkey_send_policy_notify(stru
77711 static u32 get_acqseq(void)
77712 {
77713 u32 res;
77714 - static atomic_t acqseq;
77715 + static atomic_unchecked_t acqseq;
77716
77717 do {
77718 - res = atomic_inc_return(&acqseq);
77719 + res = atomic_inc_return_unchecked(&acqseq);
77720 } while (!res);
77721 return res;
77722 }
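Review bot: The switch to `atomic_unchecked_t` in get_acqseq has no comment explaining why this counter is exempt from overflow detection. The loop already skips a zero result, which suggests wraparound is expected here. A line above the declaration such as `/* sequence number: wraps by design, not a reference count */` would record that reasoning for the next reader.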
77723 @@ -3657,7 +3659,11 @@ static int pfkey_seq_show(struct seq_fil
77724 seq_printf(f ,"sk RefCnt Rmem Wmem User Inode\n");
77725 else
77726 seq_printf(f ,"%p %-6d %-6u %-6u %-6u %-6lu\n",
77727 +#ifdef CONFIG_GRKERNSEC_HIDESYM
77728 + NULL,
77729 +#else
77730 s,
77731 +#endif
77732 atomic_read(&s->sk_refcnt),
77733 sk_rmem_alloc_get(s),
77734 sk_wmem_alloc_get(s),
77735 diff -urNp linux-2.6.39.3/net/l2tp/l2tp_ip.c linux-2.6.39.3/net/l2tp/l2tp_ip.c
77736 --- linux-2.6.39.3/net/l2tp/l2tp_ip.c 2011-05-19 00:06:34.000000000 -0400
77737 +++ linux-2.6.39.3/net/l2tp/l2tp_ip.c 2011-05-22 19:36:34.000000000 -0400
77738 @@ -625,7 +625,7 @@ static struct inet_protosw l2tp_ip_proto
77739 .no_check = 0,
77740 };
77741
77742 -static struct net_protocol l2tp_ip_protocol __read_mostly = {
77743 +static const struct net_protocol l2tp_ip_protocol = {
77744 .handler = l2tp_ip_recv,
77745 };
77746
77747 diff -urNp linux-2.6.39.3/net/lapb/lapb_iface.c linux-2.6.39.3/net/lapb/lapb_iface.c
77748 --- linux-2.6.39.3/net/lapb/lapb_iface.c 2011-05-19 00:06:34.000000000 -0400
77749 +++ linux-2.6.39.3/net/lapb/lapb_iface.c 2011-05-22 19:36:34.000000000 -0400
77750 @@ -138,8 +138,7 @@ static struct lapb_cb *lapb_create_cb(vo
77751 out:
77752 return lapb;
77753 }
77754 -
77755 -int lapb_register(struct net_device *dev, struct lapb_register_struct *callbacks)
77756 +int lapb_register(struct net_device *dev, const struct lapb_register_struct *callbacks)
77757 {
77758 struct lapb_cb *lapb;
77759 int rc = LAPB_BADTOKEN;
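Review bot: The blank line that separated the closing brace of lapb_create_cb from `int lapb_register(...)` is removed along with the signature change, so the two functions now run together. I would keep the separator and change only the parameter to `const struct lapb_register_struct *callbacks`. The body of lapb_register continues outside the hunk.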
77760 diff -urNp linux-2.6.39.3/net/mac80211/cfg.c linux-2.6.39.3/net/mac80211/cfg.c
77761 --- linux-2.6.39.3/net/mac80211/cfg.c 2011-06-03 00:04:14.000000000 -0400
77762 +++ linux-2.6.39.3/net/mac80211/cfg.c 2011-06-03 00:32:08.000000000 -0400
77763 @@ -2031,7 +2031,7 @@ static void ieee80211_get_ringparam(stru
77764 drv_get_ringparam(local, tx, tx_max, rx, rx_max);
77765 }
77766
77767 -struct cfg80211_ops mac80211_config_ops = {
77768 +const struct cfg80211_ops mac80211_config_ops = {
77769 .add_virtual_intf = ieee80211_add_iface,
77770 .del_virtual_intf = ieee80211_del_iface,
77771 .change_virtual_intf = ieee80211_change_iface,
77772 diff -urNp linux-2.6.39.3/net/mac80211/cfg.h linux-2.6.39.3/net/mac80211/cfg.h
77773 --- linux-2.6.39.3/net/mac80211/cfg.h 2011-05-19 00:06:34.000000000 -0400
77774 +++ linux-2.6.39.3/net/mac80211/cfg.h 2011-05-22 19:36:34.000000000 -0400
77775 @@ -4,6 +4,6 @@
77776 #ifndef __CFG_H
77777 #define __CFG_H
77778
77779 -extern struct cfg80211_ops mac80211_config_ops;
77780 +extern const struct cfg80211_ops mac80211_config_ops;
77781
77782 #endif /* __CFG_H */
77783 diff -urNp linux-2.6.39.3/net/mac80211/debugfs_sta.c linux-2.6.39.3/net/mac80211/debugfs_sta.c
77784 --- linux-2.6.39.3/net/mac80211/debugfs_sta.c 2011-05-19 00:06:34.000000000 -0400
77785 +++ linux-2.6.39.3/net/mac80211/debugfs_sta.c 2011-05-22 19:36:34.000000000 -0400
77786 @@ -115,6 +115,8 @@ static ssize_t sta_agg_status_read(struc
77787 struct tid_ampdu_rx *tid_rx;
77788 struct tid_ampdu_tx *tid_tx;
77789
77790 + pax_track_stack();
77791 +
77792 rcu_read_lock();
77793
77794 p += scnprintf(p, sizeof(buf) + buf - p, "next dialog_token: %#02x\n",
77795 @@ -215,6 +217,8 @@ static ssize_t sta_ht_capa_read(struct f
77796 struct sta_info *sta = file->private_data;
77797 struct ieee80211_sta_ht_cap *htc = &sta->sta.ht_cap;
77798
77799 + pax_track_stack();
77800 +
77801 p += scnprintf(p, sizeof(buf) + buf - p, "ht %ssupported\n",
77802 htc->ht_supported ? "" : "not ");
77803 if (htc->ht_supported) {
77804 diff -urNp linux-2.6.39.3/net/mac80211/ieee80211_i.h linux-2.6.39.3/net/mac80211/ieee80211_i.h
77805 --- linux-2.6.39.3/net/mac80211/ieee80211_i.h 2011-05-19 00:06:34.000000000 -0400
77806 +++ linux-2.6.39.3/net/mac80211/ieee80211_i.h 2011-05-22 19:36:34.000000000 -0400
77807 @@ -27,6 +27,7 @@
77808 #include <net/ieee80211_radiotap.h>
77809 #include <net/cfg80211.h>
77810 #include <net/mac80211.h>
77811 +#include <asm/local.h>
77812 #include "key.h"
77813 #include "sta_info.h"
77814
77815 @@ -714,7 +715,7 @@ struct ieee80211_local {
77816 /* also used to protect ampdu_ac_queue and amdpu_ac_stop_refcnt */
77817 spinlock_t queue_stop_reason_lock;
77818
77819 - int open_count;
77820 + local_t open_count;
77821 int monitors, cooked_mntrs;
77822 /* number of interfaces with corresponding FIF_ flags */
77823 int fif_fcsfail, fif_plcpfail, fif_control, fif_other_bss, fif_pspoll,
77824 diff -urNp linux-2.6.39.3/net/mac80211/iface.c linux-2.6.39.3/net/mac80211/iface.c
77825 --- linux-2.6.39.3/net/mac80211/iface.c 2011-05-19 00:06:34.000000000 -0400
77826 +++ linux-2.6.39.3/net/mac80211/iface.c 2011-05-22 19:36:34.000000000 -0400
77827 @@ -211,7 +211,7 @@ static int ieee80211_do_open(struct net_
77828 break;
77829 }
77830
77831 - if (local->open_count == 0) {
77832 + if (local_read(&local->open_count) == 0) {
77833 res = drv_start(local);
77834 if (res)
77835 goto err_del_bss;
77836 @@ -235,7 +235,7 @@ static int ieee80211_do_open(struct net_
77837 memcpy(dev->perm_addr, dev->dev_addr, ETH_ALEN);
77838
77839 if (!is_valid_ether_addr(dev->dev_addr)) {
77840 - if (!local->open_count)
77841 + if (!local_read(&local->open_count))
77842 drv_stop(local);
77843 return -EADDRNOTAVAIL;
77844 }
77845 @@ -327,7 +327,7 @@ static int ieee80211_do_open(struct net_
77846 mutex_unlock(&local->mtx);
77847
77848 if (coming_up)
77849 - local->open_count++;
77850 + local_inc(&local->open_count);
77851
77852 if (hw_reconf_flags) {
77853 ieee80211_hw_config(local, hw_reconf_flags);
77854 @@ -347,7 +347,7 @@ static int ieee80211_do_open(struct net_
77855 err_del_interface:
77856 drv_remove_interface(local, &sdata->vif);
77857 err_stop:
77858 - if (!local->open_count)
77859 + if (!local_read(&local->open_count))
77860 drv_stop(local);
77861 err_del_bss:
77862 sdata->bss = NULL;
77863 @@ -474,7 +474,7 @@ static void ieee80211_do_stop(struct iee
77864 }
77865
77866 if (going_down)
77867 - local->open_count--;
77868 + local_dec(&local->open_count);
77869
77870 switch (sdata->vif.type) {
77871 case NL80211_IFTYPE_AP_VLAN:
77872 @@ -533,7 +533,7 @@ static void ieee80211_do_stop(struct iee
77873
77874 ieee80211_recalc_ps(local, -1);
77875
77876 - if (local->open_count == 0) {
77877 + if (local_read(&local->open_count) == 0) {
77878 if (local->ops->napi_poll)
77879 napi_disable(&local->napi);
77880 ieee80211_clear_tx_pending(local);
77881 diff -urNp linux-2.6.39.3/net/mac80211/main.c linux-2.6.39.3/net/mac80211/main.c
77882 --- linux-2.6.39.3/net/mac80211/main.c 2011-05-19 00:06:34.000000000 -0400
77883 +++ linux-2.6.39.3/net/mac80211/main.c 2011-05-22 19:36:34.000000000 -0400
77884 @@ -215,7 +215,7 @@ int ieee80211_hw_config(struct ieee80211
77885 local->hw.conf.power_level = power;
77886 }
77887
77888 - if (changed && local->open_count) {
77889 + if (changed && local_read(&local->open_count)) {
77890 ret = drv_config(local, changed);
77891 /*
77892 * Goal:
77893 diff -urNp linux-2.6.39.3/net/mac80211/mlme.c linux-2.6.39.3/net/mac80211/mlme.c
77894 --- linux-2.6.39.3/net/mac80211/mlme.c 2011-06-03 00:04:14.000000000 -0400
77895 +++ linux-2.6.39.3/net/mac80211/mlme.c 2011-06-03 00:32:08.000000000 -0400
77896 @@ -1431,6 +1431,8 @@ static bool ieee80211_assoc_success(stru
77897 bool have_higher_than_11mbit = false;
77898 u16 ap_ht_cap_flags;
77899
77900 + pax_track_stack();
77901 +
77902 /* AssocResp and ReassocResp have identical structure */
77903
77904 aid = le16_to_cpu(mgmt->u.assoc_resp.aid);
77905 diff -urNp linux-2.6.39.3/net/mac80211/pm.c linux-2.6.39.3/net/mac80211/pm.c
77906 --- linux-2.6.39.3/net/mac80211/pm.c 2011-05-19 00:06:34.000000000 -0400
77907 +++ linux-2.6.39.3/net/mac80211/pm.c 2011-05-22 19:36:34.000000000 -0400
77908 @@ -95,7 +95,7 @@ int __ieee80211_suspend(struct ieee80211
77909 }
77910
77911 /* stop hardware - this must stop RX */
77912 - if (local->open_count)
77913 + if (local_read(&local->open_count))
77914 ieee80211_stop_device(local);
77915
77916 local->suspended = true;
77917 diff -urNp linux-2.6.39.3/net/mac80211/rate.c linux-2.6.39.3/net/mac80211/rate.c
77918 --- linux-2.6.39.3/net/mac80211/rate.c 2011-05-19 00:06:34.000000000 -0400
77919 +++ linux-2.6.39.3/net/mac80211/rate.c 2011-05-22 19:36:34.000000000 -0400
77920 @@ -371,7 +371,7 @@ int ieee80211_init_rate_ctrl_alg(struct
77921
77922 ASSERT_RTNL();
77923
77924 - if (local->open_count)
77925 + if (local_read(&local->open_count))
77926 return -EBUSY;
77927
77928 if (local->hw.flags & IEEE80211_HW_HAS_RATE_CONTROL) {
77929 diff -urNp linux-2.6.39.3/net/mac80211/rc80211_pid_debugfs.c linux-2.6.39.3/net/mac80211/rc80211_pid_debugfs.c
77930 --- linux-2.6.39.3/net/mac80211/rc80211_pid_debugfs.c 2011-05-19 00:06:34.000000000 -0400
77931 +++ linux-2.6.39.3/net/mac80211/rc80211_pid_debugfs.c 2011-05-22 19:36:34.000000000 -0400
77932 @@ -192,7 +192,7 @@ static ssize_t rate_control_pid_events_r
77933
77934 spin_unlock_irqrestore(&events->lock, status);
77935
77936 - if (copy_to_user(buf, pb, p))
77937 + if (p > sizeof(pb) || copy_to_user(buf, pb, p))
77938 return -EFAULT;
77939
77940 return p;
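Review bot: The new `p > sizeof(pb)` test reports an internal length problem with the same `-EFAULT` that a bad user pointer produces, so the two conditions cannot be told apart by the caller or in logs. It also runs only after `pb` has been filled (the formatting code is above the hunk), so it presumably bounds the read done by copy_to_user rather than the writes into `pb`; those writes should be confirmed as bounded separately. If `p` is declared as a signed type, the comparison relies on conversion to size_t to reject negative values, which deserves a comment. Something like `if (WARN_ON_ONCE(p > sizeof(pb))) return -EIO;` ahead of the copy would keep the cases distinct.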
77941 diff -urNp linux-2.6.39.3/net/mac80211/util.c linux-2.6.39.3/net/mac80211/util.c
77942 --- linux-2.6.39.3/net/mac80211/util.c 2011-05-19 00:06:34.000000000 -0400
77943 +++ linux-2.6.39.3/net/mac80211/util.c 2011-05-22 19:36:34.000000000 -0400
77944 @@ -1129,7 +1129,7 @@ int ieee80211_reconfig(struct ieee80211_
77945 local->resuming = true;
77946
77947 /* restart hardware */
77948 - if (local->open_count) {
77949 + if (local_read(&local->open_count)) {
77950 /*
77951 * Upon resume hardware can sometimes be goofy due to
77952 * various platform / driver / bus issues, so restarting
77953 diff -urNp linux-2.6.39.3/net/netfilter/ipvs/ip_vs_conn.c linux-2.6.39.3/net/netfilter/ipvs/ip_vs_conn.c
77954 --- linux-2.6.39.3/net/netfilter/ipvs/ip_vs_conn.c 2011-07-09 09:18:51.000000000 -0400
77955 +++ linux-2.6.39.3/net/netfilter/ipvs/ip_vs_conn.c 2011-07-09 09:19:27.000000000 -0400
77956 @@ -556,7 +556,7 @@ ip_vs_bind_dest(struct ip_vs_conn *cp, s
77957 /* Increase the refcnt counter of the dest */
77958 atomic_inc(&dest->refcnt);
77959
77960 - conn_flags = atomic_read(&dest->conn_flags);
77961 + conn_flags = atomic_read_unchecked(&dest->conn_flags);
77962 if (cp->protocol != IPPROTO_UDP)
77963 conn_flags &= ~IP_VS_CONN_F_ONE_PACKET;
77964 /* Bind with the destination and its corresponding transmitter */
77965 @@ -869,7 +869,7 @@ ip_vs_conn_new(const struct ip_vs_conn_p
77966 atomic_set(&cp->refcnt, 1);
77967
77968 atomic_set(&cp->n_control, 0);
77969 - atomic_set(&cp->in_pkts, 0);
77970 + atomic_set_unchecked(&cp->in_pkts, 0);
77971
77972 atomic_inc(&ipvs->conn_count);
77973 if (flags & IP_VS_CONN_F_NO_CPORT)
77974 @@ -1149,7 +1149,7 @@ static inline int todrop_entry(struct ip
77975
77976 /* Don't drop the entry if its number of incoming packets is not
77977 located in [0, 8] */
77978 - i = atomic_read(&cp->in_pkts);
77979 + i = atomic_read_unchecked(&cp->in_pkts);
77980 if (i > 8 || i < 0) return 0;
77981
77982 if (!todrop_rate[i]) return 0;
77983 diff -urNp linux-2.6.39.3/net/netfilter/ipvs/ip_vs_core.c linux-2.6.39.3/net/netfilter/ipvs/ip_vs_core.c
77984 --- linux-2.6.39.3/net/netfilter/ipvs/ip_vs_core.c 2011-07-09 09:18:51.000000000 -0400
77985 +++ linux-2.6.39.3/net/netfilter/ipvs/ip_vs_core.c 2011-07-09 09:19:27.000000000 -0400
77986 @@ -563,7 +563,7 @@ int ip_vs_leave(struct ip_vs_service *sv
77987 ret = cp->packet_xmit(skb, cp, pd->pp);
77988 /* do not touch skb anymore */
77989
77990 - atomic_inc(&cp->in_pkts);
77991 + atomic_inc_unchecked(&cp->in_pkts);
77992 ip_vs_conn_put(cp);
77993 return ret;
77994 }
77995 @@ -1633,7 +1633,7 @@ ip_vs_in(unsigned int hooknum, struct sk
77996 if (cp->flags & IP_VS_CONN_F_ONE_PACKET)
77997 pkts = sysctl_sync_threshold(ipvs);
77998 else
77999 - pkts = atomic_add_return(1, &cp->in_pkts);
78000 + pkts = atomic_add_return_unchecked(1, &cp->in_pkts);
78001
78002 if ((ipvs->sync_state & IP_VS_STATE_MASTER) &&
78003 cp->protocol == IPPROTO_SCTP) {
78004 diff -urNp linux-2.6.39.3/net/netfilter/ipvs/ip_vs_ctl.c linux-2.6.39.3/net/netfilter/ipvs/ip_vs_ctl.c
78005 --- linux-2.6.39.3/net/netfilter/ipvs/ip_vs_ctl.c 2011-05-19 00:06:34.000000000 -0400
78006 +++ linux-2.6.39.3/net/netfilter/ipvs/ip_vs_ctl.c 2011-05-22 19:36:34.000000000 -0400
78007 @@ -782,7 +782,7 @@ __ip_vs_update_dest(struct ip_vs_service
78008 ip_vs_rs_hash(ipvs, dest);
78009 write_unlock_bh(&ipvs->rs_lock);
78010 }
78011 - atomic_set(&dest->conn_flags, conn_flags);
78012 + atomic_set_unchecked(&dest->conn_flags, conn_flags);
78013
78014 /* bind the service */
78015 if (!dest->svc) {
78016 @@ -2027,7 +2027,7 @@ static int ip_vs_info_seq_show(struct se
78017 " %-7s %-6d %-10d %-10d\n",
78018 &dest->addr.in6,
78019 ntohs(dest->port),
78020 - ip_vs_fwd_name(atomic_read(&dest->conn_flags)),
78021 + ip_vs_fwd_name(atomic_read_unchecked(&dest->conn_flags)),
78022 atomic_read(&dest->weight),
78023 atomic_read(&dest->activeconns),
78024 atomic_read(&dest->inactconns));
78025 @@ -2038,7 +2038,7 @@ static int ip_vs_info_seq_show(struct se
78026 "%-7s %-6d %-10d %-10d\n",
78027 ntohl(dest->addr.ip),
78028 ntohs(dest->port),
78029 - ip_vs_fwd_name(atomic_read(&dest->conn_flags)),
78030 + ip_vs_fwd_name(atomic_read_unchecked(&dest->conn_flags)),
78031 atomic_read(&dest->weight),
78032 atomic_read(&dest->activeconns),
78033 atomic_read(&dest->inactconns));
78034 @@ -2287,6 +2287,8 @@ do_ip_vs_set_ctl(struct sock *sk, int cm
78035 struct ip_vs_dest_user *udest_compat;
78036 struct ip_vs_dest_user_kern udest;
78037
78038 + pax_track_stack();
78039 +
78040 if (!capable(CAP_NET_ADMIN))
78041 return -EPERM;
78042
78043 @@ -2501,7 +2503,7 @@ __ip_vs_get_dest_entries(struct net *net
78044
78045 entry.addr = dest->addr.ip;
78046 entry.port = dest->port;
78047 - entry.conn_flags = atomic_read(&dest->conn_flags);
78048 + entry.conn_flags = atomic_read_unchecked(&dest->conn_flags);
78049 entry.weight = atomic_read(&dest->weight);
78050 entry.u_threshold = dest->u_threshold;
78051 entry.l_threshold = dest->l_threshold;
78052 @@ -3029,7 +3031,7 @@ static int ip_vs_genl_fill_dest(struct s
78053 NLA_PUT_U16(skb, IPVS_DEST_ATTR_PORT, dest->port);
78054
78055 NLA_PUT_U32(skb, IPVS_DEST_ATTR_FWD_METHOD,
78056 - atomic_read(&dest->conn_flags) & IP_VS_CONN_F_FWD_MASK);
78057 + atomic_read_unchecked(&dest->conn_flags) & IP_VS_CONN_F_FWD_MASK);
78058 NLA_PUT_U32(skb, IPVS_DEST_ATTR_WEIGHT, atomic_read(&dest->weight));
78059 NLA_PUT_U32(skb, IPVS_DEST_ATTR_U_THRESH, dest->u_threshold);
78060 NLA_PUT_U32(skb, IPVS_DEST_ATTR_L_THRESH, dest->l_threshold);
78061 diff -urNp linux-2.6.39.3/net/netfilter/ipvs/ip_vs_sync.c linux-2.6.39.3/net/netfilter/ipvs/ip_vs_sync.c
78062 --- linux-2.6.39.3/net/netfilter/ipvs/ip_vs_sync.c 2011-05-19 00:06:34.000000000 -0400
78063 +++ linux-2.6.39.3/net/netfilter/ipvs/ip_vs_sync.c 2011-05-22 19:36:34.000000000 -0400
78064 @@ -648,7 +648,7 @@ control:
78065 * i.e only increment in_pkts for Templates.
78066 */
78067 if (cp->flags & IP_VS_CONN_F_TEMPLATE) {
78068 - int pkts = atomic_add_return(1, &cp->in_pkts);
78069 + int pkts = atomic_add_return_unchecked(1, &cp->in_pkts);
78070
78071 if (pkts % sysctl_sync_period(ipvs) != 1)
78072 return;
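Review bot: With `atomic_add_return_unchecked` the `in_pkts` counter is explicitly allowed to wrap, and `pkts` is a signed `int`, so after a wrap `pkts % sysctl_sync_period(ipvs)` is zero or negative and the `!= 1` test returns early on every packet until the counter is positive again. That may be acceptable for a template connection, but it is not stated anywhere in the hunk. I would either take the remainder on an unsigned copy, `(unsigned int)pkts % sysctl_sync_period(ipvs) != 1`, or add a comment that the gap after wraparound is intended. The enclosing function starts outside the hunk, so whether the period can be zero is not visible here.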
78073 @@ -794,7 +794,7 @@ static void ip_vs_proc_conn(struct net *
78074
78075 if (opt)
78076 memcpy(&cp->in_seq, opt, sizeof(*opt));
78077 - atomic_set(&cp->in_pkts, sysctl_sync_threshold(ipvs));
78078 + atomic_set_unchecked(&cp->in_pkts, sysctl_sync_threshold(ipvs));
78079 cp->state = state;
78080 cp->old_state = cp->state;
78081 /*
78082 diff -urNp linux-2.6.39.3/net/netfilter/ipvs/ip_vs_xmit.c linux-2.6.39.3/net/netfilter/ipvs/ip_vs_xmit.c
78083 --- linux-2.6.39.3/net/netfilter/ipvs/ip_vs_xmit.c 2011-05-19 00:06:34.000000000 -0400
78084 +++ linux-2.6.39.3/net/netfilter/ipvs/ip_vs_xmit.c 2011-05-22 19:36:34.000000000 -0400
78085 @@ -1127,7 +1127,7 @@ ip_vs_icmp_xmit(struct sk_buff *skb, str
78086 else
78087 rc = NF_ACCEPT;
78088 /* do not touch skb anymore */
78089 - atomic_inc(&cp->in_pkts);
78090 + atomic_inc_unchecked(&cp->in_pkts);
78091 goto out;
78092 }
78093
78094 @@ -1245,7 +1245,7 @@ ip_vs_icmp_xmit_v6(struct sk_buff *skb,
78095 else
78096 rc = NF_ACCEPT;
78097 /* do not touch skb anymore */
78098 - atomic_inc(&cp->in_pkts);
78099 + atomic_inc_unchecked(&cp->in_pkts);
78100 goto out;
78101 }
78102
78103 diff -urNp linux-2.6.39.3/net/netfilter/Kconfig linux-2.6.39.3/net/netfilter/Kconfig
78104 --- linux-2.6.39.3/net/netfilter/Kconfig 2011-05-19 00:06:34.000000000 -0400
78105 +++ linux-2.6.39.3/net/netfilter/Kconfig 2011-05-22 19:41:42.000000000 -0400
78106 @@ -781,6 +781,16 @@ config NETFILTER_XT_MATCH_ESP
78107
78108 To compile it as a module, choose M here. If unsure, say N.
78109
78110 +config NETFILTER_XT_MATCH_GRADM
78111 + tristate '"gradm" match support'
78112 + depends on NETFILTER_XTABLES && NETFILTER_ADVANCED
78113 + depends on GRKERNSEC && !GRKERNSEC_NO_RBAC
78114 + ---help---
78115 + The gradm match allows to match on grsecurity RBAC being enabled.
78116 + It is useful when iptables rules are applied early on bootup to
78117 + prevent connections to the machine (except from a trusted host)
78118 + while the RBAC system is disabled.
78119 +
78120 config NETFILTER_XT_MATCH_HASHLIMIT
78121 tristate '"hashlimit" match support'
78122 depends on (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n)
78123 diff -urNp linux-2.6.39.3/net/netfilter/Makefile linux-2.6.39.3/net/netfilter/Makefile
78124 --- linux-2.6.39.3/net/netfilter/Makefile 2011-05-19 00:06:34.000000000 -0400
78125 +++ linux-2.6.39.3/net/netfilter/Makefile 2011-05-22 20:40:16.000000000 -0400
78126 @@ -81,6 +81,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_DCCP) +=
78127 obj-$(CONFIG_NETFILTER_XT_MATCH_DEVGROUP) += xt_devgroup.o
78128 obj-$(CONFIG_NETFILTER_XT_MATCH_DSCP) += xt_dscp.o
78129 obj-$(CONFIG_NETFILTER_XT_MATCH_ESP) += xt_esp.o
78130 +obj-$(CONFIG_NETFILTER_XT_MATCH_GRADM) += xt_gradm.o
78131 obj-$(CONFIG_NETFILTER_XT_MATCH_HASHLIMIT) += xt_hashlimit.o
78132 obj-$(CONFIG_NETFILTER_XT_MATCH_HELPER) += xt_helper.o
78133 obj-$(CONFIG_NETFILTER_XT_MATCH_HL) += xt_hl.o
78134 diff -urNp linux-2.6.39.3/net/netfilter/nfnetlink_log.c linux-2.6.39.3/net/netfilter/nfnetlink_log.c
78135 --- linux-2.6.39.3/net/netfilter/nfnetlink_log.c 2011-05-19 00:06:34.000000000 -0400
78136 +++ linux-2.6.39.3/net/netfilter/nfnetlink_log.c 2011-05-22 19:36:35.000000000 -0400
78137 @@ -70,7 +70,7 @@ struct nfulnl_instance {
78138 };
78139
78140 static DEFINE_SPINLOCK(instances_lock);
78141 -static atomic_t global_seq;
78142 +static atomic_unchecked_t global_seq;
78143
78144 #define INSTANCE_BUCKETS 16
78145 static struct hlist_head instance_table[INSTANCE_BUCKETS];
78146 @@ -506,7 +506,7 @@ __build_packet_message(struct nfulnl_ins
78147 /* global sequence number */
78148 if (inst->flags & NFULNL_CFG_F_SEQ_GLOBAL)
78149 NLA_PUT_BE32(inst->skb, NFULA_SEQ_GLOBAL,
78150 - htonl(atomic_inc_return(&global_seq)));
78151 + htonl(atomic_inc_return_unchecked(&global_seq)));
78152
78153 if (data_len) {
78154 struct nlattr *nla;
78155 diff -urNp linux-2.6.39.3/net/netfilter/nfnetlink_queue.c linux-2.6.39.3/net/netfilter/nfnetlink_queue.c
78156 --- linux-2.6.39.3/net/netfilter/nfnetlink_queue.c 2011-05-19 00:06:34.000000000 -0400
78157 +++ linux-2.6.39.3/net/netfilter/nfnetlink_queue.c 2011-05-22 19:36:35.000000000 -0400
78158 @@ -58,7 +58,7 @@ struct nfqnl_instance {
78159 */
78160 spinlock_t lock;
78161 unsigned int queue_total;
78162 - atomic_t id_sequence; /* 'sequence' of pkt ids */
78163 + atomic_unchecked_t id_sequence; /* 'sequence' of pkt ids */
78164 struct list_head queue_list; /* packets in queue */
78165 };
78166
78167 @@ -272,7 +272,7 @@ nfqnl_build_packet_message(struct nfqnl_
78168 nfmsg->version = NFNETLINK_V0;
78169 nfmsg->res_id = htons(queue->queue_num);
78170
78171 - entry->id = atomic_inc_return(&queue->id_sequence);
78172 + entry->id = atomic_inc_return_unchecked(&queue->id_sequence);
78173 pmsg.packet_id = htonl(entry->id);
78174 pmsg.hw_protocol = entskb->protocol;
78175 pmsg.hook = entry->hook;
78176 @@ -869,7 +869,7 @@ static int seq_show(struct seq_file *s,
78177 inst->peer_pid, inst->queue_total,
78178 inst->copy_mode, inst->copy_range,
78179 inst->queue_dropped, inst->queue_user_dropped,
78180 - atomic_read(&inst->id_sequence), 1);
78181 + atomic_read_unchecked(&inst->id_sequence), 1);
78182 }
78183
78184 static const struct seq_operations nfqnl_seq_ops = {
78185 diff -urNp linux-2.6.39.3/net/netfilter/xt_gradm.c linux-2.6.39.3/net/netfilter/xt_gradm.c
78186 --- linux-2.6.39.3/net/netfilter/xt_gradm.c 1969-12-31 19:00:00.000000000 -0500
78187 +++ linux-2.6.39.3/net/netfilter/xt_gradm.c 2011-05-22 19:41:42.000000000 -0400
78188 @@ -0,0 +1,51 @@
78189 +/*
78190 + * gradm match for netfilter
78191 + * Copyright © Zbigniew Krzystolik, 2010
78192 + *
78193 + * This program is free software; you can redistribute it and/or modify
78194 + * it under the terms of the GNU General Public License; either version
78195 + * 2 or 3 as published by the Free Software Foundation.
78196 + */
78197 +#include <linux/module.h>
78198 +#include <linux/moduleparam.h>
78199 +#include <linux/skbuff.h>
78200 +#include <linux/netfilter/x_tables.h>
78201 +#include <linux/grsecurity.h>
78202 +#include <linux/netfilter/xt_gradm.h>
78203 +
78204 +static bool
78205 +gradm_mt(const struct sk_buff *skb, struct xt_action_param *par)
78206 +{
78207 + const struct xt_gradm_mtinfo *info = par->matchinfo;
78208 + bool retval = false;
78209 + if (gr_acl_is_enabled())
78210 + retval = true;
78211 + return retval ^ info->invflags;
78212 +}
78213 +
78214 +static struct xt_match gradm_mt_reg __read_mostly = {
78215 + .name = "gradm",
78216 + .revision = 0,
78217 + .family = NFPROTO_UNSPEC,
78218 + .match = gradm_mt,
78219 + .matchsize = XT_ALIGN(sizeof(struct xt_gradm_mtinfo)),
78220 + .me = THIS_MODULE,
78221 +};
78222 +
78223 +static int __init gradm_mt_init(void)
78224 +{
78225 + return xt_register_match(&gradm_mt_reg);
78226 +}
78227 +
78228 +static void __exit gradm_mt_exit(void)
78229 +{
78230 + xt_unregister_match(&gradm_mt_reg);
78231 +}
78232 +
78233 +module_init(gradm_mt_init);
78234 +module_exit(gradm_mt_exit);
78235 +MODULE_AUTHOR("Zbigniew Krzystolik <zbyniu@destrukcja.pl>");
78236 +MODULE_DESCRIPTION("Xtables: Grsecurity RBAC match");
78237 +MODULE_LICENSE("GPL");
78238 +MODULE_ALIAS("ipt_gradm");
78239 +MODULE_ALIAS("ip6t_gradm");
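Review bot: `gradm_mt` returns `retval ^ info->invflags`, so if `invflags` carries any bit other than bit 0 the result converts to true whether or not RBAC is enabled, and `gradm_mt_reg` has no `.checkentry` to reject such a value coming from userspace. Normalising the flag, `return retval ^ !!info->invflags;`, or validating it in a checkentry callback would keep the match a strict on/off test. The layout of `struct xt_gradm_mtinfo` comes from linux/netfilter/xt_gradm.h, which is not in this hunk, so the width of `invflags` is assumed here. The function also lacks a comment saying that it ignores `skb`; `/* matches on RBAC state only; the packet is not inspected */` above it would help rule authors.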
78240 diff -urNp linux-2.6.39.3/net/netfilter/xt_statistic.c linux-2.6.39.3/net/netfilter/xt_statistic.c
78241 --- linux-2.6.39.3/net/netfilter/xt_statistic.c 2011-05-19 00:06:34.000000000 -0400
78242 +++ linux-2.6.39.3/net/netfilter/xt_statistic.c 2011-05-22 19:36:35.000000000 -0400
78243 @@ -18,7 +18,7 @@
78244 #include <linux/netfilter/x_tables.h>
78245
78246 struct xt_statistic_priv {
78247 - atomic_t count;
78248 + atomic_unchecked_t count;
78249 } ____cacheline_aligned_in_smp;
78250
78251 MODULE_LICENSE("GPL");
78252 @@ -41,9 +41,9 @@ statistic_mt(const struct sk_buff *skb,
78253 break;
78254 case XT_STATISTIC_MODE_NTH:
78255 do {
78256 - oval = atomic_read(&info->master->count);
78257 + oval = atomic_read_unchecked(&info->master->count);
78258 nval = (oval == info->u.nth.every) ? 0 : oval + 1;
78259 - } while (atomic_cmpxchg(&info->master->count, oval, nval) != oval);
78260 + } while (atomic_cmpxchg_unchecked(&info->master->count, oval, nval) != oval);
78261 if (nval == 0)
78262 ret = !ret;
78263 break;
78264 @@ -63,7 +63,7 @@ static int statistic_mt_check(const stru
78265 info->master = kzalloc(sizeof(*info->master), GFP_KERNEL);
78266 if (info->master == NULL)
78267 return -ENOMEM;
78268 - atomic_set(&info->master->count, info->u.nth.count);
78269 + atomic_set_unchecked(&info->master->count, info->u.nth.count);
78270
78271 return 0;
78272 }
78273 diff -urNp linux-2.6.39.3/net/netlink/af_netlink.c linux-2.6.39.3/net/netlink/af_netlink.c
78274 --- linux-2.6.39.3/net/netlink/af_netlink.c 2011-05-19 00:06:34.000000000 -0400
78275 +++ linux-2.6.39.3/net/netlink/af_netlink.c 2011-05-22 19:41:42.000000000 -0400
78276 @@ -742,7 +742,7 @@ static void netlink_overrun(struct sock
78277 sk->sk_error_report(sk);
78278 }
78279 }
78280 - atomic_inc(&sk->sk_drops);
78281 + atomic_inc_unchecked(&sk->sk_drops);
78282 }
78283
78284 static struct sock *netlink_getsockbypid(struct sock *ssk, u32 pid)
78285 @@ -1992,15 +1992,23 @@ static int netlink_seq_show(struct seq_f
78286 struct netlink_sock *nlk = nlk_sk(s);
78287
78288 seq_printf(seq, "%p %-3d %-6d %08x %-8d %-8d %p %-8d %-8d %-8lu\n",
78289 +#ifdef CONFIG_GRKERNSEC_HIDESYM
78290 + NULL,
78291 +#else
78292 s,
78293 +#endif
78294 s->sk_protocol,
78295 nlk->pid,
78296 nlk->groups ? (u32)nlk->groups[0] : 0,
78297 sk_rmem_alloc_get(s),
78298 sk_wmem_alloc_get(s),
78299 +#ifdef CONFIG_GRKERNSEC_HIDESYM
78300 + NULL,
78301 +#else
78302 nlk->cb,
78303 +#endif
78304 atomic_read(&s->sk_refcnt),
78305 - atomic_read(&s->sk_drops),
78306 + atomic_read_unchecked(&s->sk_drops),
78307 sock_i_ino(s)
78308 );
78309
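Review bot: The `#ifdef CONFIG_GRKERNSEC_HIDESYM` / `NULL` / `#else` block is open-coded once per pointer inside the `seq_printf` argument list, which makes it easy to miss a `%p` argument when the format string changes. A single helper that yields its argument or `NULL` depending on the config option would keep each call site to one line and the policy in one place. The same pattern recurs in this chunk in packet_seq_show, pn_sock_seq_show, sctp_eps_seq_show and sctp_assocs_seq_show. Under HIDESYM the `%p` columns no longer carry an address, which deserves a one-line comment for anyone parsing these /proc files.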
78310 diff -urNp linux-2.6.39.3/net/netrom/af_netrom.c linux-2.6.39.3/net/netrom/af_netrom.c
78311 --- linux-2.6.39.3/net/netrom/af_netrom.c 2011-05-19 00:06:34.000000000 -0400
78312 +++ linux-2.6.39.3/net/netrom/af_netrom.c 2011-05-22 19:41:42.000000000 -0400
78313 @@ -840,6 +840,7 @@ static int nr_getname(struct socket *soc
78314 struct sock *sk = sock->sk;
78315 struct nr_sock *nr = nr_sk(sk);
78316
78317 + memset(sax, 0, sizeof(*sax));
78318 lock_sock(sk);
78319 if (peer != 0) {
78320 if (sk->sk_state != TCP_ESTABLISHED) {
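Review bot: The new `memset(sax, 0, sizeof(*sax));` has no comment explaining that it exists so that padding and unused fields of the address structure are never handed back to the caller uninitialised. Something like `/* zero the whole sockaddr: only some fields are set below, the rest must not leak stale kernel memory */` above it would stop a later cleanup from removing it as redundant. `sax` is declared outside this hunk, so this assumes it points at a buffer at least `sizeof(*sax)` bytes long in both the peer and non-peer branches. The second hunk in this file drops the now-redundant `sax25_ndigis = 0`.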
78321 @@ -854,7 +855,6 @@ static int nr_getname(struct socket *soc
78322 *uaddr_len = sizeof(struct full_sockaddr_ax25);
78323 } else {
78324 sax->fsa_ax25.sax25_family = AF_NETROM;
78325 - sax->fsa_ax25.sax25_ndigis = 0;
78326 sax->fsa_ax25.sax25_call = nr->source_addr;
78327 *uaddr_len = sizeof(struct sockaddr_ax25);
78328 }
78329 diff -urNp linux-2.6.39.3/net/packet/af_packet.c linux-2.6.39.3/net/packet/af_packet.c
78330 --- linux-2.6.39.3/net/packet/af_packet.c 2011-07-09 09:18:51.000000000 -0400
78331 +++ linux-2.6.39.3/net/packet/af_packet.c 2011-07-09 09:19:27.000000000 -0400
78332 @@ -647,14 +647,14 @@ static int packet_rcv(struct sk_buff *sk
78333
78334 spin_lock(&sk->sk_receive_queue.lock);
78335 po->stats.tp_packets++;
78336 - skb->dropcount = atomic_read(&sk->sk_drops);
78337 + skb->dropcount = atomic_read_unchecked(&sk->sk_drops);
78338 __skb_queue_tail(&sk->sk_receive_queue, skb);
78339 spin_unlock(&sk->sk_receive_queue.lock);
78340 sk->sk_data_ready(sk, skb->len);
78341 return 0;
78342
78343 drop_n_acct:
78344 - po->stats.tp_drops = atomic_inc_return(&sk->sk_drops);
78345 + po->stats.tp_drops = atomic_inc_return_unchecked(&sk->sk_drops);
78346
78347 drop_n_restore:
78348 if (skb_head != skb->data && skb_shared(skb)) {
78349 @@ -2159,7 +2159,7 @@ static int packet_getsockopt(struct sock
78350 case PACKET_HDRLEN:
78351 if (len > sizeof(int))
78352 len = sizeof(int);
78353 - if (copy_from_user(&val, optval, len))
78354 + if (len > sizeof(val) || copy_from_user(&val, optval, len))
78355 return -EFAULT;
78356 switch (val) {
78357 case TPACKET_V1:
78358 @@ -2197,7 +2197,7 @@ static int packet_getsockopt(struct sock
78359
78360 if (put_user(len, optlen))
78361 return -EFAULT;
78362 - if (copy_to_user(optval, data, len))
78363 + if (len > sizeof(st) || copy_to_user(optval, data, len))
78364 return -EFAULT;
78365 return 0;
78366 }
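Review bot: The added `len > sizeof(st)` test bounds the copy by the largest local object rather than by the object `data` actually points at. The `switch` that sets `data` is outside this hunk, but if some cases point it at the `int` `val`, a `len` between `sizeof(int)` and `sizeof(st)` still passes this check and relies entirely on each case having clamped `len`. Recording the source size next to `data` in each case and comparing `len` against that would make the guard exact. The check also runs after `put_user(len, optlen)` and reports an oversized length as `-EFAULT`, so the caller's `optlen` has already been rewritten when it fires; moving it ahead of `put_user` and returning `-EINVAL` would be cleaner. In the PACKET_HDRLEN hunk above, `len > sizeof(val)` follows a clamp to `sizeof(int)` and looks unreachable if `val` is an `int`.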
78367 @@ -2709,7 +2709,11 @@ static int packet_seq_show(struct seq_fi
78368
78369 seq_printf(seq,
78370 "%p %-6d %-4d %04x %-5d %1d %-6u %-6u %-6lu\n",
78371 +#ifdef CONFIG_GRKERNSEC_HIDESYM
78372 + NULL,
78373 +#else
78374 s,
78375 +#endif
78376 atomic_read(&s->sk_refcnt),
78377 s->sk_type,
78378 ntohs(po->num),
78379 diff -urNp linux-2.6.39.3/net/phonet/af_phonet.c linux-2.6.39.3/net/phonet/af_phonet.c
78380 --- linux-2.6.39.3/net/phonet/af_phonet.c 2011-05-19 00:06:34.000000000 -0400
78381 +++ linux-2.6.39.3/net/phonet/af_phonet.c 2011-05-22 19:41:42.000000000 -0400
78382 @@ -41,7 +41,7 @@ static struct phonet_protocol *phonet_pr
78383 {
78384 struct phonet_protocol *pp;
78385
78386 - if (protocol >= PHONET_NPROTO)
78387 + if (protocol < 0 || protocol >= PHONET_NPROTO)
78388 return NULL;
78389
78390 rcu_read_lock();
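Review bot: The lower-bound check `protocol < 0` is added separately here and in phonet_proto_register (third hunk of this file), so any other function that indexes the protocol table has to repeat it by hand. Folding the range test into one small static helper, or taking the protocol number as an unsigned type, would leave a single place to get right. Functions outside these hunks that index the table should be checked for the same gap. The signature is truncated in the hunk header, so this assumes `protocol` is a signed `int`.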
78391 @@ -149,7 +149,7 @@ static int pn_header_parse(const struct
78392 return 1;
78393 }
78394
78395 -struct header_ops phonet_header_ops = {
78396 +const struct header_ops phonet_header_ops = {
78397 .create = pn_header_create,
78398 .parse = pn_header_parse,
78399 };
78400 @@ -469,7 +469,7 @@ int __init_or_module phonet_proto_regist
78401 {
78402 int err = 0;
78403
78404 - if (protocol >= PHONET_NPROTO)
78405 + if (protocol < 0 || protocol >= PHONET_NPROTO)
78406 return -EINVAL;
78407
78408 err = proto_register(pp->prot, 1);
78409 diff -urNp linux-2.6.39.3/net/phonet/pep.c linux-2.6.39.3/net/phonet/pep.c
78410 --- linux-2.6.39.3/net/phonet/pep.c 2011-05-19 00:06:34.000000000 -0400
78411 +++ linux-2.6.39.3/net/phonet/pep.c 2011-05-22 19:36:35.000000000 -0400
78412 @@ -387,7 +387,7 @@ static int pipe_do_rcv(struct sock *sk,
78413
78414 case PNS_PEP_CTRL_REQ:
78415 if (skb_queue_len(&pn->ctrlreq_queue) >= PNPIPE_CTRLREQ_MAX) {
78416 - atomic_inc(&sk->sk_drops);
78417 + atomic_inc_unchecked(&sk->sk_drops);
78418 break;
78419 }
78420 __skb_pull(skb, 4);
78421 @@ -408,7 +408,7 @@ static int pipe_do_rcv(struct sock *sk,
78422 }
78423
78424 if (pn->rx_credits == 0) {
78425 - atomic_inc(&sk->sk_drops);
78426 + atomic_inc_unchecked(&sk->sk_drops);
78427 err = -ENOBUFS;
78428 break;
78429 }
78430 @@ -556,7 +556,7 @@ static int pipe_handler_do_rcv(struct so
78431 }
78432
78433 if (pn->rx_credits == 0) {
78434 - atomic_inc(&sk->sk_drops);
78435 + atomic_inc_unchecked(&sk->sk_drops);
78436 err = NET_RX_DROP;
78437 break;
78438 }
78439 diff -urNp linux-2.6.39.3/net/phonet/socket.c linux-2.6.39.3/net/phonet/socket.c
78440 --- linux-2.6.39.3/net/phonet/socket.c 2011-05-19 00:06:34.000000000 -0400
78441 +++ linux-2.6.39.3/net/phonet/socket.c 2011-05-22 20:39:26.000000000 -0400
78442 @@ -613,8 +613,13 @@ static int pn_sock_seq_show(struct seq_f
78443 pn->resource, sk->sk_state,
78444 sk_wmem_alloc_get(sk), sk_rmem_alloc_get(sk),
78445 sock_i_uid(sk), sock_i_ino(sk),
78446 - atomic_read(&sk->sk_refcnt), sk,
78447 - atomic_read(&sk->sk_drops), &len);
78448 + atomic_read(&sk->sk_refcnt),
78449 +#ifdef CONFIG_GRKERNSEC_HIDESYM
78450 + NULL,
78451 +#else
78452 + sk,
78453 +#endif
78454 + atomic_read_unchecked(&sk->sk_drops), &len);
78455 }
78456 seq_printf(seq, "%*s\n", 127 - len, "");
78457 return 0;
78458 diff -urNp linux-2.6.39.3/net/rds/cong.c linux-2.6.39.3/net/rds/cong.c
78459 --- linux-2.6.39.3/net/rds/cong.c 2011-05-19 00:06:34.000000000 -0400
78460 +++ linux-2.6.39.3/net/rds/cong.c 2011-05-22 19:36:35.000000000 -0400
78461 @@ -77,7 +77,7 @@
78462 * finds that the saved generation number is smaller than the global generation
78463 * number, it wakes up the process.
78464 */
78465 -static atomic_t rds_cong_generation = ATOMIC_INIT(0);
78466 +static atomic_unchecked_t rds_cong_generation = ATOMIC_INIT(0);
78467
78468 /*
78469 * Congestion monitoring
78470 @@ -232,7 +232,7 @@ void rds_cong_map_updated(struct rds_con
78471 rdsdebug("waking map %p for %pI4\n",
78472 map, &map->m_addr);
78473 rds_stats_inc(s_cong_update_received);
78474 - atomic_inc(&rds_cong_generation);
78475 + atomic_inc_unchecked(&rds_cong_generation);
78476 if (waitqueue_active(&map->m_waitq))
78477 wake_up(&map->m_waitq);
78478 if (waitqueue_active(&rds_poll_waitq))
78479 @@ -258,7 +258,7 @@ EXPORT_SYMBOL_GPL(rds_cong_map_updated);
78480
78481 int rds_cong_updated_since(unsigned long *recent)
78482 {
78483 - unsigned long gen = atomic_read(&rds_cong_generation);
78484 + unsigned long gen = atomic_read_unchecked(&rds_cong_generation);
78485
78486 if (likely(*recent == gen))
78487 return 0;
78488 diff -urNp linux-2.6.39.3/net/rds/ib_cm.c linux-2.6.39.3/net/rds/ib_cm.c
78489 --- linux-2.6.39.3/net/rds/ib_cm.c 2011-05-19 00:06:34.000000000 -0400
78490 +++ linux-2.6.39.3/net/rds/ib_cm.c 2011-05-22 19:36:35.000000000 -0400
78491 @@ -720,7 +720,7 @@ void rds_ib_conn_shutdown(struct rds_con
78492 /* Clear the ACK state */
78493 clear_bit(IB_ACK_IN_FLIGHT, &ic->i_ack_flags);
78494 #ifdef KERNEL_HAS_ATOMIC64
78495 - atomic64_set(&ic->i_ack_next, 0);
78496 + atomic64_set_unchecked(&ic->i_ack_next, 0);
78497 #else
78498 ic->i_ack_next = 0;
78499 #endif
78500 diff -urNp linux-2.6.39.3/net/rds/ib.h linux-2.6.39.3/net/rds/ib.h
78501 --- linux-2.6.39.3/net/rds/ib.h 2011-05-19 00:06:34.000000000 -0400
78502 +++ linux-2.6.39.3/net/rds/ib.h 2011-05-22 19:36:35.000000000 -0400
78503 @@ -127,7 +127,7 @@ struct rds_ib_connection {
78504 /* sending acks */
78505 unsigned long i_ack_flags;
78506 #ifdef KERNEL_HAS_ATOMIC64
78507 - atomic64_t i_ack_next; /* next ACK to send */
78508 + atomic64_unchecked_t i_ack_next; /* next ACK to send */
78509 #else
78510 spinlock_t i_ack_lock; /* protect i_ack_next */
78511 u64 i_ack_next; /* next ACK to send */
78512 diff -urNp linux-2.6.39.3/net/rds/ib_recv.c linux-2.6.39.3/net/rds/ib_recv.c
78513 --- linux-2.6.39.3/net/rds/ib_recv.c 2011-05-19 00:06:34.000000000 -0400
78514 +++ linux-2.6.39.3/net/rds/ib_recv.c 2011-05-22 19:36:35.000000000 -0400
78515 @@ -592,7 +592,7 @@ static u64 rds_ib_get_ack(struct rds_ib_
78516 static void rds_ib_set_ack(struct rds_ib_connection *ic, u64 seq,
78517 int ack_required)
78518 {
78519 - atomic64_set(&ic->i_ack_next, seq);
78520 + atomic64_set_unchecked(&ic->i_ack_next, seq);
78521 if (ack_required) {
78522 smp_mb__before_clear_bit();
78523 set_bit(IB_ACK_REQUESTED, &ic->i_ack_flags);
78524 @@ -604,7 +604,7 @@ static u64 rds_ib_get_ack(struct rds_ib_
78525 clear_bit(IB_ACK_REQUESTED, &ic->i_ack_flags);
78526 smp_mb__after_clear_bit();
78527
78528 - return atomic64_read(&ic->i_ack_next);
78529 + return atomic64_read_unchecked(&ic->i_ack_next);
78530 }
78531 #endif
78532
78533 diff -urNp linux-2.6.39.3/net/rds/iw_cm.c linux-2.6.39.3/net/rds/iw_cm.c
78534 --- linux-2.6.39.3/net/rds/iw_cm.c 2011-05-19 00:06:34.000000000 -0400
78535 +++ linux-2.6.39.3/net/rds/iw_cm.c 2011-05-22 19:36:35.000000000 -0400
78536 @@ -664,7 +664,7 @@ void rds_iw_conn_shutdown(struct rds_con
78537 /* Clear the ACK state */
78538 clear_bit(IB_ACK_IN_FLIGHT, &ic->i_ack_flags);
78539 #ifdef KERNEL_HAS_ATOMIC64
78540 - atomic64_set(&ic->i_ack_next, 0);
78541 + atomic64_set_unchecked(&ic->i_ack_next, 0);
78542 #else
78543 ic->i_ack_next = 0;
78544 #endif
78545 diff -urNp linux-2.6.39.3/net/rds/iw.h linux-2.6.39.3/net/rds/iw.h
78546 --- linux-2.6.39.3/net/rds/iw.h 2011-05-19 00:06:34.000000000 -0400
78547 +++ linux-2.6.39.3/net/rds/iw.h 2011-05-22 19:36:35.000000000 -0400
78548 @@ -133,7 +133,7 @@ struct rds_iw_connection {
78549 /* sending acks */
78550 unsigned long i_ack_flags;
78551 #ifdef KERNEL_HAS_ATOMIC64
78552 - atomic64_t i_ack_next; /* next ACK to send */
78553 + atomic64_unchecked_t i_ack_next; /* next ACK to send */
78554 #else
78555 spinlock_t i_ack_lock; /* protect i_ack_next */
78556 u64 i_ack_next; /* next ACK to send */
78557 diff -urNp linux-2.6.39.3/net/rds/iw_rdma.c linux-2.6.39.3/net/rds/iw_rdma.c
78558 --- linux-2.6.39.3/net/rds/iw_rdma.c 2011-05-19 00:06:34.000000000 -0400
78559 +++ linux-2.6.39.3/net/rds/iw_rdma.c 2011-05-22 19:36:35.000000000 -0400
78560 @@ -182,6 +182,8 @@ int rds_iw_update_cm_id(struct rds_iw_de
78561 struct rdma_cm_id *pcm_id;
78562 int rc;
78563
78564 + pax_track_stack();
78565 +
78566 src_addr = (struct sockaddr_in *)&cm_id->route.addr.src_addr;
78567 dst_addr = (struct sockaddr_in *)&cm_id->route.addr.dst_addr;
78568
78569 diff -urNp linux-2.6.39.3/net/rds/iw_recv.c linux-2.6.39.3/net/rds/iw_recv.c
78570 --- linux-2.6.39.3/net/rds/iw_recv.c 2011-05-19 00:06:34.000000000 -0400
78571 +++ linux-2.6.39.3/net/rds/iw_recv.c 2011-05-22 19:36:35.000000000 -0400
78572 @@ -427,7 +427,7 @@ static u64 rds_iw_get_ack(struct rds_iw_
78573 static void rds_iw_set_ack(struct rds_iw_connection *ic, u64 seq,
78574 int ack_required)
78575 {
78576 - atomic64_set(&ic->i_ack_next, seq);
78577 + atomic64_set_unchecked(&ic->i_ack_next, seq);
78578 if (ack_required) {
78579 smp_mb__before_clear_bit();
78580 set_bit(IB_ACK_REQUESTED, &ic->i_ack_flags);
78581 @@ -439,7 +439,7 @@ static u64 rds_iw_get_ack(struct rds_iw_
78582 clear_bit(IB_ACK_REQUESTED, &ic->i_ack_flags);
78583 smp_mb__after_clear_bit();
78584
78585 - return atomic64_read(&ic->i_ack_next);
78586 + return atomic64_read_unchecked(&ic->i_ack_next);
78587 }
78588 #endif
78589
78590 diff -urNp linux-2.6.39.3/net/rxrpc/af_rxrpc.c linux-2.6.39.3/net/rxrpc/af_rxrpc.c
78591 --- linux-2.6.39.3/net/rxrpc/af_rxrpc.c 2011-05-19 00:06:34.000000000 -0400
78592 +++ linux-2.6.39.3/net/rxrpc/af_rxrpc.c 2011-05-22 19:36:35.000000000 -0400
78593 @@ -39,7 +39,7 @@ static const struct proto_ops rxrpc_rpc_
78594 __be32 rxrpc_epoch;
78595
78596 /* current debugging ID */
78597 -atomic_t rxrpc_debug_id;
78598 +atomic_unchecked_t rxrpc_debug_id;
78599
78600 /* count of skbs currently in use */
78601 atomic_t rxrpc_n_skbs;
78602 diff -urNp linux-2.6.39.3/net/rxrpc/ar-ack.c linux-2.6.39.3/net/rxrpc/ar-ack.c
78603 --- linux-2.6.39.3/net/rxrpc/ar-ack.c 2011-05-19 00:06:34.000000000 -0400
78604 +++ linux-2.6.39.3/net/rxrpc/ar-ack.c 2011-05-22 19:36:35.000000000 -0400
78605 @@ -175,7 +175,7 @@ static void rxrpc_resend(struct rxrpc_ca
78606
78607 _enter("{%d,%d,%d,%d},",
78608 call->acks_hard, call->acks_unacked,
78609 - atomic_read(&call->sequence),
78610 + atomic_read_unchecked(&call->sequence),
78611 CIRC_CNT(call->acks_head, call->acks_tail, call->acks_winsz));
78612
78613 stop = 0;
78614 @@ -199,7 +199,7 @@ static void rxrpc_resend(struct rxrpc_ca
78615
78616 /* each Tx packet has a new serial number */
78617 sp->hdr.serial =
78618 - htonl(atomic_inc_return(&call->conn->serial));
78619 + htonl(atomic_inc_return_unchecked(&call->conn->serial));
78620
78621 hdr = (struct rxrpc_header *) txb->head;
78622 hdr->serial = sp->hdr.serial;
78623 @@ -405,7 +405,7 @@ static void rxrpc_rotate_tx_window(struc
78624 */
78625 static void rxrpc_clear_tx_window(struct rxrpc_call *call)
78626 {
78627 - rxrpc_rotate_tx_window(call, atomic_read(&call->sequence));
78628 + rxrpc_rotate_tx_window(call, atomic_read_unchecked(&call->sequence));
78629 }
78630
78631 /*
78632 @@ -631,7 +631,7 @@ process_further:
78633
78634 latest = ntohl(sp->hdr.serial);
78635 hard = ntohl(ack.firstPacket);
78636 - tx = atomic_read(&call->sequence);
78637 + tx = atomic_read_unchecked(&call->sequence);
78638
78639 _proto("Rx ACK %%%u { m=%hu f=#%u p=#%u s=%%%u r=%s n=%u }",
78640 latest,
78641 @@ -844,6 +844,8 @@ void rxrpc_process_call(struct work_stru
78642 u32 abort_code = RX_PROTOCOL_ERROR;
78643 u8 *acks = NULL;
78644
78645 + pax_track_stack();
78646 +
78647 //printk("\n--------------------\n");
78648 _enter("{%d,%s,%lx} [%lu]",
78649 call->debug_id, rxrpc_call_states[call->state], call->events,
78650 @@ -1163,7 +1165,7 @@ void rxrpc_process_call(struct work_stru
78651 goto maybe_reschedule;
78652
78653 send_ACK_with_skew:
78654 - ack.maxSkew = htons(atomic_read(&call->conn->hi_serial) -
78655 + ack.maxSkew = htons(atomic_read_unchecked(&call->conn->hi_serial) -
78656 ntohl(ack.serial));
78657 send_ACK:
78658 mtu = call->conn->trans->peer->if_mtu;
78659 @@ -1175,7 +1177,7 @@ send_ACK:
78660 ackinfo.rxMTU = htonl(5692);
78661 ackinfo.jumbo_max = htonl(4);
78662
78663 - hdr.serial = htonl(atomic_inc_return(&call->conn->serial));
78664 + hdr.serial = htonl(atomic_inc_return_unchecked(&call->conn->serial));
78665 _proto("Tx ACK %%%u { m=%hu f=#%u p=#%u s=%%%u r=%s n=%u }",
78666 ntohl(hdr.serial),
78667 ntohs(ack.maxSkew),
78668 @@ -1193,7 +1195,7 @@ send_ACK:
78669 send_message:
78670 _debug("send message");
78671
78672 - hdr.serial = htonl(atomic_inc_return(&call->conn->serial));
78673 + hdr.serial = htonl(atomic_inc_return_unchecked(&call->conn->serial));
78674 _proto("Tx %s %%%u", rxrpc_pkts[hdr.type], ntohl(hdr.serial));
78675 send_message_2:
78676
78677 diff -urNp linux-2.6.39.3/net/rxrpc/ar-call.c linux-2.6.39.3/net/rxrpc/ar-call.c
78678 --- linux-2.6.39.3/net/rxrpc/ar-call.c 2011-05-19 00:06:34.000000000 -0400
78679 +++ linux-2.6.39.3/net/rxrpc/ar-call.c 2011-05-22 19:36:35.000000000 -0400
78680 @@ -83,7 +83,7 @@ static struct rxrpc_call *rxrpc_alloc_ca
78681 spin_lock_init(&call->lock);
78682 rwlock_init(&call->state_lock);
78683 atomic_set(&call->usage, 1);
78684 - call->debug_id = atomic_inc_return(&rxrpc_debug_id);
78685 + call->debug_id = atomic_inc_return_unchecked(&rxrpc_debug_id);
78686 call->state = RXRPC_CALL_CLIENT_SEND_REQUEST;
78687
78688 memset(&call->sock_node, 0xed, sizeof(call->sock_node));
78689 diff -urNp linux-2.6.39.3/net/rxrpc/ar-connection.c linux-2.6.39.3/net/rxrpc/ar-connection.c
78690 --- linux-2.6.39.3/net/rxrpc/ar-connection.c 2011-05-19 00:06:34.000000000 -0400
78691 +++ linux-2.6.39.3/net/rxrpc/ar-connection.c 2011-05-22 19:36:35.000000000 -0400
78692 @@ -206,7 +206,7 @@ static struct rxrpc_connection *rxrpc_al
78693 rwlock_init(&conn->lock);
78694 spin_lock_init(&conn->state_lock);
78695 atomic_set(&conn->usage, 1);
78696 - conn->debug_id = atomic_inc_return(&rxrpc_debug_id);
78697 + conn->debug_id = atomic_inc_return_unchecked(&rxrpc_debug_id);
78698 conn->avail_calls = RXRPC_MAXCALLS;
78699 conn->size_align = 4;
78700 conn->header_size = sizeof(struct rxrpc_header);
78701 diff -urNp linux-2.6.39.3/net/rxrpc/ar-connevent.c linux-2.6.39.3/net/rxrpc/ar-connevent.c
78702 --- linux-2.6.39.3/net/rxrpc/ar-connevent.c 2011-05-19 00:06:34.000000000 -0400
78703 +++ linux-2.6.39.3/net/rxrpc/ar-connevent.c 2011-05-22 19:36:35.000000000 -0400
78704 @@ -109,7 +109,7 @@ static int rxrpc_abort_connection(struct
78705
78706 len = iov[0].iov_len + iov[1].iov_len;
78707
78708 - hdr.serial = htonl(atomic_inc_return(&conn->serial));
78709 + hdr.serial = htonl(atomic_inc_return_unchecked(&conn->serial));
78710 _proto("Tx CONN ABORT %%%u { %d }", ntohl(hdr.serial), abort_code);
78711
78712 ret = kernel_sendmsg(conn->trans->local->socket, &msg, iov, 2, len);
78713 diff -urNp linux-2.6.39.3/net/rxrpc/ar-input.c linux-2.6.39.3/net/rxrpc/ar-input.c
78714 --- linux-2.6.39.3/net/rxrpc/ar-input.c 2011-05-19 00:06:34.000000000 -0400
78715 +++ linux-2.6.39.3/net/rxrpc/ar-input.c 2011-05-22 19:36:35.000000000 -0400
78716 @@ -340,9 +340,9 @@ void rxrpc_fast_process_packet(struct rx
78717 /* track the latest serial number on this connection for ACK packet
78718 * information */
78719 serial = ntohl(sp->hdr.serial);
78720 - hi_serial = atomic_read(&call->conn->hi_serial);
78721 + hi_serial = atomic_read_unchecked(&call->conn->hi_serial);
78722 while (serial > hi_serial)
78723 - hi_serial = atomic_cmpxchg(&call->conn->hi_serial, hi_serial,
78724 + hi_serial = atomic_cmpxchg_unchecked(&call->conn->hi_serial, hi_serial,
78725 serial);
78726
78727 /* request ACK generation for any ACK or DATA packet that requests
78728 diff -urNp linux-2.6.39.3/net/rxrpc/ar-internal.h linux-2.6.39.3/net/rxrpc/ar-internal.h
78729 --- linux-2.6.39.3/net/rxrpc/ar-internal.h 2011-05-19 00:06:34.000000000 -0400
78730 +++ linux-2.6.39.3/net/rxrpc/ar-internal.h 2011-05-22 19:36:35.000000000 -0400
78731 @@ -272,8 +272,8 @@ struct rxrpc_connection {
78732 int error; /* error code for local abort */
78733 int debug_id; /* debug ID for printks */
78734 unsigned call_counter; /* call ID counter */
78735 - atomic_t serial; /* packet serial number counter */
78736 - atomic_t hi_serial; /* highest serial number received */
78737 + atomic_unchecked_t serial; /* packet serial number counter */
78738 + atomic_unchecked_t hi_serial; /* highest serial number received */
78739 u8 avail_calls; /* number of calls available */
78740 u8 size_align; /* data size alignment (for security) */
78741 u8 header_size; /* rxrpc + security header size */
78742 @@ -346,7 +346,7 @@ struct rxrpc_call {
78743 spinlock_t lock;
78744 rwlock_t state_lock; /* lock for state transition */
78745 atomic_t usage;
78746 - atomic_t sequence; /* Tx data packet sequence counter */
78747 + atomic_unchecked_t sequence; /* Tx data packet sequence counter */
78748 u32 abort_code; /* local/remote abort code */
78749 enum { /* current state of call */
78750 RXRPC_CALL_CLIENT_SEND_REQUEST, /* - client sending request phase */
78751 @@ -420,7 +420,7 @@ static inline void rxrpc_abort_call(stru
78752 */
78753 extern atomic_t rxrpc_n_skbs;
78754 extern __be32 rxrpc_epoch;
78755 -extern atomic_t rxrpc_debug_id;
78756 +extern atomic_unchecked_t rxrpc_debug_id;
78757 extern struct workqueue_struct *rxrpc_workqueue;
78758
78759 /*
78760 diff -urNp linux-2.6.39.3/net/rxrpc/ar-local.c linux-2.6.39.3/net/rxrpc/ar-local.c
78761 --- linux-2.6.39.3/net/rxrpc/ar-local.c 2011-05-19 00:06:34.000000000 -0400
78762 +++ linux-2.6.39.3/net/rxrpc/ar-local.c 2011-05-22 19:36:35.000000000 -0400
78763 @@ -45,7 +45,7 @@ struct rxrpc_local *rxrpc_alloc_local(st
78764 spin_lock_init(&local->lock);
78765 rwlock_init(&local->services_lock);
78766 atomic_set(&local->usage, 1);
78767 - local->debug_id = atomic_inc_return(&rxrpc_debug_id);
78768 + local->debug_id = atomic_inc_return_unchecked(&rxrpc_debug_id);
78769 memcpy(&local->srx, srx, sizeof(*srx));
78770 }
78771
78772 diff -urNp linux-2.6.39.3/net/rxrpc/ar-output.c linux-2.6.39.3/net/rxrpc/ar-output.c
78773 --- linux-2.6.39.3/net/rxrpc/ar-output.c 2011-05-19 00:06:34.000000000 -0400
78774 +++ linux-2.6.39.3/net/rxrpc/ar-output.c 2011-05-22 19:36:35.000000000 -0400
78775 @@ -681,9 +681,9 @@ static int rxrpc_send_data(struct kiocb
78776 sp->hdr.cid = call->cid;
78777 sp->hdr.callNumber = call->call_id;
78778 sp->hdr.seq =
78779 - htonl(atomic_inc_return(&call->sequence));
78780 + htonl(atomic_inc_return_unchecked(&call->sequence));
78781 sp->hdr.serial =
78782 - htonl(atomic_inc_return(&conn->serial));
78783 + htonl(atomic_inc_return_unchecked(&conn->serial));
78784 sp->hdr.type = RXRPC_PACKET_TYPE_DATA;
78785 sp->hdr.userStatus = 0;
78786 sp->hdr.securityIndex = conn->security_ix;
78787 diff -urNp linux-2.6.39.3/net/rxrpc/ar-peer.c linux-2.6.39.3/net/rxrpc/ar-peer.c
78788 --- linux-2.6.39.3/net/rxrpc/ar-peer.c 2011-05-19 00:06:34.000000000 -0400
78789 +++ linux-2.6.39.3/net/rxrpc/ar-peer.c 2011-05-22 19:36:35.000000000 -0400
78790 @@ -71,7 +71,7 @@ static struct rxrpc_peer *rxrpc_alloc_pe
78791 INIT_LIST_HEAD(&peer->error_targets);
78792 spin_lock_init(&peer->lock);
78793 atomic_set(&peer->usage, 1);
78794 - peer->debug_id = atomic_inc_return(&rxrpc_debug_id);
78795 + peer->debug_id = atomic_inc_return_unchecked(&rxrpc_debug_id);
78796 memcpy(&peer->srx, srx, sizeof(*srx));
78797
78798 rxrpc_assess_MTU_size(peer);
78799 diff -urNp linux-2.6.39.3/net/rxrpc/ar-proc.c linux-2.6.39.3/net/rxrpc/ar-proc.c
78800 --- linux-2.6.39.3/net/rxrpc/ar-proc.c 2011-05-19 00:06:34.000000000 -0400
78801 +++ linux-2.6.39.3/net/rxrpc/ar-proc.c 2011-05-22 19:36:35.000000000 -0400
78802 @@ -164,8 +164,8 @@ static int rxrpc_connection_seq_show(str
78803 atomic_read(&conn->usage),
78804 rxrpc_conn_states[conn->state],
78805 key_serial(conn->key),
78806 - atomic_read(&conn->serial),
78807 - atomic_read(&conn->hi_serial));
78808 + atomic_read_unchecked(&conn->serial),
78809 + atomic_read_unchecked(&conn->hi_serial));
78810
78811 return 0;
78812 }
78813 diff -urNp linux-2.6.39.3/net/rxrpc/ar-transport.c linux-2.6.39.3/net/rxrpc/ar-transport.c
78814 --- linux-2.6.39.3/net/rxrpc/ar-transport.c 2011-05-19 00:06:34.000000000 -0400
78815 +++ linux-2.6.39.3/net/rxrpc/ar-transport.c 2011-05-22 19:36:35.000000000 -0400
78816 @@ -47,7 +47,7 @@ static struct rxrpc_transport *rxrpc_all
78817 spin_lock_init(&trans->client_lock);
78818 rwlock_init(&trans->conn_lock);
78819 atomic_set(&trans->usage, 1);
78820 - trans->debug_id = atomic_inc_return(&rxrpc_debug_id);
78821 + trans->debug_id = atomic_inc_return_unchecked(&rxrpc_debug_id);
78822
78823 if (peer->srx.transport.family == AF_INET) {
78824 switch (peer->srx.transport_type) {
78825 diff -urNp linux-2.6.39.3/net/rxrpc/rxkad.c linux-2.6.39.3/net/rxrpc/rxkad.c
78826 --- linux-2.6.39.3/net/rxrpc/rxkad.c 2011-05-19 00:06:34.000000000 -0400
78827 +++ linux-2.6.39.3/net/rxrpc/rxkad.c 2011-05-22 19:36:35.000000000 -0400
78828 @@ -211,6 +211,8 @@ static int rxkad_secure_packet_encrypt(c
78829 u16 check;
78830 int nsg;
78831
78832 + pax_track_stack();
78833 +
78834 sp = rxrpc_skb(skb);
78835
78836 _enter("");
78837 @@ -338,6 +340,8 @@ static int rxkad_verify_packet_auth(cons
78838 u16 check;
78839 int nsg;
78840
78841 + pax_track_stack();
78842 +
78843 _enter("");
78844
78845 sp = rxrpc_skb(skb);
78846 @@ -610,7 +614,7 @@ static int rxkad_issue_challenge(struct
78847
78848 len = iov[0].iov_len + iov[1].iov_len;
78849
78850 - hdr.serial = htonl(atomic_inc_return(&conn->serial));
78851 + hdr.serial = htonl(atomic_inc_return_unchecked(&conn->serial));
78852 _proto("Tx CHALLENGE %%%u", ntohl(hdr.serial));
78853
78854 ret = kernel_sendmsg(conn->trans->local->socket, &msg, iov, 2, len);
78855 @@ -660,7 +664,7 @@ static int rxkad_send_response(struct rx
78856
78857 len = iov[0].iov_len + iov[1].iov_len + iov[2].iov_len;
78858
78859 - hdr->serial = htonl(atomic_inc_return(&conn->serial));
78860 + hdr->serial = htonl(atomic_inc_return_unchecked(&conn->serial));
78861 _proto("Tx RESPONSE %%%u", ntohl(hdr->serial));
78862
78863 ret = kernel_sendmsg(conn->trans->local->socket, &msg, iov, 3, len);
78864 diff -urNp linux-2.6.39.3/net/sched/em_meta.c linux-2.6.39.3/net/sched/em_meta.c
78865 --- linux-2.6.39.3/net/sched/em_meta.c 2011-05-19 00:06:34.000000000 -0400
78866 +++ linux-2.6.39.3/net/sched/em_meta.c 2011-05-22 19:36:35.000000000 -0400
78867 @@ -832,7 +832,7 @@ static int em_meta_dump(struct sk_buff *
78868 {
78869 struct meta_match *meta = (struct meta_match *) em->data;
78870 struct tcf_meta_hdr hdr;
78871 - struct meta_type_ops *ops;
78872 + const struct meta_type_ops *ops;
78873
78874 memset(&hdr, 0, sizeof(hdr));
78875 memcpy(&hdr.left, &meta->lvalue.hdr, sizeof(hdr.left));
78876 diff -urNp linux-2.6.39.3/net/sctp/proc.c linux-2.6.39.3/net/sctp/proc.c
78877 --- linux-2.6.39.3/net/sctp/proc.c 2011-05-19 00:06:34.000000000 -0400
78878 +++ linux-2.6.39.3/net/sctp/proc.c 2011-05-22 19:41:42.000000000 -0400
78879 @@ -212,7 +212,12 @@ static int sctp_eps_seq_show(struct seq_
78880 sctp_for_each_hentry(epb, node, &head->chain) {
78881 ep = sctp_ep(epb);
78882 sk = epb->sk;
78883 - seq_printf(seq, "%8p %8p %-3d %-3d %-4d %-5d %5d %5lu ", ep, sk,
78884 + seq_printf(seq, "%8p %8p %-3d %-3d %-4d %-5d %5d %5lu ",
78885 +#ifdef CONFIG_GRKERNSEC_HIDESYM
78886 + NULL, NULL,
78887 +#else
78888 + ep, sk,
78889 +#endif
78890 sctp_sk(sk)->type, sk->sk_state, hash,
78891 epb->bind_addr.port,
78892 sock_i_uid(sk), sock_i_ino(sk));
78893 @@ -318,7 +323,12 @@ static int sctp_assocs_seq_show(struct s
78894 seq_printf(seq,
78895 "%8p %8p %-3d %-3d %-2d %-4d "
78896 "%4d %8d %8d %7d %5lu %-5d %5d ",
78897 - assoc, sk, sctp_sk(sk)->type, sk->sk_state,
78898 +#ifdef CONFIG_GRKERNSEC_HIDESYM
78899 + NULL, NULL,
78900 +#else
78901 + assoc, sk,
78902 +#endif
78903 + sctp_sk(sk)->type, sk->sk_state,
78904 assoc->state, hash,
78905 assoc->assoc_id,
78906 assoc->sndbuf_used,
78907 diff -urNp linux-2.6.39.3/net/sctp/socket.c linux-2.6.39.3/net/sctp/socket.c
78908 --- linux-2.6.39.3/net/sctp/socket.c 2011-05-19 00:06:34.000000000 -0400
78909 +++ linux-2.6.39.3/net/sctp/socket.c 2011-05-22 19:36:35.000000000 -0400
78910 @@ -4433,7 +4433,7 @@ static int sctp_getsockopt_peer_addrs(st
78911 addrlen = sctp_get_af_specific(temp.sa.sa_family)->sockaddr_len;
78912 if (space_left < addrlen)
78913 return -ENOMEM;
78914 - if (copy_to_user(to, &temp, addrlen))
78915 + if (addrlen > sizeof(temp) || copy_to_user(to, &temp, addrlen))
78916 return -EFAULT;
78917 to += addrlen;
78918 cnt++;
78919 diff -urNp linux-2.6.39.3/net/socket.c linux-2.6.39.3/net/socket.c
78920 --- linux-2.6.39.3/net/socket.c 2011-06-03 00:04:14.000000000 -0400
78921 +++ linux-2.6.39.3/net/socket.c 2011-06-03 00:32:08.000000000 -0400
78922 @@ -88,6 +88,7 @@
78923 #include <linux/nsproxy.h>
78924 #include <linux/magic.h>
78925 #include <linux/slab.h>
78926 +#include <linux/in.h>
78927
78928 #include <asm/uaccess.h>
78929 #include <asm/unistd.h>
78930 @@ -105,6 +106,8 @@
78931 #include <linux/sockios.h>
78932 #include <linux/atalk.h>
78933
78934 +#include <linux/grsock.h>
78935 +
78936 static int sock_no_open(struct inode *irrelevant, struct file *dontcare);
78937 static ssize_t sock_aio_read(struct kiocb *iocb, const struct iovec *iov,
78938 unsigned long nr_segs, loff_t pos);
78939 @@ -330,7 +333,7 @@ static struct dentry *sockfs_mount(struc
78940 &sockfs_dentry_operations, SOCKFS_MAGIC);
78941 }
78942
78943 -static struct vfsmount *sock_mnt __read_mostly;
78944 +struct vfsmount *sock_mnt __read_mostly;
78945
78946 static struct file_system_type sock_fs_type = {
78947 .name = "sockfs",
78948 @@ -1179,6 +1182,8 @@ int __sock_create(struct net *net, int f
78949 return -EAFNOSUPPORT;
78950 if (type < 0 || type >= SOCK_MAX)
78951 return -EINVAL;
78952 + if (protocol < 0)
78953 + return -EINVAL;
78954
78955 /* Compatibility.
78956
78957 @@ -1311,6 +1316,16 @@ SYSCALL_DEFINE3(socket, int, family, int
78958 if (SOCK_NONBLOCK != O_NONBLOCK && (flags & SOCK_NONBLOCK))
78959 flags = (flags & ~SOCK_NONBLOCK) | O_NONBLOCK;
78960
78961 + if(!gr_search_socket(family, type, protocol)) {
78962 + retval = -EACCES;
78963 + goto out;
78964 + }
78965 +
78966 + if (gr_handle_sock_all(family, type, protocol)) {
78967 + retval = -EACCES;
78968 + goto out;
78969 + }
78970 +
78971 retval = sock_create(family, type, protocol, &sock);
78972 if (retval < 0)
78973 goto out;
78974 @@ -1423,6 +1438,14 @@ SYSCALL_DEFINE3(bind, int, fd, struct so
78975 if (sock) {
78976 err = move_addr_to_kernel(umyaddr, addrlen, (struct sockaddr *)&address);
78977 if (err >= 0) {
78978 + if (gr_handle_sock_server((struct sockaddr *)&address)) {
78979 + err = -EACCES;
78980 + goto error;
78981 + }
78982 + err = gr_search_bind(sock, (struct sockaddr_in *)&address);
78983 + if (err)
78984 + goto error;
78985 +
78986 err = security_socket_bind(sock,
78987 (struct sockaddr *)&address,
78988 addrlen);
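Review bot: `gr_search_bind()` receives `&address` cast to `struct sockaddr_in *` with neither `addrlen` nor an address-family check, so the hook cannot tell how many bytes `move_addr_to_kernel()` actually filled in. For a short or non-IPv4 address, any port or address field it reads would be whatever was already in the `address` buffer (its initialisation is not visible in the hunk). Passing the length through, e.g. `err = gr_search_bind(sock, (struct sockaddr *)&address, addrlen);`, would let the hook reject or ignore addresses too short to hold the fields it inspects. The connect hunk further down makes the same cast for `gr_search_connect()`. The body of the bind syscall starts and ends outside this hunk.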
78989 @@ -1431,6 +1454,7 @@ SYSCALL_DEFINE3(bind, int, fd, struct so
78990 (struct sockaddr *)
78991 &address, addrlen);
78992 }
78993 +error:
78994 fput_light(sock->file, fput_needed);
78995 }
78996 return err;
78997 @@ -1454,10 +1478,20 @@ SYSCALL_DEFINE2(listen, int, fd, int, ba
78998 if ((unsigned)backlog > somaxconn)
78999 backlog = somaxconn;
79000
79001 + if (gr_handle_sock_server_other(sock->sk)) {
79002 + err = -EPERM;
79003 + goto error;
79004 + }
79005 +
79006 + err = gr_search_listen(sock);
79007 + if (err)
79008 + goto error;
79009 +
79010 err = security_socket_listen(sock, backlog);
79011 if (!err)
79012 err = sock->ops->listen(sock, backlog);
79013
79014 +error:
79015 fput_light(sock->file, fput_needed);
79016 }
79017 return err;
79018 @@ -1501,6 +1535,18 @@ SYSCALL_DEFINE4(accept4, int, fd, struct
79019 newsock->type = sock->type;
79020 newsock->ops = sock->ops;
79021
79022 + if (gr_handle_sock_server_other(sock->sk)) {
79023 + err = -EPERM;
79024 + sock_release(newsock);
79025 + goto out_put;
79026 + }
79027 +
79028 + err = gr_search_accept(sock);
79029 + if (err) {
79030 + sock_release(newsock);
79031 + goto out_put;
79032 + }
79033 +
79034 /*
79035 * We don't need try_module_get here, as the listening socket (sock)
79036 * has the protocol module (sock->ops->owner) held.
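Review bot: Both new failure paths call `sock_release(newsock)` above the comment that explains the module reference on `sock->ops->owner`, so apparently before that reference is taken for `newsock` (the statement itself is outside the hunk). If `sock_release()` drops the owner's module reference whenever `newsock->ops` is set, which is not visible here, these two exits would release a reference that was never acquired. Moving the two checks below the module-get, or above the `newsock->ops = sock->ops;` assignment, would keep get and put paired. The duplicated `sock_release(newsock); goto out_put;` pair could also share a single label.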
79037 @@ -1539,6 +1585,8 @@ SYSCALL_DEFINE4(accept4, int, fd, struct
79038 fd_install(newfd, newfile);
79039 err = newfd;
79040
79041 + gr_attach_curr_ip(newsock->sk);
79042 +
79043 out_put:
79044 fput_light(sock->file, fput_needed);
79045 out:
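Review bot: `gr_attach_curr_ip(newsock->sk)` runs after `fd_install(newfd, newfile)`, when the descriptor is already visible to other threads of the process and can be closed concurrently. That leaves a window in which `newsock` may already have been released when the hook dereferences it. Calling the hook before publication avoids the window: place `gr_attach_curr_ip(newsock->sk);` immediately above `fd_install(newfd, newfile);`. The rest of accept4 is outside the hunk.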
79046 @@ -1571,6 +1619,7 @@ SYSCALL_DEFINE3(connect, int, fd, struct
79047 int, addrlen)
79048 {
79049 struct socket *sock;
79050 + struct sockaddr *sck;
79051 struct sockaddr_storage address;
79052 int err, fput_needed;
79053
79054 @@ -1581,6 +1630,17 @@ SYSCALL_DEFINE3(connect, int, fd, struct
79055 if (err < 0)
79056 goto out_put;
79057
79058 + sck = (struct sockaddr *)&address;
79059 +
79060 + if (gr_handle_sock_client(sck)) {
79061 + err = -EACCES;
79062 + goto out_put;
79063 + }
79064 +
79065 + err = gr_search_connect(sock, (struct sockaddr_in *)sck);
79066 + if (err)
79067 + goto out_put;
79068 +
79069 err =
79070 security_socket_connect(sock, (struct sockaddr *)&address, addrlen);
79071 if (err)
79072 @@ -1882,6 +1942,8 @@ SYSCALL_DEFINE3(sendmsg, int, fd, struct
79073 int err, ctl_len, iov_size, total_len;
79074 int fput_needed;
79075
79076 + pax_track_stack();
79077 +
79078 err = -EFAULT;
79079 if (MSG_CMSG_COMPAT & flags) {
79080 if (get_compat_msghdr(&msg_sys, msg_compat))
79081 diff -urNp linux-2.6.39.3/net/sunrpc/sched.c linux-2.6.39.3/net/sunrpc/sched.c
79082 --- linux-2.6.39.3/net/sunrpc/sched.c 2011-07-09 09:18:51.000000000 -0400
79083 +++ linux-2.6.39.3/net/sunrpc/sched.c 2011-07-09 09:19:27.000000000 -0400
79084 @@ -234,9 +234,9 @@ static int rpc_wait_bit_killable(void *w
79085 #ifdef RPC_DEBUG
79086 static void rpc_task_set_debuginfo(struct rpc_task *task)
79087 {
79088 - static atomic_t rpc_pid;
79089 + static atomic_unchecked_t rpc_pid;
79090
79091 - task->tk_pid = atomic_inc_return(&rpc_pid);
79092 + task->tk_pid = atomic_inc_return_unchecked(&rpc_pid);
79093 }
79094 #else
79095 static inline void rpc_task_set_debuginfo(struct rpc_task *task)
79096 diff -urNp linux-2.6.39.3/net/sunrpc/xprtrdma/svc_rdma.c linux-2.6.39.3/net/sunrpc/xprtrdma/svc_rdma.c
79097 --- linux-2.6.39.3/net/sunrpc/xprtrdma/svc_rdma.c 2011-05-19 00:06:34.000000000 -0400
79098 +++ linux-2.6.39.3/net/sunrpc/xprtrdma/svc_rdma.c 2011-05-22 19:36:35.000000000 -0400
79099 @@ -61,15 +61,15 @@ unsigned int svcrdma_max_req_size = RPCR
79100 static unsigned int min_max_inline = 4096;
79101 static unsigned int max_max_inline = 65536;
79102
79103 -atomic_t rdma_stat_recv;
79104 -atomic_t rdma_stat_read;
79105 -atomic_t rdma_stat_write;
79106 -atomic_t rdma_stat_sq_starve;
79107 -atomic_t rdma_stat_rq_starve;
79108 -atomic_t rdma_stat_rq_poll;
79109 -atomic_t rdma_stat_rq_prod;
79110 -atomic_t rdma_stat_sq_poll;
79111 -atomic_t rdma_stat_sq_prod;
79112 +atomic_unchecked_t rdma_stat_recv;
79113 +atomic_unchecked_t rdma_stat_read;
79114 +atomic_unchecked_t rdma_stat_write;
79115 +atomic_unchecked_t rdma_stat_sq_starve;
79116 +atomic_unchecked_t rdma_stat_rq_starve;
79117 +atomic_unchecked_t rdma_stat_rq_poll;
79118 +atomic_unchecked_t rdma_stat_rq_prod;
79119 +atomic_unchecked_t rdma_stat_sq_poll;
79120 +atomic_unchecked_t rdma_stat_sq_prod;
79121
79122 /* Temporary NFS request map and context caches */
79123 struct kmem_cache *svc_rdma_map_cachep;
79124 @@ -109,7 +109,7 @@ static int read_reset_stat(ctl_table *ta
79125 len -= *ppos;
79126 if (len > *lenp)
79127 len = *lenp;
79128 - if (len && copy_to_user(buffer, str_buf, len))
79129 + if (len > sizeof str_buf || (len && copy_to_user(buffer, str_buf, len)))
79130 return -EFAULT;
79131 *lenp = len;
79132 *ppos += len;
79133 @@ -150,63 +150,63 @@ static ctl_table svcrdma_parm_table[] =
79134 {
79135 .procname = "rdma_stat_read",
79136 .data = &rdma_stat_read,
79137 - .maxlen = sizeof(atomic_t),
79138 + .maxlen = sizeof(atomic_unchecked_t),
79139 .mode = 0644,
79140 .proc_handler = read_reset_stat,
79141 },
79142 {
79143 .procname = "rdma_stat_recv",
79144 .data = &rdma_stat_recv,
79145 - .maxlen = sizeof(atomic_t),
79146 + .maxlen = sizeof(atomic_unchecked_t),
79147 .mode = 0644,
79148 .proc_handler = read_reset_stat,
79149 },
79150 {
79151 .procname = "rdma_stat_write",
79152 .data = &rdma_stat_write,
79153 - .maxlen = sizeof(atomic_t),
79154 + .maxlen = sizeof(atomic_unchecked_t),
79155 .mode = 0644,
79156 .proc_handler = read_reset_stat,
79157 },
79158 {
79159 .procname = "rdma_stat_sq_starve",
79160 .data = &rdma_stat_sq_starve,
79161 - .maxlen = sizeof(atomic_t),
79162 + .maxlen = sizeof(atomic_unchecked_t),
79163 .mode = 0644,
79164 .proc_handler = read_reset_stat,
79165 },
79166 {
79167 .procname = "rdma_stat_rq_starve",
79168 .data = &rdma_stat_rq_starve,
79169 - .maxlen = sizeof(atomic_t),
79170 + .maxlen = sizeof(atomic_unchecked_t),
79171 .mode = 0644,
79172 .proc_handler = read_reset_stat,
79173 },
79174 {
79175 .procname = "rdma_stat_rq_poll",
79176 .data = &rdma_stat_rq_poll,
79177 - .maxlen = sizeof(atomic_t),
79178 + .maxlen = sizeof(atomic_unchecked_t),
79179 .mode = 0644,
79180 .proc_handler = read_reset_stat,
79181 },
79182 {
79183 .procname = "rdma_stat_rq_prod",
79184 .data = &rdma_stat_rq_prod,
79185 - .maxlen = sizeof(atomic_t),
79186 + .maxlen = sizeof(atomic_unchecked_t),
79187 .mode = 0644,
79188 .proc_handler = read_reset_stat,
79189 },
79190 {
79191 .procname = "rdma_stat_sq_poll",
79192 .data = &rdma_stat_sq_poll,
79193 - .maxlen = sizeof(atomic_t),
79194 + .maxlen = sizeof(atomic_unchecked_t),
79195 .mode = 0644,
79196 .proc_handler = read_reset_stat,
79197 },
79198 {
79199 .procname = "rdma_stat_sq_prod",
79200 .data = &rdma_stat_sq_prod,
79201 - .maxlen = sizeof(atomic_t),
79202 + .maxlen = sizeof(atomic_unchecked_t),
79203 .mode = 0644,
79204 .proc_handler = read_reset_stat,
79205 },
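Review bot: Every entry here still dispatches to `read_reset_stat`, but no hunk in this section touches the part of that handler that reads and resets the counter through `table->data`. If it still casts `.data` to `atomic_t *` and uses `atomic_read()`/`atomic_set()`, the handler and the `atomic_unchecked_t` definitions in the first hunk now disagree on type, which compiles only because of the `void *` in between. Switching the handler to `atomic_unchecked_t *` with `atomic_read_unchecked()`/`atomic_set_unchecked()` would complete the conversion.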
79206 diff -urNp linux-2.6.39.3/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c linux-2.6.39.3/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c
79207 --- linux-2.6.39.3/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c 2011-05-19 00:06:34.000000000 -0400
79208 +++ linux-2.6.39.3/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c 2011-05-22 19:36:35.000000000 -0400
79209 @@ -499,7 +499,7 @@ next_sge:
79210 svc_rdma_put_context(ctxt, 0);
79211 goto out;
79212 }
79213 - atomic_inc(&rdma_stat_read);
79214 + atomic_inc_unchecked(&rdma_stat_read);
79215
79216 if (read_wr.num_sge < chl_map->ch[ch_no].count) {
79217 chl_map->ch[ch_no].count -= read_wr.num_sge;
79218 @@ -609,7 +609,7 @@ int svc_rdma_recvfrom(struct svc_rqst *r
79219 dto_q);
79220 list_del_init(&ctxt->dto_q);
79221 } else {
79222 - atomic_inc(&rdma_stat_rq_starve);
79223 + atomic_inc_unchecked(&rdma_stat_rq_starve);
79224 clear_bit(XPT_DATA, &xprt->xpt_flags);
79225 ctxt = NULL;
79226 }
79227 @@ -629,7 +629,7 @@ int svc_rdma_recvfrom(struct svc_rqst *r
79228 dprintk("svcrdma: processing ctxt=%p on xprt=%p, rqstp=%p, status=%d\n",
79229 ctxt, rdma_xprt, rqstp, ctxt->wc_status);
79230 BUG_ON(ctxt->wc_status != IB_WC_SUCCESS);
79231 - atomic_inc(&rdma_stat_recv);
79232 + atomic_inc_unchecked(&rdma_stat_recv);
79233
79234 /* Build up the XDR from the receive buffers. */
79235 rdma_build_arg_xdr(rqstp, ctxt, ctxt->byte_len);
79236 diff -urNp linux-2.6.39.3/net/sunrpc/xprtrdma/svc_rdma_sendto.c linux-2.6.39.3/net/sunrpc/xprtrdma/svc_rdma_sendto.c
79237 --- linux-2.6.39.3/net/sunrpc/xprtrdma/svc_rdma_sendto.c 2011-05-19 00:06:34.000000000 -0400
79238 +++ linux-2.6.39.3/net/sunrpc/xprtrdma/svc_rdma_sendto.c 2011-05-22 19:36:35.000000000 -0400
79239 @@ -362,7 +362,7 @@ static int send_write(struct svcxprt_rdm
79240 write_wr.wr.rdma.remote_addr = to;
79241
79242 /* Post It */
79243 - atomic_inc(&rdma_stat_write);
79244 + atomic_inc_unchecked(&rdma_stat_write);
79245 if (svc_rdma_send(xprt, &write_wr))
79246 goto err;
79247 return 0;
79248 diff -urNp linux-2.6.39.3/net/sunrpc/xprtrdma/svc_rdma_transport.c linux-2.6.39.3/net/sunrpc/xprtrdma/svc_rdma_transport.c
79249 --- linux-2.6.39.3/net/sunrpc/xprtrdma/svc_rdma_transport.c 2011-05-19 00:06:34.000000000 -0400
79250 +++ linux-2.6.39.3/net/sunrpc/xprtrdma/svc_rdma_transport.c 2011-05-22 19:36:35.000000000 -0400
79251 @@ -298,7 +298,7 @@ static void rq_cq_reap(struct svcxprt_rd
79252 return;
79253
79254 ib_req_notify_cq(xprt->sc_rq_cq, IB_CQ_NEXT_COMP);
79255 - atomic_inc(&rdma_stat_rq_poll);
79256 + atomic_inc_unchecked(&rdma_stat_rq_poll);
79257
79258 while ((ret = ib_poll_cq(xprt->sc_rq_cq, 1, &wc)) > 0) {
79259 ctxt = (struct svc_rdma_op_ctxt *)(unsigned long)wc.wr_id;
79260 @@ -320,7 +320,7 @@ static void rq_cq_reap(struct svcxprt_rd
79261 }
79262
79263 if (ctxt)
79264 - atomic_inc(&rdma_stat_rq_prod);
79265 + atomic_inc_unchecked(&rdma_stat_rq_prod);
79266
79267 set_bit(XPT_DATA, &xprt->sc_xprt.xpt_flags);
79268 /*
79269 @@ -392,7 +392,7 @@ static void sq_cq_reap(struct svcxprt_rd
79270 return;
79271
79272 ib_req_notify_cq(xprt->sc_sq_cq, IB_CQ_NEXT_COMP);
79273 - atomic_inc(&rdma_stat_sq_poll);
79274 + atomic_inc_unchecked(&rdma_stat_sq_poll);
79275 while ((ret = ib_poll_cq(cq, 1, &wc)) > 0) {
79276 if (wc.status != IB_WC_SUCCESS)
79277 /* Close the transport */
79278 @@ -410,7 +410,7 @@ static void sq_cq_reap(struct svcxprt_rd
79279 }
79280
79281 if (ctxt)
79282 - atomic_inc(&rdma_stat_sq_prod);
79283 + atomic_inc_unchecked(&rdma_stat_sq_prod);
79284 }
79285
79286 static void sq_comp_handler(struct ib_cq *cq, void *cq_context)
79287 @@ -1271,7 +1271,7 @@ int svc_rdma_send(struct svcxprt_rdma *x
79288 spin_lock_bh(&xprt->sc_lock);
79289 if (xprt->sc_sq_depth < atomic_read(&xprt->sc_sq_count) + wr_count) {
79290 spin_unlock_bh(&xprt->sc_lock);
79291 - atomic_inc(&rdma_stat_sq_starve);
79292 + atomic_inc_unchecked(&rdma_stat_sq_starve);
79293
79294 /* See if we can opportunistically reap SQ WR to make room */
79295 sq_cq_reap(xprt);
79296 diff -urNp linux-2.6.39.3/net/sysctl_net.c linux-2.6.39.3/net/sysctl_net.c
79297 --- linux-2.6.39.3/net/sysctl_net.c 2011-05-19 00:06:34.000000000 -0400
79298 +++ linux-2.6.39.3/net/sysctl_net.c 2011-05-22 19:41:42.000000000 -0400
79299 @@ -46,7 +46,7 @@ static int net_ctl_permissions(struct ct
79300 struct ctl_table *table)
79301 {
79302 /* Allow network administrator to have same access as root. */
79303 - if (capable(CAP_NET_ADMIN)) {
79304 + if (capable_nolog(CAP_NET_ADMIN)) {
79305 int mode = (table->mode >> 6) & 7;
79306 return (mode << 6) | (mode << 3) | mode;
79307 }
79308 diff -urNp linux-2.6.39.3/net/unix/af_unix.c linux-2.6.39.3/net/unix/af_unix.c
79309 --- linux-2.6.39.3/net/unix/af_unix.c 2011-05-19 00:06:34.000000000 -0400
79310 +++ linux-2.6.39.3/net/unix/af_unix.c 2011-05-22 19:41:42.000000000 -0400
79311 @@ -767,6 +767,12 @@ static struct sock *unix_find_other(stru
79312 err = -ECONNREFUSED;
79313 if (!S_ISSOCK(inode->i_mode))
79314 goto put_fail;
79315 +
79316 + if (!gr_acl_handle_unix(path.dentry, path.mnt)) {
79317 + err = -EACCES;
79318 + goto put_fail;
79319 + }
79320 +
79321 u = unix_find_socket_byinode(inode);
79322 if (!u)
79323 goto put_fail;
79324 @@ -787,6 +793,13 @@ static struct sock *unix_find_other(stru
79325 if (u) {
79326 struct dentry *dentry;
79327 dentry = unix_sk(u)->dentry;
79328 +
79329 + if (!gr_handle_chroot_unix(u->sk_peer_pid)) {
79330 + err = -EPERM;
79331 + sock_put(u);
79332 + goto fail;
79333 + }
79334 +
79335 if (dentry)
79336 touch_atime(unix_sk(u)->mnt, dentry);
79337 } else
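Review bot: `u->sk_peer_pid` is passed to `gr_handle_chroot_unix()` with no lock and no extra pid reference visible in the hunk. The unix_bind hunk later in this file updates the same field with `put_pid(sk->sk_peer_pid)` followed by `get_pid(...)`, so any writer that can run while the socket is reachable by lookup would expose a pid whose reference was just dropped; whether that overlap is possible cannot be judged from these hunks. Installing the new reference before releasing the old one is the safer order, e.g. `struct pid *old = sk->sk_peer_pid; sk->sk_peer_pid = get_pid(task_tgid(current)); put_pid(old);`. A comment stating which lock keeps the field stable for this read would also help. unix_find_other continues outside this hunk.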
79338 @@ -872,11 +885,18 @@ static int unix_bind(struct socket *sock
79339 err = security_path_mknod(&nd.path, dentry, mode, 0);
79340 if (err)
79341 goto out_mknod_drop_write;
79342 + if (!gr_acl_handle_mknod(dentry, nd.path.dentry, nd.path.mnt, mode)) {
79343 + err = -EACCES;
79344 + goto out_mknod_drop_write;
79345 + }
79346 err = vfs_mknod(nd.path.dentry->d_inode, dentry, mode, 0);
79347 out_mknod_drop_write:
79348 mnt_drop_write(nd.path.mnt);
79349 if (err)
79350 goto out_mknod_dput;
79351 +
79352 + gr_handle_create(dentry, nd.path.mnt);
79353 +
79354 mutex_unlock(&nd.path.dentry->d_inode->i_mutex);
79355 dput(nd.path.dentry);
79356 nd.path.dentry = dentry;
79357 @@ -894,6 +914,11 @@ out_mknod_drop_write:
79358 goto out_unlock;
79359 }
79360
79361 +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
79362 + put_pid(sk->sk_peer_pid);
79363 + sk->sk_peer_pid = get_pid(task_tgid(current));
79364 +#endif
79365 +
79366 list = &unix_socket_table[addr->hash];
79367 } else {
79368 list = &unix_socket_table[dentry->d_inode->i_ino & (UNIX_HASH_SIZE-1)];
79369 @@ -2255,7 +2280,11 @@ static int unix_seq_show(struct seq_file
79370 unix_state_lock(s);
79371
79372 seq_printf(seq, "%p: %08X %08X %08X %04X %02X %5lu",
79373 +#ifdef CONFIG_GRKERNSEC_HIDESYM
79374 + NULL,
79375 +#else
79376 s,
79377 +#endif
79378 atomic_read(&s->sk_refcnt),
79379 0,
79380 s->sk_state == TCP_LISTEN ? __SO_ACCEPTCON : 0,
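Review bot: The `#ifdef CONFIG_GRKERNSEC_HIDESYM` block sits inside the `seq_printf()` argument list, which splits one call across preprocessor branches and is easy to misread. A local chosen once above the call reads better, e.g. `void *shown = s;` reset to `NULL` under the `#ifdef`, with `shown` passed as the first argument. A NULL argument to `%p` is also normally printed as `(null)` rather than as an address, so the first column of this proc file changes shape for anything that parses it; if that is intended it deserves a comment. unix_seq_show continues outside the hunk.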
79381 diff -urNp linux-2.6.39.3/net/wireless/wext-core.c linux-2.6.39.3/net/wireless/wext-core.c
79382 --- linux-2.6.39.3/net/wireless/wext-core.c 2011-05-19 00:06:34.000000000 -0400
79383 +++ linux-2.6.39.3/net/wireless/wext-core.c 2011-05-22 19:36:35.000000000 -0400
79384 @@ -746,8 +746,7 @@ static int ioctl_standard_iw_point(struc
79385 */
79386
79387 /* Support for very large requests */
79388 - if ((descr->flags & IW_DESCR_FLAG_NOMAX) &&
79389 - (user_length > descr->max_tokens)) {
79390 + if (user_length > descr->max_tokens) {
79391 /* Allow userspace to GET more than max so
79392 * we can support any size GET requests.
79393 * There is still a limit : -ENOMEM.
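Review bot: The retained comment still describes a special case ("Support for very large requests"), but with the `IW_DESCR_FLAG_NOMAX` test removed the branch now applies to every descriptor whose `user_length` exceeds `max_tokens`. The next hunk in this file also deletes the clamp of `iwp->length` to `max_tokens`, so on this path the buffer size follows a user-supplied length and the only bound mentioned is -ENOMEM. The comment should say that, for example `/* extra buffer follows user_length for every GET; bounded only by allocation failure */`. The body of the branch is outside the hunk.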
79394 @@ -784,22 +783,6 @@ static int ioctl_standard_iw_point(struc
79395 }
79396 }
79397
79398 - if (IW_IS_GET(cmd) && !(descr->flags & IW_DESCR_FLAG_NOMAX)) {
79399 - /*
79400 - * If this is a GET, but not NOMAX, it means that the extra
79401 - * data is not bounded by userspace, but by max_tokens. Thus
79402 - * set the length to max_tokens. This matches the extra data
79403 - * allocation.
79404 - * The driver should fill it with the number of tokens it
79405 - * provided, and it may check iwp->length rather than having
79406 - * knowledge of max_tokens. If the driver doesn't change the
79407 - * iwp->length, this ioctl just copies back max_token tokens
79408 - * filled with zeroes. Hopefully the driver isn't claiming
79409 - * them to be valid data.
79410 - */
79411 - iwp->length = descr->max_tokens;
79412 - }
79413 -
79414 err = handler(dev, info, (union iwreq_data *) iwp, extra);
79415
79416 iwp->length += essid_compat;
79417 diff -urNp linux-2.6.39.3/net/xfrm/xfrm_policy.c linux-2.6.39.3/net/xfrm/xfrm_policy.c
79418 --- linux-2.6.39.3/net/xfrm/xfrm_policy.c 2011-05-19 00:06:34.000000000 -0400
79419 +++ linux-2.6.39.3/net/xfrm/xfrm_policy.c 2011-05-22 19:36:35.000000000 -0400
79420 @@ -299,7 +299,7 @@ static void xfrm_policy_kill(struct xfrm
79421 {
79422 policy->walk.dead = 1;
79423
79424 - atomic_inc(&policy->genid);
79425 + atomic_inc_unchecked(&policy->genid);
79426
79427 if (del_timer(&policy->timer))
79428 xfrm_pol_put(policy);
79429 @@ -583,7 +583,7 @@ int xfrm_policy_insert(int dir, struct x
79430 hlist_add_head(&policy->bydst, chain);
79431 xfrm_pol_hold(policy);
79432 net->xfrm.policy_count[dir]++;
79433 - atomic_inc(&flow_cache_genid);
79434 + atomic_inc_unchecked(&flow_cache_genid);
79435 if (delpol)
79436 __xfrm_policy_unlink(delpol, dir);
79437 policy->index = delpol ? delpol->index : xfrm_gen_index(net, dir);
79438 @@ -1527,7 +1527,7 @@ free_dst:
79439 goto out;
79440 }
79441
79442 -static int inline
79443 +static inline int
79444 xfrm_dst_alloc_copy(void **target, const void *src, int size)
79445 {
79446 if (!*target) {
79447 @@ -1539,7 +1539,7 @@ xfrm_dst_alloc_copy(void **target, const
79448 return 0;
79449 }
79450
79451 -static int inline
79452 +static inline int
79453 xfrm_dst_update_parent(struct dst_entry *dst, const struct xfrm_selector *sel)
79454 {
79455 #ifdef CONFIG_XFRM_SUB_POLICY
79456 @@ -1551,7 +1551,7 @@ xfrm_dst_update_parent(struct dst_entry
79457 #endif
79458 }
79459
79460 -static int inline
79461 +static inline int
79462 xfrm_dst_update_origin(struct dst_entry *dst, const struct flowi *fl)
79463 {
79464 #ifdef CONFIG_XFRM_SUB_POLICY
79465 @@ -1645,7 +1645,7 @@ xfrm_resolve_and_create_bundle(struct xf
79466
79467 xdst->num_pols = num_pols;
79468 memcpy(xdst->pols, pols, sizeof(struct xfrm_policy*) * num_pols);
79469 - xdst->policy_genid = atomic_read(&pols[0]->genid);
79470 + xdst->policy_genid = atomic_read_unchecked(&pols[0]->genid);
79471
79472 return xdst;
79473 }
79474 @@ -2332,7 +2332,7 @@ static int xfrm_bundle_ok(struct xfrm_ds
79475 if (xdst->xfrm_genid != dst->xfrm->genid)
79476 return 0;
79477 if (xdst->num_pols > 0 &&
79478 - xdst->policy_genid != atomic_read(&xdst->pols[0]->genid))
79479 + xdst->policy_genid != atomic_read_unchecked(&xdst->pols[0]->genid))
79480 return 0;
79481
79482 mtu = dst_mtu(dst->child);
79483 @@ -2860,7 +2860,7 @@ static int xfrm_policy_migrate(struct xf
79484 sizeof(pol->xfrm_vec[i].saddr));
79485 pol->xfrm_vec[i].encap_family = mp->new_family;
79486 /* flush bundles */
79487 - atomic_inc(&pol->genid);
79488 + atomic_inc_unchecked(&pol->genid);
79489 }
79490 }
79491
79492 diff -urNp linux-2.6.39.3/net/xfrm/xfrm_user.c linux-2.6.39.3/net/xfrm/xfrm_user.c
79493 --- linux-2.6.39.3/net/xfrm/xfrm_user.c 2011-05-19 00:06:34.000000000 -0400
79494 +++ linux-2.6.39.3/net/xfrm/xfrm_user.c 2011-05-22 19:36:35.000000000 -0400
79495 @@ -1394,6 +1394,8 @@ static int copy_to_user_tmpl(struct xfrm
79496 struct xfrm_user_tmpl vec[XFRM_MAX_DEPTH];
79497 int i;
79498
79499 + pax_track_stack();
79500 +
79501 if (xp->xfrm_nr == 0)
79502 return 0;
79503
79504 @@ -2062,6 +2064,8 @@ static int xfrm_do_migrate(struct sk_buf
79505 int err;
79506 int n = 0;
79507
79508 + pax_track_stack();
79509 +
79510 if (attrs[XFRMA_MIGRATE] == NULL)
79511 return -EINVAL;
79512
79513 diff -urNp linux-2.6.39.3/scripts/basic/fixdep.c linux-2.6.39.3/scripts/basic/fixdep.c
79514 --- linux-2.6.39.3/scripts/basic/fixdep.c 2011-05-19 00:06:34.000000000 -0400
79515 +++ linux-2.6.39.3/scripts/basic/fixdep.c 2011-05-22 19:36:35.000000000 -0400
79516 @@ -235,9 +235,9 @@ static void use_config(const char *m, in
79517
79518 static void parse_config_file(const char *map, size_t len)
79519 {
79520 - const int *end = (const int *) (map + len);
79521 + const unsigned int *end = (const unsigned int *) (map + len);
79522 /* start at +1, so that p can never be < map */
79523 - const int *m = (const int *) map + 1;
79524 + const unsigned int *m = (const unsigned int *) map + 1;
79525 const char *p, *q;
79526
79527 for (; m < end; m++) {
79528 @@ -405,7 +405,7 @@ static void print_deps(void)
79529 static void traps(void)
79530 {
79531 static char test[] __attribute__((aligned(sizeof(int)))) = "CONF";
79532 - int *p = (int *)test;
79533 + unsigned int *p = (unsigned int *)test;
79534
79535 if (*p != INT_CONF) {
79536 fprintf(stderr, "fixdep: sizeof(int) != 4 or wrong endianess? %#x\n",
79537 diff -urNp linux-2.6.39.3/scripts/dtc/flattree.c linux-2.6.39.3/scripts/dtc/flattree.c
79538 --- linux-2.6.39.3/scripts/dtc/flattree.c 2011-05-19 00:06:34.000000000 -0400
79539 +++ linux-2.6.39.3/scripts/dtc/flattree.c 2011-05-22 19:36:35.000000000 -0400
79540 @@ -104,7 +104,7 @@ static void bin_emit_property(void *e, s
79541 bin_emit_cell(e, FDT_PROP);
79542 }
79543
79544 -static struct emitter bin_emitter = {
79545 +static const struct emitter bin_emitter = {
79546 .cell = bin_emit_cell,
79547 .string = bin_emit_string,
79548 .align = bin_emit_align,
79549 @@ -230,7 +230,7 @@ static void asm_emit_property(void *e, s
79550 asm_emit_cell(e, FDT_PROP);
79551 }
79552
79553 -static struct emitter asm_emitter = {
79554 +static const struct emitter asm_emitter = {
79555 .cell = asm_emit_cell,
79556 .string = asm_emit_string,
79557 .align = asm_emit_align,
79558 diff -urNp linux-2.6.39.3/scripts/Makefile.build linux-2.6.39.3/scripts/Makefile.build
79559 --- linux-2.6.39.3/scripts/Makefile.build 2011-05-19 00:06:34.000000000 -0400
79560 +++ linux-2.6.39.3/scripts/Makefile.build 2011-06-03 01:15:00.000000000 -0400
79561 @@ -93,7 +93,7 @@ endif
79562 endif
79563
79564 # Do not include host rules unless needed
79565 -ifneq ($(hostprogs-y)$(hostprogs-m),)
79566 +ifneq ($(hostprogs-y)$(hostprogs-m)$(hostlibs-y)$(hostlibs-m),)
79567 include scripts/Makefile.host
79568 endif
79569
79570 diff -urNp linux-2.6.39.3/scripts/Makefile.clean linux-2.6.39.3/scripts/Makefile.clean
79571 --- linux-2.6.39.3/scripts/Makefile.clean 2011-05-19 00:06:34.000000000 -0400
79572 +++ linux-2.6.39.3/scripts/Makefile.clean 2011-06-03 01:16:02.000000000 -0400
79573 @@ -43,7 +43,8 @@ subdir-ymn := $(addprefix $(obj)/,$(subd
79574 __clean-files := $(extra-y) $(always) \
79575 $(targets) $(clean-files) \
79576 $(host-progs) \
79577 - $(hostprogs-y) $(hostprogs-m) $(hostprogs-)
79578 + $(hostprogs-y) $(hostprogs-m) $(hostprogs-) \
79579 + $(hostlibs-y) $(hostlibs-m) $(hostlibs-)
79580
79581 __clean-files := $(filter-out $(no-clean-files), $(__clean-files))
79582
79583 diff -urNp linux-2.6.39.3/scripts/Makefile.host linux-2.6.39.3/scripts/Makefile.host
79584 --- linux-2.6.39.3/scripts/Makefile.host 2011-05-19 00:06:34.000000000 -0400
79585 +++ linux-2.6.39.3/scripts/Makefile.host 2011-06-03 01:17:12.000000000 -0400
79586 @@ -31,6 +31,7 @@
79587 # Note: Shared libraries consisting of C++ files are not supported
79588
79589 __hostprogs := $(sort $(hostprogs-y) $(hostprogs-m))
79590 +__hostlibs := $(sort $(hostlibs-y) $(hostlibs-m))
79591
79592 # C code
79593 # Executables compiled from a single .c file
79594 @@ -54,6 +55,7 @@ host-cxxobjs := $(sort $(foreach m,$(hos
79595 # Shared libaries (only .c supported)
79596 # Shared libraries (.so) - all .so files referenced in "xxx-objs"
79597 host-cshlib := $(sort $(filter %.so, $(host-cobjs)))
79598 +host-cshlib += $(sort $(filter %.so, $(__hostlibs)))
79599 # Remove .so files from "xxx-objs"
79600 host-cobjs := $(filter-out %.so,$(host-cobjs))
79601
79602 diff -urNp linux-2.6.39.3/scripts/mod/file2alias.c linux-2.6.39.3/scripts/mod/file2alias.c
79603 --- linux-2.6.39.3/scripts/mod/file2alias.c 2011-05-19 00:06:34.000000000 -0400
79604 +++ linux-2.6.39.3/scripts/mod/file2alias.c 2011-05-22 19:36:35.000000000 -0400
79605 @@ -72,7 +72,7 @@ static void device_id_check(const char *
79606 unsigned long size, unsigned long id_size,
79607 void *symval)
79608 {
79609 - int i;
79610 + unsigned int i;
79611
79612 if (size % id_size || size < id_size) {
79613 if (cross_build != 0)
79614 @@ -102,7 +102,7 @@ static void device_id_check(const char *
79615 /* USB is special because the bcdDevice can be matched against a numeric range */
79616 /* Looks like "usb:vNpNdNdcNdscNdpNicNiscNipN" */
79617 static void do_usb_entry(struct usb_device_id *id,
79618 - unsigned int bcdDevice_initial, int bcdDevice_initial_digits,
79619 + unsigned int bcdDevice_initial, unsigned int bcdDevice_initial_digits,
79620 unsigned char range_lo, unsigned char range_hi,
79621 unsigned char max, struct module *mod)
79622 {
79623 @@ -437,7 +437,7 @@ static void do_pnp_device_entry(void *sy
79624 for (i = 0; i < count; i++) {
79625 const char *id = (char *)devs[i].id;
79626 char acpi_id[sizeof(devs[0].id)];
79627 - int j;
79628 + unsigned int j;
79629
79630 buf_printf(&mod->dev_table_buf,
79631 "MODULE_ALIAS(\"pnp:d%s*\");\n", id);
79632 @@ -467,7 +467,7 @@ static void do_pnp_card_entries(void *sy
79633
79634 for (j = 0; j < PNP_MAX_DEVICES; j++) {
79635 const char *id = (char *)card->devs[j].id;
79636 - int i2, j2;
79637 + unsigned int i2, j2;
79638 int dup = 0;
79639
79640 if (!id[0])
79641 @@ -493,7 +493,7 @@ static void do_pnp_card_entries(void *sy
79642 /* add an individual alias for every device entry */
79643 if (!dup) {
79644 char acpi_id[sizeof(card->devs[0].id)];
79645 - int k;
79646 + unsigned int k;
79647
79648 buf_printf(&mod->dev_table_buf,
79649 "MODULE_ALIAS(\"pnp:d%s*\");\n", id);
79650 @@ -768,7 +768,7 @@ static void dmi_ascii_filter(char *d, co
79651 static int do_dmi_entry(const char *filename, struct dmi_system_id *id,
79652 char *alias)
79653 {
79654 - int i, j;
79655 + unsigned int i, j;
79656
79657 sprintf(alias, "dmi*");
79658
79659 diff -urNp linux-2.6.39.3/scripts/mod/modpost.c linux-2.6.39.3/scripts/mod/modpost.c
79660 --- linux-2.6.39.3/scripts/mod/modpost.c 2011-05-19 00:06:34.000000000 -0400
79661 +++ linux-2.6.39.3/scripts/mod/modpost.c 2011-07-06 20:00:13.000000000 -0400
79662 @@ -896,6 +896,7 @@ enum mismatch {
79663 ANY_INIT_TO_ANY_EXIT,
79664 ANY_EXIT_TO_ANY_INIT,
79665 EXPORT_TO_INIT_EXIT,
79666 + DATA_TO_TEXT
79667 };
79668
79669 struct sectioncheck {
79670 @@ -1004,6 +1005,12 @@ const struct sectioncheck sectioncheck[]
79671 .tosec = { INIT_SECTIONS, EXIT_SECTIONS, NULL },
79672 .mismatch = EXPORT_TO_INIT_EXIT,
79673 .symbol_white_list = { DEFAULT_SYMBOL_WHITE_LIST, NULL },
79674 +},
79675 +/* Do not reference code from writable data */
79676 +{
79677 + .fromsec = { DATA_SECTIONS, NULL },
79678 + .tosec = { TEXT_SECTIONS, NULL },
79679 + .mismatch = DATA_TO_TEXT
79680 }
79681 };
79682
79683 @@ -1126,10 +1133,10 @@ static Elf_Sym *find_elf_symbol(struct e
79684 continue;
79685 if (ELF_ST_TYPE(sym->st_info) == STT_SECTION)
79686 continue;
79687 - if (sym->st_value == addr)
79688 - return sym;
79689 /* Find a symbol nearby - addr are maybe negative */
79690 d = sym->st_value - addr;
79691 + if (d == 0)
79692 + return sym;
79693 if (d < 0)
79694 d = addr - sym->st_value;
79695 if (d < distance) {
79696 @@ -1408,6 +1415,14 @@ static void report_sec_mismatch(const ch
79697 tosym, prl_to, prl_to, tosym);
79698 free(prl_to);
79699 break;
79700 + case DATA_TO_TEXT:
79701 +/*
79702 + fprintf(stderr,
79703 + "The variable %s references\n"
79704 + "the %s %s%s%s\n",
79705 + fromsym, to, sec2annotation(tosec), tosym, to_p);
79706 +*/
79707 + break;
79708 }
79709 fprintf(stderr, "\n");
79710 }
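Review bot: The new `case DATA_TO_TEXT:` holds only a commented-out `fprintf`, yet the `fprintf(stderr, "\n");` after the switch still runs for it, so each such mismatch produces output with no explanation of what was found. The `sectioncheck` entry added in the earlier hunk also has no `.symbol_white_list`, so every reference from a data section to a text section would appear to match. Either enable the message or skip reporting for this class before anything is printed, and drop the commented-out block rather than committing it. The start of report_sec_mismatch is outside the hunk.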
79711 @@ -1633,7 +1648,7 @@ static void section_rel(const char *modn
79712 static void check_sec_ref(struct module *mod, const char *modname,
79713 struct elf_info *elf)
79714 {
79715 - int i;
79716 + unsigned int i;
79717 Elf_Shdr *sechdrs = elf->sechdrs;
79718
79719 /* Walk through all sections */
79720 @@ -1731,7 +1746,7 @@ void __attribute__((format(printf, 2, 3)
79721 va_end(ap);
79722 }
79723
79724 -void buf_write(struct buffer *buf, const char *s, int len)
79725 +void buf_write(struct buffer *buf, const char *s, unsigned int len)
79726 {
79727 if (buf->size - buf->pos < len) {
79728 buf->size += len + SZ;
79729 @@ -1943,7 +1958,7 @@ static void write_if_changed(struct buff
79730 if (fstat(fileno(file), &st) < 0)
79731 goto close_write;
79732
79733 - if (st.st_size != b->pos)
79734 + if (st.st_size != (off_t)b->pos)
79735 goto close_write;
79736
79737 tmp = NOFAIL(malloc(b->pos));
79738 diff -urNp linux-2.6.39.3/scripts/mod/modpost.h linux-2.6.39.3/scripts/mod/modpost.h
79739 --- linux-2.6.39.3/scripts/mod/modpost.h 2011-05-19 00:06:34.000000000 -0400
79740 +++ linux-2.6.39.3/scripts/mod/modpost.h 2011-05-22 19:36:35.000000000 -0400
79741 @@ -92,15 +92,15 @@ void *do_nofail(void *ptr, const char *e
79742
79743 struct buffer {
79744 char *p;
79745 - int pos;
79746 - int size;
79747 + unsigned int pos;
79748 + unsigned int size;
79749 };
79750
79751 void __attribute__((format(printf, 2, 3)))
79752 buf_printf(struct buffer *buf, const char *fmt, ...);
79753
79754 void
79755 -buf_write(struct buffer *buf, const char *s, int len);
79756 +buf_write(struct buffer *buf, const char *s, unsigned int len);
79757
79758 struct module {
79759 struct module *next;
79760 diff -urNp linux-2.6.39.3/scripts/mod/sumversion.c linux-2.6.39.3/scripts/mod/sumversion.c
79761 --- linux-2.6.39.3/scripts/mod/sumversion.c 2011-05-19 00:06:34.000000000 -0400
79762 +++ linux-2.6.39.3/scripts/mod/sumversion.c 2011-05-22 19:36:35.000000000 -0400
79763 @@ -470,7 +470,7 @@ static void write_version(const char *fi
79764 goto out;
79765 }
79766
79767 - if (write(fd, sum, strlen(sum)+1) != strlen(sum)+1) {
79768 + if (write(fd, sum, strlen(sum)+1) != (ssize_t)strlen(sum)+1) {
79769 warn("writing sum in %s failed: %s\n",
79770 filename, strerror(errno));
79771 goto out;
79772 diff -urNp linux-2.6.39.3/scripts/pnmtologo.c linux-2.6.39.3/scripts/pnmtologo.c
79773 --- linux-2.6.39.3/scripts/pnmtologo.c 2011-05-19 00:06:34.000000000 -0400
79774 +++ linux-2.6.39.3/scripts/pnmtologo.c 2011-05-22 19:36:35.000000000 -0400
79775 @@ -237,14 +237,14 @@ static void write_header(void)
79776 fprintf(out, " * Linux logo %s\n", logoname);
79777 fputs(" */\n\n", out);
79778 fputs("#include <linux/linux_logo.h>\n\n", out);
79779 - fprintf(out, "static unsigned char %s_data[] __initdata = {\n",
79780 + fprintf(out, "static unsigned char %s_data[] = {\n",
79781 logoname);
79782 }
79783
79784 static void write_footer(void)
79785 {
79786 fputs("\n};\n\n", out);
79787 - fprintf(out, "const struct linux_logo %s __initconst = {\n", logoname);
79788 + fprintf(out, "const struct linux_logo %s = {\n", logoname);
79789 fprintf(out, "\t.type\t\t= %s,\n", logo_types[logo_type]);
79790 fprintf(out, "\t.width\t\t= %d,\n", logo_width);
79791 fprintf(out, "\t.height\t\t= %d,\n", logo_height);
79792 @@ -374,7 +374,7 @@ static void write_logo_clut224(void)
79793 fputs("\n};\n\n", out);
79794
79795 /* write logo clut */
79796 - fprintf(out, "static unsigned char %s_clut[] __initdata = {\n",
79797 + fprintf(out, "static unsigned char %s_clut[] = {\n",
79798 logoname);
79799 write_hex_cnt = 0;
79800 for (i = 0; i < logo_clutsize; i++) {
79801 diff -urNp linux-2.6.39.3/security/apparmor/lsm.c linux-2.6.39.3/security/apparmor/lsm.c
79802 --- linux-2.6.39.3/security/apparmor/lsm.c 2011-06-25 12:55:23.000000000 -0400
79803 +++ linux-2.6.39.3/security/apparmor/lsm.c 2011-06-25 13:00:28.000000000 -0400
79804 @@ -621,7 +621,7 @@ static int apparmor_task_setrlimit(struc
79805 return error;
79806 }
79807
79808 -static struct security_operations apparmor_ops = {
79809 +static struct security_operations apparmor_ops __read_only = {
79810 .name = "apparmor",
79811
79812 .ptrace_access_check = apparmor_ptrace_access_check,
79813 @@ -672,7 +672,7 @@ static struct security_operations apparm
79814 static int param_set_aabool(const char *val, const struct kernel_param *kp);
79815 static int param_get_aabool(char *buffer, const struct kernel_param *kp);
79816 #define param_check_aabool(name, p) __param_check(name, p, int)
79817 -static struct kernel_param_ops param_ops_aabool = {
79818 +static const struct kernel_param_ops param_ops_aabool = {
79819 .set = param_set_aabool,
79820 .get = param_get_aabool
79821 };
79822 @@ -680,7 +680,7 @@ static struct kernel_param_ops param_ops
79823 static int param_set_aauint(const char *val, const struct kernel_param *kp);
79824 static int param_get_aauint(char *buffer, const struct kernel_param *kp);
79825 #define param_check_aauint(name, p) __param_check(name, p, int)
79826 -static struct kernel_param_ops param_ops_aauint = {
79827 +static const struct kernel_param_ops param_ops_aauint = {
79828 .set = param_set_aauint,
79829 .get = param_get_aauint
79830 };
79831 @@ -688,7 +688,7 @@ static struct kernel_param_ops param_ops
79832 static int param_set_aalockpolicy(const char *val, const struct kernel_param *kp);
79833 static int param_get_aalockpolicy(char *buffer, const struct kernel_param *kp);
79834 #define param_check_aalockpolicy(name, p) __param_check(name, p, int)
79835 -static struct kernel_param_ops param_ops_aalockpolicy = {
79836 +static const struct kernel_param_ops param_ops_aalockpolicy = {
79837 .set = param_set_aalockpolicy,
79838 .get = param_get_aalockpolicy
79839 };
79840 diff -urNp linux-2.6.39.3/security/commoncap.c linux-2.6.39.3/security/commoncap.c
79841 --- linux-2.6.39.3/security/commoncap.c 2011-05-19 00:06:34.000000000 -0400
79842 +++ linux-2.6.39.3/security/commoncap.c 2011-05-22 20:28:59.000000000 -0400
79843 @@ -28,6 +28,7 @@
79844 #include <linux/prctl.h>
79845 #include <linux/securebits.h>
79846 #include <linux/user_namespace.h>
79847 +#include <net/sock.h>
79848
79849 /*
79850 * If a non-root user executes a setuid-root binary in
79851 @@ -58,7 +59,7 @@ int cap_netlink_send(struct sock *sk, st
79852
79853 int cap_netlink_recv(struct sk_buff *skb, int cap)
79854 {
79855 - if (!cap_raised(current_cap(), cap))
79856 + if (!cap_raised(current_cap(), cap) || !gr_is_capable(cap))
79857 return -EPERM;
79858 return 0;
79859 }
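Review bot: The added `gr_is_capable(cap)` test in cap_netlink_recv() and the `gr_acl_enable_at_secure()` early return in the cap_bprm_secureexec() hunk below call helpers whose prototypes are not visible in this file. The only include added is `<net/sock.h>`, so the declarations presumably arrive through a header changed elsewhere in the patch; that is worth confirming for builds with the feature configured out. Both sites also change who passes a capability or secure-exec decision and deserve a one-line comment, assuming the helpers do what their names suggest: `/* policy may deny a capability the credentials hold */` above the netlink check and `/* policy can force secure-exec regardless of uid or caps */` above the early return. cap_bprm_secureexec() continues past the end of its hunk.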
79860 @@ -580,6 +581,9 @@ int cap_bprm_secureexec(struct linux_bin
79861 {
79862 const struct cred *cred = current_cred();
79863
79864 + if (gr_acl_enable_at_secure())
79865 + return 1;
79866 +
79867 if (cred->uid != 0) {
79868 if (bprm->cap_effective)
79869 return 1;
79870 diff -urNp linux-2.6.39.3/security/integrity/ima/ima_api.c linux-2.6.39.3/security/integrity/ima/ima_api.c
79871 --- linux-2.6.39.3/security/integrity/ima/ima_api.c 2011-05-19 00:06:34.000000000 -0400
79872 +++ linux-2.6.39.3/security/integrity/ima/ima_api.c 2011-05-22 19:36:35.000000000 -0400
79873 @@ -75,7 +75,7 @@ void ima_add_violation(struct inode *ino
79874 int result;
79875
79876 /* can overflow, only indicator */
79877 - atomic_long_inc(&ima_htable.violations);
79878 + atomic_long_inc_unchecked(&ima_htable.violations);
79879
79880 entry = kmalloc(sizeof(*entry), GFP_KERNEL);
79881 if (!entry) {
79882 diff -urNp linux-2.6.39.3/security/integrity/ima/ima_fs.c linux-2.6.39.3/security/integrity/ima/ima_fs.c
79883 --- linux-2.6.39.3/security/integrity/ima/ima_fs.c 2011-05-19 00:06:34.000000000 -0400
79884 +++ linux-2.6.39.3/security/integrity/ima/ima_fs.c 2011-05-22 19:36:35.000000000 -0400
79885 @@ -28,12 +28,12 @@
79886 static int valid_policy = 1;
79887 #define TMPBUFLEN 12
79888 static ssize_t ima_show_htable_value(char __user *buf, size_t count,
79889 - loff_t *ppos, atomic_long_t *val)
79890 + loff_t *ppos, atomic_long_unchecked_t *val)
79891 {
79892 char tmpbuf[TMPBUFLEN];
79893 ssize_t len;
79894
79895 - len = scnprintf(tmpbuf, TMPBUFLEN, "%li\n", atomic_long_read(val));
79896 + len = scnprintf(tmpbuf, TMPBUFLEN, "%li\n", atomic_long_read_unchecked(val));
79897 return simple_read_from_buffer(buf, count, ppos, tmpbuf, len);
79898 }
79899
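Review bot: ima_show_htable_value() still formats a long with `%li\n` into `tmpbuf[TMPBUFLEN]` with TMPBUFLEN at 12, so on a 64-bit build scnprintf() silently truncates any value that needs more than eleven characters including the newline. The counters are now explicitly allowed to wrap, so a negative value is possible and makes the truncation easier to hit. Sizing the buffer for the full range of a 64-bit long fits in the same change: `#define TMPBUFLEN 22`. Other users of TMPBUFLEN in this file, if any, are outside the hunk and should be checked.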
79900 diff -urNp linux-2.6.39.3/security/integrity/ima/ima.h linux-2.6.39.3/security/integrity/ima/ima.h
79901 --- linux-2.6.39.3/security/integrity/ima/ima.h 2011-05-19 00:06:34.000000000 -0400
79902 +++ linux-2.6.39.3/security/integrity/ima/ima.h 2011-05-22 19:36:35.000000000 -0400
79903 @@ -85,8 +85,8 @@ void ima_add_violation(struct inode *ino
79904 extern spinlock_t ima_queue_lock;
79905
79906 struct ima_h_table {
79907 - atomic_long_t len; /* number of stored measurements in the list */
79908 - atomic_long_t violations;
79909 + atomic_long_unchecked_t len; /* number of stored measurements in the list */
79910 + atomic_long_unchecked_t violations;
79911 struct hlist_head queue[IMA_MEASURE_HTABLE_SIZE];
79912 };
79913 extern struct ima_h_table ima_htable;
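Review bot: Changing `len` to `atomic_long_unchecked_t` presumably removes it from overflow detection, but nothing records why that is safe. `violations` at least has the "can overflow, only indicator" remark at its increment in ima_api.c. I would state it on the fields themselves, e.g. `/* statistic only, may wrap; not a reference count */` on both members, and repeat it at the `atomic_long_inc_unchecked(&ima_htable.len)` call in ima_queue.c. Whether `len` is used for anything beyond display is not visible in these hunks, so confirm that before marking it exempt.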
79914 diff -urNp linux-2.6.39.3/security/integrity/ima/ima_queue.c linux-2.6.39.3/security/integrity/ima/ima_queue.c
79915 --- linux-2.6.39.3/security/integrity/ima/ima_queue.c 2011-05-19 00:06:34.000000000 -0400
79916 +++ linux-2.6.39.3/security/integrity/ima/ima_queue.c 2011-05-22 19:36:35.000000000 -0400
79917 @@ -79,7 +79,7 @@ static int ima_add_digest_entry(struct i
79918 INIT_LIST_HEAD(&qe->later);
79919 list_add_tail_rcu(&qe->later, &ima_measurements);
79920
79921 - atomic_long_inc(&ima_htable.len);
79922 + atomic_long_inc_unchecked(&ima_htable.len);
79923 key = ima_hash_key(entry->digest);
79924 hlist_add_head_rcu(&qe->hnext, &ima_htable.queue[key]);
79925 return 0;
79926 diff -urNp linux-2.6.39.3/security/Kconfig linux-2.6.39.3/security/Kconfig
79927 --- linux-2.6.39.3/security/Kconfig 2011-05-19 00:06:34.000000000 -0400
79928 +++ linux-2.6.39.3/security/Kconfig 2011-07-06 19:58:46.000000000 -0400
79929 @@ -4,6 +4,554 @@
79930
79931 menu "Security options"
79932
79933 +source grsecurity/Kconfig
79934 +
79935 +menu "PaX"
79936 +
79937 + config ARCH_TRACK_EXEC_LIMIT
79938 + bool
79939 +
79940 + config PAX_PER_CPU_PGD
79941 + bool
79942 +
79943 + config TASK_SIZE_MAX_SHIFT
79944 + int
79945 + depends on X86_64
79946 + default 47 if !PAX_PER_CPU_PGD
79947 + default 42 if PAX_PER_CPU_PGD
79948 +
79949 + config PAX_ENABLE_PAE
79950 + bool
79951 + default y if (X86_32 && (MPENTIUM4 || MK8 || MPSC || MCORE2 || MATOM))
79952 +
79953 +config PAX
79954 + bool "Enable various PaX features"
79955 + depends on GRKERNSEC && (ALPHA || ARM || AVR32 || IA64 || MIPS || PARISC || PPC || SPARC || X86)
79956 + help
79957 + This allows you to enable various PaX features. PaX adds
79958 + intrusion prevention mechanisms to the kernel that reduce
79959 + the risks posed by exploitable memory corruption bugs.
79960 +
79961 +menu "PaX Control"
79962 + depends on PAX
79963 +
79964 +config PAX_SOFTMODE
79965 + bool 'Support soft mode'
79966 + select PAX_PT_PAX_FLAGS
79967 + help
79968 + Enabling this option will allow you to run PaX in soft mode, that
79969 + is, PaX features will not be enforced by default, only on executables
79970 + marked explicitly. You must also enable PT_PAX_FLAGS support as it
79971 + is the only way to mark executables for soft mode use.
79972 +
79973 + Soft mode can be activated by using the "pax_softmode=1" kernel command
79974 + line option on boot. Furthermore you can control various PaX features
79975 + at runtime via the entries in /proc/sys/kernel/pax.
79976 +
79977 +config PAX_EI_PAX
79978 + bool 'Use legacy ELF header marking'
79979 + help
79980 + Enabling this option will allow you to control PaX features on
79981 + a per executable basis via the 'chpax' utility available at
79982 + http://pax.grsecurity.net/. The control flags will be read from
79983 + an otherwise reserved part of the ELF header. This marking has
79984 + numerous drawbacks (no support for soft-mode, toolchain does not
79985 + know about the non-standard use of the ELF header) therefore it
79986 + has been deprecated in favour of PT_PAX_FLAGS support.
79987 +
79988 + Note that if you enable PT_PAX_FLAGS marking support as well,
79989 + the PT_PAX_FLAG marks will override the legacy EI_PAX marks.
79990 +
79991 +config PAX_PT_PAX_FLAGS
79992 + bool 'Use ELF program header marking'
79993 + help
79994 + Enabling this option will allow you to control PaX features on
79995 + a per executable basis via the 'paxctl' utility available at
79996 + http://pax.grsecurity.net/. The control flags will be read from
79997 + a PaX specific ELF program header (PT_PAX_FLAGS). This marking
79998 + has the benefits of supporting both soft mode and being fully
79999 + integrated into the toolchain (the binutils patch is available
80000 + from http://pax.grsecurity.net).
80001 +
80002 + If your toolchain does not support PT_PAX_FLAGS markings,
80003 + you can create one in most cases with 'paxctl -C'.
80004 +
80005 + Note that if you enable the legacy EI_PAX marking support as well,
80006 + the EI_PAX marks will be overridden by the PT_PAX_FLAGS marks.
80007 +
80008 +choice
80009 + prompt 'MAC system integration'
80010 + default PAX_HAVE_ACL_FLAGS
80011 + help
80012 + Mandatory Access Control systems have the option of controlling
80013 + PaX flags on a per executable basis, choose the method supported
80014 + by your particular system.
80015 +
80016 + - "none": if your MAC system does not interact with PaX,
80017 + - "direct": if your MAC system defines pax_set_initial_flags() itself,
80018 + - "hook": if your MAC system uses the pax_set_initial_flags_func callback.
80019 +
80020 + NOTE: this option is for developers/integrators only.
80021 +
80022 + config PAX_NO_ACL_FLAGS
80023 + bool 'none'
80024 +
80025 + config PAX_HAVE_ACL_FLAGS
80026 + bool 'direct'
80027 +
80028 + config PAX_HOOK_ACL_FLAGS
80029 + bool 'hook'
80030 +endchoice
80031 +
80032 +endmenu
80033 +
80034 +menu "Non-executable pages"
80035 + depends on PAX
80036 +
80037 +config PAX_NOEXEC
80038 + bool "Enforce non-executable pages"
80039 + depends on (PAX_EI_PAX || PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS) && (ALPHA || (ARM && (CPU_V6 || CPU_V7)) || IA64 || MIPS || PARISC || PPC || S390 || SPARC || X86)
80040 + help
80041 + By design some architectures do not allow for protecting memory
80042 + pages against execution or even if they do, Linux does not make
80043 + use of this feature. In practice this means that if a page is
80044 + readable (such as the stack or heap) it is also executable.
80045 +
80046 + There is a well known exploit technique that makes use of this
80047 + fact and a common programming mistake where an attacker can
80048 + introduce code of his choice somewhere in the attacked program's
80049 + memory (typically the stack or the heap) and then execute it.
80050 +
80051 + If the attacked program was running with different (typically
80052 + higher) privileges than that of the attacker, then he can elevate
80053 + his own privilege level (e.g. get a root shell, write to files for
80054 + which he does not have write access to, etc).
80055 +
80056 + Enabling this option will let you choose from various features
80057 + that prevent the injection and execution of 'foreign' code in
80058 + a program.
80059 +
80060 + This will also break programs that rely on the old behaviour and
80061 + expect that dynamically allocated memory via the malloc() family
80062 + of functions is executable (which it is not). Notable examples
80063 + are the XFree86 4.x server, the java runtime and wine.
80064 +
80065 +config PAX_PAGEEXEC
80066 + bool "Paging based non-executable pages"
80067 + depends on PAX_NOEXEC && (!X86_32 || M586 || M586TSC || M586MMX || M686 || MPENTIUMII || MPENTIUMIII || MPENTIUMM || MCORE2 || MATOM || MPENTIUM4 || MPSC || MK7 || MK8 || MWINCHIPC6 || MWINCHIP2 || MWINCHIP3D || MVIAC3_2 || MVIAC7)
80068 + select S390_SWITCH_AMODE if S390
80069 + select S390_EXEC_PROTECT if S390
80070 + select ARCH_TRACK_EXEC_LIMIT if X86_32
80071 + help
80072 + This implementation is based on the paging feature of the CPU.
80073 + On i386 without hardware non-executable bit support there is a
80074 + variable but usually low performance impact, however on Intel's
80075 + P4 core based CPUs it is very high so you should not enable this
80076 + for kernels meant to be used on such CPUs.
80077 +
80078 + On alpha, avr32, ia64, parisc, sparc, sparc64, x86_64 and i386
80079 + with hardware non-executable bit support there is no performance
80080 + impact, on ppc the impact is negligible.
80081 +
80082 + Note that several architectures require various emulations due to
80083 + badly designed userland ABIs, this will cause a performance impact
80084 + but will disappear as soon as userland is fixed. For example, ppc
80085 + userland MUST have been built with secure-plt by a recent toolchain.
80086 +
80087 +config PAX_SEGMEXEC
80088 + bool "Segmentation based non-executable pages"
80089 + depends on PAX_NOEXEC && X86_32
80090 + help
80091 + This implementation is based on the segmentation feature of the
80092 + CPU and has a very small performance impact, however applications
80093 + will be limited to a 1.5 GB address space instead of the normal
80094 + 3 GB.
80095 +
80096 +config PAX_EMUTRAMP
80097 + bool "Emulate trampolines" if (PAX_PAGEEXEC || PAX_SEGMEXEC) && (PARISC || X86)
80098 + default y if PARISC
80099 + help
80100 + There are some programs and libraries that for one reason or
80101 + another attempt to execute special small code snippets from
80102 + non-executable memory pages. Most notable examples are the
80103 + signal handler return code generated by the kernel itself and
80104 + the GCC trampolines.
80105 +
80106 + If you enabled CONFIG_PAX_PAGEEXEC or CONFIG_PAX_SEGMEXEC then
80107 + such programs will no longer work under your kernel.
80108 +
80109 + As a remedy you can say Y here and use the 'chpax' or 'paxctl'
80110 + utilities to enable trampoline emulation for the affected programs
80111 + yet still have the protection provided by the non-executable pages.
80112 +
80113 + On parisc you MUST enable this option and EMUSIGRT as well, otherwise
80114 + your system will not even boot.
80115 +
80116 + Alternatively you can say N here and use the 'chpax' or 'paxctl'
80117 + utilities to disable CONFIG_PAX_PAGEEXEC and CONFIG_PAX_SEGMEXEC
80118 + for the affected files.
80119 +
80120 + NOTE: enabling this feature *may* open up a loophole in the
80121 + protection provided by non-executable pages that an attacker
80122 + could abuse. Therefore the best solution is to not have any
80123 + files on your system that would require this option. This can
80124 + be achieved by not using libc5 (which relies on the kernel
80125 + signal handler return code) and not using or rewriting programs
80126 + that make use of the nested function implementation of GCC.
80127 + Skilled users can just fix GCC itself so that it implements
80128 + nested function calls in a way that does not interfere with PaX.
80129 +
80130 +config PAX_EMUSIGRT
80131 + bool "Automatically emulate sigreturn trampolines"
80132 + depends on PAX_EMUTRAMP && PARISC
80133 + default y
80134 + help
80135 + Enabling this option will have the kernel automatically detect
80136 + and emulate signal return trampolines executing on the stack
80137 + that would otherwise lead to task termination.
80138 +
80139 + This solution is intended as a temporary one for users with
80140 + legacy versions of libc (libc5, glibc 2.0, uClibc before 0.9.17,
80141 + Modula-3 runtime, etc) or executables linked to such, basically
80142 + everything that does not specify its own SA_RESTORER function in
80143 + normal executable memory like glibc 2.1+ does.
80144 +
80145 + On parisc you MUST enable this option, otherwise your system will
80146 + not even boot.
80147 +
80148 + NOTE: this feature cannot be disabled on a per executable basis
80149 + and since it *does* open up a loophole in the protection provided
80150 + by non-executable pages, the best solution is to not have any
80151 + files on your system that would require this option.
80152 +
80153 +config PAX_MPROTECT
80154 + bool "Restrict mprotect()"
80155 + depends on (PAX_PAGEEXEC || PAX_SEGMEXEC)
80156 + help
80157 + Enabling this option will prevent programs from
80158 + - changing the executable status of memory pages that were
80159 + not originally created as executable,
80160 + - making read-only executable pages writable again,
80161 + - creating executable pages from anonymous memory,
80162 + - making read-only-after-relocations (RELRO) data pages writable again.
80163 +
80164 + You should say Y here to complete the protection provided by
80165 + the enforcement of non-executable pages.
80166 +
80167 + NOTE: you can use the 'chpax' or 'paxctl' utilities to control
80168 + this feature on a per file basis.
80169 +
80170 +config PAX_MPROTECT_COMPAT
80171 + bool "Use legacy/compat protection demoting (read help)"
80172 + depends on PAX_MPROTECT
80173 + default n
80174 + help
80175 + The current implementation of PAX_MPROTECT denies RWX allocations/mprotects
80176 + by sending the proper error code to the application. For some broken
80177 + userland, this can cause problems with Python or other applications. The
80178 + current implementation however allows for applications like clamav to
80179 + detect if JIT compilation/execution is allowed and to fall back gracefully
80180 + to an interpreter-based mode if it does not. While we encourage everyone
80181 + to use the current implementation as-is and push upstream to fix broken
80182 + userland (note that the RWX logging option can assist with this), in some
80183 + environments this may not be possible. Having to disable MPROTECT
80184 + completely on certain binaries reduces the security benefit of PaX,
80185 + so this option is provided for those environments to revert to the old
80186 + behavior.
80187 +
80188 +config PAX_ELFRELOCS
80189 + bool "Allow ELF text relocations (read help)"
80190 + depends on PAX_MPROTECT
80191 + default n
80192 + help
80193 + Non-executable pages and mprotect() restrictions are effective
80194 + in preventing the introduction of new executable code into an
80195 + attacked task's address space. There remain only two venues
80196 + for this kind of attack: if the attacker can execute already
80197 + existing code in the attacked task then he can either have it
80198 + create and mmap() a file containing his code or have it mmap()
80199 + an already existing ELF library that does not have position
80200 + independent code in it and use mprotect() on it to make it
80201 + writable and copy his code there. While protecting against
80202 + the former approach is beyond PaX, the latter can be prevented
80203 + by having only PIC ELF libraries on one's system (which do not
80204 + need to relocate their code). If you are sure this is your case,
80205 + as is the case with all modern Linux distributions, then leave
80206 + this option disabled. You should say 'n' here.
80207 +
80208 +config PAX_ETEXECRELOCS
80209 + bool "Allow ELF ET_EXEC text relocations"
80210 + depends on PAX_MPROTECT && (ALPHA || IA64 || PARISC)
80211 + select PAX_ELFRELOCS
80212 + default y
80213 + help
80214 + On some architectures there are incorrectly created applications
80215 + that require text relocations and would not work without enabling
80216 + this option. If you are an alpha, ia64 or parisc user, you should
80217 + enable this option and disable it once you have made sure that
80218 + none of your applications need it.
80219 +
80220 +config PAX_EMUPLT
80221 + bool "Automatically emulate ELF PLT"
80222 + depends on PAX_MPROTECT && (ALPHA || PARISC || SPARC)
80223 + default y
80224 + help
80225 + Enabling this option will have the kernel automatically detect
80226 + and emulate the Procedure Linkage Table entries in ELF files.
80227 + On some architectures such entries are in writable memory, and
80228 + become non-executable leading to task termination. Therefore
80229 + it is mandatory that you enable this option on alpha, parisc,
80230 + sparc and sparc64, otherwise your system would not even boot.
80231 +
80232 + NOTE: this feature *does* open up a loophole in the protection
80233 + provided by the non-executable pages, therefore the proper
80234 + solution is to modify the toolchain to produce a PLT that does
80235 + not need to be writable.
80236 +
80237 +config PAX_DLRESOLVE
80238 + bool 'Emulate old glibc resolver stub'
80239 + depends on PAX_EMUPLT && SPARC
80240 + default n
80241 + help
80242 + This option is needed if userland has an old glibc (before 2.4)
80243 + that puts a 'save' instruction into the runtime generated resolver
80244 + stub that needs special emulation.
80245 +
80246 +config PAX_KERNEXEC
80247 + bool "Enforce non-executable kernel pages"
80248 + depends on PAX_NOEXEC && (PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN
80249 + select PAX_PER_CPU_PGD if X86_64 || (X86_32 && X86_PAE)
80250 + help
80251 + This is the kernel land equivalent of PAGEEXEC and MPROTECT,
80252 + that is, enabling this option will make it harder to inject
80253 + and execute 'foreign' code in kernel memory itself.
80254 +
80255 + Note that on x86_64 kernels there is a known regression when
80256 + this feature and KVM/VMX are both enabled in the host kernel.
80257 +
80258 +config PAX_KERNEXEC_MODULE_TEXT
80259 + int "Minimum amount of memory reserved for module code"
80260 + default "4"
80261 + depends on PAX_KERNEXEC && X86_32 && MODULES
80262 + help
80263 + Due to implementation details the kernel must reserve a fixed
80264 + amount of memory for module code at compile time that cannot be
80265 + changed at runtime. Here you can specify the minimum amount
80266 + in MB that will be reserved. Due to the same implementation
80267 + details this size will always be rounded up to the next 2/4 MB
80268 + boundary (depends on PAE) so the actually available memory for
80269 + module code will usually be more than this minimum.
80270 +
80271 + The default 4 MB should be enough for most users but if you have
80272 + an excessive number of modules (e.g., most distribution configs
80273 + compile many drivers as modules) or use huge modules such as
80274 + nvidia's kernel driver, you will need to adjust this amount.
80275 + A good rule of thumb is to look at your currently loaded kernel
80276 + modules and add up their sizes.
80277 +
80278 +endmenu
80279 +
80280 +menu "Address Space Layout Randomization"
80281 + depends on PAX
80282 +
80283 +config PAX_ASLR
80284 + bool "Address Space Layout Randomization"
80285 + depends on PAX_EI_PAX || PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS
80286 + help
80287 + Many if not most exploit techniques rely on the knowledge of
80288 + certain addresses in the attacked program. The following options
80289 + will allow the kernel to apply a certain amount of randomization
80290 + to specific parts of the program thereby forcing an attacker to
80291 + guess them in most cases. Any failed guess will most likely crash
80292 + the attacked program which allows the kernel to detect such attempts
80293 + and react on them. PaX itself provides no reaction mechanisms,
80294 + instead it is strongly encouraged that you make use of Nergal's
80295 + segvguard (ftp://ftp.pl.openwall.com/misc/segvguard/) or grsecurity's
80296 + (http://www.grsecurity.net/) built-in crash detection features or
80297 + develop one yourself.
80298 +
80299 + By saying Y here you can choose to randomize the following areas:
80300 + - top of the task's kernel stack
80301 + - top of the task's userland stack
80302 + - base address for mmap() requests that do not specify one
80303 + (this includes all libraries)
80304 + - base address of the main executable
80305 +
80306 + It is strongly recommended to say Y here as address space layout
80307 + randomization has negligible impact on performance yet it provides
80308 + a very effective protection.
80309 +
80310 + NOTE: you can use the 'chpax' or 'paxctl' utilities to control
80311 + this feature on a per file basis.
80312 +
80313 +config PAX_RANDKSTACK
80314 + bool "Randomize kernel stack base"
80315 + depends on PAX_ASLR && X86_TSC && X86
80316 + help
80317 + By saying Y here the kernel will randomize every task's kernel
80318 + stack on every system call. This will not only force an attacker
80319 + to guess it but also prevent him from making use of possible
80320 + leaked information about it.
80321 +
80322 + Since the kernel stack is a rather scarce resource, randomization
80323 + may cause unexpected stack overflows, therefore you should very
80324 + carefully test your system. Note that once enabled in the kernel
80325 + configuration, this feature cannot be disabled on a per file basis.
80326 +
80327 +config PAX_RANDUSTACK
80328 + bool "Randomize user stack base"
80329 + depends on PAX_ASLR
80330 + help
80331 + By saying Y here the kernel will randomize every task's userland
80332 + stack. The randomization is done in two steps where the second
80333 + one may apply a big amount of shift to the top of the stack and
80334 + cause problems for programs that want to use lots of memory (more
80335 + than 2.5 GB if SEGMEXEC is not active, or 1.25 GB when it is).
80336 + For this reason the second step can be controlled by 'chpax' or
80337 + 'paxctl' on a per file basis.
80338 +
80339 +config PAX_RANDMMAP
80340 + bool "Randomize mmap() base"
80341 + depends on PAX_ASLR
80342 + help
80343 + By saying Y here the kernel will use a randomized base address for
80344 + mmap() requests that do not specify one themselves. As a result
80345 + all dynamically loaded libraries will appear at random addresses
80346 + and therefore be harder to exploit by a technique where an attacker
80347 + attempts to execute library code for his purposes (e.g. spawn a
80348 + shell from an exploited program that is running at an elevated
80349 + privilege level).
80350 +
80351 + Furthermore, if a program is relinked as a dynamic ELF file, its
80352 + base address will be randomized as well, completing the full
80353 + randomization of the address space layout. Attacking such programs
80354 + becomes a guess game. You can find an example of doing this at
80355 + http://pax.grsecurity.net/et_dyn.tar.gz and practical samples at
80356 + http://www.grsecurity.net/grsec-gcc-specs.tar.gz .
80357 +
80358 + NOTE: you can use the 'chpax' or 'paxctl' utilities to control this
80359 + feature on a per file basis.
80360 +
80361 +endmenu
80362 +
80363 +menu "Miscellaneous hardening features"
80364 +
80365 +config PAX_MEMORY_SANITIZE
80366 + bool "Sanitize all freed memory"
80367 + help
80368 + By saying Y here the kernel will erase memory pages as soon as they
80369 + are freed. This in turn reduces the lifetime of data stored in the
80370 + pages, making it less likely that sensitive information such as
80371 + passwords, cryptographic secrets, etc stay in memory for too long.
80372 +
80373 + This is especially useful for programs whose runtime is short, long
80374 + lived processes and the kernel itself benefit from this as long as
80375 + they operate on whole memory pages and ensure timely freeing of pages
80376 + that may hold sensitive information.
80377 +
80378 + The tradeoff is performance impact, on a single CPU system kernel
80379 + compilation sees a 3% slowdown, other systems and workloads may vary
80380 + and you are advised to test this feature on your expected workload
80381 + before deploying it.
80382 +
80383 + Note that this feature does not protect data stored in live pages,
80384 + e.g., process memory swapped to disk may stay there for a long time.
80385 +
80386 +config PAX_MEMORY_STACKLEAK
80387 + bool "Sanitize kernel stack"
80388 + depends on X86
80389 + help
80390 + By saying Y here the kernel will erase the kernel stack before it
80391 + returns from a system call. This in turn reduces the information
80392 + that a kernel stack leak bug can reveal.
80393 +
80394 + Note that such a bug can still leak information that was put on
80395 + the stack by the current system call (the one eventually triggering
80396 + the bug) but traces of earlier system calls on the kernel stack
80397 + cannot leak anymore.
80398 +
80399 + The tradeoff is performance impact: on a single CPU system kernel
80400 + compilation sees a 1% slowdown, other systems and workloads may vary
80401 + and you are advised to test this feature on your expected workload
80402 + before deploying it.
80403 +
80404 + Note: full support for this feature requires gcc with plugin support
80405 + so make sure your compiler is at least gcc 4.5.0 (cross compilation
80406 + is not supported). Using older gcc versions means that functions
80407 + with large enough stack frames may leave uninitialized memory behind
80408 + that may be exposed to a later syscall leaking the stack.
80409 +
80410 +config PAX_MEMORY_UDEREF
80411 + bool "Prevent invalid userland pointer dereference"
80412 + depends on X86 && !UML_X86 && !XEN
80413 + select PAX_PER_CPU_PGD if X86_64
80414 + help
80415 + By saying Y here the kernel will be prevented from dereferencing
80416 + userland pointers in contexts where the kernel expects only kernel
80417 + pointers. This is both a useful runtime debugging feature and a
80418 + security measure that prevents exploiting a class of kernel bugs.
80419 +
80420 + The tradeoff is that some virtualization solutions may experience
80421 + a huge slowdown and therefore you should not enable this feature
80422 + for kernels meant to run in such environments. Whether a given VM
80423 + solution is affected or not is best determined by simply trying it
80424 + out, the performance impact will be obvious right on boot as this
80425 + mechanism engages from very early on. A good rule of thumb is that
80426 + VMs running on CPUs without hardware virtualization support (i.e.,
80427 + the majority of IA-32 CPUs) will likely experience the slowdown.
80428 +
80429 +config PAX_REFCOUNT
80430 + bool "Prevent various kernel object reference counter overflows"
80431 + depends on GRKERNSEC && (X86 || SPARC64)
80432 + help
80433 + By saying Y here the kernel will detect and prevent overflowing
80434 + various (but not all) kinds of object reference counters. Such
80435 + overflows can normally occur due to bugs only and are often, if
80436 + not always, exploitable.
80437 +
80438 + The tradeoff is that data structures protected by an overflowed
80439 + refcount will never be freed and therefore will leak memory. Note
80440 + that this leak also happens even without this protection but in
80441 + that case the overflow can eventually trigger the freeing of the
80442 + data structure while it is still being used elsewhere, resulting
80443 + in the exploitable situation that this feature prevents.
80444 +
80445 + Since this has a negligible performance impact, you should enable
80446 + this feature.
80447 +
80448 +config PAX_USERCOPY
80449 + bool "Harden heap object copies between kernel and userland"
80450 + depends on X86 || PPC || SPARC || ARM
80451 + depends on GRKERNSEC && (SLAB || SLUB || SLOB)
80452 + help
80453 + By saying Y here the kernel will enforce the size of heap objects
80454 + when they are copied in either direction between the kernel and
80455 + userland, even if only a part of the heap object is copied.
80456 +
80457 + Specifically, this checking prevents information leaking from the
80458 + kernel heap during kernel to userland copies (if the kernel heap
80459 + object is otherwise fully initialized) and prevents kernel heap
80460 + overflows during userland to kernel copies.
80461 +
80462 + Note that the current implementation provides the strictest bounds
80463 + checks for the SLUB allocator.
80464 +
80465 + Enabling this option also enables per-slab cache protection against
80466 + data in a given cache being copied into/out of via userland
80467 + accessors. Though the whitelist of regions will be reduced over
80468 + time, it notably protects important data structures like task structs.
80469 +
80470 + If frame pointers are enabled on x86, this option will also restrict
80471 + copies into and out of the kernel stack to local variables within a
80472 + single frame.
80473 +
80474 + Since this has a negligible performance impact, you should enable
80475 + this feature.
80476 +
80477 +endmenu
80478 +
80479 +endmenu
80480 +
80481 config KEYS
80482 bool "Enable access key retention support"
80483 help
80484 @@ -167,7 +715,7 @@ config INTEL_TXT
80485 config LSM_MMAP_MIN_ADDR
80486 int "Low address space for LSM to protect from user allocation"
80487 depends on SECURITY && SECURITY_SELINUX
80488 - default 65536
80489 + default 32768
80490 help
80491 This is the portion of low virtual memory which should be protected
80492 from userspace allocation. Keeping a user from writing to low pages
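Review bot: The default for LSM_MMAP_MIN_ADDR drops from 65536 to 32768 with no rationale in the option text, which halves the low address range that the help text describes as protected from userspace allocation. The help text continues outside this hunk, so any value it recommends should be checked against the new default. If the lower value is only needed by particular architectures or workloads, a conditional default would keep the larger protected range elsewhere. In either case the help should record the reason, for example `The default is 32768 because <reason>; use 65536 where nothing needs to map below 64 KiB.`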
80493 diff -urNp linux-2.6.39.3/security/keys/keyring.c linux-2.6.39.3/security/keys/keyring.c
80494 --- linux-2.6.39.3/security/keys/keyring.c 2011-05-19 00:06:34.000000000 -0400
80495 +++ linux-2.6.39.3/security/keys/keyring.c 2011-05-22 19:36:35.000000000 -0400
80496 @@ -213,15 +213,15 @@ static long keyring_read(const struct ke
80497 ret = -EFAULT;
80498
80499 for (loop = 0; loop < klist->nkeys; loop++) {
80500 + key_serial_t serial;
80501 key = klist->keys[loop];
80502 + serial = key->serial;
80503
80504 tmp = sizeof(key_serial_t);
80505 if (tmp > buflen)
80506 tmp = buflen;
80507
80508 - if (copy_to_user(buffer,
80509 - &key->serial,
80510 - tmp) != 0)
80511 + if (copy_to_user(buffer, &serial, tmp))
80512 goto error;
80513
80514 buflen -= tmp;
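Review bot: The new local `serial` in the loop has no comment explaining why the value is bounced through the stack instead of being copied from `&key->serial` as before, so a later cleanup could easily fold it back. Presumably this keeps copy_to_user() from reading out of the middle of a heap-allocated key, which the PAX_USERCOPY option described earlier in this patch checks even for partial copies. If that is the reason, state it above the assignment: `/* copy via a stack temporary: usercopy size checks apply to heap objects, and *key is one */`. keyring_read's body starts and ends outside the hunk.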
80515 diff -urNp linux-2.6.39.3/security/min_addr.c linux-2.6.39.3/security/min_addr.c
80516 --- linux-2.6.39.3/security/min_addr.c 2011-05-19 00:06:34.000000000 -0400
80517 +++ linux-2.6.39.3/security/min_addr.c 2011-05-22 19:41:42.000000000 -0400
80518 @@ -14,6 +14,7 @@ unsigned long dac_mmap_min_addr = CONFIG
80519 */
80520 static void update_mmap_min_addr(void)
80521 {
80522 +#ifndef SPARC
80523 #ifdef CONFIG_LSM_MMAP_MIN_ADDR
80524 if (dac_mmap_min_addr > CONFIG_LSM_MMAP_MIN_ADDR)
80525 mmap_min_addr = dac_mmap_min_addr;
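Review bot: The guard `#ifndef SPARC` tests a macro that is not a Kconfig-generated symbol, because configuration options reach the preprocessor with a `CONFIG_` prefix. Unless something else defines `SPARC`, the condition is always true and the guard (closed by the `#endif` added in the next hunk) has no effect. If the intent is to leave mmap_min_addr untouched on SPARC, it should read `#ifndef CONFIG_SPARC`. With that fix update_mmap_min_addr() becomes empty on SPARC, and neither dac_mmap_min_addr nor CONFIG_LSM_MMAP_MIN_ADDR is applied. That deserves a comment such as `/* SPARC: mmap_min_addr is left unchanged because <reason> */`.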
80526 @@ -22,6 +23,7 @@ static void update_mmap_min_addr(void)
80527 #else
80528 mmap_min_addr = dac_mmap_min_addr;
80529 #endif
80530 +#endif
80531 }
80532
80533 /*
80534 diff -urNp linux-2.6.39.3/security/security.c linux-2.6.39.3/security/security.c
80535 --- linux-2.6.39.3/security/security.c 2011-05-19 00:06:34.000000000 -0400
80536 +++ linux-2.6.39.3/security/security.c 2011-05-22 19:41:42.000000000 -0400
80537 @@ -25,8 +25,8 @@ static __initdata char chosen_lsm[SECURI
80538 /* things that live in capability.c */
80539 extern void __init security_fixup_ops(struct security_operations *ops);
80540
80541 -static struct security_operations *security_ops;
80542 -static struct security_operations default_security_ops = {
80543 +static struct security_operations *security_ops __read_only;
80544 +static struct security_operations default_security_ops __read_only = {
80545 .name = "default",
80546 };
80547
80548 @@ -67,7 +67,9 @@ int __init security_init(void)
80549
80550 void reset_security_ops(void)
80551 {
80552 + pax_open_kernel();
80553 security_ops = &default_security_ops;
80554 + pax_close_kernel();
80555 }
80556
80557 /* Save user chosen LSM */
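Review bot: `reset_security_ops()` now lifts kernel write protection around its store, but nothing at the call site says why, or that the open/close pair must stay tight around that single assignment. A one-line comment would keep later edits from widening the window: `/* security_ops is __read_only; lift write protection only for this store */`. Other assignments to `security_ops` in this file are outside the hunk. Any of them that can run after init would need the same bracket, which is worth confirming.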
80558 diff -urNp linux-2.6.39.3/security/selinux/hooks.c linux-2.6.39.3/security/selinux/hooks.c
80559 --- linux-2.6.39.3/security/selinux/hooks.c 2011-05-19 00:06:34.000000000 -0400
80560 +++ linux-2.6.39.3/security/selinux/hooks.c 2011-05-22 19:41:42.000000000 -0400
80561 @@ -93,7 +93,6 @@
80562 #define NUM_SEL_MNT_OPTS 5
80563
80564 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
80565 -extern struct security_operations *security_ops;
80566
80567 /* SECMARK reference count */
80568 atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
80569 @@ -5431,7 +5430,7 @@ static int selinux_key_getsecurity(struc
80570
80571 #endif
80572
80573 -static struct security_operations selinux_ops = {
80574 +static struct security_operations selinux_ops __read_only = {
80575 .name = "selinux",
80576
80577 .ptrace_access_check = selinux_ptrace_access_check,
80578 diff -urNp linux-2.6.39.3/security/selinux/include/xfrm.h linux-2.6.39.3/security/selinux/include/xfrm.h
80579 --- linux-2.6.39.3/security/selinux/include/xfrm.h 2011-05-19 00:06:34.000000000 -0400
80580 +++ linux-2.6.39.3/security/selinux/include/xfrm.h 2011-05-22 19:36:35.000000000 -0400
80581 @@ -48,7 +48,7 @@ int selinux_xfrm_decode_session(struct s
80582
80583 static inline void selinux_xfrm_notify_policyload(void)
80584 {
80585 - atomic_inc(&flow_cache_genid);
80586 + atomic_inc_unchecked(&flow_cache_genid);
80587 }
80588 #else
80589 static inline int selinux_xfrm_enabled(void)
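Review bot: The switch to `atomic_inc_unchecked()` in `selinux_xfrm_notify_policyload()` opts this counter out of overflow detection without saying why that is safe. Judging by its name, `flow_cache_genid` is a generation number rather than an object reference count, so a wrap would not lead to a premature free. That is an inference and should be recorded next to the call: `/* generation counter, not a refcount: wraparound is harmless */`. The variable's declaration is outside the hunk and has to use the matching unchecked atomic type.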
80590 diff -urNp linux-2.6.39.3/security/selinux/ss/services.c linux-2.6.39.3/security/selinux/ss/services.c
80591 --- linux-2.6.39.3/security/selinux/ss/services.c 2011-05-19 00:06:34.000000000 -0400
80592 +++ linux-2.6.39.3/security/selinux/ss/services.c 2011-05-22 19:36:35.000000000 -0400
80593 @@ -1806,6 +1806,8 @@ int security_load_policy(void *data, siz
80594 int rc = 0;
80595 struct policy_file file = { data, len }, *fp = &file;
80596
80597 + pax_track_stack();
80598 +
80599 if (!ss_initialized) {
80600 avtab_cache_init();
80601 rc = policydb_read(&policydb, fp);
80602 diff -urNp linux-2.6.39.3/security/smack/smack_lsm.c linux-2.6.39.3/security/smack/smack_lsm.c
80603 --- linux-2.6.39.3/security/smack/smack_lsm.c 2011-05-19 00:06:34.000000000 -0400
80604 +++ linux-2.6.39.3/security/smack/smack_lsm.c 2011-05-22 19:36:35.000000000 -0400
80605 @@ -3386,7 +3386,7 @@ static int smack_inode_getsecctx(struct
80606 return 0;
80607 }
80608
80609 -struct security_operations smack_ops = {
80610 +struct security_operations smack_ops __read_only = {
80611 .name = "smack",
80612
80613 .ptrace_access_check = smack_ptrace_access_check,
80614 diff -urNp linux-2.6.39.3/security/tomoyo/tomoyo.c linux-2.6.39.3/security/tomoyo/tomoyo.c
80615 --- linux-2.6.39.3/security/tomoyo/tomoyo.c 2011-05-19 00:06:34.000000000 -0400
80616 +++ linux-2.6.39.3/security/tomoyo/tomoyo.c 2011-05-22 19:36:35.000000000 -0400
80617 @@ -240,7 +240,7 @@ static int tomoyo_sb_pivotroot(struct pa
80618 * tomoyo_security_ops is a "struct security_operations" which is used for
80619 * registering TOMOYO.
80620 */
80621 -static struct security_operations tomoyo_security_ops = {
80622 +static struct security_operations tomoyo_security_ops __read_only = {
80623 .name = "tomoyo",
80624 .cred_alloc_blank = tomoyo_cred_alloc_blank,
80625 .cred_prepare = tomoyo_cred_prepare,
80626 diff -urNp linux-2.6.39.3/sound/aoa/aoa.h linux-2.6.39.3/sound/aoa/aoa.h
80627 --- linux-2.6.39.3/sound/aoa/aoa.h 2011-05-19 00:06:34.000000000 -0400
80628 +++ linux-2.6.39.3/sound/aoa/aoa.h 2011-05-22 19:36:35.000000000 -0400
80629 @@ -122,8 +122,8 @@ extern struct snd_card *aoa_get_card(voi
80630 extern int aoa_snd_ctl_add(struct snd_kcontrol* control);
80631
80632 /* GPIO stuff */
80633 -extern struct gpio_methods *pmf_gpio_methods;
80634 -extern struct gpio_methods *ftr_gpio_methods;
80635 +extern const struct gpio_methods *pmf_gpio_methods;
80636 +extern const struct gpio_methods *ftr_gpio_methods;
80637 /* extern struct gpio_methods *map_gpio_methods; */
80638
80639 #endif /* __AOA_H */
80640 diff -urNp linux-2.6.39.3/sound/aoa/codecs/onyx.c linux-2.6.39.3/sound/aoa/codecs/onyx.c
80641 --- linux-2.6.39.3/sound/aoa/codecs/onyx.c 2011-05-19 00:06:34.000000000 -0400
80642 +++ linux-2.6.39.3/sound/aoa/codecs/onyx.c 2011-05-22 19:36:35.000000000 -0400
80643 @@ -54,7 +54,7 @@ struct onyx {
80644 spdif_locked:1,
80645 analog_locked:1,
80646 original_mute:2;
80647 - int open_count;
80648 + local_t open_count;
80649 struct codec_info *codec_info;
80650
80651 /* mutex serializes concurrent access to the device
80652 @@ -753,7 +753,7 @@ static int onyx_open(struct codec_info_i
80653 struct onyx *onyx = cii->codec_data;
80654
80655 mutex_lock(&onyx->mutex);
80656 - onyx->open_count++;
80657 + local_inc(&onyx->open_count);
80658 mutex_unlock(&onyx->mutex);
80659
80660 return 0;
80661 @@ -765,8 +765,7 @@ static int onyx_close(struct codec_info_
80662 struct onyx *onyx = cii->codec_data;
80663
80664 mutex_lock(&onyx->mutex);
80665 - onyx->open_count--;
80666 - if (!onyx->open_count)
80667 + if (local_dec_and_test(&onyx->open_count))
80668 onyx->spdif_locked = onyx->analog_locked = 0;
80669 mutex_unlock(&onyx->mutex);
80670
80671 diff -urNp linux-2.6.39.3/sound/aoa/codecs/onyx.h linux-2.6.39.3/sound/aoa/codecs/onyx.h
80672 --- linux-2.6.39.3/sound/aoa/codecs/onyx.h 2011-05-19 00:06:34.000000000 -0400
80673 +++ linux-2.6.39.3/sound/aoa/codecs/onyx.h 2011-05-22 19:36:35.000000000 -0400
80674 @@ -11,6 +11,7 @@
80675 #include <linux/i2c.h>
80676 #include <asm/pmac_low_i2c.h>
80677 #include <asm/prom.h>
80678 +#include <asm/local.h>
80679
80680 /* PCM3052 register definitions */
80681
80682 diff -urNp linux-2.6.39.3/sound/arm/aaci.c linux-2.6.39.3/sound/arm/aaci.c
80683 --- linux-2.6.39.3/sound/arm/aaci.c 2011-05-19 00:06:34.000000000 -0400
80684 +++ linux-2.6.39.3/sound/arm/aaci.c 2011-05-22 19:36:35.000000000 -0400
80685 @@ -635,7 +635,7 @@ static int aaci_pcm_playback_trigger(str
80686 return ret;
80687 }
80688
80689 -static struct snd_pcm_ops aaci_playback_ops = {
80690 +static const struct snd_pcm_ops aaci_playback_ops = {
80691 .open = aaci_pcm_open,
80692 .close = aaci_pcm_close,
80693 .ioctl = snd_pcm_lib_ioctl,
80694 @@ -738,7 +738,7 @@ static int aaci_pcm_capture_prepare(stru
80695 return 0;
80696 }
80697
80698 -static struct snd_pcm_ops aaci_capture_ops = {
80699 +static const struct snd_pcm_ops aaci_capture_ops = {
80700 .open = aaci_pcm_open,
80701 .close = aaci_pcm_close,
80702 .ioctl = snd_pcm_lib_ioctl,
80703 @@ -827,7 +827,7 @@ static struct ac97_pcm ac97_defs[] __dev
80704 }
80705 };
80706
80707 -static struct snd_ac97_bus_ops aaci_bus_ops = {
80708 +static const struct snd_ac97_bus_ops aaci_bus_ops = {
80709 .write = aaci_ac97_write,
80710 .read = aaci_ac97_read,
80711 };
80712 diff -urNp linux-2.6.39.3/sound/arm/pxa2xx-ac97.c linux-2.6.39.3/sound/arm/pxa2xx-ac97.c
80713 --- linux-2.6.39.3/sound/arm/pxa2xx-ac97.c 2011-05-19 00:06:34.000000000 -0400
80714 +++ linux-2.6.39.3/sound/arm/pxa2xx-ac97.c 2011-05-22 19:36:35.000000000 -0400
80715 @@ -34,7 +34,7 @@ static void pxa2xx_ac97_reset(struct snd
80716 pxa2xx_ac97_finish_reset(ac97);
80717 }
80718
80719 -static struct snd_ac97_bus_ops pxa2xx_ac97_ops = {
80720 +static const struct snd_ac97_bus_ops pxa2xx_ac97_ops = {
80721 .read = pxa2xx_ac97_read,
80722 .write = pxa2xx_ac97_write,
80723 .reset = pxa2xx_ac97_reset,
80724 diff -urNp linux-2.6.39.3/sound/atmel/abdac.c linux-2.6.39.3/sound/atmel/abdac.c
80725 --- linux-2.6.39.3/sound/atmel/abdac.c 2011-05-19 00:06:34.000000000 -0400
80726 +++ linux-2.6.39.3/sound/atmel/abdac.c 2011-05-22 19:36:35.000000000 -0400
80727 @@ -297,7 +297,7 @@ static irqreturn_t abdac_interrupt(int i
80728 return IRQ_HANDLED;
80729 }
80730
80731 -static struct snd_pcm_ops atmel_abdac_ops = {
80732 +static const struct snd_pcm_ops atmel_abdac_ops = {
80733 .open = atmel_abdac_open,
80734 .close = atmel_abdac_close,
80735 .ioctl = snd_pcm_lib_ioctl,
80736 diff -urNp linux-2.6.39.3/sound/atmel/ac97c.c linux-2.6.39.3/sound/atmel/ac97c.c
80737 --- linux-2.6.39.3/sound/atmel/ac97c.c 2011-05-19 00:06:34.000000000 -0400
80738 +++ linux-2.6.39.3/sound/atmel/ac97c.c 2011-05-22 19:36:35.000000000 -0400
80739 @@ -626,7 +626,7 @@ atmel_ac97c_capture_pointer(struct snd_p
80740 return frames;
80741 }
80742
80743 -static struct snd_pcm_ops atmel_ac97_playback_ops = {
80744 +static const struct snd_pcm_ops atmel_ac97_playback_ops = {
80745 .open = atmel_ac97c_playback_open,
80746 .close = atmel_ac97c_playback_close,
80747 .ioctl = snd_pcm_lib_ioctl,
80748 @@ -637,7 +637,7 @@ static struct snd_pcm_ops atmel_ac97_pla
80749 .pointer = atmel_ac97c_playback_pointer,
80750 };
80751
80752 -static struct snd_pcm_ops atmel_ac97_capture_ops = {
80753 +static const struct snd_pcm_ops atmel_ac97_capture_ops = {
80754 .open = atmel_ac97c_capture_open,
80755 .close = atmel_ac97c_capture_close,
80756 .ioctl = snd_pcm_lib_ioctl,
80757 @@ -909,7 +909,7 @@ static int __devinit atmel_ac97c_probe(s
80758 struct resource *regs;
80759 struct ac97c_platform_data *pdata;
80760 struct clk *pclk;
80761 - static struct snd_ac97_bus_ops ops = {
80762 + static const struct snd_ac97_bus_ops ops = {
80763 .write = atmel_ac97c_write,
80764 .read = atmel_ac97c_read,
80765 };
80766 diff -urNp linux-2.6.39.3/sound/core/control.c linux-2.6.39.3/sound/core/control.c
80767 --- linux-2.6.39.3/sound/core/control.c 2011-05-19 00:06:34.000000000 -0400
80768 +++ linux-2.6.39.3/sound/core/control.c 2011-05-22 19:36:35.000000000 -0400
80769 @@ -1520,7 +1520,7 @@ static int snd_ctl_dev_free(struct snd_d
80770 */
80771 int snd_ctl_create(struct snd_card *card)
80772 {
80773 - static struct snd_device_ops ops = {
80774 + static const struct snd_device_ops ops = {
80775 .dev_free = snd_ctl_dev_free,
80776 .dev_register = snd_ctl_dev_register,
80777 .dev_disconnect = snd_ctl_dev_disconnect,
80778 diff -urNp linux-2.6.39.3/sound/core/device.c linux-2.6.39.3/sound/core/device.c
80779 --- linux-2.6.39.3/sound/core/device.c 2011-05-19 00:06:34.000000000 -0400
80780 +++ linux-2.6.39.3/sound/core/device.c 2011-05-22 19:36:35.000000000 -0400
80781 @@ -41,7 +41,7 @@
80782 * Returns zero if successful, or a negative error code on failure.
80783 */
80784 int snd_device_new(struct snd_card *card, snd_device_type_t type,
80785 - void *device_data, struct snd_device_ops *ops)
80786 + void *device_data, const struct snd_device_ops *ops)
80787 {
80788 struct snd_device *dev;
80789
80790 diff -urNp linux-2.6.39.3/sound/core/hwdep.c linux-2.6.39.3/sound/core/hwdep.c
80791 --- linux-2.6.39.3/sound/core/hwdep.c 2011-05-19 00:06:34.000000000 -0400
80792 +++ linux-2.6.39.3/sound/core/hwdep.c 2011-05-22 19:36:35.000000000 -0400
80793 @@ -348,7 +348,7 @@ int snd_hwdep_new(struct snd_card *card,
80794 {
80795 struct snd_hwdep *hwdep;
80796 int err;
80797 - static struct snd_device_ops ops = {
80798 + static const struct snd_device_ops ops = {
80799 .dev_free = snd_hwdep_dev_free,
80800 .dev_register = snd_hwdep_dev_register,
80801 .dev_disconnect = snd_hwdep_dev_disconnect,
80802 diff -urNp linux-2.6.39.3/sound/core/info.c linux-2.6.39.3/sound/core/info.c
80803 --- linux-2.6.39.3/sound/core/info.c 2011-05-19 00:06:34.000000000 -0400
80804 +++ linux-2.6.39.3/sound/core/info.c 2011-05-22 19:36:35.000000000 -0400
80805 @@ -897,7 +897,7 @@ static int snd_info_dev_register_entry(s
80806 int snd_card_proc_new(struct snd_card *card, const char *name,
80807 struct snd_info_entry **entryp)
80808 {
80809 - static struct snd_device_ops ops = {
80810 + static const struct snd_device_ops ops = {
80811 .dev_free = snd_info_dev_free_entry,
80812 .dev_register = snd_info_dev_register_entry,
80813 /* disconnect is done via snd_info_card_disconnect() */
80814 diff -urNp linux-2.6.39.3/sound/core/jack.c linux-2.6.39.3/sound/core/jack.c
80815 --- linux-2.6.39.3/sound/core/jack.c 2011-05-19 00:06:34.000000000 -0400
80816 +++ linux-2.6.39.3/sound/core/jack.c 2011-05-22 19:36:35.000000000 -0400
80817 @@ -105,7 +105,7 @@ int snd_jack_new(struct snd_card *card,
80818 struct snd_jack *jack;
80819 int err;
80820 int i;
80821 - static struct snd_device_ops ops = {
80822 + static const struct snd_device_ops ops = {
80823 .dev_free = snd_jack_dev_free,
80824 .dev_register = snd_jack_dev_register,
80825 };
80826 diff -urNp linux-2.6.39.3/sound/core/pcm.c linux-2.6.39.3/sound/core/pcm.c
80827 --- linux-2.6.39.3/sound/core/pcm.c 2011-05-19 00:06:34.000000000 -0400
80828 +++ linux-2.6.39.3/sound/core/pcm.c 2011-05-22 19:36:35.000000000 -0400
80829 @@ -717,7 +717,7 @@ int snd_pcm_new(struct snd_card *card, c
80830 {
80831 struct snd_pcm *pcm;
80832 int err;
80833 - static struct snd_device_ops ops = {
80834 + static const struct snd_device_ops ops = {
80835 .dev_free = snd_pcm_dev_free,
80836 .dev_register = snd_pcm_dev_register,
80837 .dev_disconnect = snd_pcm_dev_disconnect,
80838 diff -urNp linux-2.6.39.3/sound/core/pcm_lib.c linux-2.6.39.3/sound/core/pcm_lib.c
80839 --- linux-2.6.39.3/sound/core/pcm_lib.c 2011-05-19 00:06:34.000000000 -0400
80840 +++ linux-2.6.39.3/sound/core/pcm_lib.c 2011-05-22 19:36:35.000000000 -0400
80841 @@ -505,7 +505,7 @@ int snd_pcm_update_hw_ptr(struct snd_pcm
80842 *
80843 * Sets the given PCM operators to the pcm instance.
80844 */
80845 -void snd_pcm_set_ops(struct snd_pcm *pcm, int direction, struct snd_pcm_ops *ops)
80846 +void snd_pcm_set_ops(struct snd_pcm *pcm, int direction, const struct snd_pcm_ops *ops)
80847 {
80848 struct snd_pcm_str *stream = &pcm->streams[direction];
80849 struct snd_pcm_substream *substream;
80850 diff -urNp linux-2.6.39.3/sound/core/pcm_native.c linux-2.6.39.3/sound/core/pcm_native.c
80851 --- linux-2.6.39.3/sound/core/pcm_native.c 2011-05-19 00:06:34.000000000 -0400
80852 +++ linux-2.6.39.3/sound/core/pcm_native.c 2011-05-22 19:36:35.000000000 -0400
80853 @@ -702,7 +702,7 @@ struct action_ops {
80854 * Note: the stream state might be changed also on failure
80855 * Note2: call with calling stream lock + link lock
80856 */
80857 -static int snd_pcm_action_group(struct action_ops *ops,
80858 +static int snd_pcm_action_group(const struct action_ops *ops,
80859 struct snd_pcm_substream *substream,
80860 int state, int do_lock)
80861 {
80862 @@ -751,7 +751,7 @@ static int snd_pcm_action_group(struct a
80863 /*
80864 * Note: call with stream lock
80865 */
80866 -static int snd_pcm_action_single(struct action_ops *ops,
80867 +static int snd_pcm_action_single(const struct action_ops *ops,
80868 struct snd_pcm_substream *substream,
80869 int state)
80870 {
80871 @@ -771,7 +771,7 @@ static int snd_pcm_action_single(struct
80872 /*
80873 * Note: call with stream lock
80874 */
80875 -static int snd_pcm_action(struct action_ops *ops,
80876 +static int snd_pcm_action(const struct action_ops *ops,
80877 struct snd_pcm_substream *substream,
80878 int state)
80879 {
80880 @@ -794,7 +794,7 @@ static int snd_pcm_action(struct action_
80881 /*
80882 * Note: don't use any locks before
80883 */
80884 -static int snd_pcm_action_lock_irq(struct action_ops *ops,
80885 +static int snd_pcm_action_lock_irq(const struct action_ops *ops,
80886 struct snd_pcm_substream *substream,
80887 int state)
80888 {
80889 @@ -818,7 +818,7 @@ static int snd_pcm_action_lock_irq(struc
80890
80891 /*
80892 */
80893 -static int snd_pcm_action_nonatomic(struct action_ops *ops,
80894 +static int snd_pcm_action_nonatomic(const struct action_ops *ops,
80895 struct snd_pcm_substream *substream,
80896 int state)
80897 {
80898 @@ -877,7 +877,7 @@ static void snd_pcm_post_start(struct sn
80899 &runtime->trigger_tstamp);
80900 }
80901
80902 -static struct action_ops snd_pcm_action_start = {
80903 +static const struct action_ops snd_pcm_action_start = {
80904 .pre_action = snd_pcm_pre_start,
80905 .do_action = snd_pcm_do_start,
80906 .undo_action = snd_pcm_undo_start,
80907 @@ -928,7 +928,7 @@ static void snd_pcm_post_stop(struct snd
80908 wake_up(&runtime->tsleep);
80909 }
80910
80911 -static struct action_ops snd_pcm_action_stop = {
80912 +static const struct action_ops snd_pcm_action_stop = {
80913 .pre_action = snd_pcm_pre_stop,
80914 .do_action = snd_pcm_do_stop,
80915 .post_action = snd_pcm_post_stop
80916 @@ -1025,7 +1025,7 @@ static void snd_pcm_post_pause(struct sn
80917 }
80918 }
80919
80920 -static struct action_ops snd_pcm_action_pause = {
80921 +static const struct action_ops snd_pcm_action_pause = {
80922 .pre_action = snd_pcm_pre_pause,
80923 .do_action = snd_pcm_do_pause,
80924 .undo_action = snd_pcm_undo_pause,
80925 @@ -1076,7 +1076,7 @@ static void snd_pcm_post_suspend(struct
80926 wake_up(&runtime->tsleep);
80927 }
80928
80929 -static struct action_ops snd_pcm_action_suspend = {
80930 +static const struct action_ops snd_pcm_action_suspend = {
80931 .pre_action = snd_pcm_pre_suspend,
80932 .do_action = snd_pcm_do_suspend,
80933 .post_action = snd_pcm_post_suspend
80934 @@ -1175,7 +1175,7 @@ static void snd_pcm_post_resume(struct s
80935 runtime->status->state = runtime->status->suspended_state;
80936 }
80937
80938 -static struct action_ops snd_pcm_action_resume = {
80939 +static const struct action_ops snd_pcm_action_resume = {
80940 .pre_action = snd_pcm_pre_resume,
80941 .do_action = snd_pcm_do_resume,
80942 .undo_action = snd_pcm_undo_resume,
80943 @@ -1278,7 +1278,7 @@ static void snd_pcm_post_reset(struct sn
80944 snd_pcm_playback_silence(substream, ULONG_MAX);
80945 }
80946
80947 -static struct action_ops snd_pcm_action_reset = {
80948 +static const struct action_ops snd_pcm_action_reset = {
80949 .pre_action = snd_pcm_pre_reset,
80950 .do_action = snd_pcm_do_reset,
80951 .post_action = snd_pcm_post_reset
80952 @@ -1322,7 +1322,7 @@ static void snd_pcm_post_prepare(struct
80953 runtime->status->state = SNDRV_PCM_STATE_PREPARED;
80954 }
80955
80956 -static struct action_ops snd_pcm_action_prepare = {
80957 +static const struct action_ops snd_pcm_action_prepare = {
80958 .pre_action = snd_pcm_pre_prepare,
80959 .do_action = snd_pcm_do_prepare,
80960 .post_action = snd_pcm_post_prepare
80961 @@ -1397,7 +1397,7 @@ static void snd_pcm_post_drain_init(stru
80962 {
80963 }
80964
80965 -static struct action_ops snd_pcm_action_drain_init = {
80966 +static const struct action_ops snd_pcm_action_drain_init = {
80967 .pre_action = snd_pcm_pre_drain_init,
80968 .do_action = snd_pcm_do_drain_init,
80969 .post_action = snd_pcm_post_drain_init
80970 diff -urNp linux-2.6.39.3/sound/core/rawmidi.c linux-2.6.39.3/sound/core/rawmidi.c
80971 --- linux-2.6.39.3/sound/core/rawmidi.c 2011-05-19 00:06:34.000000000 -0400
80972 +++ linux-2.6.39.3/sound/core/rawmidi.c 2011-05-22 19:36:35.000000000 -0400
80973 @@ -1449,7 +1449,7 @@ int snd_rawmidi_new(struct snd_card *car
80974 {
80975 struct snd_rawmidi *rmidi;
80976 int err;
80977 - static struct snd_device_ops ops = {
80978 + static const struct snd_device_ops ops = {
80979 .dev_free = snd_rawmidi_dev_free,
80980 .dev_register = snd_rawmidi_dev_register,
80981 .dev_disconnect = snd_rawmidi_dev_disconnect,
80982 @@ -1654,7 +1654,7 @@ static int snd_rawmidi_dev_disconnect(st
80983 * Sets the rawmidi operators for the given stream direction.
80984 */
80985 void snd_rawmidi_set_ops(struct snd_rawmidi *rmidi, int stream,
80986 - struct snd_rawmidi_ops *ops)
80987 + const struct snd_rawmidi_ops *ops)
80988 {
80989 struct snd_rawmidi_substream *substream;
80990
80991 diff -urNp linux-2.6.39.3/sound/core/seq/seq_device.c linux-2.6.39.3/sound/core/seq/seq_device.c
80992 --- linux-2.6.39.3/sound/core/seq/seq_device.c 2011-05-19 00:06:34.000000000 -0400
80993 +++ linux-2.6.39.3/sound/core/seq/seq_device.c 2011-05-22 19:36:35.000000000 -0400
80994 @@ -178,7 +178,7 @@ int snd_seq_device_new(struct snd_card *
80995 struct snd_seq_device *dev;
80996 struct ops_list *ops;
80997 int err;
80998 - static struct snd_device_ops dops = {
80999 + static const struct snd_device_ops dops = {
81000 .dev_free = snd_seq_device_dev_free,
81001 .dev_register = snd_seq_device_dev_register,
81002 .dev_disconnect = snd_seq_device_dev_disconnect,
81003 @@ -307,7 +307,7 @@ static int snd_seq_device_dev_disconnect
81004 * id = driver id
81005 * entry = driver operators - duplicated to each instance
81006 */
81007 -int snd_seq_device_register_driver(char *id, struct snd_seq_dev_ops *entry,
81008 +int snd_seq_device_register_driver(char *id, const struct snd_seq_dev_ops *entry,
81009 int argsize)
81010 {
81011 struct ops_list *ops;
81012 diff -urNp linux-2.6.39.3/sound/core/seq/seq_midi.c linux-2.6.39.3/sound/core/seq/seq_midi.c
81013 --- linux-2.6.39.3/sound/core/seq/seq_midi.c 2011-05-19 00:06:34.000000000 -0400
81014 +++ linux-2.6.39.3/sound/core/seq/seq_midi.c 2011-05-22 19:36:35.000000000 -0400
81015 @@ -461,7 +461,7 @@ snd_seq_midisynth_unregister_port(struct
81016
81017 static int __init alsa_seq_midi_init(void)
81018 {
81019 - static struct snd_seq_dev_ops ops = {
81020 + static const struct snd_seq_dev_ops ops = {
81021 snd_seq_midisynth_register_port,
81022 snd_seq_midisynth_unregister_port,
81023 };
81024 diff -urNp linux-2.6.39.3/sound/core/seq/seq_virmidi.c linux-2.6.39.3/sound/core/seq/seq_virmidi.c
81025 --- linux-2.6.39.3/sound/core/seq/seq_virmidi.c 2011-05-19 00:06:34.000000000 -0400
81026 +++ linux-2.6.39.3/sound/core/seq/seq_virmidi.c 2011-05-22 19:36:35.000000000 -0400
81027 @@ -337,13 +337,13 @@ static int snd_virmidi_unuse(void *priva
81028 * Register functions
81029 */
81030
81031 -static struct snd_rawmidi_ops snd_virmidi_input_ops = {
81032 +static const struct snd_rawmidi_ops snd_virmidi_input_ops = {
81033 .open = snd_virmidi_input_open,
81034 .close = snd_virmidi_input_close,
81035 .trigger = snd_virmidi_input_trigger,
81036 };
81037
81038 -static struct snd_rawmidi_ops snd_virmidi_output_ops = {
81039 +static const struct snd_rawmidi_ops snd_virmidi_output_ops = {
81040 .open = snd_virmidi_output_open,
81041 .close = snd_virmidi_output_close,
81042 .trigger = snd_virmidi_output_trigger,
81043 @@ -467,7 +467,7 @@ static int snd_virmidi_dev_unregister(st
81044 /*
81045 *
81046 */
81047 -static struct snd_rawmidi_global_ops snd_virmidi_global_ops = {
81048 +static const struct snd_rawmidi_global_ops snd_virmidi_global_ops = {
81049 .dev_register = snd_virmidi_dev_register,
81050 .dev_unregister = snd_virmidi_dev_unregister,
81051 };
81052 diff -urNp linux-2.6.39.3/sound/core/timer.c linux-2.6.39.3/sound/core/timer.c
81053 --- linux-2.6.39.3/sound/core/timer.c 2011-05-19 00:06:34.000000000 -0400
81054 +++ linux-2.6.39.3/sound/core/timer.c 2011-05-22 19:36:35.000000000 -0400
81055 @@ -756,7 +756,7 @@ int snd_timer_new(struct snd_card *card,
81056 {
81057 struct snd_timer *timer;
81058 int err;
81059 - static struct snd_device_ops ops = {
81060 + static const struct snd_device_ops ops = {
81061 .dev_free = snd_timer_dev_free,
81062 .dev_register = snd_timer_dev_register,
81063 .dev_disconnect = snd_timer_dev_disconnect,
81064 diff -urNp linux-2.6.39.3/sound/drivers/aloop.c linux-2.6.39.3/sound/drivers/aloop.c
81065 --- linux-2.6.39.3/sound/drivers/aloop.c 2011-05-19 00:06:34.000000000 -0400
81066 +++ linux-2.6.39.3/sound/drivers/aloop.c 2011-05-22 19:36:35.000000000 -0400
81067 @@ -731,7 +731,7 @@ static int loopback_close(struct snd_pcm
81068 return 0;
81069 }
81070
81071 -static struct snd_pcm_ops loopback_playback_ops = {
81072 +static const struct snd_pcm_ops loopback_playback_ops = {
81073 .open = loopback_open,
81074 .close = loopback_close,
81075 .ioctl = snd_pcm_lib_ioctl,
81076 @@ -742,7 +742,7 @@ static struct snd_pcm_ops loopback_playb
81077 .pointer = loopback_pointer,
81078 };
81079
81080 -static struct snd_pcm_ops loopback_capture_ops = {
81081 +static const struct snd_pcm_ops loopback_capture_ops = {
81082 .open = loopback_open,
81083 .close = loopback_close,
81084 .ioctl = snd_pcm_lib_ioctl,
81085 diff -urNp linux-2.6.39.3/sound/drivers/dummy.c linux-2.6.39.3/sound/drivers/dummy.c
81086 --- linux-2.6.39.3/sound/drivers/dummy.c 2011-05-19 00:06:34.000000000 -0400
81087 +++ linux-2.6.39.3/sound/drivers/dummy.c 2011-05-22 19:36:35.000000000 -0400
81088 @@ -350,7 +350,7 @@ static void dummy_systimer_free(struct s
81089 kfree(substream->runtime->private_data);
81090 }
81091
81092 -static struct dummy_timer_ops dummy_systimer_ops = {
81093 +static const struct dummy_timer_ops dummy_systimer_ops = {
81094 .create = dummy_systimer_create,
81095 .free = dummy_systimer_free,
81096 .prepare = dummy_systimer_prepare,
81097 @@ -474,7 +474,7 @@ static void dummy_hrtimer_free(struct sn
81098 kfree(dpcm);
81099 }
81100
81101 -static struct dummy_timer_ops dummy_hrtimer_ops = {
81102 +static const struct dummy_timer_ops dummy_hrtimer_ops = {
81103 .create = dummy_hrtimer_create,
81104 .free = dummy_hrtimer_free,
81105 .prepare = dummy_hrtimer_prepare,
81106 @@ -660,7 +660,7 @@ static struct page *dummy_pcm_page(struc
81107 return virt_to_page(dummy_page[substream->stream]); /* the same page */
81108 }
81109
81110 -static struct snd_pcm_ops dummy_pcm_ops = {
81111 +static const struct snd_pcm_ops dummy_pcm_ops = {
81112 .open = dummy_pcm_open,
81113 .close = dummy_pcm_close,
81114 .ioctl = snd_pcm_lib_ioctl,
81115 @@ -671,7 +671,7 @@ static struct snd_pcm_ops dummy_pcm_ops
81116 .pointer = dummy_pcm_pointer,
81117 };
81118
81119 -static struct snd_pcm_ops dummy_pcm_ops_no_buf = {
81120 +static const struct snd_pcm_ops dummy_pcm_ops_no_buf = {
81121 .open = dummy_pcm_open,
81122 .close = dummy_pcm_close,
81123 .ioctl = snd_pcm_lib_ioctl,
81124 @@ -689,7 +689,7 @@ static int __devinit snd_card_dummy_pcm(
81125 int substreams)
81126 {
81127 struct snd_pcm *pcm;
81128 - struct snd_pcm_ops *ops;
81129 + const struct snd_pcm_ops *ops;
81130 int err;
81131
81132 err = snd_pcm_new(dummy->card, "Dummy PCM", device,
81133 diff -urNp linux-2.6.39.3/sound/drivers/ml403-ac97cr.c linux-2.6.39.3/sound/drivers/ml403-ac97cr.c
81134 --- linux-2.6.39.3/sound/drivers/ml403-ac97cr.c 2011-05-19 00:06:34.000000000 -0400
81135 +++ linux-2.6.39.3/sound/drivers/ml403-ac97cr.c 2011-05-22 19:36:35.000000000 -0400
81136 @@ -759,7 +759,7 @@ static int snd_ml403_ac97cr_capture_clos
81137 return 0;
81138 }
81139
81140 -static struct snd_pcm_ops snd_ml403_ac97cr_playback_ops = {
81141 +static const struct snd_pcm_ops snd_ml403_ac97cr_playback_ops = {
81142 .open = snd_ml403_ac97cr_playback_open,
81143 .close = snd_ml403_ac97cr_playback_close,
81144 .ioctl = snd_pcm_lib_ioctl,
81145 @@ -770,7 +770,7 @@ static struct snd_pcm_ops snd_ml403_ac97
81146 .pointer = snd_ml403_ac97cr_pcm_pointer,
81147 };
81148
81149 -static struct snd_pcm_ops snd_ml403_ac97cr_capture_ops = {
81150 +static const struct snd_pcm_ops snd_ml403_ac97cr_capture_ops = {
81151 .open = snd_ml403_ac97cr_capture_open,
81152 .close = snd_ml403_ac97cr_capture_close,
81153 .ioctl = snd_pcm_lib_ioctl,
81154 @@ -1114,7 +1114,7 @@ snd_ml403_ac97cr_create(struct snd_card
81155 {
81156 struct snd_ml403_ac97cr *ml403_ac97cr;
81157 int err;
81158 - static struct snd_device_ops ops = {
81159 + static const struct snd_device_ops ops = {
81160 .dev_free = snd_ml403_ac97cr_dev_free,
81161 };
81162 struct resource *resource;
81163 @@ -1210,7 +1210,7 @@ snd_ml403_ac97cr_mixer(struct snd_ml403_
81164 struct snd_ac97_bus *bus;
81165 struct snd_ac97_template ac97;
81166 int err;
81167 - static struct snd_ac97_bus_ops ops = {
81168 + static const struct snd_ac97_bus_ops ops = {
81169 .write = snd_ml403_ac97cr_codec_write,
81170 .read = snd_ml403_ac97cr_codec_read,
81171 };
81172 diff -urNp linux-2.6.39.3/sound/drivers/mtpav.c linux-2.6.39.3/sound/drivers/mtpav.c
81173 --- linux-2.6.39.3/sound/drivers/mtpav.c 2011-05-19 00:06:34.000000000 -0400
81174 +++ linux-2.6.39.3/sound/drivers/mtpav.c 2011-05-22 19:36:35.000000000 -0400
81175 @@ -601,13 +601,13 @@ static int __devinit snd_mtpav_get_ISA(s
81176 /*
81177 */
81178
81179 -static struct snd_rawmidi_ops snd_mtpav_output = {
81180 +static const struct snd_rawmidi_ops snd_mtpav_output = {
81181 .open = snd_mtpav_output_open,
81182 .close = snd_mtpav_output_close,
81183 .trigger = snd_mtpav_output_trigger,
81184 };
81185
81186 -static struct snd_rawmidi_ops snd_mtpav_input = {
81187 +static const struct snd_rawmidi_ops snd_mtpav_input = {
81188 .open = snd_mtpav_input_open,
81189 .close = snd_mtpav_input_close,
81190 .trigger = snd_mtpav_input_trigger,
81191 diff -urNp linux-2.6.39.3/sound/drivers/mts64.c linux-2.6.39.3/sound/drivers/mts64.c
81192 --- linux-2.6.39.3/sound/drivers/mts64.c 2011-05-19 00:06:34.000000000 -0400
81193 +++ linux-2.6.39.3/sound/drivers/mts64.c 2011-05-22 19:36:35.000000000 -0400
81194 @@ -28,6 +28,7 @@
81195 #include <sound/initval.h>
81196 #include <sound/rawmidi.h>
81197 #include <sound/control.h>
81198 +#include <asm/local.h>
81199
81200 #define CARD_NAME "Miditerminal 4140"
81201 #define DRIVER_NAME "MTS64"
81202 @@ -66,7 +67,7 @@ struct mts64 {
81203 struct pardevice *pardev;
81204 int pardev_claimed;
81205
81206 - int open_count;
81207 + local_t open_count;
81208 int current_midi_output_port;
81209 int current_midi_input_port;
81210 u8 mode[MTS64_NUM_INPUT_PORTS];
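Review bot: `local_t open_count` is atomic only with respect to the CPU that performs the operation, so on its own it does not make this per-device counter safe if open and close can run on different CPUs. `atomic_t open_count;` with `atomic_read`/`atomic_inc`/`atomic_dec_return` would state that guarantee explicitly. The later hunk in snd_mts64_rawmidi_open also keeps the `local_read(...) == 0` test and the `local_inc` as two separate steps, so the type change alone does not close a check-then-act window; whether the rawmidi core serializes these callbacks is not visible in this diff, and if it does, a comment on the field saying so would help. The same field change appears in the struct portman hunk of portman2x4.c, where no hunk touches a user of the field.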
81211 @@ -696,7 +697,7 @@ static int snd_mts64_rawmidi_open(struct
81212 {
81213 struct mts64 *mts = substream->rmidi->private_data;
81214
81215 - if (mts->open_count == 0) {
81216 + if (local_read(&mts->open_count) == 0) {
81217 /* We don't need a spinlock here, because this is just called
81218 if the device has not been opened before.
81219 So there aren't any IRQs from the device */
81220 @@ -704,7 +705,7 @@ static int snd_mts64_rawmidi_open(struct
81221
81222 msleep(50);
81223 }
81224 - ++(mts->open_count);
81225 + local_inc(&mts->open_count);
81226
81227 return 0;
81228 }
81229 @@ -714,8 +715,7 @@ static int snd_mts64_rawmidi_close(struc
81230 struct mts64 *mts = substream->rmidi->private_data;
81231 unsigned long flags;
81232
81233 - --(mts->open_count);
81234 - if (mts->open_count == 0) {
81235 + if (local_dec_return(&mts->open_count) == 0) {
81236 /* We need the spinlock_irqsave here because we can still
81237 have IRQs at this point */
81238 spin_lock_irqsave(&mts->lock, flags);
81239 @@ -724,8 +724,8 @@ static int snd_mts64_rawmidi_close(struc
81240
81241 msleep(500);
81242
81243 - } else if (mts->open_count < 0)
81244 - mts->open_count = 0;
81245 + } else if (local_read(&mts->open_count) < 0)
81246 + local_set(&mts->open_count, 0);
81247
81248 return 0;
81249 }
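Review bot: The underflow branch re-reads the counter with `local_read` after `local_dec_return` in the previous hunk has already produced the new value, so the value tested for `< 0` is not necessarily the one this call decremented to. Keeping the result, e.g. `long n = local_dec_return(&mts->open_count);`, and testing `n == 0` and `n < 0` checks one consistent value. Resetting to 0 also hides an unbalanced close silently; a one-line comment saying when a negative count can occur would document the intent. snd_mts64_rawmidi_close starts outside this hunk.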
81250 @@ -760,13 +760,13 @@ static void snd_mts64_rawmidi_input_trig
81251 spin_unlock_irqrestore(&mts->lock, flags);
81252 }
81253
81254 -static struct snd_rawmidi_ops snd_mts64_rawmidi_output_ops = {
81255 +static const struct snd_rawmidi_ops snd_mts64_rawmidi_output_ops = {
81256 .open = snd_mts64_rawmidi_open,
81257 .close = snd_mts64_rawmidi_close,
81258 .trigger = snd_mts64_rawmidi_output_trigger
81259 };
81260
81261 -static struct snd_rawmidi_ops snd_mts64_rawmidi_input_ops = {
81262 +static const struct snd_rawmidi_ops snd_mts64_rawmidi_input_ops = {
81263 .open = snd_mts64_rawmidi_open,
81264 .close = snd_mts64_rawmidi_close,
81265 .trigger = snd_mts64_rawmidi_input_trigger
81266 diff -urNp linux-2.6.39.3/sound/drivers/pcsp/pcsp.c linux-2.6.39.3/sound/drivers/pcsp/pcsp.c
81267 --- linux-2.6.39.3/sound/drivers/pcsp/pcsp.c 2011-05-19 00:06:34.000000000 -0400
81268 +++ linux-2.6.39.3/sound/drivers/pcsp/pcsp.c 2011-05-22 19:36:35.000000000 -0400
81269 @@ -41,7 +41,7 @@ struct snd_pcsp pcsp_chip;
81270
81271 static int __devinit snd_pcsp_create(struct snd_card *card)
81272 {
81273 - static struct snd_device_ops ops = { };
81274 + static const struct snd_device_ops ops = { };
81275 struct timespec tp;
81276 int err;
81277 int div, min_div, order;
81278 diff -urNp linux-2.6.39.3/sound/drivers/pcsp/pcsp_lib.c linux-2.6.39.3/sound/drivers/pcsp/pcsp_lib.c
81279 --- linux-2.6.39.3/sound/drivers/pcsp/pcsp_lib.c 2011-05-19 00:06:34.000000000 -0400
81280 +++ linux-2.6.39.3/sound/drivers/pcsp/pcsp_lib.c 2011-05-22 19:36:35.000000000 -0400
81281 @@ -323,7 +323,7 @@ static int snd_pcsp_playback_open(struct
81282 return 0;
81283 }
81284
81285 -static struct snd_pcm_ops snd_pcsp_playback_ops = {
81286 +static const struct snd_pcm_ops snd_pcsp_playback_ops = {
81287 .open = snd_pcsp_playback_open,
81288 .close = snd_pcsp_playback_close,
81289 .ioctl = snd_pcm_lib_ioctl,
81290 diff -urNp linux-2.6.39.3/sound/drivers/portman2x4.c linux-2.6.39.3/sound/drivers/portman2x4.c
81291 --- linux-2.6.39.3/sound/drivers/portman2x4.c 2011-05-19 00:06:34.000000000 -0400
81292 +++ linux-2.6.39.3/sound/drivers/portman2x4.c 2011-05-22 19:36:35.000000000 -0400
81293 @@ -47,6 +47,7 @@
81294 #include <sound/initval.h>
81295 #include <sound/rawmidi.h>
81296 #include <sound/control.h>
81297 +#include <asm/local.h>
81298
81299 #define CARD_NAME "Portman 2x4"
81300 #define DRIVER_NAME "portman"
81301 @@ -84,7 +85,7 @@ struct portman {
81302 struct pardevice *pardev;
81303 int pardev_claimed;
81304
81305 - int open_count;
81306 + local_t open_count;
81307 int mode[PORTMAN_NUM_INPUT_PORTS];
81308 struct snd_rawmidi_substream *midi_input[PORTMAN_NUM_INPUT_PORTS];
81309 };
81310 @@ -547,13 +548,13 @@ static void snd_portman_midi_output_trig
81311 spin_unlock_irqrestore(&pm->reg_lock, flags);
81312 }
81313
81314 -static struct snd_rawmidi_ops snd_portman_midi_output = {
81315 +static const struct snd_rawmidi_ops snd_portman_midi_output = {
81316 .open = snd_portman_midi_open,
81317 .close = snd_portman_midi_close,
81318 .trigger = snd_portman_midi_output_trigger,
81319 };
81320
81321 -static struct snd_rawmidi_ops snd_portman_midi_input = {
81322 +static const struct snd_rawmidi_ops snd_portman_midi_input = {
81323 .open = snd_portman_midi_open,
81324 .close = snd_portman_midi_close,
81325 .trigger = snd_portman_midi_input_trigger,
81326 diff -urNp linux-2.6.39.3/sound/drivers/serial-u16550.c linux-2.6.39.3/sound/drivers/serial-u16550.c
81327 --- linux-2.6.39.3/sound/drivers/serial-u16550.c 2011-05-19 00:06:34.000000000 -0400
81328 +++ linux-2.6.39.3/sound/drivers/serial-u16550.c 2011-05-22 19:36:35.000000000 -0400
81329 @@ -754,15 +754,13 @@ static void snd_uart16550_output_trigger
81330 snd_uart16550_output_write(substream);
81331 }
81332
81333 -static struct snd_rawmidi_ops snd_uart16550_output =
81334 -{
81335 +static const struct snd_rawmidi_ops snd_uart16550_output = {
81336 .open = snd_uart16550_output_open,
81337 .close = snd_uart16550_output_close,
81338 .trigger = snd_uart16550_output_trigger,
81339 };
81340
81341 -static struct snd_rawmidi_ops snd_uart16550_input =
81342 -{
81343 +static const struct snd_rawmidi_ops snd_uart16550_input = {
81344 .open = snd_uart16550_input_open,
81345 .close = snd_uart16550_input_close,
81346 .trigger = snd_uart16550_input_trigger,
81347 @@ -792,7 +790,7 @@ static int __devinit snd_uart16550_creat
81348 int droponfull,
81349 struct snd_uart16550 **ruart)
81350 {
81351 - static struct snd_device_ops ops = {
81352 + static const struct snd_device_ops ops = {
81353 .dev_free = snd_uart16550_dev_free,
81354 };
81355 struct snd_uart16550 *uart;
81356 diff -urNp linux-2.6.39.3/sound/drivers/vx/vx_pcm.c linux-2.6.39.3/sound/drivers/vx/vx_pcm.c
81357 --- linux-2.6.39.3/sound/drivers/vx/vx_pcm.c 2011-05-19 00:06:34.000000000 -0400
81358 +++ linux-2.6.39.3/sound/drivers/vx/vx_pcm.c 2011-05-22 19:36:35.000000000 -0400
81359 @@ -895,7 +895,7 @@ static int vx_pcm_prepare(struct snd_pcm
81360 /*
81361 * operators for PCM playback
81362 */
81363 -static struct snd_pcm_ops vx_pcm_playback_ops = {
81364 +static const struct snd_pcm_ops vx_pcm_playback_ops = {
81365 .open = vx_pcm_playback_open,
81366 .close = vx_pcm_playback_close,
81367 .ioctl = snd_pcm_lib_ioctl,
81368 @@ -1116,7 +1116,7 @@ static snd_pcm_uframes_t vx_pcm_capture_
81369 /*
81370 * operators for PCM capture
81371 */
81372 -static struct snd_pcm_ops vx_pcm_capture_ops = {
81373 +static const struct snd_pcm_ops vx_pcm_capture_ops = {
81374 .open = vx_pcm_capture_open,
81375 .close = vx_pcm_capture_close,
81376 .ioctl = snd_pcm_lib_ioctl,
81377 diff -urNp linux-2.6.39.3/sound/firewire/amdtp.c linux-2.6.39.3/sound/firewire/amdtp.c
81378 --- linux-2.6.39.3/sound/firewire/amdtp.c 2011-05-19 00:06:34.000000000 -0400
81379 +++ linux-2.6.39.3/sound/firewire/amdtp.c 2011-05-22 19:36:35.000000000 -0400
81380 @@ -371,7 +371,7 @@ static void queue_out_packet(struct amdt
81381 ptr = s->pcm_buffer_pointer + data_blocks;
81382 if (ptr >= pcm->runtime->buffer_size)
81383 ptr -= pcm->runtime->buffer_size;
81384 - ACCESS_ONCE(s->pcm_buffer_pointer) = ptr;
81385 + ACCESS_ONCE_RW(s->pcm_buffer_pointer) = ptr;
81386
81387 s->pcm_period_pointer += data_blocks;
81388 if (s->pcm_period_pointer >= pcm->runtime->period_size) {
81389 @@ -510,7 +510,7 @@ EXPORT_SYMBOL(amdtp_out_stream_start);
81390 */
81391 void amdtp_out_stream_update(struct amdtp_out_stream *s)
81392 {
81393 - ACCESS_ONCE(s->source_node_id_field) =
81394 + ACCESS_ONCE_RW(s->source_node_id_field) =
81395 (fw_parent_device(s->unit)->card->node_id & 0x3f) << 24;
81396 }
81397 EXPORT_SYMBOL(amdtp_out_stream_update);
81398 diff -urNp linux-2.6.39.3/sound/firewire/amdtp.h linux-2.6.39.3/sound/firewire/amdtp.h
81399 --- linux-2.6.39.3/sound/firewire/amdtp.h 2011-05-19 00:06:34.000000000 -0400
81400 +++ linux-2.6.39.3/sound/firewire/amdtp.h 2011-05-22 19:36:35.000000000 -0400
81401 @@ -146,7 +146,7 @@ static inline void amdtp_out_stream_pcm_
81402 static inline void amdtp_out_stream_pcm_trigger(struct amdtp_out_stream *s,
81403 struct snd_pcm_substream *pcm)
81404 {
81405 - ACCESS_ONCE(s->pcm) = pcm;
81406 + ACCESS_ONCE_RW(s->pcm) = pcm;
81407 }
81408
81409 /**
81410 diff -urNp linux-2.6.39.3/sound/i2c/i2c.c linux-2.6.39.3/sound/i2c/i2c.c
81411 --- linux-2.6.39.3/sound/i2c/i2c.c 2011-05-19 00:06:34.000000000 -0400
81412 +++ linux-2.6.39.3/sound/i2c/i2c.c 2011-05-22 19:36:35.000000000 -0400
81413 @@ -80,7 +80,7 @@ int snd_i2c_bus_create(struct snd_card *
81414 {
81415 struct snd_i2c_bus *bus;
81416 int err;
81417 - static struct snd_device_ops ops = {
81418 + static const struct snd_device_ops ops = {
81419 .dev_free = snd_i2c_bus_dev_free,
81420 };
81421
81422 diff -urNp linux-2.6.39.3/sound/i2c/other/ak4113.c linux-2.6.39.3/sound/i2c/other/ak4113.c
81423 --- linux-2.6.39.3/sound/i2c/other/ak4113.c 2011-05-19 00:06:34.000000000 -0400
81424 +++ linux-2.6.39.3/sound/i2c/other/ak4113.c 2011-05-22 19:36:35.000000000 -0400
81425 @@ -75,7 +75,7 @@ int snd_ak4113_create(struct snd_card *c
81426 struct ak4113 *chip;
81427 int err = 0;
81428 unsigned char reg;
81429 - static struct snd_device_ops ops = {
81430 + static const struct snd_device_ops ops = {
81431 .dev_free = snd_ak4113_dev_free,
81432 };
81433
81434 diff -urNp linux-2.6.39.3/sound/i2c/other/ak4114.c linux-2.6.39.3/sound/i2c/other/ak4114.c
81435 --- linux-2.6.39.3/sound/i2c/other/ak4114.c 2011-05-19 00:06:34.000000000 -0400
81436 +++ linux-2.6.39.3/sound/i2c/other/ak4114.c 2011-05-22 19:36:35.000000000 -0400
81437 @@ -86,7 +86,7 @@ int snd_ak4114_create(struct snd_card *c
81438 struct ak4114 *chip;
81439 int err = 0;
81440 unsigned char reg;
81441 - static struct snd_device_ops ops = {
81442 + static const struct snd_device_ops ops = {
81443 .dev_free = snd_ak4114_dev_free,
81444 };
81445
81446 diff -urNp linux-2.6.39.3/sound/i2c/other/ak4117.c linux-2.6.39.3/sound/i2c/other/ak4117.c
81447 --- linux-2.6.39.3/sound/i2c/other/ak4117.c 2011-05-19 00:06:34.000000000 -0400
81448 +++ linux-2.6.39.3/sound/i2c/other/ak4117.c 2011-05-22 19:36:35.000000000 -0400
81449 @@ -78,7 +78,7 @@ int snd_ak4117_create(struct snd_card *c
81450 struct ak4117 *chip;
81451 int err = 0;
81452 unsigned char reg;
81453 - static struct snd_device_ops ops = {
81454 + static const struct snd_device_ops ops = {
81455 .dev_free = snd_ak4117_dev_free,
81456 };
81457
81458 diff -urNp linux-2.6.39.3/sound/isa/ad1816a/ad1816a_lib.c linux-2.6.39.3/sound/isa/ad1816a/ad1816a_lib.c
81459 --- linux-2.6.39.3/sound/isa/ad1816a/ad1816a_lib.c 2011-05-19 00:06:34.000000000 -0400
81460 +++ linux-2.6.39.3/sound/isa/ad1816a/ad1816a_lib.c 2011-05-22 19:36:35.000000000 -0400
81461 @@ -575,7 +575,7 @@ int __devinit snd_ad1816a_create(struct
81462 unsigned long port, int irq, int dma1, int dma2,
81463 struct snd_ad1816a **rchip)
81464 {
81465 - static struct snd_device_ops ops = {
81466 + static const struct snd_device_ops ops = {
81467 .dev_free = snd_ad1816a_dev_free,
81468 };
81469 int error;
81470 diff -urNp linux-2.6.39.3/sound/isa/es1688/es1688_lib.c linux-2.6.39.3/sound/isa/es1688/es1688_lib.c
81471 --- linux-2.6.39.3/sound/isa/es1688/es1688_lib.c 2011-05-19 00:06:34.000000000 -0400
81472 +++ linux-2.6.39.3/sound/isa/es1688/es1688_lib.c 2011-05-22 19:36:35.000000000 -0400
81473 @@ -646,7 +646,7 @@ int snd_es1688_create(struct snd_card *c
81474 int dma8,
81475 unsigned short hardware)
81476 {
81477 - static struct snd_device_ops ops = {
81478 + static const struct snd_device_ops ops = {
81479 .dev_free = snd_es1688_dev_free,
81480 };
81481
81482 diff -urNp linux-2.6.39.3/sound/isa/es18xx.c linux-2.6.39.3/sound/isa/es18xx.c
81483 --- linux-2.6.39.3/sound/isa/es18xx.c 2011-05-19 00:06:34.000000000 -0400
81484 +++ linux-2.6.39.3/sound/isa/es18xx.c 2011-05-22 19:36:35.000000000 -0400
81485 @@ -1658,7 +1658,7 @@ static int __devinit snd_es18xx_probe(st
81486 return snd_es18xx_initialize(chip, mpu_port, fm_port);
81487 }
81488
81489 -static struct snd_pcm_ops snd_es18xx_playback_ops = {
81490 +static const struct snd_pcm_ops snd_es18xx_playback_ops = {
81491 .open = snd_es18xx_playback_open,
81492 .close = snd_es18xx_playback_close,
81493 .ioctl = snd_pcm_lib_ioctl,
81494 @@ -1669,7 +1669,7 @@ static struct snd_pcm_ops snd_es18xx_pla
81495 .pointer = snd_es18xx_playback_pointer,
81496 };
81497
81498 -static struct snd_pcm_ops snd_es18xx_capture_ops = {
81499 +static const struct snd_pcm_ops snd_es18xx_capture_ops = {
81500 .open = snd_es18xx_capture_open,
81501 .close = snd_es18xx_capture_close,
81502 .ioctl = snd_pcm_lib_ioctl,
81503 @@ -1784,7 +1784,7 @@ static int __devinit snd_es18xx_new_devi
81504 int irq, int dma1, int dma2)
81505 {
81506 struct snd_es18xx *chip = card->private_data;
81507 - static struct snd_device_ops ops = {
81508 + static const struct snd_device_ops ops = {
81509 .dev_free = snd_es18xx_dev_free,
81510 };
81511 int err;
81512 diff -urNp linux-2.6.39.3/sound/isa/gus/gus_main.c linux-2.6.39.3/sound/isa/gus/gus_main.c
81513 --- linux-2.6.39.3/sound/isa/gus/gus_main.c 2011-05-19 00:06:34.000000000 -0400
81514 +++ linux-2.6.39.3/sound/isa/gus/gus_main.c 2011-05-22 19:36:35.000000000 -0400
81515 @@ -139,7 +139,7 @@ int snd_gus_create(struct snd_card *card
81516 {
81517 struct snd_gus_card *gus;
81518 int err;
81519 - static struct snd_device_ops ops = {
81520 + static const struct snd_device_ops ops = {
81521 .dev_free = snd_gus_dev_free,
81522 };
81523
81524 diff -urNp linux-2.6.39.3/sound/isa/msnd/msnd.c linux-2.6.39.3/sound/isa/msnd/msnd.c
81525 --- linux-2.6.39.3/sound/isa/msnd/msnd.c 2011-05-19 00:06:34.000000000 -0400
81526 +++ linux-2.6.39.3/sound/isa/msnd/msnd.c 2011-05-22 19:36:35.000000000 -0400
81527 @@ -570,7 +570,7 @@ snd_msnd_playback_pointer(struct snd_pcm
81528 }
81529
81530
81531 -static struct snd_pcm_ops snd_msnd_playback_ops = {
81532 +static const struct snd_pcm_ops snd_msnd_playback_ops = {
81533 .open = snd_msnd_playback_open,
81534 .close = snd_msnd_playback_close,
81535 .ioctl = snd_pcm_lib_ioctl,
81536 @@ -667,7 +667,7 @@ static int snd_msnd_capture_hw_params(st
81537 }
81538
81539
81540 -static struct snd_pcm_ops snd_msnd_capture_ops = {
81541 +static const struct snd_pcm_ops snd_msnd_capture_ops = {
81542 .open = snd_msnd_capture_open,
81543 .close = snd_msnd_capture_close,
81544 .ioctl = snd_pcm_lib_ioctl,
81545 diff -urNp linux-2.6.39.3/sound/isa/msnd/msnd_midi.c linux-2.6.39.3/sound/isa/msnd/msnd_midi.c
81546 --- linux-2.6.39.3/sound/isa/msnd/msnd_midi.c 2011-05-19 00:06:34.000000000 -0400
81547 +++ linux-2.6.39.3/sound/isa/msnd/msnd_midi.c 2011-05-22 19:36:35.000000000 -0400
81548 @@ -141,7 +141,7 @@ void snd_msndmidi_input_read(void *mpuv)
81549 }
81550 EXPORT_SYMBOL(snd_msndmidi_input_read);
81551
81552 -static struct snd_rawmidi_ops snd_msndmidi_input = {
81553 +static const struct snd_rawmidi_ops snd_msndmidi_input = {
81554 .open = snd_msndmidi_input_open,
81555 .close = snd_msndmidi_input_close,
81556 .trigger = snd_msndmidi_input_trigger,
81557 diff -urNp linux-2.6.39.3/sound/isa/msnd/msnd_pinnacle.c linux-2.6.39.3/sound/isa/msnd/msnd_pinnacle.c
81558 --- linux-2.6.39.3/sound/isa/msnd/msnd_pinnacle.c 2011-05-19 00:06:34.000000000 -0400
81559 +++ linux-2.6.39.3/sound/isa/msnd/msnd_pinnacle.c 2011-05-22 19:36:35.000000000 -0400
81560 @@ -539,7 +539,7 @@ static int __devinit snd_msnd_attach(str
81561 {
81562 struct snd_msnd *chip = card->private_data;
81563 int err;
81564 - static struct snd_device_ops ops = {
81565 + static const struct snd_device_ops ops = {
81566 .dev_free = snd_msnd_dev_free,
81567 };
81568
81569 diff -urNp linux-2.6.39.3/sound/isa/sb/emu8000.c linux-2.6.39.3/sound/isa/sb/emu8000.c
81570 --- linux-2.6.39.3/sound/isa/sb/emu8000.c 2011-05-19 00:06:34.000000000 -0400
81571 +++ linux-2.6.39.3/sound/isa/sb/emu8000.c 2011-05-22 19:36:35.000000000 -0400
81572 @@ -1079,7 +1079,7 @@ snd_emu8000_new(struct snd_card *card, i
81573 struct snd_seq_device *awe;
81574 struct snd_emu8000 *hw;
81575 int err;
81576 - static struct snd_device_ops ops = {
81577 + static const struct snd_device_ops ops = {
81578 .dev_free = snd_emu8000_dev_free,
81579 };
81580
81581 diff -urNp linux-2.6.39.3/sound/isa/sb/emu8000_pcm.c linux-2.6.39.3/sound/isa/sb/emu8000_pcm.c
81582 --- linux-2.6.39.3/sound/isa/sb/emu8000_pcm.c 2011-05-19 00:06:34.000000000 -0400
81583 +++ linux-2.6.39.3/sound/isa/sb/emu8000_pcm.c 2011-05-22 19:36:35.000000000 -0400
81584 @@ -667,7 +667,7 @@ static snd_pcm_uframes_t emu8k_pcm_point
81585 }
81586
81587
81588 -static struct snd_pcm_ops emu8k_pcm_ops = {
81589 +static const struct snd_pcm_ops emu8k_pcm_ops = {
81590 .open = emu8k_pcm_open,
81591 .close = emu8k_pcm_close,
81592 .ioctl = snd_pcm_lib_ioctl,
81593 diff -urNp linux-2.6.39.3/sound/isa/sb/sb_common.c linux-2.6.39.3/sound/isa/sb/sb_common.c
81594 --- linux-2.6.39.3/sound/isa/sb/sb_common.c 2011-05-19 00:06:34.000000000 -0400
81595 +++ linux-2.6.39.3/sound/isa/sb/sb_common.c 2011-05-22 19:36:35.000000000 -0400
81596 @@ -218,7 +218,7 @@ int snd_sbdsp_create(struct snd_card *ca
81597 {
81598 struct snd_sb *chip;
81599 int err;
81600 - static struct snd_device_ops ops = {
81601 + static const struct snd_device_ops ops = {
81602 .dev_free = snd_sbdsp_dev_free,
81603 };
81604
81605 diff -urNp linux-2.6.39.3/sound/isa/wavefront/wavefront_midi.c linux-2.6.39.3/sound/isa/wavefront/wavefront_midi.c
81606 --- linux-2.6.39.3/sound/isa/wavefront/wavefront_midi.c 2011-05-19 00:06:34.000000000 -0400
81607 +++ linux-2.6.39.3/sound/isa/wavefront/wavefront_midi.c 2011-05-22 19:36:35.000000000 -0400
81608 @@ -561,14 +561,14 @@ snd_wavefront_midi_start (snd_wavefront_
81609 return 0;
81610 }
81611
81612 -struct snd_rawmidi_ops snd_wavefront_midi_output =
81613 +const struct snd_rawmidi_ops snd_wavefront_midi_output =
81614 {
81615 .open = snd_wavefront_midi_output_open,
81616 .close = snd_wavefront_midi_output_close,
81617 .trigger = snd_wavefront_midi_output_trigger,
81618 };
81619
81620 -struct snd_rawmidi_ops snd_wavefront_midi_input =
81621 +const struct snd_rawmidi_ops snd_wavefront_midi_input =
81622 {
81623 .open = snd_wavefront_midi_input_open,
81624 .close = snd_wavefront_midi_input_close,
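Review bot: Both tables here have external linkage (no `static`), so the `extern` declarations that other files see must gain the same `const`, otherwise declaration and definition have conflicting types. That header is not part of this hunk. If nothing outside wavefront_midi.c refers to them by name, `static const struct snd_rawmidi_ops ...` would be tighter still. The initializer of snd_wavefront_midi_input continues past the end of the hunk.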
81625 diff -urNp linux-2.6.39.3/sound/isa/wss/wss_lib.c linux-2.6.39.3/sound/isa/wss/wss_lib.c
81626 --- linux-2.6.39.3/sound/isa/wss/wss_lib.c 2011-05-19 00:06:34.000000000 -0400
81627 +++ linux-2.6.39.3/sound/isa/wss/wss_lib.c 2011-05-22 19:36:35.000000000 -0400
81628 @@ -1801,7 +1801,7 @@ int snd_wss_create(struct snd_card *card
81629 unsigned short hwshare,
81630 struct snd_wss **rchip)
81631 {
81632 - static struct snd_device_ops ops = {
81633 + static const struct snd_device_ops ops = {
81634 .dev_free = snd_wss_dev_free,
81635 };
81636 struct snd_wss *chip;
81637 diff -urNp linux-2.6.39.3/sound/mips/au1x00.c linux-2.6.39.3/sound/mips/au1x00.c
81638 --- linux-2.6.39.3/sound/mips/au1x00.c 2011-05-19 00:06:34.000000000 -0400
81639 +++ linux-2.6.39.3/sound/mips/au1x00.c 2011-05-22 19:36:35.000000000 -0400
81640 @@ -416,7 +416,7 @@ snd_au1000_pointer(struct snd_pcm_substr
81641 return bytes_to_frames(runtime,location);
81642 }
81643
81644 -static struct snd_pcm_ops snd_card_au1000_playback_ops = {
81645 +static const struct snd_pcm_ops snd_card_au1000_playback_ops = {
81646 .open = snd_au1000_playback_open,
81647 .close = snd_au1000_playback_close,
81648 .ioctl = snd_pcm_lib_ioctl,
81649 @@ -427,7 +427,7 @@ static struct snd_pcm_ops snd_card_au100
81650 .pointer = snd_au1000_pointer,
81651 };
81652
81653 -static struct snd_pcm_ops snd_card_au1000_capture_ops = {
81654 +static const struct snd_pcm_ops snd_card_au1000_capture_ops = {
81655 .open = snd_au1000_capture_open,
81656 .close = snd_au1000_capture_close,
81657 .ioctl = snd_pcm_lib_ioctl,
81658 @@ -557,7 +557,7 @@ snd_au1000_ac97_new(struct snd_au1000 *a
81659 int err;
81660 struct snd_ac97_bus *pbus;
81661 struct snd_ac97_template ac97;
81662 - static struct snd_ac97_bus_ops ops = {
81663 + static const struct snd_ac97_bus_ops ops = {
81664 .write = snd_au1000_ac97_write,
81665 .read = snd_au1000_ac97_read,
81666 };
81667 diff -urNp linux-2.6.39.3/sound/mips/hal2.c linux-2.6.39.3/sound/mips/hal2.c
81668 --- linux-2.6.39.3/sound/mips/hal2.c 2011-05-19 00:06:34.000000000 -0400
81669 +++ linux-2.6.39.3/sound/mips/hal2.c 2011-05-22 19:36:35.000000000 -0400
81670 @@ -708,7 +708,7 @@ static int hal2_capture_ack(struct snd_p
81671 return 0;
81672 }
81673
81674 -static struct snd_pcm_ops hal2_playback_ops = {
81675 +static const struct snd_pcm_ops hal2_playback_ops = {
81676 .open = hal2_playback_open,
81677 .close = hal2_playback_close,
81678 .ioctl = snd_pcm_lib_ioctl,
81679 @@ -720,7 +720,7 @@ static struct snd_pcm_ops hal2_playback_
81680 .ack = hal2_playback_ack,
81681 };
81682
81683 -static struct snd_pcm_ops hal2_capture_ops = {
81684 +static const struct snd_pcm_ops hal2_capture_ops = {
81685 .open = hal2_capture_open,
81686 .close = hal2_capture_close,
81687 .ioctl = snd_pcm_lib_ioctl,
81688 @@ -766,7 +766,7 @@ static int hal2_dev_free(struct snd_devi
81689 return 0;
81690 }
81691
81692 -static struct snd_device_ops hal2_ops = {
81693 +static const struct snd_device_ops hal2_ops = {
81694 .dev_free = hal2_dev_free,
81695 };
81696
81697 diff -urNp linux-2.6.39.3/sound/mips/sgio2audio.c linux-2.6.39.3/sound/mips/sgio2audio.c
81698 --- linux-2.6.39.3/sound/mips/sgio2audio.c 2011-05-19 00:06:34.000000000 -0400
81699 +++ linux-2.6.39.3/sound/mips/sgio2audio.c 2011-05-22 19:36:35.000000000 -0400
81700 @@ -681,7 +681,7 @@ snd_sgio2audio_pcm_pointer(struct snd_pc
81701 }
81702
81703 /* operators */
81704 -static struct snd_pcm_ops snd_sgio2audio_playback1_ops = {
81705 +static const struct snd_pcm_ops snd_sgio2audio_playback1_ops = {
81706 .open = snd_sgio2audio_playback1_open,
81707 .close = snd_sgio2audio_pcm_close,
81708 .ioctl = snd_pcm_lib_ioctl,
81709 @@ -694,7 +694,7 @@ static struct snd_pcm_ops snd_sgio2audio
81710 .mmap = snd_pcm_lib_mmap_vmalloc,
81711 };
81712
81713 -static struct snd_pcm_ops snd_sgio2audio_playback2_ops = {
81714 +static const struct snd_pcm_ops snd_sgio2audio_playback2_ops = {
81715 .open = snd_sgio2audio_playback2_open,
81716 .close = snd_sgio2audio_pcm_close,
81717 .ioctl = snd_pcm_lib_ioctl,
81718 @@ -707,7 +707,7 @@ static struct snd_pcm_ops snd_sgio2audio
81719 .mmap = snd_pcm_lib_mmap_vmalloc,
81720 };
81721
81722 -static struct snd_pcm_ops snd_sgio2audio_capture_ops = {
81723 +static const struct snd_pcm_ops snd_sgio2audio_capture_ops = {
81724 .open = snd_sgio2audio_capture_open,
81725 .close = snd_sgio2audio_pcm_close,
81726 .ioctl = snd_pcm_lib_ioctl,
81727 @@ -829,7 +829,7 @@ static int snd_sgio2audio_dev_free(struc
81728 return snd_sgio2audio_free(chip);
81729 }
81730
81731 -static struct snd_device_ops ops = {
81732 +static const struct snd_device_ops ops = {
81733 .dev_free = snd_sgio2audio_dev_free,
81734 };
81735
81736 diff -urNp linux-2.6.39.3/sound/oss/ac97_codec.c linux-2.6.39.3/sound/oss/ac97_codec.c
81737 --- linux-2.6.39.3/sound/oss/ac97_codec.c 2011-05-19 00:06:34.000000000 -0400
81738 +++ linux-2.6.39.3/sound/oss/ac97_codec.c 2011-05-22 19:36:35.000000000 -0400
81739 @@ -99,23 +99,23 @@ static int generic_digital_control(struc
81740 * operations yet
81741 */
81742
81743 -static struct ac97_ops null_ops = { NULL, NULL, NULL };
81744 -static struct ac97_ops default_ops = { NULL, eapd_control, NULL };
81745 -static struct ac97_ops default_digital_ops = { NULL, eapd_control, generic_digital_control};
81746 -static struct ac97_ops wolfson_ops03 = { wolfson_init03, NULL, NULL };
81747 -static struct ac97_ops wolfson_ops04 = { wolfson_init04, NULL, NULL };
81748 -static struct ac97_ops wolfson_ops05 = { wolfson_init05, NULL, NULL };
81749 -static struct ac97_ops wolfson_ops11 = { wolfson_init11, NULL, NULL };
81750 -static struct ac97_ops wolfson_ops13 = { wolfson_init13, NULL, NULL };
81751 -static struct ac97_ops tritech_ops = { tritech_init, NULL, NULL };
81752 -static struct ac97_ops tritech_m_ops = { tritech_maestro_init, NULL, NULL };
81753 -static struct ac97_ops sigmatel_9708_ops = { sigmatel_9708_init, NULL, NULL };
81754 -static struct ac97_ops sigmatel_9721_ops = { sigmatel_9721_init, NULL, NULL };
81755 -static struct ac97_ops sigmatel_9744_ops = { sigmatel_9744_init, NULL, NULL };
81756 -static struct ac97_ops crystal_digital_ops = { NULL, eapd_control, crystal_digital_control };
81757 -static struct ac97_ops ad1886_ops = { ad1886_init, eapd_control, NULL };
81758 -static struct ac97_ops cmedia_ops = { NULL, eapd_control, NULL};
81759 -static struct ac97_ops cmedia_digital_ops = { cmedia_init, eapd_control, cmedia_digital_control};
81760 +static const struct ac97_ops null_ops = { NULL, NULL, NULL };
81761 +static const struct ac97_ops default_ops = { NULL, eapd_control, NULL };
81762 +static const struct ac97_ops default_digital_ops = { NULL, eapd_control, generic_digital_control};
81763 +static const struct ac97_ops wolfson_ops03 = { wolfson_init03, NULL, NULL };
81764 +static const struct ac97_ops wolfson_ops04 = { wolfson_init04, NULL, NULL };
81765 +static const struct ac97_ops wolfson_ops05 = { wolfson_init05, NULL, NULL };
81766 +static const struct ac97_ops wolfson_ops11 = { wolfson_init11, NULL, NULL };
81767 +static const struct ac97_ops wolfson_ops13 = { wolfson_init13, NULL, NULL };
81768 +static const struct ac97_ops tritech_ops = { tritech_init, NULL, NULL };
81769 +static const struct ac97_ops tritech_m_ops = { tritech_maestro_init, NULL, NULL };
81770 +static const struct ac97_ops sigmatel_9708_ops = { sigmatel_9708_init, NULL, NULL };
81771 +static const struct ac97_ops sigmatel_9721_ops = { sigmatel_9721_init, NULL, NULL };
81772 +static const struct ac97_ops sigmatel_9744_ops = { sigmatel_9744_init, NULL, NULL };
81773 +static const struct ac97_ops crystal_digital_ops = { NULL, eapd_control, crystal_digital_control };
81774 +static const struct ac97_ops ad1886_ops = { ad1886_init, eapd_control, NULL };
81775 +static const struct ac97_ops cmedia_ops = { NULL, eapd_control, NULL};
81776 +static const struct ac97_ops cmedia_digital_ops = { cmedia_init, eapd_control, cmedia_digital_control};
81777
81778 /* sorted by vendor/device id */
81779 static const struct {
81780 diff -urNp linux-2.6.39.3/sound/oss/sb_audio.c linux-2.6.39.3/sound/oss/sb_audio.c
81781 --- linux-2.6.39.3/sound/oss/sb_audio.c 2011-05-19 00:06:34.000000000 -0400
81782 +++ linux-2.6.39.3/sound/oss/sb_audio.c 2011-05-22 19:36:35.000000000 -0400
81783 @@ -901,7 +901,7 @@ sb16_copy_from_user(int dev,
81784 buf16 = (signed short *)(localbuf + localoffs);
81785 while (c)
81786 {
81787 - locallen = (c >= LBUFCOPYSIZE ? LBUFCOPYSIZE : c);
81788 + locallen = ((unsigned)c >= LBUFCOPYSIZE ? LBUFCOPYSIZE : c);
81789 if (copy_from_user(lbuf8,
81790 userbuf+useroffs + p,
81791 locallen))
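Review bot: The `(unsigned)c` cast in the `locallen` computation carries no comment, so a later cleanup could easily undo it. Its purpose is that a negative `c` now compares as a large value and selects `LBUFCOPYSIZE` rather than itself as the `copy_from_user` length. I would add `/* compare unsigned: a negative c must not become the copy length */` above the line. A negative `c` still enters `while (c)`; the declaration of `c` and the loop's update are outside this hunk, but if callers can pass one, rejecting `c < 0` before the loop would be the more direct guard.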
81792 diff -urNp linux-2.6.39.3/sound/oss/swarm_cs4297a.c linux-2.6.39.3/sound/oss/swarm_cs4297a.c
81793 --- linux-2.6.39.3/sound/oss/swarm_cs4297a.c 2011-05-19 00:06:34.000000000 -0400
81794 +++ linux-2.6.39.3/sound/oss/swarm_cs4297a.c 2011-05-22 19:36:35.000000000 -0400
81795 @@ -2606,7 +2606,6 @@ static int __init cs4297a_init(void)
81796 {
81797 struct cs4297a_state *s;
81798 u32 pwr, id;
81799 - mm_segment_t fs;
81800 int rval;
81801 #ifndef CONFIG_BCM_CS4297A_CSWARM
81802 u64 cfg;
81803 @@ -2696,22 +2695,23 @@ static int __init cs4297a_init(void)
81804 if (!rval) {
81805 char *sb1250_duart_present;
81806
81807 +#if 0
81808 + mm_segment_t fs;
81809 fs = get_fs();
81810 set_fs(KERNEL_DS);
81811 -#if 0
81812 val = SOUND_MASK_LINE;
81813 mixer_ioctl(s, SOUND_MIXER_WRITE_RECSRC, (unsigned long) &val);
81814 for (i = 0; i < ARRAY_SIZE(initvol); i++) {
81815 val = initvol[i].vol;
81816 mixer_ioctl(s, initvol[i].mixch, (unsigned long) &val);
81817 }
81818 + set_fs(fs);
81819 // cs4297a_write_ac97(s, 0x18, 0x0808);
81820 #else
81821 // cs4297a_write_ac97(s, 0x5e, 0x180);
81822 cs4297a_write_ac97(s, 0x02, 0x0808);
81823 cs4297a_write_ac97(s, 0x18, 0x0808);
81824 #endif
81825 - set_fs(fs);
81826
81827 list_add(&s->list, &cs4297a_devs);
81828
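Review bot: The `get_fs()`/`set_fs(KERNEL_DS)`/`set_fs(fs)` sequence now sits entirely inside the `#if 0` branch, but the disabled block is kept with no statement of why. The live path no longer overrides the address limit, which is the useful part of the change. Either delete the `#if 0` branch, or add a comment such as `/* disabled: this mixer_ioctl path relies on set_fs(KERNEL_DS); do not re-enable as is */` so it is not revived with the override intact. cs4297a_init begins and ends outside this hunk.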
81829 diff -urNp linux-2.6.39.3/sound/parisc/harmony.c linux-2.6.39.3/sound/parisc/harmony.c
81830 --- linux-2.6.39.3/sound/parisc/harmony.c 2011-05-19 00:06:34.000000000 -0400
81831 +++ linux-2.6.39.3/sound/parisc/harmony.c 2011-05-22 19:36:35.000000000 -0400
81832 @@ -596,7 +596,7 @@ snd_harmony_hw_free(struct snd_pcm_subst
81833 return snd_pcm_lib_free_pages(ss);
81834 }
81835
81836 -static struct snd_pcm_ops snd_harmony_playback_ops = {
81837 +static const struct snd_pcm_ops snd_harmony_playback_ops = {
81838 .open = snd_harmony_playback_open,
81839 .close = snd_harmony_playback_close,
81840 .ioctl = snd_pcm_lib_ioctl,
81841 @@ -607,7 +607,7 @@ static struct snd_pcm_ops snd_harmony_pl
81842 .pointer = snd_harmony_playback_pointer,
81843 };
81844
81845 -static struct snd_pcm_ops snd_harmony_capture_ops = {
81846 +static const struct snd_pcm_ops snd_harmony_capture_ops = {
81847 .open = snd_harmony_capture_open,
81848 .close = snd_harmony_capture_close,
81849 .ioctl = snd_pcm_lib_ioctl,
81850 @@ -922,7 +922,7 @@ snd_harmony_create(struct snd_card *card
81851 {
81852 int err;
81853 struct snd_harmony *h;
81854 - static struct snd_device_ops ops = {
81855 + static const struct snd_device_ops ops = {
81856 .dev_free = snd_harmony_dev_free,
81857 };
81858
81859 diff -urNp linux-2.6.39.3/sound/pci/ac97/ac97_codec.c linux-2.6.39.3/sound/pci/ac97/ac97_codec.c
81860 --- linux-2.6.39.3/sound/pci/ac97/ac97_codec.c 2011-05-19 00:06:34.000000000 -0400
81861 +++ linux-2.6.39.3/sound/pci/ac97/ac97_codec.c 2011-05-22 19:36:35.000000000 -0400
81862 @@ -1910,12 +1910,12 @@ static int ac97_reset_wait(struct snd_ac
81863 *
81864 * Returns zero if successful, or a negative error code on failure.
81865 */
81866 -int snd_ac97_bus(struct snd_card *card, int num, struct snd_ac97_bus_ops *ops,
81867 +int snd_ac97_bus(struct snd_card *card, int num, const struct snd_ac97_bus_ops *ops,
81868 void *private_data, struct snd_ac97_bus **rbus)
81869 {
81870 int err;
81871 struct snd_ac97_bus *bus;
81872 - static struct snd_device_ops dev_ops = {
81873 + static const struct snd_device_ops dev_ops = {
81874 .dev_free = snd_ac97_bus_dev_free,
81875 };
81876
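Review bot: Making the `ops` parameter of snd_ac97_bus a `const struct snd_ac97_bus_ops *` only holds together if the prototype in the shared header and the member the pointer is stored in carry the same qualifier. Neither is visible in this hunk, and the function body continues past it. If the stored member stayed non-const, the assignment would discard the qualifier and the callback table would still be reachable through a writable pointer type. That would undercut the point of placing the caller tables (such as the `static const struct snd_ac97_bus_ops ops` changes elsewhere in this patch) in read-only data.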
81877 @@ -2015,7 +2015,7 @@ int snd_ac97_mixer(struct snd_ac97_bus *
81878 unsigned long end_time;
81879 unsigned int reg;
81880 const struct ac97_codec_id *pid;
81881 - static struct snd_device_ops ops = {
81882 + static const struct snd_device_ops ops = {
81883 .dev_free = snd_ac97_dev_free,
81884 .dev_register = snd_ac97_dev_register,
81885 .dev_disconnect = snd_ac97_dev_disconnect,
81886 diff -urNp linux-2.6.39.3/sound/pci/ad1889.c linux-2.6.39.3/sound/pci/ad1889.c
81887 --- linux-2.6.39.3/sound/pci/ad1889.c 2011-05-19 00:06:34.000000000 -0400
81888 +++ linux-2.6.39.3/sound/pci/ad1889.c 2011-05-22 19:36:35.000000000 -0400
81889 @@ -574,7 +574,7 @@ snd_ad1889_capture_pointer(struct snd_pc
81890 return bytes_to_frames(ss->runtime, ptr);
81891 }
81892
81893 -static struct snd_pcm_ops snd_ad1889_playback_ops = {
81894 +static const struct snd_pcm_ops snd_ad1889_playback_ops = {
81895 .open = snd_ad1889_playback_open,
81896 .close = snd_ad1889_playback_close,
81897 .ioctl = snd_pcm_lib_ioctl,
81898 @@ -585,7 +585,7 @@ static struct snd_pcm_ops snd_ad1889_pla
81899 .pointer = snd_ad1889_playback_pointer,
81900 };
81901
81902 -static struct snd_pcm_ops snd_ad1889_capture_ops = {
81903 +static const struct snd_pcm_ops snd_ad1889_capture_ops = {
81904 .open = snd_ad1889_capture_open,
81905 .close = snd_ad1889_capture_close,
81906 .ioctl = snd_pcm_lib_ioctl,
81907 @@ -809,7 +809,7 @@ snd_ad1889_ac97_init(struct snd_ad1889 *
81908 {
81909 int err;
81910 struct snd_ac97_template ac97;
81911 - static struct snd_ac97_bus_ops ops = {
81912 + static const struct snd_ac97_bus_ops ops = {
81913 .write = snd_ad1889_ac97_write,
81914 .read = snd_ad1889_ac97_read,
81915 };
81916 @@ -899,7 +899,7 @@ snd_ad1889_create(struct snd_card *card,
81917 int err;
81918
81919 struct snd_ad1889 *chip;
81920 - static struct snd_device_ops ops = {
81921 + static const struct snd_device_ops ops = {
81922 .dev_free = snd_ad1889_dev_free,
81923 };
81924
81925 diff -urNp linux-2.6.39.3/sound/pci/ak4531_codec.c linux-2.6.39.3/sound/pci/ak4531_codec.c
81926 --- linux-2.6.39.3/sound/pci/ak4531_codec.c 2011-05-19 00:06:34.000000000 -0400
81927 +++ linux-2.6.39.3/sound/pci/ak4531_codec.c 2011-05-22 19:36:35.000000000 -0400
81928 @@ -389,7 +389,7 @@ int __devinit snd_ak4531_mixer(struct sn
81929 unsigned int idx;
81930 int err;
81931 struct snd_ak4531 *ak4531;
81932 - static struct snd_device_ops ops = {
81933 + static const struct snd_device_ops ops = {
81934 .dev_free = snd_ak4531_dev_free,
81935 };
81936
81937 diff -urNp linux-2.6.39.3/sound/pci/ali5451/ali5451.c linux-2.6.39.3/sound/pci/ali5451/ali5451.c
81938 --- linux-2.6.39.3/sound/pci/ali5451/ali5451.c 2011-05-19 00:06:34.000000000 -0400
81939 +++ linux-2.6.39.3/sound/pci/ali5451/ali5451.c 2011-05-22 19:36:35.000000000 -0400
81940 @@ -1847,7 +1847,7 @@ static int __devinit snd_ali_mixer(struc
81941 struct snd_ac97_template ac97;
81942 unsigned int idx;
81943 int i, err;
81944 - static struct snd_ac97_bus_ops ops = {
81945 + static const struct snd_ac97_bus_ops ops = {
81946 .write = snd_ali_codec_write,
81947 .read = snd_ali_codec_read,
81948 };
81949 @@ -2114,7 +2114,7 @@ static int __devinit snd_ali_create(stru
81950 struct snd_ali *codec;
81951 int i, err;
81952 unsigned short cmdw;
81953 - static struct snd_device_ops ops = {
81954 + static const struct snd_device_ops ops = {
81955 .dev_free = snd_ali_dev_free,
81956 };
81957
81958 diff -urNp linux-2.6.39.3/sound/pci/als300.c linux-2.6.39.3/sound/pci/als300.c
81959 --- linux-2.6.39.3/sound/pci/als300.c 2011-05-19 00:06:34.000000000 -0400
81960 +++ linux-2.6.39.3/sound/pci/als300.c 2011-05-22 19:36:35.000000000 -0400
81961 @@ -319,7 +319,7 @@ static int snd_als300_ac97(struct snd_al
81962 struct snd_ac97_bus *bus;
81963 struct snd_ac97_template ac97;
81964 int err;
81965 - static struct snd_ac97_bus_ops ops = {
81966 + static const struct snd_ac97_bus_ops ops = {
81967 .write = snd_als300_ac97_write,
81968 .read = snd_als300_ac97_read,
81969 };
81970 @@ -589,7 +589,7 @@ static snd_pcm_uframes_t snd_als300_poin
81971 return bytes_to_frames(substream->runtime, current_ptr);
81972 }
81973
81974 -static struct snd_pcm_ops snd_als300_playback_ops = {
81975 +static const struct snd_pcm_ops snd_als300_playback_ops = {
81976 .open = snd_als300_playback_open,
81977 .close = snd_als300_playback_close,
81978 .ioctl = snd_pcm_lib_ioctl,
81979 @@ -600,7 +600,7 @@ static struct snd_pcm_ops snd_als300_pla
81980 .pointer = snd_als300_pointer,
81981 };
81982
81983 -static struct snd_pcm_ops snd_als300_capture_ops = {
81984 +static const struct snd_pcm_ops snd_als300_capture_ops = {
81985 .open = snd_als300_capture_open,
81986 .close = snd_als300_capture_close,
81987 .ioctl = snd_pcm_lib_ioctl,
81988 @@ -680,7 +680,7 @@ static int __devinit snd_als300_create(s
81989 void *irq_handler;
81990 int err;
81991
81992 - static struct snd_device_ops ops = {
81993 + static const struct snd_device_ops ops = {
81994 .dev_free = snd_als300_dev_free,
81995 };
81996 *rchip = NULL;
81997 diff -urNp linux-2.6.39.3/sound/pci/als4000.c linux-2.6.39.3/sound/pci/als4000.c
81998 --- linux-2.6.39.3/sound/pci/als4000.c 2011-05-19 00:06:34.000000000 -0400
81999 +++ linux-2.6.39.3/sound/pci/als4000.c 2011-05-22 19:36:35.000000000 -0400
82000 @@ -672,7 +672,7 @@ static int snd_als4000_capture_close(str
82001
82002 /******************************************************************/
82003
82004 -static struct snd_pcm_ops snd_als4000_playback_ops = {
82005 +static const struct snd_pcm_ops snd_als4000_playback_ops = {
82006 .open = snd_als4000_playback_open,
82007 .close = snd_als4000_playback_close,
82008 .ioctl = snd_pcm_lib_ioctl,
82009 @@ -683,7 +683,7 @@ static struct snd_pcm_ops snd_als4000_pl
82010 .pointer = snd_als4000_playback_pointer
82011 };
82012
82013 -static struct snd_pcm_ops snd_als4000_capture_ops = {
82014 +static const struct snd_pcm_ops snd_als4000_capture_ops = {
82015 .open = snd_als4000_capture_open,
82016 .close = snd_als4000_capture_close,
82017 .ioctl = snd_pcm_lib_ioctl,
82018 diff -urNp linux-2.6.39.3/sound/pci/asihpi/asihpi.c linux-2.6.39.3/sound/pci/asihpi/asihpi.c
82019 --- linux-2.6.39.3/sound/pci/asihpi/asihpi.c 2011-05-19 00:06:34.000000000 -0400
82020 +++ linux-2.6.39.3/sound/pci/asihpi/asihpi.c 2011-05-22 19:36:35.000000000 -0400
82021 @@ -1067,7 +1067,7 @@ static int snd_card_asihpi_playback_sile
82022 return 0;
82023 }
82024
82025 -static struct snd_pcm_ops snd_card_asihpi_playback_ops = {
82026 +static const struct snd_pcm_ops snd_card_asihpi_playback_ops = {
82027 .open = snd_card_asihpi_playback_open,
82028 .close = snd_card_asihpi_playback_close,
82029 .ioctl = snd_card_asihpi_playback_ioctl,
82030 @@ -1080,7 +1080,7 @@ static struct snd_pcm_ops snd_card_asihp
82031 .silence = snd_card_asihpi_playback_silence,
82032 };
82033
82034 -static struct snd_pcm_ops snd_card_asihpi_playback_mmap_ops = {
82035 +static const struct snd_pcm_ops snd_card_asihpi_playback_mmap_ops = {
82036 .open = snd_card_asihpi_playback_open,
82037 .close = snd_card_asihpi_playback_close,
82038 .ioctl = snd_card_asihpi_playback_ioctl,
82039 @@ -1268,7 +1268,7 @@ static int snd_card_asihpi_capture_copy(
82040 return 0;
82041 }
82042
82043 -static struct snd_pcm_ops snd_card_asihpi_capture_mmap_ops = {
82044 +static const struct snd_pcm_ops snd_card_asihpi_capture_mmap_ops = {
82045 .open = snd_card_asihpi_capture_open,
82046 .close = snd_card_asihpi_capture_close,
82047 .ioctl = snd_card_asihpi_capture_ioctl,
82048 @@ -1279,7 +1279,7 @@ static struct snd_pcm_ops snd_card_asihp
82049 .pointer = snd_card_asihpi_capture_pointer,
82050 };
82051
82052 -static struct snd_pcm_ops snd_card_asihpi_capture_ops = {
82053 +static const struct snd_pcm_ops snd_card_asihpi_capture_ops = {
82054 .open = snd_card_asihpi_capture_open,
82055 .close = snd_card_asihpi_capture_close,
82056 .ioctl = snd_card_asihpi_capture_ioctl,
82057 diff -urNp linux-2.6.39.3/sound/pci/atiixp.c linux-2.6.39.3/sound/pci/atiixp.c
82058 --- linux-2.6.39.3/sound/pci/atiixp.c 2011-05-19 00:06:34.000000000 -0400
82059 +++ linux-2.6.39.3/sound/pci/atiixp.c 2011-05-22 19:36:35.000000000 -0400
82060 @@ -1148,7 +1148,7 @@ static int snd_atiixp_spdif_close(struct
82061 }
82062
82063 /* AC97 playback */
82064 -static struct snd_pcm_ops snd_atiixp_playback_ops = {
82065 +static const struct snd_pcm_ops snd_atiixp_playback_ops = {
82066 .open = snd_atiixp_playback_open,
82067 .close = snd_atiixp_playback_close,
82068 .ioctl = snd_pcm_lib_ioctl,
82069 @@ -1160,7 +1160,7 @@ static struct snd_pcm_ops snd_atiixp_pla
82070 };
82071
82072 /* AC97 capture */
82073 -static struct snd_pcm_ops snd_atiixp_capture_ops = {
82074 +static const struct snd_pcm_ops snd_atiixp_capture_ops = {
82075 .open = snd_atiixp_capture_open,
82076 .close = snd_atiixp_capture_close,
82077 .ioctl = snd_pcm_lib_ioctl,
82078 @@ -1172,7 +1172,7 @@ static struct snd_pcm_ops snd_atiixp_cap
82079 };
82080
82081 /* SPDIF playback */
82082 -static struct snd_pcm_ops snd_atiixp_spdif_ops = {
82083 +static const struct snd_pcm_ops snd_atiixp_spdif_ops = {
82084 .open = snd_atiixp_spdif_open,
82085 .close = snd_atiixp_spdif_close,
82086 .ioctl = snd_pcm_lib_ioctl,
82087 @@ -1410,7 +1410,7 @@ static int __devinit snd_atiixp_mixer_ne
82088 struct snd_ac97_template ac97;
82089 int i, err;
82090 int codec_count;
82091 - static struct snd_ac97_bus_ops ops = {
82092 + static const struct snd_ac97_bus_ops ops = {
82093 .write = snd_atiixp_ac97_write,
82094 .read = snd_atiixp_ac97_read,
82095 };
82096 @@ -1590,7 +1590,7 @@ static int __devinit snd_atiixp_create(s
82097 struct pci_dev *pci,
82098 struct atiixp **r_chip)
82099 {
82100 - static struct snd_device_ops ops = {
82101 + static const struct snd_device_ops ops = {
82102 .dev_free = snd_atiixp_dev_free,
82103 };
82104 struct atiixp *chip;
82105 diff -urNp linux-2.6.39.3/sound/pci/atiixp_modem.c linux-2.6.39.3/sound/pci/atiixp_modem.c
82106 --- linux-2.6.39.3/sound/pci/atiixp_modem.c 2011-05-19 00:06:34.000000000 -0400
82107 +++ linux-2.6.39.3/sound/pci/atiixp_modem.c 2011-05-22 19:36:35.000000000 -0400
82108 @@ -947,7 +947,7 @@ static int snd_atiixp_capture_close(stru
82109
82110
82111 /* AC97 playback */
82112 -static struct snd_pcm_ops snd_atiixp_playback_ops = {
82113 +static const struct snd_pcm_ops snd_atiixp_playback_ops = {
82114 .open = snd_atiixp_playback_open,
82115 .close = snd_atiixp_playback_close,
82116 .ioctl = snd_pcm_lib_ioctl,
82117 @@ -959,7 +959,7 @@ static struct snd_pcm_ops snd_atiixp_pla
82118 };
82119
82120 /* AC97 capture */
82121 -static struct snd_pcm_ops snd_atiixp_capture_ops = {
82122 +static const struct snd_pcm_ops snd_atiixp_capture_ops = {
82123 .open = snd_atiixp_capture_open,
82124 .close = snd_atiixp_capture_close,
82125 .ioctl = snd_pcm_lib_ioctl,
82126 @@ -1067,7 +1067,7 @@ static int __devinit snd_atiixp_mixer_ne
82127 struct snd_ac97_template ac97;
82128 int i, err;
82129 int codec_count;
82130 - static struct snd_ac97_bus_ops ops = {
82131 + static const struct snd_ac97_bus_ops ops = {
82132 .write = snd_atiixp_ac97_write,
82133 .read = snd_atiixp_ac97_read,
82134 };
82135 @@ -1226,7 +1226,7 @@ static int __devinit snd_atiixp_create(s
82136 struct pci_dev *pci,
82137 struct atiixp_modem **r_chip)
82138 {
82139 - static struct snd_device_ops ops = {
82140 + static const struct snd_device_ops ops = {
82141 .dev_free = snd_atiixp_dev_free,
82142 };
82143 struct atiixp_modem *chip;
82144 diff -urNp linux-2.6.39.3/sound/pci/au88x0/au88x0_pcm.c linux-2.6.39.3/sound/pci/au88x0/au88x0_pcm.c
82145 --- linux-2.6.39.3/sound/pci/au88x0/au88x0_pcm.c 2011-05-19 00:06:34.000000000 -0400
82146 +++ linux-2.6.39.3/sound/pci/au88x0/au88x0_pcm.c 2011-05-22 19:36:35.000000000 -0400
82147 @@ -409,7 +409,7 @@ static snd_pcm_uframes_t snd_vortex_pcm_
82148 }
82149
82150 /* operators */
82151 -static struct snd_pcm_ops snd_vortex_playback_ops = {
82152 +static const struct snd_pcm_ops snd_vortex_playback_ops = {
82153 .open = snd_vortex_pcm_open,
82154 .close = snd_vortex_pcm_close,
82155 .ioctl = snd_pcm_lib_ioctl,
82156 diff -urNp linux-2.6.39.3/sound/pci/aw2/aw2-alsa.c linux-2.6.39.3/sound/pci/aw2/aw2-alsa.c
82157 --- linux-2.6.39.3/sound/pci/aw2/aw2-alsa.c 2011-05-19 00:06:34.000000000 -0400
82158 +++ linux-2.6.39.3/sound/pci/aw2/aw2-alsa.c 2011-05-22 19:36:35.000000000 -0400
82159 @@ -178,7 +178,7 @@ static struct pci_driver driver = {
82160 };
82161
82162 /* operators for playback PCM alsa interface */
82163 -static struct snd_pcm_ops snd_aw2_playback_ops = {
82164 +static const struct snd_pcm_ops snd_aw2_playback_ops = {
82165 .open = snd_aw2_pcm_playback_open,
82166 .close = snd_aw2_pcm_playback_close,
82167 .ioctl = snd_pcm_lib_ioctl,
82168 @@ -190,7 +190,7 @@ static struct snd_pcm_ops snd_aw2_playba
82169 };
82170
82171 /* operators for capture PCM alsa interface */
82172 -static struct snd_pcm_ops snd_aw2_capture_ops = {
82173 +static const struct snd_pcm_ops snd_aw2_capture_ops = {
82174 .open = snd_aw2_pcm_capture_open,
82175 .close = snd_aw2_pcm_capture_close,
82176 .ioctl = snd_pcm_lib_ioctl,
82177 @@ -263,7 +263,7 @@ static int __devinit snd_aw2_create(stru
82178 {
82179 struct aw2 *chip;
82180 int err;
82181 - static struct snd_device_ops ops = {
82182 + static const struct snd_device_ops ops = {
82183 .dev_free = snd_aw2_dev_free,
82184 };
82185
82186 diff -urNp linux-2.6.39.3/sound/pci/azt3328.c linux-2.6.39.3/sound/pci/azt3328.c
82187 --- linux-2.6.39.3/sound/pci/azt3328.c 2011-05-19 00:06:34.000000000 -0400
82188 +++ linux-2.6.39.3/sound/pci/azt3328.c 2011-05-22 19:36:35.000000000 -0400
82189 @@ -822,7 +822,7 @@ snd_azf3328_mixer_new(struct snd_azf3328
82190 {
82191 struct snd_ac97_bus *bus;
82192 struct snd_ac97_template ac97;
82193 - static struct snd_ac97_bus_ops ops = {
82194 + static const struct snd_ac97_bus_ops ops = {
82195 .write = snd_azf3328_mixer_ac97_write,
82196 .read = snd_azf3328_mixer_ac97_read,
82197 };
82198 @@ -2179,7 +2179,7 @@ snd_azf3328_pcm_close(struct snd_pcm_sub
82199
82200 /******************************************************************/
82201
82202 -static struct snd_pcm_ops snd_azf3328_playback_ops = {
82203 +static const struct snd_pcm_ops snd_azf3328_playback_ops = {
82204 .open = snd_azf3328_pcm_playback_open,
82205 .close = snd_azf3328_pcm_close,
82206 .ioctl = snd_pcm_lib_ioctl,
82207 @@ -2190,7 +2190,7 @@ static struct snd_pcm_ops snd_azf3328_pl
82208 .pointer = snd_azf3328_pcm_pointer
82209 };
82210
82211 -static struct snd_pcm_ops snd_azf3328_capture_ops = {
82212 +static const struct snd_pcm_ops snd_azf3328_capture_ops = {
82213 .open = snd_azf3328_pcm_capture_open,
82214 .close = snd_azf3328_pcm_close,
82215 .ioctl = snd_pcm_lib_ioctl,
82216 @@ -2201,7 +2201,7 @@ static struct snd_pcm_ops snd_azf3328_ca
82217 .pointer = snd_azf3328_pcm_pointer
82218 };
82219
82220 -static struct snd_pcm_ops snd_azf3328_i2s_out_ops = {
82221 +static const struct snd_pcm_ops snd_azf3328_i2s_out_ops = {
82222 .open = snd_azf3328_pcm_i2s_out_open,
82223 .close = snd_azf3328_pcm_close,
82224 .ioctl = snd_pcm_lib_ioctl,
82225 @@ -2497,7 +2497,7 @@ snd_azf3328_create(struct snd_card *card
82226 {
82227 struct snd_azf3328 *chip;
82228 int err;
82229 - static struct snd_device_ops ops = {
82230 + static const struct snd_device_ops ops = {
82231 .dev_free = snd_azf3328_dev_free,
82232 };
82233 u8 dma_init;
82234 diff -urNp linux-2.6.39.3/sound/pci/bt87x.c linux-2.6.39.3/sound/pci/bt87x.c
82235 --- linux-2.6.39.3/sound/pci/bt87x.c 2011-05-19 00:06:34.000000000 -0400
82236 +++ linux-2.6.39.3/sound/pci/bt87x.c 2011-05-22 19:36:35.000000000 -0400
82237 @@ -542,7 +542,7 @@ static snd_pcm_uframes_t snd_bt87x_point
82238 return (snd_pcm_uframes_t)bytes_to_frames(runtime, chip->current_line * chip->line_bytes);
82239 }
82240
82241 -static struct snd_pcm_ops snd_bt87x_pcm_ops = {
82242 +static const struct snd_pcm_ops snd_bt87x_pcm_ops = {
82243 .open = snd_bt87x_pcm_open,
82244 .close = snd_bt87x_close,
82245 .ioctl = snd_pcm_lib_ioctl,
82246 @@ -720,7 +720,7 @@ static int __devinit snd_bt87x_create(st
82247 {
82248 struct snd_bt87x *chip;
82249 int err;
82250 - static struct snd_device_ops ops = {
82251 + static const struct snd_device_ops ops = {
82252 .dev_free = snd_bt87x_dev_free
82253 };
82254
82255 diff -urNp linux-2.6.39.3/sound/pci/ca0106/ca0106_main.c linux-2.6.39.3/sound/pci/ca0106/ca0106_main.c
82256 --- linux-2.6.39.3/sound/pci/ca0106/ca0106_main.c 2011-05-19 00:06:34.000000000 -0400
82257 +++ linux-2.6.39.3/sound/pci/ca0106/ca0106_main.c 2011-05-22 19:36:35.000000000 -0400
82258 @@ -1103,7 +1103,7 @@ snd_ca0106_pcm_pointer_capture(struct sn
82259 }
82260
82261 /* operators */
82262 -static struct snd_pcm_ops snd_ca0106_playback_front_ops = {
82263 +static const struct snd_pcm_ops snd_ca0106_playback_front_ops = {
82264 .open = snd_ca0106_pcm_open_playback_front,
82265 .close = snd_ca0106_pcm_close_playback,
82266 .ioctl = snd_pcm_lib_ioctl,
82267 @@ -1114,7 +1114,7 @@ static struct snd_pcm_ops snd_ca0106_pla
82268 .pointer = snd_ca0106_pcm_pointer_playback,
82269 };
82270
82271 -static struct snd_pcm_ops snd_ca0106_capture_0_ops = {
82272 +static const struct snd_pcm_ops snd_ca0106_capture_0_ops = {
82273 .open = snd_ca0106_pcm_open_0_capture,
82274 .close = snd_ca0106_pcm_close_capture,
82275 .ioctl = snd_pcm_lib_ioctl,
82276 @@ -1125,7 +1125,7 @@ static struct snd_pcm_ops snd_ca0106_cap
82277 .pointer = snd_ca0106_pcm_pointer_capture,
82278 };
82279
82280 -static struct snd_pcm_ops snd_ca0106_capture_1_ops = {
82281 +static const struct snd_pcm_ops snd_ca0106_capture_1_ops = {
82282 .open = snd_ca0106_pcm_open_1_capture,
82283 .close = snd_ca0106_pcm_close_capture,
82284 .ioctl = snd_pcm_lib_ioctl,
82285 @@ -1136,7 +1136,7 @@ static struct snd_pcm_ops snd_ca0106_cap
82286 .pointer = snd_ca0106_pcm_pointer_capture,
82287 };
82288
82289 -static struct snd_pcm_ops snd_ca0106_capture_2_ops = {
82290 +static const struct snd_pcm_ops snd_ca0106_capture_2_ops = {
82291 .open = snd_ca0106_pcm_open_2_capture,
82292 .close = snd_ca0106_pcm_close_capture,
82293 .ioctl = snd_pcm_lib_ioctl,
82294 @@ -1147,7 +1147,7 @@ static struct snd_pcm_ops snd_ca0106_cap
82295 .pointer = snd_ca0106_pcm_pointer_capture,
82296 };
82297
82298 -static struct snd_pcm_ops snd_ca0106_capture_3_ops = {
82299 +static const struct snd_pcm_ops snd_ca0106_capture_3_ops = {
82300 .open = snd_ca0106_pcm_open_3_capture,
82301 .close = snd_ca0106_pcm_close_capture,
82302 .ioctl = snd_pcm_lib_ioctl,
82303 @@ -1158,7 +1158,7 @@ static struct snd_pcm_ops snd_ca0106_cap
82304 .pointer = snd_ca0106_pcm_pointer_capture,
82305 };
82306
82307 -static struct snd_pcm_ops snd_ca0106_playback_center_lfe_ops = {
82308 +static const struct snd_pcm_ops snd_ca0106_playback_center_lfe_ops = {
82309 .open = snd_ca0106_pcm_open_playback_center_lfe,
82310 .close = snd_ca0106_pcm_close_playback,
82311 .ioctl = snd_pcm_lib_ioctl,
82312 @@ -1169,7 +1169,7 @@ static struct snd_pcm_ops snd_ca0106_pla
82313 .pointer = snd_ca0106_pcm_pointer_playback,
82314 };
82315
82316 -static struct snd_pcm_ops snd_ca0106_playback_unknown_ops = {
82317 +static const struct snd_pcm_ops snd_ca0106_playback_unknown_ops = {
82318 .open = snd_ca0106_pcm_open_playback_unknown,
82319 .close = snd_ca0106_pcm_close_playback,
82320 .ioctl = snd_pcm_lib_ioctl,
82321 @@ -1180,7 +1180,7 @@ static struct snd_pcm_ops snd_ca0106_pla
82322 .pointer = snd_ca0106_pcm_pointer_playback,
82323 };
82324
82325 -static struct snd_pcm_ops snd_ca0106_playback_rear_ops = {
82326 +static const struct snd_pcm_ops snd_ca0106_playback_rear_ops = {
82327 .open = snd_ca0106_pcm_open_playback_rear,
82328 .close = snd_ca0106_pcm_close_playback,
82329 .ioctl = snd_pcm_lib_ioctl,
82330 @@ -1223,7 +1223,7 @@ static int snd_ca0106_ac97(struct snd_ca
82331 struct snd_ac97_bus *pbus;
82332 struct snd_ac97_template ac97;
82333 int err;
82334 - static struct snd_ac97_bus_ops ops = {
82335 + static const struct snd_ac97_bus_ops ops = {
82336 .write = snd_ca0106_ac97_write,
82337 .read = snd_ca0106_ac97_read,
82338 };
82339 @@ -1629,7 +1629,7 @@ static int __devinit snd_ca0106_create(i
82340 struct snd_ca0106 *chip;
82341 struct snd_ca0106_details *c;
82342 int err;
82343 - static struct snd_device_ops ops = {
82344 + static const struct snd_device_ops ops = {
82345 .dev_free = snd_ca0106_dev_free,
82346 };
82347
82348 diff -urNp linux-2.6.39.3/sound/pci/ca0106/ca_midi.c linux-2.6.39.3/sound/pci/ca0106/ca_midi.c
82349 --- linux-2.6.39.3/sound/pci/ca0106/ca_midi.c 2011-05-19 00:06:34.000000000 -0400
82350 +++ linux-2.6.39.3/sound/pci/ca0106/ca_midi.c 2011-05-22 19:36:35.000000000 -0400
82351 @@ -255,15 +255,13 @@ static void ca_midi_output_trigger(struc
82352 }
82353 }
82354
82355 -static struct snd_rawmidi_ops ca_midi_output =
82356 -{
82357 +static const struct snd_rawmidi_ops ca_midi_output = {
82358 .open = ca_midi_output_open,
82359 .close = ca_midi_output_close,
82360 .trigger = ca_midi_output_trigger,
82361 };
82362
82363 -static struct snd_rawmidi_ops ca_midi_input =
82364 -{
82365 +static const struct snd_rawmidi_ops ca_midi_input = {
82366 .open = ca_midi_input_open,
82367 .close = ca_midi_input_close,
82368 .trigger = ca_midi_input_trigger,
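Review bot: Moving the brace onto the declaration line (`= {`) in `ca_midi_output` and `ca_midi_input` is unrelated to the const qualification and turns each one-line change into a three-line one. In a hardening patch carried out of tree, that churn makes it harder to see that only the qualifier changed, and it adds conflict surface against upstream. I would change only the declaration line, `static const struct snd_rawmidi_ops ca_midi_output =`, and leave the existing `{` line as context. The same applies to the rawmidi tables in the cs4281.c hunk at `@@ -1765` and the emu10k1x.c hunk at `@@ -1465`. The second initializer continues past the end of this hunk.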
82369 diff -urNp linux-2.6.39.3/sound/pci/cmipci.c linux-2.6.39.3/sound/pci/cmipci.c
82370 --- linux-2.6.39.3/sound/pci/cmipci.c 2011-05-19 00:06:34.000000000 -0400
82371 +++ linux-2.6.39.3/sound/pci/cmipci.c 2011-05-22 19:36:35.000000000 -0400
82372 @@ -1838,7 +1838,7 @@ static int snd_cmipci_capture_spdif_clos
82373 /*
82374 */
82375
82376 -static struct snd_pcm_ops snd_cmipci_playback_ops = {
82377 +static const struct snd_pcm_ops snd_cmipci_playback_ops = {
82378 .open = snd_cmipci_playback_open,
82379 .close = snd_cmipci_playback_close,
82380 .ioctl = snd_pcm_lib_ioctl,
82381 @@ -1849,7 +1849,7 @@ static struct snd_pcm_ops snd_cmipci_pla
82382 .pointer = snd_cmipci_playback_pointer,
82383 };
82384
82385 -static struct snd_pcm_ops snd_cmipci_capture_ops = {
82386 +static const struct snd_pcm_ops snd_cmipci_capture_ops = {
82387 .open = snd_cmipci_capture_open,
82388 .close = snd_cmipci_capture_close,
82389 .ioctl = snd_pcm_lib_ioctl,
82390 @@ -1860,7 +1860,7 @@ static struct snd_pcm_ops snd_cmipci_cap
82391 .pointer = snd_cmipci_capture_pointer,
82392 };
82393
82394 -static struct snd_pcm_ops snd_cmipci_playback2_ops = {
82395 +static const struct snd_pcm_ops snd_cmipci_playback2_ops = {
82396 .open = snd_cmipci_playback2_open,
82397 .close = snd_cmipci_playback2_close,
82398 .ioctl = snd_pcm_lib_ioctl,
82399 @@ -1871,7 +1871,7 @@ static struct snd_pcm_ops snd_cmipci_pla
82400 .pointer = snd_cmipci_capture_pointer, /* channel B */
82401 };
82402
82403 -static struct snd_pcm_ops snd_cmipci_playback_spdif_ops = {
82404 +static const struct snd_pcm_ops snd_cmipci_playback_spdif_ops = {
82405 .open = snd_cmipci_playback_spdif_open,
82406 .close = snd_cmipci_playback_spdif_close,
82407 .ioctl = snd_pcm_lib_ioctl,
82408 @@ -1882,7 +1882,7 @@ static struct snd_pcm_ops snd_cmipci_pla
82409 .pointer = snd_cmipci_playback_pointer,
82410 };
82411
82412 -static struct snd_pcm_ops snd_cmipci_capture_spdif_ops = {
82413 +static const struct snd_pcm_ops snd_cmipci_capture_spdif_ops = {
82414 .open = snd_cmipci_capture_spdif_open,
82415 .close = snd_cmipci_capture_spdif_close,
82416 .ioctl = snd_pcm_lib_ioctl,
82417 @@ -3011,7 +3011,7 @@ static int __devinit snd_cmipci_create(s
82418 {
82419 struct cmipci *cm;
82420 int err;
82421 - static struct snd_device_ops ops = {
82422 + static const struct snd_device_ops ops = {
82423 .dev_free = snd_cmipci_dev_free,
82424 };
82425 unsigned int val;
82426 diff -urNp linux-2.6.39.3/sound/pci/cs4281.c linux-2.6.39.3/sound/pci/cs4281.c
82427 --- linux-2.6.39.3/sound/pci/cs4281.c 2011-05-19 00:06:34.000000000 -0400
82428 +++ linux-2.6.39.3/sound/pci/cs4281.c 2011-05-22 19:36:35.000000000 -0400
82429 @@ -947,7 +947,7 @@ static int snd_cs4281_capture_close(stru
82430 return 0;
82431 }
82432
82433 -static struct snd_pcm_ops snd_cs4281_playback_ops = {
82434 +static const struct snd_pcm_ops snd_cs4281_playback_ops = {
82435 .open = snd_cs4281_playback_open,
82436 .close = snd_cs4281_playback_close,
82437 .ioctl = snd_pcm_lib_ioctl,
82438 @@ -958,7 +958,7 @@ static struct snd_pcm_ops snd_cs4281_pla
82439 .pointer = snd_cs4281_pointer,
82440 };
82441
82442 -static struct snd_pcm_ops snd_cs4281_capture_ops = {
82443 +static const struct snd_pcm_ops snd_cs4281_capture_ops = {
82444 .open = snd_cs4281_capture_open,
82445 .close = snd_cs4281_capture_close,
82446 .ioctl = snd_pcm_lib_ioctl,
82447 @@ -1098,7 +1098,7 @@ static int __devinit snd_cs4281_mixer(st
82448 struct snd_card *card = chip->card;
82449 struct snd_ac97_template ac97;
82450 int err;
82451 - static struct snd_ac97_bus_ops ops = {
82452 + static const struct snd_ac97_bus_ops ops = {
82453 .write = snd_cs4281_ac97_write,
82454 .read = snd_cs4281_ac97_read,
82455 };
82456 @@ -1343,7 +1343,7 @@ static int __devinit snd_cs4281_create(s
82457 struct cs4281 *chip;
82458 unsigned int tmp;
82459 int err;
82460 - static struct snd_device_ops ops = {
82461 + static const struct snd_device_ops ops = {
82462 .dev_free = snd_cs4281_dev_free,
82463 };
82464
82465 @@ -1765,15 +1765,13 @@ static void snd_cs4281_midi_output_trigg
82466 spin_unlock_irqrestore(&chip->reg_lock, flags);
82467 }
82468
82469 -static struct snd_rawmidi_ops snd_cs4281_midi_output =
82470 -{
82471 +static const struct snd_rawmidi_ops snd_cs4281_midi_output = {
82472 .open = snd_cs4281_midi_output_open,
82473 .close = snd_cs4281_midi_output_close,
82474 .trigger = snd_cs4281_midi_output_trigger,
82475 };
82476
82477 -static struct snd_rawmidi_ops snd_cs4281_midi_input =
82478 -{
82479 +static const struct snd_rawmidi_ops snd_cs4281_midi_input = {
82480 .open = snd_cs4281_midi_input_open,
82481 .close = snd_cs4281_midi_input_close,
82482 .trigger = snd_cs4281_midi_input_trigger,
82483 diff -urNp linux-2.6.39.3/sound/pci/cs46xx/cs46xx_lib.c linux-2.6.39.3/sound/pci/cs46xx/cs46xx_lib.c
82484 --- linux-2.6.39.3/sound/pci/cs46xx/cs46xx_lib.c 2011-05-19 00:06:34.000000000 -0400
82485 +++ linux-2.6.39.3/sound/pci/cs46xx/cs46xx_lib.c 2011-05-22 19:36:35.000000000 -0400
82486 @@ -3722,7 +3722,7 @@ int __devinit snd_cs46xx_create(struct s
82487 struct snd_cs46xx_region *region;
82488 struct cs_card_type *cp;
82489 u16 ss_card, ss_vendor;
82490 - static struct snd_device_ops ops = {
82491 + static const struct snd_device_ops ops = {
82492 .dev_free = snd_cs46xx_dev_free,
82493 };
82494
82495 diff -urNp linux-2.6.39.3/sound/pci/cs5530.c linux-2.6.39.3/sound/pci/cs5530.c
82496 --- linux-2.6.39.3/sound/pci/cs5530.c 2011-05-19 00:06:34.000000000 -0400
82497 +++ linux-2.6.39.3/sound/pci/cs5530.c 2011-05-22 19:36:35.000000000 -0400
82498 @@ -107,7 +107,7 @@ static int __devinit snd_cs5530_create(s
82499 void __iomem *mem;
82500 int err;
82501
82502 - static struct snd_device_ops ops = {
82503 + static const struct snd_device_ops ops = {
82504 .dev_free = snd_cs5530_dev_free,
82505 };
82506 *rchip = NULL;
82507 diff -urNp linux-2.6.39.3/sound/pci/cs5535audio/cs5535audio.c linux-2.6.39.3/sound/pci/cs5535audio/cs5535audio.c
82508 --- linux-2.6.39.3/sound/pci/cs5535audio/cs5535audio.c 2011-05-19 00:06:34.000000000 -0400
82509 +++ linux-2.6.39.3/sound/pci/cs5535audio/cs5535audio.c 2011-05-22 19:36:35.000000000 -0400
82510 @@ -150,7 +150,7 @@ static int __devinit snd_cs5535audio_mix
82511 struct snd_ac97_bus *pbus;
82512 struct snd_ac97_template ac97;
82513 int err;
82514 - static struct snd_ac97_bus_ops ops = {
82515 + static const struct snd_ac97_bus_ops ops = {
82516 .write = snd_cs5535audio_ac97_codec_write,
82517 .read = snd_cs5535audio_ac97_codec_read,
82518 };
82519 @@ -277,7 +277,7 @@ static int __devinit snd_cs5535audio_cre
82520 struct cs5535audio *cs5535au;
82521
82522 int err;
82523 - static struct snd_device_ops ops = {
82524 + static const struct snd_device_ops ops = {
82525 .dev_free = snd_cs5535audio_dev_free,
82526 };
82527
82528 diff -urNp linux-2.6.39.3/sound/pci/cs5535audio/cs5535audio_pcm.c linux-2.6.39.3/sound/pci/cs5535audio/cs5535audio_pcm.c
82529 --- linux-2.6.39.3/sound/pci/cs5535audio/cs5535audio_pcm.c 2011-05-19 00:06:34.000000000 -0400
82530 +++ linux-2.6.39.3/sound/pci/cs5535audio/cs5535audio_pcm.c 2011-05-22 19:36:35.000000000 -0400
82531 @@ -380,7 +380,7 @@ static int snd_cs5535audio_capture_prepa
82532 substream->runtime->rate);
82533 }
82534
82535 -static struct snd_pcm_ops snd_cs5535audio_playback_ops = {
82536 +static const struct snd_pcm_ops snd_cs5535audio_playback_ops = {
82537 .open = snd_cs5535audio_playback_open,
82538 .close = snd_cs5535audio_playback_close,
82539 .ioctl = snd_pcm_lib_ioctl,
82540 @@ -391,7 +391,7 @@ static struct snd_pcm_ops snd_cs5535audi
82541 .pointer = snd_cs5535audio_pcm_pointer,
82542 };
82543
82544 -static struct snd_pcm_ops snd_cs5535audio_capture_ops = {
82545 +static const struct snd_pcm_ops snd_cs5535audio_capture_ops = {
82546 .open = snd_cs5535audio_capture_open,
82547 .close = snd_cs5535audio_capture_close,
82548 .ioctl = snd_pcm_lib_ioctl,
82549 diff -urNp linux-2.6.39.3/sound/pci/ctxfi/ctpcm.c linux-2.6.39.3/sound/pci/ctxfi/ctpcm.c
82550 --- linux-2.6.39.3/sound/pci/ctxfi/ctpcm.c 2011-05-19 00:06:34.000000000 -0400
82551 +++ linux-2.6.39.3/sound/pci/ctxfi/ctpcm.c 2011-05-22 19:36:35.000000000 -0400
82552 @@ -370,7 +370,7 @@ ct_pcm_capture_pointer(struct snd_pcm_su
82553 }
82554
82555 /* PCM operators for playback */
82556 -static struct snd_pcm_ops ct_pcm_playback_ops = {
82557 +static const struct snd_pcm_ops ct_pcm_playback_ops = {
82558 .open = ct_pcm_playback_open,
82559 .close = ct_pcm_playback_close,
82560 .ioctl = snd_pcm_lib_ioctl,
82561 @@ -383,7 +383,7 @@ static struct snd_pcm_ops ct_pcm_playbac
82562 };
82563
82564 /* PCM operators for capture */
82565 -static struct snd_pcm_ops ct_pcm_capture_ops = {
82566 +static const struct snd_pcm_ops ct_pcm_capture_ops = {
82567 .open = ct_pcm_capture_open,
82568 .close = ct_pcm_capture_close,
82569 .ioctl = snd_pcm_lib_ioctl,
82570 diff -urNp linux-2.6.39.3/sound/pci/echoaudio/echoaudio.c linux-2.6.39.3/sound/pci/echoaudio/echoaudio.c
82571 --- linux-2.6.39.3/sound/pci/echoaudio/echoaudio.c 2011-05-19 00:06:34.000000000 -0400
82572 +++ linux-2.6.39.3/sound/pci/echoaudio/echoaudio.c 2011-05-22 19:36:35.000000000 -0400
82573 @@ -831,7 +831,7 @@ static snd_pcm_uframes_t pcm_pointer(str
82574
82575
82576 /* pcm *_ops structures */
82577 -static struct snd_pcm_ops analog_playback_ops = {
82578 +static const struct snd_pcm_ops analog_playback_ops = {
82579 .open = pcm_analog_out_open,
82580 .close = pcm_close,
82581 .ioctl = snd_pcm_lib_ioctl,
82582 @@ -842,7 +842,7 @@ static struct snd_pcm_ops analog_playbac
82583 .pointer = pcm_pointer,
82584 .page = snd_pcm_sgbuf_ops_page,
82585 };
82586 -static struct snd_pcm_ops analog_capture_ops = {
82587 +static const struct snd_pcm_ops analog_capture_ops = {
82588 .open = pcm_analog_in_open,
82589 .close = pcm_close,
82590 .ioctl = snd_pcm_lib_ioctl,
82591 @@ -855,7 +855,7 @@ static struct snd_pcm_ops analog_capture
82592 };
82593 #ifdef ECHOCARD_HAS_DIGITAL_IO
82594 #ifndef ECHOCARD_HAS_VMIXER
82595 -static struct snd_pcm_ops digital_playback_ops = {
82596 +static const struct snd_pcm_ops digital_playback_ops = {
82597 .open = pcm_digital_out_open,
82598 .close = pcm_close,
82599 .ioctl = snd_pcm_lib_ioctl,
82600 @@ -867,7 +867,7 @@ static struct snd_pcm_ops digital_playba
82601 .page = snd_pcm_sgbuf_ops_page,
82602 };
82603 #endif /* !ECHOCARD_HAS_VMIXER */
82604 -static struct snd_pcm_ops digital_capture_ops = {
82605 +static const struct snd_pcm_ops digital_capture_ops = {
82606 .open = pcm_digital_in_open,
82607 .close = pcm_close,
82608 .ioctl = snd_pcm_lib_ioctl,
82609 @@ -1945,7 +1945,7 @@ static __devinit int snd_echo_create(str
82610 struct echoaudio *chip;
82611 int err;
82612 size_t sz;
82613 - static struct snd_device_ops ops = {
82614 + static const struct snd_device_ops ops = {
82615 .dev_free = snd_echo_dev_free,
82616 };
82617
82618 diff -urNp linux-2.6.39.3/sound/pci/echoaudio/midi.c linux-2.6.39.3/sound/pci/echoaudio/midi.c
82619 --- linux-2.6.39.3/sound/pci/echoaudio/midi.c 2011-05-19 00:06:34.000000000 -0400
82620 +++ linux-2.6.39.3/sound/pci/echoaudio/midi.c 2011-05-22 19:36:35.000000000 -0400
82621 @@ -292,13 +292,13 @@ static int snd_echo_midi_output_close(st
82622
82623
82624
82625 -static struct snd_rawmidi_ops snd_echo_midi_input = {
82626 +static const struct snd_rawmidi_ops snd_echo_midi_input = {
82627 .open = snd_echo_midi_input_open,
82628 .close = snd_echo_midi_input_close,
82629 .trigger = snd_echo_midi_input_trigger,
82630 };
82631
82632 -static struct snd_rawmidi_ops snd_echo_midi_output = {
82633 +static const struct snd_rawmidi_ops snd_echo_midi_output = {
82634 .open = snd_echo_midi_output_open,
82635 .close = snd_echo_midi_output_close,
82636 .trigger = snd_echo_midi_output_trigger,
82637 diff -urNp linux-2.6.39.3/sound/pci/emu10k1/emu10k1_main.c linux-2.6.39.3/sound/pci/emu10k1/emu10k1_main.c
82638 --- linux-2.6.39.3/sound/pci/emu10k1/emu10k1_main.c 2011-05-19 00:06:34.000000000 -0400
82639 +++ linux-2.6.39.3/sound/pci/emu10k1/emu10k1_main.c 2011-05-22 19:36:35.000000000 -0400
82640 @@ -1722,7 +1722,7 @@ int __devinit snd_emu10k1_create(struct
82641 int is_audigy;
82642 unsigned int silent_page;
82643 const struct snd_emu_chip_details *c;
82644 - static struct snd_device_ops ops = {
82645 + static const struct snd_device_ops ops = {
82646 .dev_free = snd_emu10k1_dev_free,
82647 };
82648
82649 diff -urNp linux-2.6.39.3/sound/pci/emu10k1/emu10k1x.c linux-2.6.39.3/sound/pci/emu10k1/emu10k1x.c
82650 --- linux-2.6.39.3/sound/pci/emu10k1/emu10k1x.c 2011-05-19 00:06:34.000000000 -0400
82651 +++ linux-2.6.39.3/sound/pci/emu10k1/emu10k1x.c 2011-05-22 19:36:35.000000000 -0400
82652 @@ -543,7 +543,7 @@ snd_emu10k1x_pcm_pointer(struct snd_pcm_
82653 }
82654
82655 /* operators */
82656 -static struct snd_pcm_ops snd_emu10k1x_playback_ops = {
82657 +static const struct snd_pcm_ops snd_emu10k1x_playback_ops = {
82658 .open = snd_emu10k1x_playback_open,
82659 .close = snd_emu10k1x_playback_close,
82660 .ioctl = snd_pcm_lib_ioctl,
82661 @@ -689,7 +689,7 @@ snd_emu10k1x_pcm_pointer_capture(struct
82662 return ptr;
82663 }
82664
82665 -static struct snd_pcm_ops snd_emu10k1x_capture_ops = {
82666 +static const struct snd_pcm_ops snd_emu10k1x_capture_ops = {
82667 .open = snd_emu10k1x_pcm_open_capture,
82668 .close = snd_emu10k1x_pcm_close_capture,
82669 .ioctl = snd_pcm_lib_ioctl,
82670 @@ -731,7 +731,7 @@ static int snd_emu10k1x_ac97(struct emu1
82671 struct snd_ac97_bus *pbus;
82672 struct snd_ac97_template ac97;
82673 int err;
82674 - static struct snd_ac97_bus_ops ops = {
82675 + static const struct snd_ac97_bus_ops ops = {
82676 .write = snd_emu10k1x_ac97_write,
82677 .read = snd_emu10k1x_ac97_read,
82678 };
82679 @@ -888,7 +888,7 @@ static int __devinit snd_emu10k1x_create
82680 struct emu10k1x *chip;
82681 int err;
82682 int ch;
82683 - static struct snd_device_ops ops = {
82684 + static const struct snd_device_ops ops = {
82685 .dev_free = snd_emu10k1x_dev_free,
82686 };
82687
82688 @@ -1465,15 +1465,13 @@ static void snd_emu10k1x_midi_output_tri
82689
82690 */
82691
82692 -static struct snd_rawmidi_ops snd_emu10k1x_midi_output =
82693 -{
82694 +static const struct snd_rawmidi_ops snd_emu10k1x_midi_output = {
82695 .open = snd_emu10k1x_midi_output_open,
82696 .close = snd_emu10k1x_midi_output_close,
82697 .trigger = snd_emu10k1x_midi_output_trigger,
82698 };
82699
82700 -static struct snd_rawmidi_ops snd_emu10k1x_midi_input =
82701 -{
82702 +static const struct snd_rawmidi_ops snd_emu10k1x_midi_input = {
82703 .open = snd_emu10k1x_midi_input_open,
82704 .close = snd_emu10k1x_midi_input_close,
82705 .trigger = snd_emu10k1x_midi_input_trigger,
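Review bot: Both tables in this hunk change the brace placement as well as the qualifier (`=` followed by `{` on its own line becomes `= {`), so a pure const-qualification change is mixed with a formatting change. That costs two extra changed lines per table and makes the hunk more likely to conflict when the patch is rebased onto a newer kernel. Keeping the original layout and changing only the declaration line, `static const struct snd_rawmidi_ops snd_emu10k1x_midi_output =`, would be enough. The ens1370.c hunk at `@@ -2331,15 +2331,13 @@` does the same, and the second initializer here continues past the end of the hunk.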
82706 diff -urNp linux-2.6.39.3/sound/pci/emu10k1/p16v.c linux-2.6.39.3/sound/pci/emu10k1/p16v.c
82707 --- linux-2.6.39.3/sound/pci/emu10k1/p16v.c 2011-05-19 00:06:34.000000000 -0400
82708 +++ linux-2.6.39.3/sound/pci/emu10k1/p16v.c 2011-05-22 19:36:35.000000000 -0400
82709 @@ -601,7 +601,7 @@ snd_p16v_pcm_pointer_capture(struct snd_
82710 }
82711
82712 /* operators */
82713 -static struct snd_pcm_ops snd_p16v_playback_front_ops = {
82714 +static const struct snd_pcm_ops snd_p16v_playback_front_ops = {
82715 .open = snd_p16v_pcm_open_playback_front,
82716 .close = snd_p16v_pcm_close_playback,
82717 .ioctl = snd_pcm_lib_ioctl,
82718 @@ -612,7 +612,7 @@ static struct snd_pcm_ops snd_p16v_playb
82719 .pointer = snd_p16v_pcm_pointer_playback,
82720 };
82721
82722 -static struct snd_pcm_ops snd_p16v_capture_ops = {
82723 +static const struct snd_pcm_ops snd_p16v_capture_ops = {
82724 .open = snd_p16v_pcm_open_capture,
82725 .close = snd_p16v_pcm_close_capture,
82726 .ioctl = snd_pcm_lib_ioctl,
82727 diff -urNp linux-2.6.39.3/sound/pci/ens1370.c linux-2.6.39.3/sound/pci/ens1370.c
82728 --- linux-2.6.39.3/sound/pci/ens1370.c 2011-05-19 00:06:34.000000000 -0400
82729 +++ linux-2.6.39.3/sound/pci/ens1370.c 2011-05-22 19:36:35.000000000 -0400
82730 @@ -1225,7 +1225,7 @@ static int snd_ensoniq_capture_close(str
82731 return 0;
82732 }
82733
82734 -static struct snd_pcm_ops snd_ensoniq_playback1_ops = {
82735 +static const struct snd_pcm_ops snd_ensoniq_playback1_ops = {
82736 .open = snd_ensoniq_playback1_open,
82737 .close = snd_ensoniq_playback1_close,
82738 .ioctl = snd_pcm_lib_ioctl,
82739 @@ -1236,7 +1236,7 @@ static struct snd_pcm_ops snd_ensoniq_pl
82740 .pointer = snd_ensoniq_playback1_pointer,
82741 };
82742
82743 -static struct snd_pcm_ops snd_ensoniq_playback2_ops = {
82744 +static const struct snd_pcm_ops snd_ensoniq_playback2_ops = {
82745 .open = snd_ensoniq_playback2_open,
82746 .close = snd_ensoniq_playback2_close,
82747 .ioctl = snd_pcm_lib_ioctl,
82748 @@ -1247,7 +1247,7 @@ static struct snd_pcm_ops snd_ensoniq_pl
82749 .pointer = snd_ensoniq_playback2_pointer,
82750 };
82751
82752 -static struct snd_pcm_ops snd_ensoniq_capture_ops = {
82753 +static const struct snd_pcm_ops snd_ensoniq_capture_ops = {
82754 .open = snd_ensoniq_capture_open,
82755 .close = snd_ensoniq_capture_close,
82756 .ioctl = snd_pcm_lib_ioctl,
82757 @@ -1633,7 +1633,7 @@ static int __devinit snd_ensoniq_1371_mi
82758 struct snd_ac97_bus *pbus;
82759 struct snd_ac97_template ac97;
82760 int err;
82761 - static struct snd_ac97_bus_ops ops = {
82762 + static const struct snd_ac97_bus_ops ops = {
82763 .write = snd_es1371_codec_write,
82764 .read = snd_es1371_codec_read,
82765 .wait = snd_es1371_codec_wait,
82766 @@ -2096,7 +2096,7 @@ static int __devinit snd_ensoniq_create(
82767 {
82768 struct ensoniq *ensoniq;
82769 int err;
82770 - static struct snd_device_ops ops = {
82771 + static const struct snd_device_ops ops = {
82772 .dev_free = snd_ensoniq_dev_free,
82773 };
82774
82775 @@ -2331,15 +2331,13 @@ static void snd_ensoniq_midi_output_trig
82776 spin_unlock_irqrestore(&ensoniq->reg_lock, flags);
82777 }
82778
82779 -static struct snd_rawmidi_ops snd_ensoniq_midi_output =
82780 -{
82781 +static const struct snd_rawmidi_ops snd_ensoniq_midi_output = {
82782 .open = snd_ensoniq_midi_output_open,
82783 .close = snd_ensoniq_midi_output_close,
82784 .trigger = snd_ensoniq_midi_output_trigger,
82785 };
82786
82787 -static struct snd_rawmidi_ops snd_ensoniq_midi_input =
82788 -{
82789 +static const struct snd_rawmidi_ops snd_ensoniq_midi_input = {
82790 .open = snd_ensoniq_midi_input_open,
82791 .close = snd_ensoniq_midi_input_close,
82792 .trigger = snd_ensoniq_midi_input_trigger,
82793 diff -urNp linux-2.6.39.3/sound/pci/es1938.c linux-2.6.39.3/sound/pci/es1938.c
82794 --- linux-2.6.39.3/sound/pci/es1938.c 2011-05-19 00:06:34.000000000 -0400
82795 +++ linux-2.6.39.3/sound/pci/es1938.c 2011-05-22 19:36:35.000000000 -0400
82796 @@ -1004,7 +1004,7 @@ static int snd_es1938_playback_close(str
82797 return 0;
82798 }
82799
82800 -static struct snd_pcm_ops snd_es1938_playback_ops = {
82801 +static const struct snd_pcm_ops snd_es1938_playback_ops = {
82802 .open = snd_es1938_playback_open,
82803 .close = snd_es1938_playback_close,
82804 .ioctl = snd_pcm_lib_ioctl,
82805 @@ -1015,7 +1015,7 @@ static struct snd_pcm_ops snd_es1938_pla
82806 .pointer = snd_es1938_playback_pointer,
82807 };
82808
82809 -static struct snd_pcm_ops snd_es1938_capture_ops = {
82810 +static const struct snd_pcm_ops snd_es1938_capture_ops = {
82811 .open = snd_es1938_capture_open,
82812 .close = snd_es1938_capture_close,
82813 .ioctl = snd_pcm_lib_ioctl,
82814 @@ -1598,7 +1598,7 @@ static int __devinit snd_es1938_create(s
82815 {
82816 struct es1938 *chip;
82817 int err;
82818 - static struct snd_device_ops ops = {
82819 + static const struct snd_device_ops ops = {
82820 .dev_free = snd_es1938_dev_free,
82821 };
82822
82823 diff -urNp linux-2.6.39.3/sound/pci/es1968.c linux-2.6.39.3/sound/pci/es1968.c
82824 --- linux-2.6.39.3/sound/pci/es1968.c 2011-05-19 00:06:34.000000000 -0400
82825 +++ linux-2.6.39.3/sound/pci/es1968.c 2011-05-22 19:36:35.000000000 -0400
82826 @@ -1682,7 +1682,7 @@ static int snd_es1968_capture_close(stru
82827 return 0;
82828 }
82829
82830 -static struct snd_pcm_ops snd_es1968_playback_ops = {
82831 +static const struct snd_pcm_ops snd_es1968_playback_ops = {
82832 .open = snd_es1968_playback_open,
82833 .close = snd_es1968_playback_close,
82834 .ioctl = snd_pcm_lib_ioctl,
82835 @@ -1693,7 +1693,7 @@ static struct snd_pcm_ops snd_es1968_pla
82836 .pointer = snd_es1968_pcm_pointer,
82837 };
82838
82839 -static struct snd_pcm_ops snd_es1968_capture_ops = {
82840 +static const struct snd_pcm_ops snd_es1968_capture_ops = {
82841 .open = snd_es1968_capture_open,
82842 .close = snd_es1968_capture_close,
82843 .ioctl = snd_pcm_lib_ioctl,
82844 @@ -2053,7 +2053,7 @@ snd_es1968_mixer(struct es1968 *chip)
82845 struct snd_ctl_elem_id elem_id;
82846 #endif
82847 int err;
82848 - static struct snd_ac97_bus_ops ops = {
82849 + static const struct snd_ac97_bus_ops ops = {
82850 .write = snd_es1968_ac97_write,
82851 .read = snd_es1968_ac97_read,
82852 };
82853 @@ -2627,7 +2627,7 @@ static int __devinit snd_es1968_create(s
82854 int do_pm,
82855 struct es1968 **chip_ret)
82856 {
82857 - static struct snd_device_ops ops = {
82858 + static const struct snd_device_ops ops = {
82859 .dev_free = snd_es1968_dev_free,
82860 };
82861 struct es1968 *chip;
82862 diff -urNp linux-2.6.39.3/sound/pci/fm801.c linux-2.6.39.3/sound/pci/fm801.c
82863 --- linux-2.6.39.3/sound/pci/fm801.c 2011-05-19 00:06:34.000000000 -0400
82864 +++ linux-2.6.39.3/sound/pci/fm801.c 2011-05-22 19:36:35.000000000 -0400
82865 @@ -662,7 +662,7 @@ static int snd_fm801_capture_close(struc
82866 return 0;
82867 }
82868
82869 -static struct snd_pcm_ops snd_fm801_playback_ops = {
82870 +static const struct snd_pcm_ops snd_fm801_playback_ops = {
82871 .open = snd_fm801_playback_open,
82872 .close = snd_fm801_playback_close,
82873 .ioctl = snd_pcm_lib_ioctl,
82874 @@ -673,7 +673,7 @@ static struct snd_pcm_ops snd_fm801_play
82875 .pointer = snd_fm801_playback_pointer,
82876 };
82877
82878 -static struct snd_pcm_ops snd_fm801_capture_ops = {
82879 +static const struct snd_pcm_ops snd_fm801_capture_ops = {
82880 .open = snd_fm801_capture_open,
82881 .close = snd_fm801_capture_close,
82882 .ioctl = snd_pcm_lib_ioctl,
82883 @@ -1236,7 +1236,7 @@ static int __devinit snd_fm801_mixer(str
82884 struct snd_ac97_template ac97;
82885 unsigned int i;
82886 int err;
82887 - static struct snd_ac97_bus_ops ops = {
82888 + static const struct snd_ac97_bus_ops ops = {
82889 .write = snd_fm801_codec_write,
82890 .read = snd_fm801_codec_read,
82891 };
82892 @@ -1396,7 +1396,7 @@ static int __devinit snd_fm801_create(st
82893 {
82894 struct fm801 *chip;
82895 int err;
82896 - static struct snd_device_ops ops = {
82897 + static const struct snd_device_ops ops = {
82898 .dev_free = snd_fm801_dev_free,
82899 };
82900
82901 diff -urNp linux-2.6.39.3/sound/pci/hda/hda_generic.c linux-2.6.39.3/sound/pci/hda/hda_generic.c
82902 --- linux-2.6.39.3/sound/pci/hda/hda_generic.c 2011-05-19 00:06:34.000000000 -0400
82903 +++ linux-2.6.39.3/sound/pci/hda/hda_generic.c 2011-05-22 19:36:35.000000000 -0400
82904 @@ -1038,7 +1038,7 @@ static int generic_check_power_status(st
82905
82906 /*
82907 */
82908 -static struct hda_codec_ops generic_patch_ops = {
82909 +static const struct hda_codec_ops generic_patch_ops = {
82910 .build_controls = build_generic_controls,
82911 .build_pcms = build_generic_pcms,
82912 .free = snd_hda_generic_free,
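Review bot: Making `generic_patch_ops` const protects only this template if the codec setup copies it by value into the codec object. Mainline of this era fills `codec->patch_ops` that way, with an assignment of the form `codec->patch_ops = generic_patch_ops;`, though that line is not visible in this hunk. If that holds here, the function pointers actually dispatched through stay in writable memory, and a comment at the table such as `/* template only: copied into codec->patch_ops, which remains writable */` would keep readers from over-estimating the hardening. The initializer continues past the end of the hunk. The same caveat applies to the other `hda_codec_ops` tables constified in patch_ca0110.c, patch_cirrus.c, patch_cmedia.c, patch_conexant.c, patch_hdmi.c, patch_realtek.c, patch_si3054.c, patch_sigmatel.c and patch_via.c.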
82913 diff -urNp linux-2.6.39.3/sound/pci/hda/hda_intel.c linux-2.6.39.3/sound/pci/hda/hda_intel.c
82914 --- linux-2.6.39.3/sound/pci/hda/hda_intel.c 2011-06-03 00:04:14.000000000 -0400
82915 +++ linux-2.6.39.3/sound/pci/hda/hda_intel.c 2011-06-03 00:32:08.000000000 -0400
82916 @@ -2459,7 +2459,7 @@ static int __devinit azx_create(struct s
82917 struct azx *chip;
82918 int i, err;
82919 unsigned short gcap;
82920 - static struct snd_device_ops ops = {
82921 + static const struct snd_device_ops ops = {
82922 .dev_free = azx_dev_free,
82923 };
82924
82925 diff -urNp linux-2.6.39.3/sound/pci/hda/patch_ca0110.c linux-2.6.39.3/sound/pci/hda/patch_ca0110.c
82926 --- linux-2.6.39.3/sound/pci/hda/patch_ca0110.c 2011-05-19 00:06:34.000000000 -0400
82927 +++ linux-2.6.39.3/sound/pci/hda/patch_ca0110.c 2011-05-22 19:36:35.000000000 -0400
82928 @@ -389,7 +389,7 @@ static void ca0110_free(struct hda_codec
82929 kfree(codec->spec);
82930 }
82931
82932 -static struct hda_codec_ops ca0110_patch_ops = {
82933 +static const struct hda_codec_ops ca0110_patch_ops = {
82934 .build_controls = ca0110_build_controls,
82935 .build_pcms = ca0110_build_pcms,
82936 .init = ca0110_init,
82937 diff -urNp linux-2.6.39.3/sound/pci/hda/patch_cirrus.c linux-2.6.39.3/sound/pci/hda/patch_cirrus.c
82938 --- linux-2.6.39.3/sound/pci/hda/patch_cirrus.c 2011-05-19 00:06:34.000000000 -0400
82939 +++ linux-2.6.39.3/sound/pci/hda/patch_cirrus.c 2011-05-22 19:36:35.000000000 -0400
82940 @@ -1126,7 +1126,7 @@ static void cs_unsol_event(struct hda_co
82941 }
82942 }
82943
82944 -static struct hda_codec_ops cs_patch_ops = {
82945 +static const struct hda_codec_ops cs_patch_ops = {
82946 .build_controls = cs_build_controls,
82947 .build_pcms = cs_build_pcms,
82948 .init = cs_init,
82949 diff -urNp linux-2.6.39.3/sound/pci/hda/patch_cmedia.c linux-2.6.39.3/sound/pci/hda/patch_cmedia.c
82950 --- linux-2.6.39.3/sound/pci/hda/patch_cmedia.c 2011-05-19 00:06:34.000000000 -0400
82951 +++ linux-2.6.39.3/sound/pci/hda/patch_cmedia.c 2011-05-22 19:36:35.000000000 -0400
82952 @@ -624,7 +624,7 @@ static struct snd_pci_quirk cmi9880_cfg_
82953 {} /* terminator */
82954 };
82955
82956 -static struct hda_codec_ops cmi9880_patch_ops = {
82957 +static const struct hda_codec_ops cmi9880_patch_ops = {
82958 .build_controls = cmi9880_build_controls,
82959 .build_pcms = cmi9880_build_pcms,
82960 .init = cmi9880_init,
82961 diff -urNp linux-2.6.39.3/sound/pci/hda/patch_conexant.c linux-2.6.39.3/sound/pci/hda/patch_conexant.c
82962 --- linux-2.6.39.3/sound/pci/hda/patch_conexant.c 2011-07-09 09:18:51.000000000 -0400
82963 +++ linux-2.6.39.3/sound/pci/hda/patch_conexant.c 2011-07-09 09:19:27.000000000 -0400
82964 @@ -546,7 +546,7 @@ static int conexant_suspend(struct hda_c
82965 }
82966 #endif
82967
82968 -static struct hda_codec_ops conexant_patch_ops = {
82969 +static const struct hda_codec_ops conexant_patch_ops = {
82970 .build_controls = conexant_build_controls,
82971 .build_pcms = conexant_build_pcms,
82972 .init = conexant_init,
82973 @@ -3792,7 +3792,7 @@ static int cx_auto_build_controls(struct
82974 return conexant_build_controls(codec);
82975 }
82976
82977 -static struct hda_codec_ops cx_auto_patch_ops = {
82978 +static const struct hda_codec_ops cx_auto_patch_ops = {
82979 .build_controls = cx_auto_build_controls,
82980 .build_pcms = conexant_build_pcms,
82981 .init = cx_auto_init,
82982 diff -urNp linux-2.6.39.3/sound/pci/hda/patch_hdmi.c linux-2.6.39.3/sound/pci/hda/patch_hdmi.c
82983 --- linux-2.6.39.3/sound/pci/hda/patch_hdmi.c 2011-05-19 00:06:34.000000000 -0400
82984 +++ linux-2.6.39.3/sound/pci/hda/patch_hdmi.c 2011-05-22 19:36:35.000000000 -0400
82985 @@ -1124,7 +1124,7 @@ static void generic_hdmi_free(struct hda
82986 kfree(spec);
82987 }
82988
82989 -static struct hda_codec_ops generic_hdmi_patch_ops = {
82990 +static const struct hda_codec_ops generic_hdmi_patch_ops = {
82991 .init = generic_hdmi_init,
82992 .free = generic_hdmi_free,
82993 .build_pcms = generic_hdmi_build_pcms,
82994 @@ -1465,14 +1465,14 @@ static struct hda_pcm_stream nvhdmi_pcm_
82995 },
82996 };
82997
82998 -static struct hda_codec_ops nvhdmi_patch_ops_8ch_7x = {
82999 +static const struct hda_codec_ops nvhdmi_patch_ops_8ch_7x = {
83000 .build_controls = generic_hdmi_build_controls,
83001 .build_pcms = generic_hdmi_build_pcms,
83002 .init = nvhdmi_7x_init,
83003 .free = generic_hdmi_free,
83004 };
83005
83006 -static struct hda_codec_ops nvhdmi_patch_ops_2ch = {
83007 +static const struct hda_codec_ops nvhdmi_patch_ops_2ch = {
83008 .build_controls = generic_hdmi_build_controls,
83009 .build_pcms = generic_hdmi_build_pcms,
83010 .init = nvhdmi_7x_init,
83011 @@ -1599,7 +1599,7 @@ static int atihdmi_init(struct hda_codec
83012 return 0;
83013 }
83014
83015 -static struct hda_codec_ops atihdmi_patch_ops = {
83016 +static const struct hda_codec_ops atihdmi_patch_ops = {
83017 .build_controls = generic_hdmi_build_controls,
83018 .build_pcms = generic_hdmi_build_pcms,
83019 .init = atihdmi_init,
83020 diff -urNp linux-2.6.39.3/sound/pci/hda/patch_realtek.c linux-2.6.39.3/sound/pci/hda/patch_realtek.c
83021 --- linux-2.6.39.3/sound/pci/hda/patch_realtek.c 2011-07-09 09:18:51.000000000 -0400
83022 +++ linux-2.6.39.3/sound/pci/hda/patch_realtek.c 2011-07-09 09:19:27.000000000 -0400
83023 @@ -4273,7 +4273,7 @@ static int alc_resume(struct hda_codec *
83024
83025 /*
83026 */
83027 -static struct hda_codec_ops alc_patch_ops = {
83028 +static const struct hda_codec_ops alc_patch_ops = {
83029 .build_controls = alc_build_controls,
83030 .build_pcms = alc_build_pcms,
83031 .init = alc_init,
83032 diff -urNp linux-2.6.39.3/sound/pci/hda/patch_si3054.c linux-2.6.39.3/sound/pci/hda/patch_si3054.c
83033 --- linux-2.6.39.3/sound/pci/hda/patch_si3054.c 2011-05-19 00:06:34.000000000 -0400
83034 +++ linux-2.6.39.3/sound/pci/hda/patch_si3054.c 2011-05-22 19:36:35.000000000 -0400
83035 @@ -263,7 +263,7 @@ static void si3054_free(struct hda_codec
83036 /*
83037 */
83038
83039 -static struct hda_codec_ops si3054_patch_ops = {
83040 +static const struct hda_codec_ops si3054_patch_ops = {
83041 .build_controls = si3054_build_controls,
83042 .build_pcms = si3054_build_pcms,
83043 .init = si3054_init,
83044 diff -urNp linux-2.6.39.3/sound/pci/hda/patch_sigmatel.c linux-2.6.39.3/sound/pci/hda/patch_sigmatel.c
83045 --- linux-2.6.39.3/sound/pci/hda/patch_sigmatel.c 2011-06-03 00:04:14.000000000 -0400
83046 +++ linux-2.6.39.3/sound/pci/hda/patch_sigmatel.c 2011-06-03 00:32:08.000000000 -0400
83047 @@ -4968,7 +4968,7 @@ static int stac92xx_suspend(struct hda_c
83048 }
83049 #endif
83050
83051 -static struct hda_codec_ops stac92xx_patch_ops = {
83052 +static const struct hda_codec_ops stac92xx_patch_ops = {
83053 .build_controls = stac92xx_build_controls,
83054 .build_pcms = stac92xx_build_pcms,
83055 .init = stac92xx_init,
83056 diff -urNp linux-2.6.39.3/sound/pci/hda/patch_via.c linux-2.6.39.3/sound/pci/hda/patch_via.c
83057 --- linux-2.6.39.3/sound/pci/hda/patch_via.c 2011-05-19 00:06:34.000000000 -0400
83058 +++ linux-2.6.39.3/sound/pci/hda/patch_via.c 2011-05-22 19:36:35.000000000 -0400
83059 @@ -2254,7 +2254,7 @@ static int via_check_power_status(struct
83060
83061 /*
83062 */
83063 -static struct hda_codec_ops via_patch_ops = {
83064 +static const struct hda_codec_ops via_patch_ops = {
83065 .build_controls = via_build_controls,
83066 .build_pcms = via_build_pcms,
83067 .init = via_init,
83068 diff -urNp linux-2.6.39.3/sound/pci/ice1712/ice1712.c linux-2.6.39.3/sound/pci/ice1712/ice1712.c
83069 --- linux-2.6.39.3/sound/pci/ice1712/ice1712.c 2011-05-19 00:06:34.000000000 -0400
83070 +++ linux-2.6.39.3/sound/pci/ice1712/ice1712.c 2011-05-22 19:36:35.000000000 -0400
83071 @@ -2541,7 +2541,7 @@ static int __devinit snd_ice1712_create(
83072 {
83073 struct snd_ice1712 *ice;
83074 int err;
83075 - static struct snd_device_ops ops = {
83076 + static const struct snd_device_ops ops = {
83077 .dev_free = snd_ice1712_dev_free,
83078 };
83079
83080 diff -urNp linux-2.6.39.3/sound/pci/ice1712/ice1724.c linux-2.6.39.3/sound/pci/ice1712/ice1724.c
83081 --- linux-2.6.39.3/sound/pci/ice1712/ice1724.c 2011-05-19 00:06:34.000000000 -0400
83082 +++ linux-2.6.39.3/sound/pci/ice1712/ice1724.c 2011-05-22 19:36:35.000000000 -0400
83083 @@ -367,7 +367,7 @@ static void vt1724_midi_output_drain(str
83084 } while (time_after(timeout, jiffies));
83085 }
83086
83087 -static struct snd_rawmidi_ops vt1724_midi_output_ops = {
83088 +static const struct snd_rawmidi_ops vt1724_midi_output_ops = {
83089 .open = vt1724_midi_output_open,
83090 .close = vt1724_midi_output_close,
83091 .trigger = vt1724_midi_output_trigger,
83092 @@ -402,7 +402,7 @@ static void vt1724_midi_input_trigger(st
83093 spin_unlock_irqrestore(&ice->reg_lock, flags);
83094 }
83095
83096 -static struct snd_rawmidi_ops vt1724_midi_input_ops = {
83097 +static const struct snd_rawmidi_ops vt1724_midi_input_ops = {
83098 .open = vt1724_midi_input_open,
83099 .close = vt1724_midi_input_close,
83100 .trigger = vt1724_midi_input_trigger,
83101 @@ -2463,7 +2463,7 @@ static int __devinit snd_vt1724_create(s
83102 {
83103 struct snd_ice1712 *ice;
83104 int err;
83105 - static struct snd_device_ops ops = {
83106 + static const struct snd_device_ops ops = {
83107 .dev_free = snd_vt1724_dev_free,
83108 };
83109
83110 diff -urNp linux-2.6.39.3/sound/pci/intel8x0.c linux-2.6.39.3/sound/pci/intel8x0.c
83111 --- linux-2.6.39.3/sound/pci/intel8x0.c 2011-05-19 00:06:34.000000000 -0400
83112 +++ linux-2.6.39.3/sound/pci/intel8x0.c 2011-05-22 19:36:35.000000000 -0400
83113 @@ -2152,12 +2152,12 @@ static int __devinit snd_intel8x0_mixer(
83114 int err;
83115 unsigned int i, codecs;
83116 unsigned int glob_sta = 0;
83117 - struct snd_ac97_bus_ops *ops;
83118 - static struct snd_ac97_bus_ops standard_bus_ops = {
83119 + const struct snd_ac97_bus_ops *ops;
83120 + static const struct snd_ac97_bus_ops standard_bus_ops = {
83121 .write = snd_intel8x0_codec_write,
83122 .read = snd_intel8x0_codec_read,
83123 };
83124 - static struct snd_ac97_bus_ops ali_bus_ops = {
83125 + static const struct snd_ac97_bus_ops ali_bus_ops = {
83126 .write = snd_intel8x0_ali_codec_write,
83127 .read = snd_intel8x0_ali_codec_read,
83128 };
83129 @@ -2921,7 +2921,7 @@ static int __devinit snd_intel8x0_create
83130 unsigned int i;
83131 unsigned int int_sta_masks;
83132 struct ichdev *ichdev;
83133 - static struct snd_device_ops ops = {
83134 + static const struct snd_device_ops ops = {
83135 .dev_free = snd_intel8x0_dev_free,
83136 };
83137
83138 diff -urNp linux-2.6.39.3/sound/pci/intel8x0m.c linux-2.6.39.3/sound/pci/intel8x0m.c
83139 --- linux-2.6.39.3/sound/pci/intel8x0m.c 2011-05-19 00:06:34.000000000 -0400
83140 +++ linux-2.6.39.3/sound/pci/intel8x0m.c 2011-05-22 19:36:35.000000000 -0400
83141 @@ -826,7 +826,7 @@ static int __devinit snd_intel8x0m_mixer
83142 struct snd_ac97 *x97;
83143 int err;
83144 unsigned int glob_sta = 0;
83145 - static struct snd_ac97_bus_ops ops = {
83146 + static const struct snd_ac97_bus_ops ops = {
83147 .write = snd_intel8x0m_codec_write,
83148 .read = snd_intel8x0m_codec_read,
83149 };
83150 @@ -1116,7 +1116,7 @@ static int __devinit snd_intel8x0m_creat
83151 unsigned int i;
83152 unsigned int int_sta_masks;
83153 struct ichdev *ichdev;
83154 - static struct snd_device_ops ops = {
83155 + static const struct snd_device_ops ops = {
83156 .dev_free = snd_intel8x0m_dev_free,
83157 };
83158 static struct ich_reg_info intel_regs[2] = {
83159 @@ -1265,7 +1265,7 @@ static struct shortname_table {
83160 { 0x5455, "ALi M5455" },
83161 { 0x746d, "AMD AMD8111" },
83162 #endif
83163 - { 0 },
83164 + { 0, },
83165 };
83166
83167 static int __devinit snd_intel8x0m_probe(struct pci_dev *pci,
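Review bot: The terminator change from `{ 0 },` to `{ 0, },` in the shortname table does not alter the initialization, because members without an initializer are zeroed in both spellings. If the new form is there to satisfy a checker or compiler plugin, a short comment such as `/* terminator; trailing comma kept for <tool> */` (tool name to be filled in) would record why. Otherwise the line could be dropped from the patch to keep the delta against upstream smaller. The table's opening lines and the body of snd_intel8x0m_probe are outside this hunk.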
83168 diff -urNp linux-2.6.39.3/sound/pci/korg1212/korg1212.c linux-2.6.39.3/sound/pci/korg1212/korg1212.c
83169 --- linux-2.6.39.3/sound/pci/korg1212/korg1212.c 2011-05-19 00:06:34.000000000 -0400
83170 +++ linux-2.6.39.3/sound/pci/korg1212/korg1212.c 2011-05-22 19:36:35.000000000 -0400
83171 @@ -1682,7 +1682,7 @@ static int snd_korg1212_capture_copy(str
83172 return snd_korg1212_copy_to(korg1212, dst, pos, count, 0, korg1212->channels * 2);
83173 }
83174
83175 -static struct snd_pcm_ops snd_korg1212_playback_ops = {
83176 +static const struct snd_pcm_ops snd_korg1212_playback_ops = {
83177 .open = snd_korg1212_playback_open,
83178 .close = snd_korg1212_playback_close,
83179 .ioctl = snd_korg1212_ioctl,
83180 @@ -1694,7 +1694,7 @@ static struct snd_pcm_ops snd_korg1212_p
83181 .silence = snd_korg1212_playback_silence,
83182 };
83183
83184 -static struct snd_pcm_ops snd_korg1212_capture_ops = {
83185 +static const struct snd_pcm_ops snd_korg1212_capture_ops = {
83186 .open = snd_korg1212_capture_open,
83187 .close = snd_korg1212_capture_close,
83188 .ioctl = snd_korg1212_ioctl,
83189 @@ -2164,7 +2164,7 @@ static int __devinit snd_korg1212_create
83190 struct snd_korg1212 * korg1212;
83191 const struct firmware *dsp_code;
83192
83193 - static struct snd_device_ops ops = {
83194 + static const struct snd_device_ops ops = {
83195 .dev_free = snd_korg1212_dev_free,
83196 };
83197
83198 diff -urNp linux-2.6.39.3/sound/pci/maestro3.c linux-2.6.39.3/sound/pci/maestro3.c
83199 --- linux-2.6.39.3/sound/pci/maestro3.c 2011-05-19 00:06:34.000000000 -0400
83200 +++ linux-2.6.39.3/sound/pci/maestro3.c 2011-05-22 19:36:35.000000000 -0400
83201 @@ -1926,7 +1926,7 @@ snd_m3_capture_close(struct snd_pcm_subs
83202 * create pcm instance
83203 */
83204
83205 -static struct snd_pcm_ops snd_m3_playback_ops = {
83206 +static const struct snd_pcm_ops snd_m3_playback_ops = {
83207 .open = snd_m3_playback_open,
83208 .close = snd_m3_playback_close,
83209 .ioctl = snd_pcm_lib_ioctl,
83210 @@ -1937,7 +1937,7 @@ static struct snd_pcm_ops snd_m3_playbac
83211 .pointer = snd_m3_pcm_pointer,
83212 };
83213
83214 -static struct snd_pcm_ops snd_m3_capture_ops = {
83215 +static const struct snd_pcm_ops snd_m3_capture_ops = {
83216 .open = snd_m3_capture_open,
83217 .close = snd_m3_capture_close,
83218 .ioctl = snd_pcm_lib_ioctl,
83219 @@ -2150,7 +2150,7 @@ static int __devinit snd_m3_mixer(struct
83220 struct snd_ctl_elem_id elem_id;
83221 #endif
83222 int err;
83223 - static struct snd_ac97_bus_ops ops = {
83224 + static const struct snd_ac97_bus_ops ops = {
83225 .write = snd_m3_ac97_write,
83226 .read = snd_m3_ac97_read,
83227 };
83228 @@ -2643,7 +2643,7 @@ snd_m3_create(struct snd_card *card, str
83229 struct snd_m3 *chip;
83230 int i, err;
83231 const struct snd_pci_quirk *quirk;
83232 - static struct snd_device_ops ops = {
83233 + static const struct snd_device_ops ops = {
83234 .dev_free = snd_m3_dev_free,
83235 };
83236
83237 diff -urNp linux-2.6.39.3/sound/pci/mixart/mixart.c linux-2.6.39.3/sound/pci/mixart/mixart.c
83238 --- linux-2.6.39.3/sound/pci/mixart/mixart.c 2011-05-19 00:06:34.000000000 -0400
83239 +++ linux-2.6.39.3/sound/pci/mixart/mixart.c 2011-05-22 19:36:35.000000000 -0400
83240 @@ -887,7 +887,7 @@ static snd_pcm_uframes_t snd_mixart_stre
83241
83242
83243
83244 -static struct snd_pcm_ops snd_mixart_playback_ops = {
83245 +static const struct snd_pcm_ops snd_mixart_playback_ops = {
83246 .open = snd_mixart_playback_open,
83247 .close = snd_mixart_close,
83248 .ioctl = snd_pcm_lib_ioctl,
83249 @@ -898,7 +898,7 @@ static struct snd_pcm_ops snd_mixart_pla
83250 .pointer = snd_mixart_stream_pointer,
83251 };
83252
83253 -static struct snd_pcm_ops snd_mixart_capture_ops = {
83254 +static const struct snd_pcm_ops snd_mixart_capture_ops = {
83255 .open = snd_mixart_capture_open,
83256 .close = snd_mixart_close,
83257 .ioctl = snd_pcm_lib_ioctl,
83258 @@ -1008,7 +1008,7 @@ static int __devinit snd_mixart_create(s
83259 {
83260 int err;
83261 struct snd_mixart *chip;
83262 - static struct snd_device_ops ops = {
83263 + static const struct snd_device_ops ops = {
83264 .dev_free = snd_mixart_chip_dev_free,
83265 };
83266
83267 diff -urNp linux-2.6.39.3/sound/pci/nm256/nm256.c linux-2.6.39.3/sound/pci/nm256/nm256.c
83268 --- linux-2.6.39.3/sound/pci/nm256/nm256.c 2011-05-19 00:06:34.000000000 -0400
83269 +++ linux-2.6.39.3/sound/pci/nm256/nm256.c 2011-05-22 19:36:35.000000000 -0400
83270 @@ -899,7 +899,7 @@ snd_nm256_capture_close(struct snd_pcm_s
83271 /*
83272 * create a pcm instance
83273 */
83274 -static struct snd_pcm_ops snd_nm256_playback_ops = {
83275 +static const struct snd_pcm_ops snd_nm256_playback_ops = {
83276 .open = snd_nm256_playback_open,
83277 .close = snd_nm256_playback_close,
83278 .ioctl = snd_pcm_lib_ioctl,
83279 @@ -914,7 +914,7 @@ static struct snd_pcm_ops snd_nm256_play
83280 .mmap = snd_pcm_lib_mmap_iomem,
83281 };
83282
83283 -static struct snd_pcm_ops snd_nm256_capture_ops = {
83284 +static const struct snd_pcm_ops snd_nm256_capture_ops = {
83285 .open = snd_nm256_capture_open,
83286 .close = snd_nm256_capture_close,
83287 .ioctl = snd_pcm_lib_ioctl,
83288 @@ -1301,7 +1301,7 @@ snd_nm256_mixer(struct nm256 *chip)
83289 struct snd_ac97_bus *pbus;
83290 struct snd_ac97_template ac97;
83291 int err;
83292 - static struct snd_ac97_bus_ops ops = {
83293 + static const struct snd_ac97_bus_ops ops = {
83294 .reset = snd_nm256_ac97_reset,
83295 .write = snd_nm256_ac97_write,
83296 .read = snd_nm256_ac97_read,
83297 @@ -1471,7 +1471,7 @@ snd_nm256_create(struct snd_card *card,
83298 {
83299 struct nm256 *chip;
83300 int err, pval;
83301 - static struct snd_device_ops ops = {
83302 + static const struct snd_device_ops ops = {
83303 .dev_free = snd_nm256_dev_free,
83304 };
83305 u32 addr;
83306 diff -urNp linux-2.6.39.3/sound/pci/oxygen/oxygen_pcm.c linux-2.6.39.3/sound/pci/oxygen/oxygen_pcm.c
83307 --- linux-2.6.39.3/sound/pci/oxygen/oxygen_pcm.c 2011-05-19 00:06:34.000000000 -0400
83308 +++ linux-2.6.39.3/sound/pci/oxygen/oxygen_pcm.c 2011-05-22 19:36:35.000000000 -0400
83309 @@ -606,7 +606,7 @@ static snd_pcm_uframes_t oxygen_pointer(
83310 return bytes_to_frames(runtime, curr_addr - (u32)runtime->dma_addr);
83311 }
83312
83313 -static struct snd_pcm_ops oxygen_rec_a_ops = {
83314 +static const struct snd_pcm_ops oxygen_rec_a_ops = {
83315 .open = oxygen_rec_a_open,
83316 .close = oxygen_close,
83317 .ioctl = snd_pcm_lib_ioctl,
83318 @@ -617,7 +617,7 @@ static struct snd_pcm_ops oxygen_rec_a_o
83319 .pointer = oxygen_pointer,
83320 };
83321
83322 -static struct snd_pcm_ops oxygen_rec_b_ops = {
83323 +static const struct snd_pcm_ops oxygen_rec_b_ops = {
83324 .open = oxygen_rec_b_open,
83325 .close = oxygen_close,
83326 .ioctl = snd_pcm_lib_ioctl,
83327 @@ -628,7 +628,7 @@ static struct snd_pcm_ops oxygen_rec_b_o
83328 .pointer = oxygen_pointer,
83329 };
83330
83331 -static struct snd_pcm_ops oxygen_rec_c_ops = {
83332 +static const struct snd_pcm_ops oxygen_rec_c_ops = {
83333 .open = oxygen_rec_c_open,
83334 .close = oxygen_close,
83335 .ioctl = snd_pcm_lib_ioctl,
83336 @@ -639,7 +639,7 @@ static struct snd_pcm_ops oxygen_rec_c_o
83337 .pointer = oxygen_pointer,
83338 };
83339
83340 -static struct snd_pcm_ops oxygen_spdif_ops = {
83341 +static const struct snd_pcm_ops oxygen_spdif_ops = {
83342 .open = oxygen_spdif_open,
83343 .close = oxygen_close,
83344 .ioctl = snd_pcm_lib_ioctl,
83345 @@ -650,7 +650,7 @@ static struct snd_pcm_ops oxygen_spdif_o
83346 .pointer = oxygen_pointer,
83347 };
83348
83349 -static struct snd_pcm_ops oxygen_multich_ops = {
83350 +static const struct snd_pcm_ops oxygen_multich_ops = {
83351 .open = oxygen_multich_open,
83352 .close = oxygen_close,
83353 .ioctl = snd_pcm_lib_ioctl,
83354 @@ -661,7 +661,7 @@ static struct snd_pcm_ops oxygen_multich
83355 .pointer = oxygen_pointer,
83356 };
83357
83358 -static struct snd_pcm_ops oxygen_ac97_ops = {
83359 +static const struct snd_pcm_ops oxygen_ac97_ops = {
83360 .open = oxygen_ac97_open,
83361 .close = oxygen_close,
83362 .ioctl = snd_pcm_lib_ioctl,
83363 diff -urNp linux-2.6.39.3/sound/pci/pcxhr/pcxhr.c linux-2.6.39.3/sound/pci/pcxhr/pcxhr.c
83364 --- linux-2.6.39.3/sound/pci/pcxhr/pcxhr.c 2011-05-19 00:06:34.000000000 -0400
83365 +++ linux-2.6.39.3/sound/pci/pcxhr/pcxhr.c 2011-05-22 19:36:35.000000000 -0400
83366 @@ -1121,7 +1121,7 @@ static snd_pcm_uframes_t pcxhr_stream_po
83367 }
83368
83369
83370 -static struct snd_pcm_ops pcxhr_ops = {
83371 +static const struct snd_pcm_ops pcxhr_ops = {
83372 .open = pcxhr_open,
83373 .close = pcxhr_close,
83374 .ioctl = snd_pcm_lib_ioctl,
83375 @@ -1184,7 +1184,7 @@ static int __devinit pcxhr_create(struct
83376 {
83377 int err;
83378 struct snd_pcxhr *chip;
83379 - static struct snd_device_ops ops = {
83380 + static const struct snd_device_ops ops = {
83381 .dev_free = pcxhr_chip_dev_free,
83382 };
83383
83384 diff -urNp linux-2.6.39.3/sound/pci/riptide/riptide.c linux-2.6.39.3/sound/pci/riptide/riptide.c
83385 --- linux-2.6.39.3/sound/pci/riptide/riptide.c 2011-05-19 00:06:34.000000000 -0400
83386 +++ linux-2.6.39.3/sound/pci/riptide/riptide.c 2011-05-22 19:36:35.000000000 -0400
83387 @@ -1675,7 +1675,7 @@ static int snd_riptide_capture_close(str
83388 return 0;
83389 }
83390
83391 -static struct snd_pcm_ops snd_riptide_playback_ops = {
83392 +static const struct snd_pcm_ops snd_riptide_playback_ops = {
83393 .open = snd_riptide_playback_open,
83394 .close = snd_riptide_playback_close,
83395 .ioctl = snd_pcm_lib_ioctl,
83396 @@ -1686,7 +1686,7 @@ static struct snd_pcm_ops snd_riptide_pl
83397 .trigger = snd_riptide_trigger,
83398 .pointer = snd_riptide_pointer,
83399 };
83400 -static struct snd_pcm_ops snd_riptide_capture_ops = {
83401 +static const struct snd_pcm_ops snd_riptide_capture_ops = {
83402 .open = snd_riptide_capture_open,
83403 .close = snd_riptide_capture_close,
83404 .ioctl = snd_pcm_lib_ioctl,
83405 @@ -1857,7 +1857,7 @@ snd_riptide_create(struct snd_card *card
83406 struct snd_riptide *chip;
83407 struct riptideport *hwport;
83408 int err;
83409 - static struct snd_device_ops ops = {
83410 + static const struct snd_device_ops ops = {
83411 .dev_free = snd_riptide_dev_free,
83412 };
83413
83414 @@ -1999,7 +1999,7 @@ static int __devinit snd_riptide_mixer(s
83415 struct snd_ac97_bus *pbus;
83416 struct snd_ac97_template ac97;
83417 int err = 0;
83418 - static struct snd_ac97_bus_ops ops = {
83419 + static const struct snd_ac97_bus_ops ops = {
83420 .write = snd_riptide_codec_write,
83421 .read = snd_riptide_codec_read,
83422 };
83423 diff -urNp linux-2.6.39.3/sound/pci/rme32.c linux-2.6.39.3/sound/pci/rme32.c
83424 --- linux-2.6.39.3/sound/pci/rme32.c 2011-05-19 00:06:34.000000000 -0400
83425 +++ linux-2.6.39.3/sound/pci/rme32.c 2011-05-22 19:36:35.000000000 -0400
83426 @@ -1197,7 +1197,7 @@ snd_rme32_capture_fd_pointer(struct snd_
83427 }
83428
83429 /* for halfduplex mode */
83430 -static struct snd_pcm_ops snd_rme32_playback_spdif_ops = {
83431 +static const struct snd_pcm_ops snd_rme32_playback_spdif_ops = {
83432 .open = snd_rme32_playback_spdif_open,
83433 .close = snd_rme32_playback_close,
83434 .ioctl = snd_pcm_lib_ioctl,
83435 @@ -1211,7 +1211,7 @@ static struct snd_pcm_ops snd_rme32_play
83436 .mmap = snd_pcm_lib_mmap_iomem,
83437 };
83438
83439 -static struct snd_pcm_ops snd_rme32_capture_spdif_ops = {
83440 +static const struct snd_pcm_ops snd_rme32_capture_spdif_ops = {
83441 .open = snd_rme32_capture_spdif_open,
83442 .close = snd_rme32_capture_close,
83443 .ioctl = snd_pcm_lib_ioctl,
83444 @@ -1224,7 +1224,7 @@ static struct snd_pcm_ops snd_rme32_capt
83445 .mmap = snd_pcm_lib_mmap_iomem,
83446 };
83447
83448 -static struct snd_pcm_ops snd_rme32_playback_adat_ops = {
83449 +static const struct snd_pcm_ops snd_rme32_playback_adat_ops = {
83450 .open = snd_rme32_playback_adat_open,
83451 .close = snd_rme32_playback_close,
83452 .ioctl = snd_pcm_lib_ioctl,
83453 @@ -1237,7 +1237,7 @@ static struct snd_pcm_ops snd_rme32_play
83454 .mmap = snd_pcm_lib_mmap_iomem,
83455 };
83456
83457 -static struct snd_pcm_ops snd_rme32_capture_adat_ops = {
83458 +static const struct snd_pcm_ops snd_rme32_capture_adat_ops = {
83459 .open = snd_rme32_capture_adat_open,
83460 .close = snd_rme32_capture_close,
83461 .ioctl = snd_pcm_lib_ioctl,
83462 @@ -1250,7 +1250,7 @@ static struct snd_pcm_ops snd_rme32_capt
83463 };
83464
83465 /* for fullduplex mode */
83466 -static struct snd_pcm_ops snd_rme32_playback_spdif_fd_ops = {
83467 +static const struct snd_pcm_ops snd_rme32_playback_spdif_fd_ops = {
83468 .open = snd_rme32_playback_spdif_open,
83469 .close = snd_rme32_playback_close,
83470 .ioctl = snd_pcm_lib_ioctl,
83471 @@ -1262,7 +1262,7 @@ static struct snd_pcm_ops snd_rme32_play
83472 .ack = snd_rme32_playback_fd_ack,
83473 };
83474
83475 -static struct snd_pcm_ops snd_rme32_capture_spdif_fd_ops = {
83476 +static const struct snd_pcm_ops snd_rme32_capture_spdif_fd_ops = {
83477 .open = snd_rme32_capture_spdif_open,
83478 .close = snd_rme32_capture_close,
83479 .ioctl = snd_pcm_lib_ioctl,
83480 @@ -1274,7 +1274,7 @@ static struct snd_pcm_ops snd_rme32_capt
83481 .ack = snd_rme32_capture_fd_ack,
83482 };
83483
83484 -static struct snd_pcm_ops snd_rme32_playback_adat_fd_ops = {
83485 +static const struct snd_pcm_ops snd_rme32_playback_adat_fd_ops = {
83486 .open = snd_rme32_playback_adat_open,
83487 .close = snd_rme32_playback_close,
83488 .ioctl = snd_pcm_lib_ioctl,
83489 @@ -1285,7 +1285,7 @@ static struct snd_pcm_ops snd_rme32_play
83490 .ack = snd_rme32_playback_fd_ack,
83491 };
83492
83493 -static struct snd_pcm_ops snd_rme32_capture_adat_fd_ops = {
83494 +static const struct snd_pcm_ops snd_rme32_capture_adat_fd_ops = {
83495 .open = snd_rme32_capture_adat_open,
83496 .close = snd_rme32_capture_close,
83497 .ioctl = snd_pcm_lib_ioctl,
83498 diff -urNp linux-2.6.39.3/sound/pci/rme9652/hdsp.c linux-2.6.39.3/sound/pci/rme9652/hdsp.c
83499 --- linux-2.6.39.3/sound/pci/rme9652/hdsp.c 2011-05-19 00:06:34.000000000 -0400
83500 +++ linux-2.6.39.3/sound/pci/rme9652/hdsp.c 2011-05-22 19:36:35.000000000 -0400
83501 @@ -1469,15 +1469,13 @@ static int snd_hdsp_midi_output_close(st
83502 return 0;
83503 }
83504
83505 -static struct snd_rawmidi_ops snd_hdsp_midi_output =
83506 -{
83507 +static const struct snd_rawmidi_ops snd_hdsp_midi_output = {
83508 .open = snd_hdsp_midi_output_open,
83509 .close = snd_hdsp_midi_output_close,
83510 .trigger = snd_hdsp_midi_output_trigger,
83511 };
83512
83513 -static struct snd_rawmidi_ops snd_hdsp_midi_input =
83514 -{
83515 +static const struct snd_rawmidi_ops snd_hdsp_midi_input = {
83516 .open = snd_hdsp_midi_input_open,
83517 .close = snd_hdsp_midi_input_close,
83518 .trigger = snd_hdsp_midi_input_trigger,
83519 @@ -5135,7 +5133,7 @@ static int snd_hdsp_hwdep_ioctl(struct s
83520 return 0;
83521 }
83522
83523 -static struct snd_pcm_ops snd_hdsp_playback_ops = {
83524 +static const struct snd_pcm_ops snd_hdsp_playback_ops = {
83525 .open = snd_hdsp_playback_open,
83526 .close = snd_hdsp_playback_release,
83527 .ioctl = snd_hdsp_ioctl,
83528 @@ -5147,7 +5145,7 @@ static struct snd_pcm_ops snd_hdsp_playb
83529 .silence = snd_hdsp_hw_silence,
83530 };
83531
83532 -static struct snd_pcm_ops snd_hdsp_capture_ops = {
83533 +static const struct snd_pcm_ops snd_hdsp_capture_ops = {
83534 .open = snd_hdsp_capture_open,
83535 .close = snd_hdsp_capture_release,
83536 .ioctl = snd_hdsp_ioctl,
83537 diff -urNp linux-2.6.39.3/sound/pci/rme9652/hdspm.c linux-2.6.39.3/sound/pci/rme9652/hdspm.c
83538 --- linux-2.6.39.3/sound/pci/rme9652/hdspm.c 2011-05-19 00:06:34.000000000 -0400
83539 +++ linux-2.6.39.3/sound/pci/rme9652/hdspm.c 2011-05-22 19:36:35.000000000 -0400
83540 @@ -1773,15 +1773,13 @@ static int snd_hdspm_midi_output_close(s
83541 return 0;
83542 }
83543
83544 -static struct snd_rawmidi_ops snd_hdspm_midi_output =
83545 -{
83546 +static const struct snd_rawmidi_ops snd_hdspm_midi_output = {
83547 .open = snd_hdspm_midi_output_open,
83548 .close = snd_hdspm_midi_output_close,
83549 .trigger = snd_hdspm_midi_output_trigger,
83550 };
83551
83552 -static struct snd_rawmidi_ops snd_hdspm_midi_input =
83553 -{
83554 +static const struct snd_rawmidi_ops snd_hdspm_midi_input = {
83555 .open = snd_hdspm_midi_input_open,
83556 .close = snd_hdspm_midi_input_close,
83557 .trigger = snd_hdspm_midi_input_trigger,
83558 @@ -6172,7 +6170,7 @@ static int snd_hdspm_hwdep_ioctl(struct
83559 return 0;
83560 }
83561
83562 -static struct snd_pcm_ops snd_hdspm_playback_ops = {
83563 +static const struct snd_pcm_ops snd_hdspm_playback_ops = {
83564 .open = snd_hdspm_playback_open,
83565 .close = snd_hdspm_playback_release,
83566 .ioctl = snd_hdspm_ioctl,
83567 @@ -6184,7 +6182,7 @@ static struct snd_pcm_ops snd_hdspm_play
83568 .page = snd_pcm_sgbuf_ops_page,
83569 };
83570
83571 -static struct snd_pcm_ops snd_hdspm_capture_ops = {
83572 +static const struct snd_pcm_ops snd_hdspm_capture_ops = {
83573 .open = snd_hdspm_capture_open,
83574 .close = snd_hdspm_capture_release,
83575 .ioctl = snd_hdspm_ioctl,
83576 diff -urNp linux-2.6.39.3/sound/pci/rme9652/rme9652.c linux-2.6.39.3/sound/pci/rme9652/rme9652.c
83577 --- linux-2.6.39.3/sound/pci/rme9652/rme9652.c 2011-05-19 00:06:34.000000000 -0400
83578 +++ linux-2.6.39.3/sound/pci/rme9652/rme9652.c 2011-05-22 19:36:35.000000000 -0400
83579 @@ -2391,7 +2391,7 @@ static int snd_rme9652_capture_release(s
83580 return 0;
83581 }
83582
83583 -static struct snd_pcm_ops snd_rme9652_playback_ops = {
83584 +static const struct snd_pcm_ops snd_rme9652_playback_ops = {
83585 .open = snd_rme9652_playback_open,
83586 .close = snd_rme9652_playback_release,
83587 .ioctl = snd_rme9652_ioctl,
83588 @@ -2403,7 +2403,7 @@ static struct snd_pcm_ops snd_rme9652_pl
83589 .silence = snd_rme9652_hw_silence,
83590 };
83591
83592 -static struct snd_pcm_ops snd_rme9652_capture_ops = {
83593 +static const struct snd_pcm_ops snd_rme9652_capture_ops = {
83594 .open = snd_rme9652_capture_open,
83595 .close = snd_rme9652_capture_release,
83596 .ioctl = snd_rme9652_ioctl,
83597 diff -urNp linux-2.6.39.3/sound/pci/rme96.c linux-2.6.39.3/sound/pci/rme96.c
83598 --- linux-2.6.39.3/sound/pci/rme96.c 2011-05-19 00:06:34.000000000 -0400
83599 +++ linux-2.6.39.3/sound/pci/rme96.c 2011-05-22 19:36:35.000000000 -0400
83600 @@ -1447,7 +1447,7 @@ snd_rme96_capture_pointer(struct snd_pcm
83601 return snd_rme96_capture_ptr(rme96);
83602 }
83603
83604 -static struct snd_pcm_ops snd_rme96_playback_spdif_ops = {
83605 +static const struct snd_pcm_ops snd_rme96_playback_spdif_ops = {
83606 .open = snd_rme96_playback_spdif_open,
83607 .close = snd_rme96_playback_close,
83608 .ioctl = snd_pcm_lib_ioctl,
83609 @@ -1460,7 +1460,7 @@ static struct snd_pcm_ops snd_rme96_play
83610 .mmap = snd_pcm_lib_mmap_iomem,
83611 };
83612
83613 -static struct snd_pcm_ops snd_rme96_capture_spdif_ops = {
83614 +static const struct snd_pcm_ops snd_rme96_capture_spdif_ops = {
83615 .open = snd_rme96_capture_spdif_open,
83616 .close = snd_rme96_capture_close,
83617 .ioctl = snd_pcm_lib_ioctl,
83618 @@ -1472,7 +1472,7 @@ static struct snd_pcm_ops snd_rme96_capt
83619 .mmap = snd_pcm_lib_mmap_iomem,
83620 };
83621
83622 -static struct snd_pcm_ops snd_rme96_playback_adat_ops = {
83623 +static const struct snd_pcm_ops snd_rme96_playback_adat_ops = {
83624 .open = snd_rme96_playback_adat_open,
83625 .close = snd_rme96_playback_close,
83626 .ioctl = snd_pcm_lib_ioctl,
83627 @@ -1485,7 +1485,7 @@ static struct snd_pcm_ops snd_rme96_play
83628 .mmap = snd_pcm_lib_mmap_iomem,
83629 };
83630
83631 -static struct snd_pcm_ops snd_rme96_capture_adat_ops = {
83632 +static const struct snd_pcm_ops snd_rme96_capture_adat_ops = {
83633 .open = snd_rme96_capture_adat_open,
83634 .close = snd_rme96_capture_close,
83635 .ioctl = snd_pcm_lib_ioctl,
83636 diff -urNp linux-2.6.39.3/sound/pci/sis7019.c linux-2.6.39.3/sound/pci/sis7019.c
83637 --- linux-2.6.39.3/sound/pci/sis7019.c 2011-05-19 00:06:34.000000000 -0400
83638 +++ linux-2.6.39.3/sound/pci/sis7019.c 2011-05-22 19:36:35.000000000 -0400
83639 @@ -1011,7 +1011,7 @@ static int __devinit sis_mixer_create(st
83640 {
83641 struct snd_ac97_bus *bus;
83642 struct snd_ac97_template ac97;
83643 - static struct snd_ac97_bus_ops ops = {
83644 + static const struct snd_ac97_bus_ops ops = {
83645 .write = sis_ac97_write,
83646 .read = sis_ac97_read,
83647 };
83648 @@ -1293,7 +1293,7 @@ static int __devinit sis_chip_create(str
83649 {
83650 struct sis7019 *sis = card->private_data;
83651 struct voice *voice;
83652 - static struct snd_device_ops ops = {
83653 + static const struct snd_device_ops ops = {
83654 .dev_free = sis_dev_free,
83655 };
83656 int rc;
83657 diff -urNp linux-2.6.39.3/sound/pci/sonicvibes.c linux-2.6.39.3/sound/pci/sonicvibes.c
83658 --- linux-2.6.39.3/sound/pci/sonicvibes.c 2011-05-19 00:06:34.000000000 -0400
83659 +++ linux-2.6.39.3/sound/pci/sonicvibes.c 2011-05-22 19:36:35.000000000 -0400
83660 @@ -855,7 +855,7 @@ static int snd_sonicvibes_capture_close(
83661 return 0;
83662 }
83663
83664 -static struct snd_pcm_ops snd_sonicvibes_playback_ops = {
83665 +static const struct snd_pcm_ops snd_sonicvibes_playback_ops = {
83666 .open = snd_sonicvibes_playback_open,
83667 .close = snd_sonicvibes_playback_close,
83668 .ioctl = snd_pcm_lib_ioctl,
83669 @@ -866,7 +866,7 @@ static struct snd_pcm_ops snd_sonicvibes
83670 .pointer = snd_sonicvibes_playback_pointer,
83671 };
83672
83673 -static struct snd_pcm_ops snd_sonicvibes_capture_ops = {
83674 +static const struct snd_pcm_ops snd_sonicvibes_capture_ops = {
83675 .open = snd_sonicvibes_capture_open,
83676 .close = snd_sonicvibes_capture_close,
83677 .ioctl = snd_pcm_lib_ioctl,
83678 @@ -1255,7 +1255,7 @@ static int __devinit snd_sonicvibes_crea
83679 struct sonicvibes *sonic;
83680 unsigned int dmaa, dmac;
83681 int err;
83682 - static struct snd_device_ops ops = {
83683 + static const struct snd_device_ops ops = {
83684 .dev_free = snd_sonicvibes_dev_free,
83685 };
83686
83687 diff -urNp linux-2.6.39.3/sound/pci/trident/trident_main.c linux-2.6.39.3/sound/pci/trident/trident_main.c
83688 --- linux-2.6.39.3/sound/pci/trident/trident_main.c 2011-05-19 00:06:34.000000000 -0400
83689 +++ linux-2.6.39.3/sound/pci/trident/trident_main.c 2011-05-22 19:36:35.000000000 -0400
83690 @@ -3549,7 +3549,7 @@ int __devinit snd_trident_create(struct
83691 int i, err;
83692 struct snd_trident_voice *voice;
83693 struct snd_trident_pcm_mixer *tmix;
83694 - static struct snd_device_ops ops = {
83695 + static const struct snd_device_ops ops = {
83696 .dev_free = snd_trident_dev_free,
83697 };
83698
83699 diff -urNp linux-2.6.39.3/sound/pci/via82xx.c linux-2.6.39.3/sound/pci/via82xx.c
83700 --- linux-2.6.39.3/sound/pci/via82xx.c 2011-05-19 00:06:34.000000000 -0400
83701 +++ linux-2.6.39.3/sound/pci/via82xx.c 2011-05-22 19:36:35.000000000 -0400
83702 @@ -1352,7 +1352,7 @@ static int snd_via8233_playback_close(st
83703
83704
83705 /* via686 playback callbacks */
83706 -static struct snd_pcm_ops snd_via686_playback_ops = {
83707 +static const struct snd_pcm_ops snd_via686_playback_ops = {
83708 .open = snd_via686_playback_open,
83709 .close = snd_via82xx_pcm_close,
83710 .ioctl = snd_pcm_lib_ioctl,
83711 @@ -1365,7 +1365,7 @@ static struct snd_pcm_ops snd_via686_pla
83712 };
83713
83714 /* via686 capture callbacks */
83715 -static struct snd_pcm_ops snd_via686_capture_ops = {
83716 +static const struct snd_pcm_ops snd_via686_capture_ops = {
83717 .open = snd_via82xx_capture_open,
83718 .close = snd_via82xx_pcm_close,
83719 .ioctl = snd_pcm_lib_ioctl,
83720 @@ -1378,7 +1378,7 @@ static struct snd_pcm_ops snd_via686_cap
83721 };
83722
83723 /* via823x DSX playback callbacks */
83724 -static struct snd_pcm_ops snd_via8233_playback_ops = {
83725 +static const struct snd_pcm_ops snd_via8233_playback_ops = {
83726 .open = snd_via8233_playback_open,
83727 .close = snd_via8233_playback_close,
83728 .ioctl = snd_pcm_lib_ioctl,
83729 @@ -1391,7 +1391,7 @@ static struct snd_pcm_ops snd_via8233_pl
83730 };
83731
83732 /* via823x multi-channel playback callbacks */
83733 -static struct snd_pcm_ops snd_via8233_multi_ops = {
83734 +static const struct snd_pcm_ops snd_via8233_multi_ops = {
83735 .open = snd_via8233_multi_open,
83736 .close = snd_via82xx_pcm_close,
83737 .ioctl = snd_pcm_lib_ioctl,
83738 @@ -1404,7 +1404,7 @@ static struct snd_pcm_ops snd_via8233_mu
83739 };
83740
83741 /* via823x capture callbacks */
83742 -static struct snd_pcm_ops snd_via8233_capture_ops = {
83743 +static const struct snd_pcm_ops snd_via8233_capture_ops = {
83744 .open = snd_via82xx_capture_open,
83745 .close = snd_via82xx_pcm_close,
83746 .ioctl = snd_pcm_lib_ioctl,
83747 @@ -1868,7 +1868,7 @@ static int __devinit snd_via82xx_mixer_n
83748 {
83749 struct snd_ac97_template ac97;
83750 int err;
83751 - static struct snd_ac97_bus_ops ops = {
83752 + static const struct snd_ac97_bus_ops ops = {
83753 .write = snd_via82xx_codec_write,
83754 .read = snd_via82xx_codec_read,
83755 .wait = snd_via82xx_codec_wait,
83756 @@ -2340,7 +2340,7 @@ static int __devinit snd_via82xx_create(
83757 {
83758 struct via82xx *chip;
83759 int err;
83760 - static struct snd_device_ops ops = {
83761 + static const struct snd_device_ops ops = {
83762 .dev_free = snd_via82xx_dev_free,
83763 };
83764
83765 diff -urNp linux-2.6.39.3/sound/pci/via82xx_modem.c linux-2.6.39.3/sound/pci/via82xx_modem.c
83766 --- linux-2.6.39.3/sound/pci/via82xx_modem.c 2011-05-19 00:06:34.000000000 -0400
83767 +++ linux-2.6.39.3/sound/pci/via82xx_modem.c 2011-05-22 19:36:35.000000000 -0400
83768 @@ -799,7 +799,7 @@ static int snd_via82xx_pcm_close(struct
83769
83770
83771 /* via686 playback callbacks */
83772 -static struct snd_pcm_ops snd_via686_playback_ops = {
83773 +static const struct snd_pcm_ops snd_via686_playback_ops = {
83774 .open = snd_via82xx_playback_open,
83775 .close = snd_via82xx_pcm_close,
83776 .ioctl = snd_pcm_lib_ioctl,
83777 @@ -812,7 +812,7 @@ static struct snd_pcm_ops snd_via686_pla
83778 };
83779
83780 /* via686 capture callbacks */
83781 -static struct snd_pcm_ops snd_via686_capture_ops = {
83782 +static const struct snd_pcm_ops snd_via686_capture_ops = {
83783 .open = snd_via82xx_capture_open,
83784 .close = snd_via82xx_pcm_close,
83785 .ioctl = snd_pcm_lib_ioctl,
83786 @@ -889,7 +889,7 @@ static int __devinit snd_via82xx_mixer_n
83787 {
83788 struct snd_ac97_template ac97;
83789 int err;
83790 - static struct snd_ac97_bus_ops ops = {
83791 + static const struct snd_ac97_bus_ops ops = {
83792 .write = snd_via82xx_codec_write,
83793 .read = snd_via82xx_codec_read,
83794 .wait = snd_via82xx_codec_wait,
83795 @@ -1105,7 +1105,7 @@ static int __devinit snd_via82xx_create(
83796 {
83797 struct via82xx_modem *chip;
83798 int err;
83799 - static struct snd_device_ops ops = {
83800 + static const struct snd_device_ops ops = {
83801 .dev_free = snd_via82xx_dev_free,
83802 };
83803
83804 diff -urNp linux-2.6.39.3/sound/pci/vx222/vx222.c linux-2.6.39.3/sound/pci/vx222/vx222.c
83805 --- linux-2.6.39.3/sound/pci/vx222/vx222.c 2011-05-19 00:06:34.000000000 -0400
83806 +++ linux-2.6.39.3/sound/pci/vx222/vx222.c 2011-05-22 19:36:35.000000000 -0400
83807 @@ -141,7 +141,7 @@ static int __devinit snd_vx222_create(st
83808 struct vx_core *chip;
83809 struct snd_vx222 *vx;
83810 int i, err;
83811 - static struct snd_device_ops ops = {
83812 + static const struct snd_device_ops ops = {
83813 .dev_free = snd_vx222_dev_free,
83814 };
83815 struct snd_vx_ops *vx_ops;
83816 diff -urNp linux-2.6.39.3/sound/pci/ymfpci/ymfpci_main.c linux-2.6.39.3/sound/pci/ymfpci/ymfpci_main.c
83817 --- linux-2.6.39.3/sound/pci/ymfpci/ymfpci_main.c 2011-05-19 00:06:34.000000000 -0400
83818 +++ linux-2.6.39.3/sound/pci/ymfpci/ymfpci_main.c 2011-05-22 19:36:35.000000000 -0400
83819 @@ -202,8 +202,8 @@ static void snd_ymfpci_hw_stop(struct sn
83820 if ((snd_ymfpci_readl(chip, YDSXGR_STATUS) & 2) == 0)
83821 break;
83822 }
83823 - if (atomic_read(&chip->interrupt_sleep_count)) {
83824 - atomic_set(&chip->interrupt_sleep_count, 0);
83825 + if (atomic_read_unchecked(&chip->interrupt_sleep_count)) {
83826 + atomic_set_unchecked(&chip->interrupt_sleep_count, 0);
83827 wake_up(&chip->interrupt_sleep);
83828 }
83829 __end:
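Review bot: The switch to `atomic_read_unchecked()`/`atomic_set_unchecked()` on `chip->interrupt_sleep_count` takes this counter out of overflow detection without recording why that is safe. In the visible lines the counter is only incremented by a waiter in `snd_ymfpci_irq_wait()` and reset to 0 before `wake_up()`, so it looks like a waiter count rather than a reference count that controls an object's lifetime; a comment at the field such as `/* waiter count, reset on wake-up; not a refcount, so exempt from overflow checking */` would state that. The field's declaration must also become `atomic_unchecked_t` for these calls to type-check, and that change is not in this part of the patch. The same applies to the hunks at -787, -825 and -2363 of this file; `snd_ymfpci_hw_stop()` starts and ends outside this hunk.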
83830 @@ -787,7 +787,7 @@ static void snd_ymfpci_irq_wait(struct s
83831 continue;
83832 init_waitqueue_entry(&wait, current);
83833 add_wait_queue(&chip->interrupt_sleep, &wait);
83834 - atomic_inc(&chip->interrupt_sleep_count);
83835 + atomic_inc_unchecked(&chip->interrupt_sleep_count);
83836 schedule_timeout_uninterruptible(msecs_to_jiffies(50));
83837 remove_wait_queue(&chip->interrupt_sleep, &wait);
83838 }
83839 @@ -825,8 +825,8 @@ static irqreturn_t snd_ymfpci_interrupt(
83840 snd_ymfpci_writel(chip, YDSXGR_MODE, mode);
83841 spin_unlock(&chip->reg_lock);
83842
83843 - if (atomic_read(&chip->interrupt_sleep_count)) {
83844 - atomic_set(&chip->interrupt_sleep_count, 0);
83845 + if (atomic_read_unchecked(&chip->interrupt_sleep_count)) {
83846 + atomic_set_unchecked(&chip->interrupt_sleep_count, 0);
83847 wake_up(&chip->interrupt_sleep);
83848 }
83849 }
83850 @@ -2344,7 +2344,7 @@ int __devinit snd_ymfpci_create(struct s
83851 {
83852 struct snd_ymfpci *chip;
83853 int err;
83854 - static struct snd_device_ops ops = {
83855 + static const struct snd_device_ops ops = {
83856 .dev_free = snd_ymfpci_dev_free,
83857 };
83858
83859 @@ -2363,7 +2363,7 @@ int __devinit snd_ymfpci_create(struct s
83860 spin_lock_init(&chip->reg_lock);
83861 spin_lock_init(&chip->voice_lock);
83862 init_waitqueue_head(&chip->interrupt_sleep);
83863 - atomic_set(&chip->interrupt_sleep_count, 0);
83864 + atomic_set_unchecked(&chip->interrupt_sleep_count, 0);
83865 chip->card = card;
83866 chip->pci = pci;
83867 chip->irq = -1;
83868 diff -urNp linux-2.6.39.3/sound/pcmcia/pdaudiocf/pdaudiocf.c linux-2.6.39.3/sound/pcmcia/pdaudiocf/pdaudiocf.c
83869 --- linux-2.6.39.3/sound/pcmcia/pdaudiocf/pdaudiocf.c 2011-05-19 00:06:34.000000000 -0400
83870 +++ linux-2.6.39.3/sound/pcmcia/pdaudiocf/pdaudiocf.c 2011-05-22 19:36:35.000000000 -0400
83871 @@ -94,7 +94,7 @@ static int snd_pdacf_probe(struct pcmcia
83872 int i, err;
83873 struct snd_pdacf *pdacf;
83874 struct snd_card *card;
83875 - static struct snd_device_ops ops = {
83876 + static const struct snd_device_ops ops = {
83877 .dev_free = snd_pdacf_dev_free,
83878 };
83879
83880 diff -urNp linux-2.6.39.3/sound/pcmcia/vx/vxpocket.c linux-2.6.39.3/sound/pcmcia/vx/vxpocket.c
83881 --- linux-2.6.39.3/sound/pcmcia/vx/vxpocket.c 2011-05-19 00:06:34.000000000 -0400
83882 +++ linux-2.6.39.3/sound/pcmcia/vx/vxpocket.c 2011-05-22 19:36:35.000000000 -0400
83883 @@ -137,7 +137,7 @@ static int snd_vxpocket_new(struct snd_c
83884 {
83885 struct vx_core *chip;
83886 struct snd_vxpocket *vxp;
83887 - static struct snd_device_ops ops = {
83888 + static const struct snd_device_ops ops = {
83889 .dev_free = snd_vxpocket_dev_free,
83890 };
83891 int err;
83892 diff -urNp linux-2.6.39.3/sound/ppc/pmac.c linux-2.6.39.3/sound/ppc/pmac.c
83893 --- linux-2.6.39.3/sound/ppc/pmac.c 2011-05-19 00:06:34.000000000 -0400
83894 +++ linux-2.6.39.3/sound/ppc/pmac.c 2011-05-22 19:36:35.000000000 -0400
83895 @@ -1186,7 +1186,7 @@ int __devinit snd_pmac_new(struct snd_ca
83896 int i, err;
83897 unsigned int irq;
83898 unsigned long ctrl_addr, txdma_addr, rxdma_addr;
83899 - static struct snd_device_ops ops = {
83900 + static const struct snd_device_ops ops = {
83901 .dev_free = snd_pmac_dev_free,
83902 };
83903
83904 diff -urNp linux-2.6.39.3/sound/ppc/snd_ps3.c linux-2.6.39.3/sound/ppc/snd_ps3.c
83905 --- linux-2.6.39.3/sound/ppc/snd_ps3.c 2011-05-19 00:06:34.000000000 -0400
83906 +++ linux-2.6.39.3/sound/ppc/snd_ps3.c 2011-05-22 19:36:35.000000000 -0400
83907 @@ -773,7 +773,7 @@ static struct snd_kcontrol_new spdif_ctl
83908 },
83909 };
83910
83911 -static struct snd_pcm_ops snd_ps3_pcm_spdif_ops = {
83912 +static const struct snd_pcm_ops snd_ps3_pcm_spdif_ops = {
83913 .open = snd_ps3_pcm_open,
83914 .close = snd_ps3_pcm_close,
83915 .ioctl = snd_pcm_lib_ioctl,
83916 diff -urNp linux-2.6.39.3/sound/sh/aica.c linux-2.6.39.3/sound/sh/aica.c
83917 --- linux-2.6.39.3/sound/sh/aica.c 2011-05-19 00:06:34.000000000 -0400
83918 +++ linux-2.6.39.3/sound/sh/aica.c 2011-05-22 19:36:35.000000000 -0400
83919 @@ -441,7 +441,7 @@ static unsigned long snd_aicapcm_pcm_poi
83920 return readl(AICA_CONTROL_CHANNEL_SAMPLE_NUMBER);
83921 }
83922
83923 -static struct snd_pcm_ops snd_aicapcm_playback_ops = {
83924 +static const struct snd_pcm_ops snd_aicapcm_playback_ops = {
83925 .open = snd_aicapcm_pcm_open,
83926 .close = snd_aicapcm_pcm_close,
83927 .ioctl = snd_pcm_lib_ioctl,
83928 diff -urNp linux-2.6.39.3/sound/sh/sh_dac_audio.c linux-2.6.39.3/sound/sh/sh_dac_audio.c
83929 --- linux-2.6.39.3/sound/sh/sh_dac_audio.c 2011-05-19 00:06:34.000000000 -0400
83930 +++ linux-2.6.39.3/sound/sh/sh_dac_audio.c 2011-05-22 19:36:35.000000000 -0400
83931 @@ -246,7 +246,7 @@ snd_pcm_uframes_t snd_sh_dac_pcm_pointer
83932 }
83933
83934 /* pcm ops */
83935 -static struct snd_pcm_ops snd_sh_dac_pcm_ops = {
83936 +static const struct snd_pcm_ops snd_sh_dac_pcm_ops = {
83937 .open = snd_sh_dac_pcm_open,
83938 .close = snd_sh_dac_pcm_close,
83939 .ioctl = snd_pcm_lib_ioctl,
83940 @@ -352,7 +352,7 @@ static int __devinit snd_sh_dac_create(s
83941 struct snd_sh_dac *chip;
83942 int err;
83943
83944 - static struct snd_device_ops ops = {
83945 + static const struct snd_device_ops ops = {
83946 .dev_free = snd_sh_dac_dev_free,
83947 };
83948
83949 diff -urNp linux-2.6.39.3/sound/soc/atmel/atmel-pcm.c linux-2.6.39.3/sound/soc/atmel/atmel-pcm.c
83950 --- linux-2.6.39.3/sound/soc/atmel/atmel-pcm.c 2011-05-19 00:06:34.000000000 -0400
83951 +++ linux-2.6.39.3/sound/soc/atmel/atmel-pcm.c 2011-05-22 19:36:35.000000000 -0400
83952 @@ -346,7 +346,7 @@ static int atmel_pcm_mmap(struct snd_pcm
83953 vma->vm_end - vma->vm_start, vma->vm_page_prot);
83954 }
83955
83956 -static struct snd_pcm_ops atmel_pcm_ops = {
83957 +static const struct snd_pcm_ops atmel_pcm_ops = {
83958 .open = atmel_pcm_open,
83959 .close = atmel_pcm_close,
83960 .ioctl = snd_pcm_lib_ioctl,
83961 diff -urNp linux-2.6.39.3/sound/soc/atmel/playpaq_wm8510.c linux-2.6.39.3/sound/soc/atmel/playpaq_wm8510.c
83962 --- linux-2.6.39.3/sound/soc/atmel/playpaq_wm8510.c 2011-05-19 00:06:34.000000000 -0400
83963 +++ linux-2.6.39.3/sound/soc/atmel/playpaq_wm8510.c 2011-05-22 19:36:35.000000000 -0400
83964 @@ -289,7 +289,7 @@ static int playpaq_wm8510_hw_params(stru
83965
83966
83967
83968 -static struct snd_soc_ops playpaq_wm8510_ops = {
83969 +static const struct snd_soc_ops playpaq_wm8510_ops = {
83970 .hw_params = playpaq_wm8510_hw_params,
83971 };
83972
83973 diff -urNp linux-2.6.39.3/sound/soc/atmel/sam9g20_wm8731.c linux-2.6.39.3/sound/soc/atmel/sam9g20_wm8731.c
83974 --- linux-2.6.39.3/sound/soc/atmel/sam9g20_wm8731.c 2011-05-19 00:06:34.000000000 -0400
83975 +++ linux-2.6.39.3/sound/soc/atmel/sam9g20_wm8731.c 2011-05-22 19:36:35.000000000 -0400
83976 @@ -87,7 +87,7 @@ static int at91sam9g20ek_hw_params(struc
83977 return 0;
83978 }
83979
83980 -static struct snd_soc_ops at91sam9g20ek_ops = {
83981 +static const struct snd_soc_ops at91sam9g20ek_ops = {
83982 .hw_params = at91sam9g20ek_hw_params,
83983 };
83984
83985 diff -urNp linux-2.6.39.3/sound/soc/atmel/snd-soc-afeb9260.c linux-2.6.39.3/sound/soc/atmel/snd-soc-afeb9260.c
83986 --- linux-2.6.39.3/sound/soc/atmel/snd-soc-afeb9260.c 2011-05-19 00:06:34.000000000 -0400
83987 +++ linux-2.6.39.3/sound/soc/atmel/snd-soc-afeb9260.c 2011-05-22 19:36:35.000000000 -0400
83988 @@ -81,7 +81,7 @@ static int afeb9260_hw_params(struct snd
83989 return err;
83990 }
83991
83992 -static struct snd_soc_ops afeb9260_ops = {
83993 +static const struct snd_soc_ops afeb9260_ops = {
83994 .hw_params = afeb9260_hw_params,
83995 };
83996
83997 diff -urNp linux-2.6.39.3/sound/soc/au1x/db1200.c linux-2.6.39.3/sound/soc/au1x/db1200.c
83998 --- linux-2.6.39.3/sound/soc/au1x/db1200.c 2011-05-19 00:06:34.000000000 -0400
83999 +++ linux-2.6.39.3/sound/soc/au1x/db1200.c 2011-05-22 19:36:35.000000000 -0400
84000 @@ -67,7 +67,7 @@ out:
84001 return ret;
84002 }
84003
84004 -static struct snd_soc_ops db1200_i2s_wm8731_ops = {
84005 +static const struct snd_soc_ops db1200_i2s_wm8731_ops = {
84006 .startup = db1200_i2s_startup,
84007 };
84008
84009 diff -urNp linux-2.6.39.3/sound/soc/au1x/dbdma2.c linux-2.6.39.3/sound/soc/au1x/dbdma2.c
84010 --- linux-2.6.39.3/sound/soc/au1x/dbdma2.c 2011-05-19 00:06:34.000000000 -0400
84011 +++ linux-2.6.39.3/sound/soc/au1x/dbdma2.c 2011-05-22 19:36:35.000000000 -0400
84012 @@ -303,7 +303,7 @@ static int au1xpsc_pcm_close(struct snd_
84013 return 0;
84014 }
84015
84016 -static struct snd_pcm_ops au1xpsc_pcm_ops = {
84017 +static const struct snd_pcm_ops au1xpsc_pcm_ops = {
84018 .open = au1xpsc_pcm_open,
84019 .close = au1xpsc_pcm_close,
84020 .ioctl = snd_pcm_lib_ioctl,
84021 diff -urNp linux-2.6.39.3/sound/soc/blackfin/bf5xx-ac97.c linux-2.6.39.3/sound/soc/blackfin/bf5xx-ac97.c
84022 --- linux-2.6.39.3/sound/soc/blackfin/bf5xx-ac97.c 2011-05-19 00:06:34.000000000 -0400
84023 +++ linux-2.6.39.3/sound/soc/blackfin/bf5xx-ac97.c 2011-05-22 19:36:35.000000000 -0400
84024 @@ -244,7 +244,7 @@ static void bf5xx_ac97_cold_reset(struct
84025 #endif
84026 }
84027
84028 -struct snd_ac97_bus_ops soc_ac97_ops = {
84029 +const struct snd_ac97_bus_ops soc_ac97_ops = {
84030 .read = bf5xx_ac97_read,
84031 .write = bf5xx_ac97_write,
84032 .warm_reset = bf5xx_ac97_warm_reset,
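Review bot: `soc_ac97_ops` is defined without `static`, so making it `const` here requires every `extern` declaration of that name to carry the same qualifier, and none is visible in this part of the patch. The header hunk for bf5xx-ac97.h constifies a declaration of `bf5xx_ac97_ops`, which is a different identifier from the one defined here, so it does not cover this definition. If a shared header still declares `extern struct snd_ac97_bus_ops soc_ac97_ops;`, the compiler will reject the conflicting types; the matching line would be `extern const struct snd_ac97_bus_ops soc_ac97_ops;`. The non-static `bf5xx_pcm_tdm_ops` in bf5xx-tdm-pcm.c has the same dependency, and the initializer here continues past the end of the hunk.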
84033 diff -urNp linux-2.6.39.3/sound/soc/blackfin/bf5xx-ac97.h linux-2.6.39.3/sound/soc/blackfin/bf5xx-ac97.h
84034 --- linux-2.6.39.3/sound/soc/blackfin/bf5xx-ac97.h 2011-05-19 00:06:34.000000000 -0400
84035 +++ linux-2.6.39.3/sound/soc/blackfin/bf5xx-ac97.h 2011-05-22 19:36:35.000000000 -0400
84036 @@ -9,7 +9,7 @@
84037 #ifndef _BF5XX_AC97_H
84038 #define _BF5XX_AC97_H
84039
84040 -extern struct snd_ac97_bus_ops bf5xx_ac97_ops;
84041 +extern const struct snd_ac97_bus_ops bf5xx_ac97_ops;
84042 extern struct snd_ac97 *ac97;
84043 /* Frame format in memory, only support stereo currently */
84044 struct ac97_frame {
84045 diff -urNp linux-2.6.39.3/sound/soc/blackfin/bf5xx-ac97-pcm.c linux-2.6.39.3/sound/soc/blackfin/bf5xx-ac97-pcm.c
84046 --- linux-2.6.39.3/sound/soc/blackfin/bf5xx-ac97-pcm.c 2011-05-19 00:06:34.000000000 -0400
84047 +++ linux-2.6.39.3/sound/soc/blackfin/bf5xx-ac97-pcm.c 2011-05-22 19:36:35.000000000 -0400
84048 @@ -297,7 +297,7 @@ static int bf5xx_pcm_copy(struct snd_pcm
84049 }
84050 #endif
84051
84052 -static struct snd_pcm_ops bf5xx_pcm_ac97_ops = {
84053 +static const struct snd_pcm_ops bf5xx_pcm_ac97_ops = {
84054 .open = bf5xx_pcm_open,
84055 .ioctl = snd_pcm_lib_ioctl,
84056 .hw_params = bf5xx_pcm_hw_params,
84057 diff -urNp linux-2.6.39.3/sound/soc/blackfin/bf5xx-ad1836.c linux-2.6.39.3/sound/soc/blackfin/bf5xx-ad1836.c
84058 --- linux-2.6.39.3/sound/soc/blackfin/bf5xx-ad1836.c 2011-05-19 00:06:34.000000000 -0400
84059 +++ linux-2.6.39.3/sound/soc/blackfin/bf5xx-ad1836.c 2011-05-22 19:36:35.000000000 -0400
84060 @@ -74,7 +74,7 @@ static int bf5xx_ad1836_hw_params(struct
84061 return 0;
84062 }
84063
84064 -static struct snd_soc_ops bf5xx_ad1836_ops = {
84065 +static const struct snd_soc_ops bf5xx_ad1836_ops = {
84066 .startup = bf5xx_ad1836_startup,
84067 .hw_params = bf5xx_ad1836_hw_params,
84068 };
84069 diff -urNp linux-2.6.39.3/sound/soc/blackfin/bf5xx-ad193x.c linux-2.6.39.3/sound/soc/blackfin/bf5xx-ad193x.c
84070 --- linux-2.6.39.3/sound/soc/blackfin/bf5xx-ad193x.c 2011-05-19 00:06:34.000000000 -0400
84071 +++ linux-2.6.39.3/sound/soc/blackfin/bf5xx-ad193x.c 2011-05-22 19:36:35.000000000 -0400
84072 @@ -88,7 +88,7 @@ static int bf5xx_ad193x_hw_params(struct
84073 return 0;
84074 }
84075
84076 -static struct snd_soc_ops bf5xx_ad193x_ops = {
84077 +static const struct snd_soc_ops bf5xx_ad193x_ops = {
84078 .startup = bf5xx_ad193x_startup,
84079 .hw_params = bf5xx_ad193x_hw_params,
84080 };
84081 diff -urNp linux-2.6.39.3/sound/soc/blackfin/bf5xx-ad1980.c linux-2.6.39.3/sound/soc/blackfin/bf5xx-ad1980.c
84082 --- linux-2.6.39.3/sound/soc/blackfin/bf5xx-ad1980.c 2011-05-19 00:06:34.000000000 -0400
84083 +++ linux-2.6.39.3/sound/soc/blackfin/bf5xx-ad1980.c 2011-05-22 19:36:35.000000000 -0400
84084 @@ -63,7 +63,7 @@ static int bf5xx_board_startup(struct sn
84085 return 0;
84086 }
84087
84088 -static struct snd_soc_ops bf5xx_board_ops = {
84089 +static const struct snd_soc_ops bf5xx_board_ops = {
84090 .startup = bf5xx_board_startup,
84091 };
84092
84093 diff -urNp linux-2.6.39.3/sound/soc/blackfin/bf5xx-ad73311.c linux-2.6.39.3/sound/soc/blackfin/bf5xx-ad73311.c
84094 --- linux-2.6.39.3/sound/soc/blackfin/bf5xx-ad73311.c 2011-05-19 00:06:34.000000000 -0400
84095 +++ linux-2.6.39.3/sound/soc/blackfin/bf5xx-ad73311.c 2011-05-22 19:36:35.000000000 -0400
84096 @@ -175,7 +175,7 @@ static int bf5xx_ad73311_hw_params(struc
84097 }
84098
84099
84100 -static struct snd_soc_ops bf5xx_ad73311_ops = {
84101 +static const struct snd_soc_ops bf5xx_ad73311_ops = {
84102 .startup = bf5xx_ad73311_startup,
84103 .hw_params = bf5xx_ad73311_hw_params,
84104 };
84105 diff -urNp linux-2.6.39.3/sound/soc/blackfin/bf5xx-i2s-pcm.c linux-2.6.39.3/sound/soc/blackfin/bf5xx-i2s-pcm.c
84106 --- linux-2.6.39.3/sound/soc/blackfin/bf5xx-i2s-pcm.c 2011-05-19 00:06:34.000000000 -0400
84107 +++ linux-2.6.39.3/sound/soc/blackfin/bf5xx-i2s-pcm.c 2011-05-22 19:36:35.000000000 -0400
84108 @@ -183,7 +183,7 @@ static int bf5xx_pcm_mmap(struct snd_pcm
84109 return 0 ;
84110 }
84111
84112 -static struct snd_pcm_ops bf5xx_pcm_i2s_ops = {
84113 +static const struct snd_pcm_ops bf5xx_pcm_i2s_ops = {
84114 .open = bf5xx_pcm_open,
84115 .ioctl = snd_pcm_lib_ioctl,
84116 .hw_params = bf5xx_pcm_hw_params,
84117 diff -urNp linux-2.6.39.3/sound/soc/blackfin/bf5xx-ssm2602.c linux-2.6.39.3/sound/soc/blackfin/bf5xx-ssm2602.c
84118 --- linux-2.6.39.3/sound/soc/blackfin/bf5xx-ssm2602.c 2011-05-19 00:06:34.000000000 -0400
84119 +++ linux-2.6.39.3/sound/soc/blackfin/bf5xx-ssm2602.c 2011-05-22 19:36:35.000000000 -0400
84120 @@ -108,7 +108,7 @@ static int bf5xx_ssm2602_hw_params(struc
84121 return 0;
84122 }
84123
84124 -static struct snd_soc_ops bf5xx_ssm2602_ops = {
84125 +static const struct snd_soc_ops bf5xx_ssm2602_ops = {
84126 .startup = bf5xx_ssm2602_startup,
84127 .hw_params = bf5xx_ssm2602_hw_params,
84128 };
84129 diff -urNp linux-2.6.39.3/sound/soc/blackfin/bf5xx-tdm-pcm.c linux-2.6.39.3/sound/soc/blackfin/bf5xx-tdm-pcm.c
84130 --- linux-2.6.39.3/sound/soc/blackfin/bf5xx-tdm-pcm.c 2011-05-19 00:06:34.000000000 -0400
84131 +++ linux-2.6.39.3/sound/soc/blackfin/bf5xx-tdm-pcm.c 2011-05-22 19:36:35.000000000 -0400
84132 @@ -220,7 +220,7 @@ static int bf5xx_pcm_silence(struct snd_
84133 }
84134
84135
84136 -struct snd_pcm_ops bf5xx_pcm_tdm_ops = {
84137 +const struct snd_pcm_ops bf5xx_pcm_tdm_ops = {
84138 .open = bf5xx_pcm_open,
84139 .ioctl = snd_pcm_lib_ioctl,
84140 .hw_params = bf5xx_pcm_hw_params,
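Review bot: `bf5xx_pcm_tdm_ops` has external linkage, so adding `const` to the definition needs the same qualifier on any `extern` declaration of it, otherwise the two declarations conflict; no such declaration is visible in this hunk. If nothing outside bf5xx-tdm-pcm.c refers to it, `static const struct snd_pcm_ops bf5xx_pcm_tdm_ops = {` would match the sibling `bf5xx_pcm_i2s_ops` and keep the symbol out of the global namespace. The same check applies to `soc_ac97_ops` in ep93xx-ac97.c and pxa2xx-ac97.c, which are both non-static definitions of one shared name and must agree with its declaration. The initializer continues past the end of this hunk.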
84141 diff -urNp linux-2.6.39.3/sound/soc/davinci/davinci-evm.c linux-2.6.39.3/sound/soc/davinci/davinci-evm.c
84142 --- linux-2.6.39.3/sound/soc/davinci/davinci-evm.c 2011-05-19 00:06:34.000000000 -0400
84143 +++ linux-2.6.39.3/sound/soc/davinci/davinci-evm.c 2011-05-22 19:36:35.000000000 -0400
84144 @@ -88,11 +88,11 @@ static int evm_spdif_hw_params(struct sn
84145 return snd_soc_dai_set_fmt(cpu_dai, AUDIO_FORMAT);
84146 }
84147
84148 -static struct snd_soc_ops evm_ops = {
84149 +static const struct snd_soc_ops evm_ops = {
84150 .hw_params = evm_hw_params,
84151 };
84152
84153 -static struct snd_soc_ops evm_spdif_ops = {
84154 +static const struct snd_soc_ops evm_spdif_ops = {
84155 .hw_params = evm_spdif_hw_params,
84156 };
84157
84158 diff -urNp linux-2.6.39.3/sound/soc/davinci/davinci-pcm.c linux-2.6.39.3/sound/soc/davinci/davinci-pcm.c
84159 --- linux-2.6.39.3/sound/soc/davinci/davinci-pcm.c 2011-05-19 00:06:34.000000000 -0400
84160 +++ linux-2.6.39.3/sound/soc/davinci/davinci-pcm.c 2011-05-22 19:36:35.000000000 -0400
84161 @@ -748,7 +748,7 @@ static int davinci_pcm_mmap(struct snd_p
84162 runtime->dma_bytes);
84163 }
84164
84165 -static struct snd_pcm_ops davinci_pcm_ops = {
84166 +static const struct snd_pcm_ops davinci_pcm_ops = {
84167 .open = davinci_pcm_open,
84168 .close = davinci_pcm_close,
84169 .ioctl = snd_pcm_lib_ioctl,
84170 diff -urNp linux-2.6.39.3/sound/soc/davinci/davinci-sffsdr.c linux-2.6.39.3/sound/soc/davinci/davinci-sffsdr.c
84171 --- linux-2.6.39.3/sound/soc/davinci/davinci-sffsdr.c 2011-05-19 00:06:34.000000000 -0400
84172 +++ linux-2.6.39.3/sound/soc/davinci/davinci-sffsdr.c 2011-05-22 19:36:35.000000000 -0400
84173 @@ -75,7 +75,7 @@ static int sffsdr_hw_params(struct snd_p
84174 #endif
84175 }
84176
84177 -static struct snd_soc_ops sffsdr_ops = {
84178 +static const struct snd_soc_ops sffsdr_ops = {
84179 .hw_params = sffsdr_hw_params,
84180 };
84181
84182 diff -urNp linux-2.6.39.3/sound/soc/ep93xx/edb93xx.c linux-2.6.39.3/sound/soc/ep93xx/edb93xx.c
84183 --- linux-2.6.39.3/sound/soc/ep93xx/edb93xx.c 2011-05-19 00:06:34.000000000 -0400
84184 +++ linux-2.6.39.3/sound/soc/ep93xx/edb93xx.c 2011-05-22 19:36:35.000000000 -0400
84185 @@ -74,7 +74,7 @@ static int edb93xx_hw_params(struct snd_
84186 SND_SOC_CLOCK_OUT);
84187 }
84188
84189 -static struct snd_soc_ops edb93xx_ops = {
84190 +static const struct snd_soc_ops edb93xx_ops = {
84191 .hw_params = edb93xx_hw_params,
84192 };
84193
84194 diff -urNp linux-2.6.39.3/sound/soc/ep93xx/ep93xx-ac97.c linux-2.6.39.3/sound/soc/ep93xx/ep93xx-ac97.c
84195 --- linux-2.6.39.3/sound/soc/ep93xx/ep93xx-ac97.c 2011-05-19 00:06:34.000000000 -0400
84196 +++ linux-2.6.39.3/sound/soc/ep93xx/ep93xx-ac97.c 2011-05-22 19:36:35.000000000 -0400
84197 @@ -239,7 +239,7 @@ static irqreturn_t ep93xx_ac97_interrupt
84198 return IRQ_HANDLED;
84199 }
84200
84201 -struct snd_ac97_bus_ops soc_ac97_ops = {
84202 +const struct snd_ac97_bus_ops soc_ac97_ops = {
84203 .read = ep93xx_ac97_read,
84204 .write = ep93xx_ac97_write,
84205 .reset = ep93xx_ac97_cold_reset,
84206 diff -urNp linux-2.6.39.3/sound/soc/ep93xx/ep93xx-pcm.c linux-2.6.39.3/sound/soc/ep93xx/ep93xx-pcm.c
84207 --- linux-2.6.39.3/sound/soc/ep93xx/ep93xx-pcm.c 2011-05-19 00:06:34.000000000 -0400
84208 +++ linux-2.6.39.3/sound/soc/ep93xx/ep93xx-pcm.c 2011-05-22 19:36:35.000000000 -0400
84209 @@ -216,7 +216,7 @@ static int ep93xx_pcm_mmap(struct snd_pc
84210 runtime->dma_bytes);
84211 }
84212
84213 -static struct snd_pcm_ops ep93xx_pcm_ops = {
84214 +static const struct snd_pcm_ops ep93xx_pcm_ops = {
84215 .open = ep93xx_pcm_open,
84216 .close = ep93xx_pcm_close,
84217 .ioctl = snd_pcm_lib_ioctl,
84218 diff -urNp linux-2.6.39.3/sound/soc/ep93xx/snappercl15.c linux-2.6.39.3/sound/soc/ep93xx/snappercl15.c
84219 --- linux-2.6.39.3/sound/soc/ep93xx/snappercl15.c 2011-05-19 00:06:34.000000000 -0400
84220 +++ linux-2.6.39.3/sound/soc/ep93xx/snappercl15.c 2011-05-22 19:36:35.000000000 -0400
84221 @@ -55,7 +55,7 @@ static int snappercl15_hw_params(struct
84222 return 0;
84223 }
84224
84225 -static struct snd_soc_ops snappercl15_ops = {
84226 +static const struct snd_soc_ops snappercl15_ops = {
84227 .hw_params = snappercl15_hw_params,
84228 };
84229
84230 diff -urNp linux-2.6.39.3/sound/soc/fsl/fsl_dma.c linux-2.6.39.3/sound/soc/fsl/fsl_dma.c
84231 --- linux-2.6.39.3/sound/soc/fsl/fsl_dma.c 2011-05-19 00:06:34.000000000 -0400
84232 +++ linux-2.6.39.3/sound/soc/fsl/fsl_dma.c 2011-05-22 19:36:35.000000000 -0400
84233 @@ -887,7 +887,7 @@ static struct device_node *find_ssi_node
84234 return NULL;
84235 }
84236
84237 -static struct snd_pcm_ops fsl_dma_ops = {
84238 +static const struct snd_pcm_ops fsl_dma_ops = {
84239 .open = fsl_dma_open,
84240 .close = fsl_dma_close,
84241 .ioctl = snd_pcm_lib_ioctl,
84242 diff -urNp linux-2.6.39.3/sound/soc/fsl/mpc8610_hpcd.c linux-2.6.39.3/sound/soc/fsl/mpc8610_hpcd.c
84243 --- linux-2.6.39.3/sound/soc/fsl/mpc8610_hpcd.c 2011-05-19 00:06:34.000000000 -0400
84244 +++ linux-2.6.39.3/sound/soc/fsl/mpc8610_hpcd.c 2011-05-22 19:36:35.000000000 -0400
84245 @@ -175,7 +175,7 @@ static int mpc8610_hpcd_machine_remove(s
84246 /**
84247 * mpc8610_hpcd_ops: ASoC machine driver operations
84248 */
84249 -static struct snd_soc_ops mpc8610_hpcd_ops = {
84250 +static const struct snd_soc_ops mpc8610_hpcd_ops = {
84251 .startup = mpc8610_hpcd_startup,
84252 };
84253
84254 diff -urNp linux-2.6.39.3/sound/soc/fsl/p1022_ds.c linux-2.6.39.3/sound/soc/fsl/p1022_ds.c
84255 --- linux-2.6.39.3/sound/soc/fsl/p1022_ds.c 2011-05-19 00:06:34.000000000 -0400
84256 +++ linux-2.6.39.3/sound/soc/fsl/p1022_ds.c 2011-05-22 19:36:35.000000000 -0400
84257 @@ -185,7 +185,7 @@ static int p1022_ds_machine_remove(struc
84258 /**
84259 * p1022_ds_ops: ASoC machine driver operations
84260 */
84261 -static struct snd_soc_ops p1022_ds_ops = {
84262 +static const struct snd_soc_ops p1022_ds_ops = {
84263 .startup = p1022_ds_startup,
84264 };
84265
84266 diff -urNp linux-2.6.39.3/sound/soc/imx/eukrea-tlv320.c linux-2.6.39.3/sound/soc/imx/eukrea-tlv320.c
84267 --- linux-2.6.39.3/sound/soc/imx/eukrea-tlv320.c 2011-05-19 00:06:34.000000000 -0400
84268 +++ linux-2.6.39.3/sound/soc/imx/eukrea-tlv320.c 2011-05-22 19:36:35.000000000 -0400
84269 @@ -71,7 +71,7 @@ static int eukrea_tlv320_hw_params(struc
84270 return 0;
84271 }
84272
84273 -static struct snd_soc_ops eukrea_tlv320_snd_ops = {
84274 +static const struct snd_soc_ops eukrea_tlv320_snd_ops = {
84275 .hw_params = eukrea_tlv320_hw_params,
84276 };
84277
84278 diff -urNp linux-2.6.39.3/sound/soc/imx/imx-pcm-dma-mx2.c linux-2.6.39.3/sound/soc/imx/imx-pcm-dma-mx2.c
84279 --- linux-2.6.39.3/sound/soc/imx/imx-pcm-dma-mx2.c 2011-05-19 00:06:34.000000000 -0400
84280 +++ linux-2.6.39.3/sound/soc/imx/imx-pcm-dma-mx2.c 2011-05-22 19:36:35.000000000 -0400
84281 @@ -283,7 +283,7 @@ static int snd_imx_close(struct snd_pcm_
84282 return 0;
84283 }
84284
84285 -static struct snd_pcm_ops imx_pcm_ops = {
84286 +static const struct snd_pcm_ops imx_pcm_ops = {
84287 .open = snd_imx_open,
84288 .close = snd_imx_close,
84289 .ioctl = snd_pcm_lib_ioctl,
84290 diff -urNp linux-2.6.39.3/sound/soc/imx/imx-pcm-fiq.c linux-2.6.39.3/sound/soc/imx/imx-pcm-fiq.c
84291 --- linux-2.6.39.3/sound/soc/imx/imx-pcm-fiq.c 2011-05-19 00:06:34.000000000 -0400
84292 +++ linux-2.6.39.3/sound/soc/imx/imx-pcm-fiq.c 2011-05-22 19:36:35.000000000 -0400
84293 @@ -225,7 +225,7 @@ static int snd_imx_close(struct snd_pcm_
84294 return 0;
84295 }
84296
84297 -static struct snd_pcm_ops imx_pcm_ops = {
84298 +static const struct snd_pcm_ops imx_pcm_ops = {
84299 .open = snd_imx_open,
84300 .close = snd_imx_close,
84301 .ioctl = snd_pcm_lib_ioctl,
84302 diff -urNp linux-2.6.39.3/sound/soc/imx/mx27vis-aic32x4.c linux-2.6.39.3/sound/soc/imx/mx27vis-aic32x4.c
84303 --- linux-2.6.39.3/sound/soc/imx/mx27vis-aic32x4.c 2011-05-19 00:06:34.000000000 -0400
84304 +++ linux-2.6.39.3/sound/soc/imx/mx27vis-aic32x4.c 2011-05-22 19:36:35.000000000 -0400
84305 @@ -70,7 +70,7 @@ static int mx27vis_aic32x4_hw_params(str
84306 return 0;
84307 }
84308
84309 -static struct snd_soc_ops mx27vis_aic32x4_snd_ops = {
84310 +static const struct snd_soc_ops mx27vis_aic32x4_snd_ops = {
84311 .hw_params = mx27vis_aic32x4_hw_params,
84312 };
84313
84314 diff -urNp linux-2.6.39.3/sound/soc/imx/phycore-ac97.c linux-2.6.39.3/sound/soc/imx/phycore-ac97.c
84315 --- linux-2.6.39.3/sound/soc/imx/phycore-ac97.c 2011-05-19 00:06:34.000000000 -0400
84316 +++ linux-2.6.39.3/sound/soc/imx/phycore-ac97.c 2011-05-22 19:36:35.000000000 -0400
84317 @@ -21,7 +21,7 @@
84318
84319 static struct snd_soc_card imx_phycore;
84320
84321 -static struct snd_soc_ops imx_phycore_hifi_ops = {
84322 +static const struct snd_soc_ops imx_phycore_hifi_ops = {
84323 };
84324
84325 static struct snd_soc_dai_link imx_phycore_dai_ac97[] = {
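Review bot: `imx_phycore_hifi_ops` is an empty table, and once it is `const` it can never gain a callback at runtime, so every member stays NULL for the life of the module. A comment such as `/* intentionally empty: no machine-level callbacks */` would say that this is deliberate; the reason is inferred, not shown here. `mioa701_ops` in mioa701_wm9713.c is the same case written as `static const struct snd_soc_ops mioa701_ops;` with no initializer, which relies on implicit zero-initialisation of a const object. Unless an initialised definition follows outside that hunk, writing it as `= { };` like this one would make the intent visible.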
84326 diff -urNp linux-2.6.39.3/sound/soc/imx/wm1133-ev1.c linux-2.6.39.3/sound/soc/imx/wm1133-ev1.c
84327 --- linux-2.6.39.3/sound/soc/imx/wm1133-ev1.c 2011-05-19 00:06:34.000000000 -0400
84328 +++ linux-2.6.39.3/sound/soc/imx/wm1133-ev1.c 2011-05-22 19:36:35.000000000 -0400
84329 @@ -149,7 +149,7 @@ static int wm1133_ev1_hw_params(struct s
84330 return 0;
84331 }
84332
84333 -static struct snd_soc_ops wm1133_ev1_ops = {
84334 +static const struct snd_soc_ops wm1133_ev1_ops = {
84335 .hw_params = wm1133_ev1_hw_params,
84336 };
84337
84338 diff -urNp linux-2.6.39.3/sound/soc/jz4740/jz4740-pcm.c linux-2.6.39.3/sound/soc/jz4740/jz4740-pcm.c
84339 --- linux-2.6.39.3/sound/soc/jz4740/jz4740-pcm.c 2011-05-19 00:06:34.000000000 -0400
84340 +++ linux-2.6.39.3/sound/soc/jz4740/jz4740-pcm.c 2011-05-22 19:36:35.000000000 -0400
84341 @@ -244,7 +244,7 @@ static int jz4740_pcm_mmap(struct snd_pc
84342 vma->vm_end - vma->vm_start, vma->vm_page_prot);
84343 }
84344
84345 -static struct snd_pcm_ops jz4740_pcm_ops = {
84346 +static const struct snd_pcm_ops jz4740_pcm_ops = {
84347 .open = jz4740_pcm_open,
84348 .close = jz4740_pcm_close,
84349 .ioctl = snd_pcm_lib_ioctl,
84350 diff -urNp linux-2.6.39.3/sound/soc/kirkwood/kirkwood-openrd.c linux-2.6.39.3/sound/soc/kirkwood/kirkwood-openrd.c
84351 --- linux-2.6.39.3/sound/soc/kirkwood/kirkwood-openrd.c 2011-05-19 00:06:34.000000000 -0400
84352 +++ linux-2.6.39.3/sound/soc/kirkwood/kirkwood-openrd.c 2011-05-22 19:36:35.000000000 -0400
84353 @@ -56,7 +56,7 @@ static int openrd_client_hw_params(struc
84354
84355 }
84356
84357 -static struct snd_soc_ops openrd_client_ops = {
84358 +static const struct snd_soc_ops openrd_client_ops = {
84359 .hw_params = openrd_client_hw_params,
84360 };
84361
84362 diff -urNp linux-2.6.39.3/sound/soc/kirkwood/kirkwood-t5325.c linux-2.6.39.3/sound/soc/kirkwood/kirkwood-t5325.c
84363 --- linux-2.6.39.3/sound/soc/kirkwood/kirkwood-t5325.c 2011-05-19 00:06:34.000000000 -0400
84364 +++ linux-2.6.39.3/sound/soc/kirkwood/kirkwood-t5325.c 2011-05-22 19:36:35.000000000 -0400
84365 @@ -44,7 +44,7 @@ static int t5325_hw_params(struct snd_pc
84366
84367 }
84368
84369 -static struct snd_soc_ops t5325_ops = {
84370 +static const struct snd_soc_ops t5325_ops = {
84371 .hw_params = t5325_hw_params,
84372 };
84373
84374 diff -urNp linux-2.6.39.3/sound/soc/mid-x86/sst_platform.c linux-2.6.39.3/sound/soc/mid-x86/sst_platform.c
84375 --- linux-2.6.39.3/sound/soc/mid-x86/sst_platform.c 2011-05-19 00:06:34.000000000 -0400
84376 +++ linux-2.6.39.3/sound/soc/mid-x86/sst_platform.c 2011-05-22 19:36:35.000000000 -0400
84377 @@ -381,7 +381,7 @@ static int sst_platform_pcm_hw_free(stru
84378 return snd_pcm_lib_free_pages(substream);
84379 }
84380
84381 -static struct snd_pcm_ops sst_platform_ops = {
84382 +static const struct snd_pcm_ops sst_platform_ops = {
84383 .open = sst_platform_open,
84384 .close = sst_platform_close,
84385 .ioctl = snd_pcm_lib_ioctl,
84386 diff -urNp linux-2.6.39.3/sound/soc/nuc900/nuc900-pcm.c linux-2.6.39.3/sound/soc/nuc900/nuc900-pcm.c
84387 --- linux-2.6.39.3/sound/soc/nuc900/nuc900-pcm.c 2011-05-19 00:06:34.000000000 -0400
84388 +++ linux-2.6.39.3/sound/soc/nuc900/nuc900-pcm.c 2011-05-22 19:36:35.000000000 -0400
84389 @@ -297,7 +297,7 @@ static int nuc900_dma_mmap(struct snd_pc
84390 runtime->dma_bytes);
84391 }
84392
84393 -static struct snd_pcm_ops nuc900_dma_ops = {
84394 +static const struct snd_pcm_ops nuc900_dma_ops = {
84395 .open = nuc900_dma_open,
84396 .close = nuc900_dma_close,
84397 .ioctl = snd_pcm_lib_ioctl,
84398 diff -urNp linux-2.6.39.3/sound/soc/omap/am3517evm.c linux-2.6.39.3/sound/soc/omap/am3517evm.c
84399 --- linux-2.6.39.3/sound/soc/omap/am3517evm.c 2011-05-19 00:06:34.000000000 -0400
84400 +++ linux-2.6.39.3/sound/soc/omap/am3517evm.c 2011-05-22 19:36:35.000000000 -0400
84401 @@ -88,7 +88,7 @@ static int am3517evm_hw_params(struct sn
84402 return 0;
84403 }
84404
84405 -static struct snd_soc_ops am3517evm_ops = {
84406 +static const struct snd_soc_ops am3517evm_ops = {
84407 .hw_params = am3517evm_hw_params,
84408 };
84409
84410 diff -urNp linux-2.6.39.3/sound/soc/omap/ams-delta.c linux-2.6.39.3/sound/soc/omap/ams-delta.c
84411 --- linux-2.6.39.3/sound/soc/omap/ams-delta.c 2011-05-19 00:06:34.000000000 -0400
84412 +++ linux-2.6.39.3/sound/soc/omap/ams-delta.c 2011-05-22 19:36:35.000000000 -0400
84413 @@ -420,7 +420,7 @@ static int ams_delta_hw_params(struct sn
84414 SND_SOC_DAIFMT_CBM_CFM);
84415 }
84416
84417 -static struct snd_soc_ops ams_delta_ops = {
84418 +static const struct snd_soc_ops ams_delta_ops = {
84419 .hw_params = ams_delta_hw_params,
84420 };
84421
84422 diff -urNp linux-2.6.39.3/sound/soc/omap/igep0020.c linux-2.6.39.3/sound/soc/omap/igep0020.c
84423 --- linux-2.6.39.3/sound/soc/omap/igep0020.c 2011-05-19 00:06:34.000000000 -0400
84424 +++ linux-2.6.39.3/sound/soc/omap/igep0020.c 2011-05-22 19:36:35.000000000 -0400
84425 @@ -72,7 +72,7 @@ static int igep2_hw_params(struct snd_pc
84426 return 0;
84427 }
84428
84429 -static struct snd_soc_ops igep2_ops = {
84430 +static const struct snd_soc_ops igep2_ops = {
84431 .hw_params = igep2_hw_params,
84432 };
84433
84434 diff -urNp linux-2.6.39.3/sound/soc/omap/n810.c linux-2.6.39.3/sound/soc/omap/n810.c
84435 --- linux-2.6.39.3/sound/soc/omap/n810.c 2011-05-19 00:06:34.000000000 -0400
84436 +++ linux-2.6.39.3/sound/soc/omap/n810.c 2011-05-22 19:36:35.000000000 -0400
84437 @@ -141,7 +141,7 @@ static int n810_hw_params(struct snd_pcm
84438 return err;
84439 }
84440
84441 -static struct snd_soc_ops n810_ops = {
84442 +static const struct snd_soc_ops n810_ops = {
84443 .startup = n810_startup,
84444 .hw_params = n810_hw_params,
84445 .shutdown = n810_shutdown,
84446 diff -urNp linux-2.6.39.3/sound/soc/omap/omap2evm.c linux-2.6.39.3/sound/soc/omap/omap2evm.c
84447 --- linux-2.6.39.3/sound/soc/omap/omap2evm.c 2011-05-19 00:06:34.000000000 -0400
84448 +++ linux-2.6.39.3/sound/soc/omap/omap2evm.c 2011-05-22 19:36:35.000000000 -0400
84449 @@ -74,7 +74,7 @@ static int omap2evm_hw_params(struct snd
84450 return 0;
84451 }
84452
84453 -static struct snd_soc_ops omap2evm_ops = {
84454 +static const struct snd_soc_ops omap2evm_ops = {
84455 .hw_params = omap2evm_hw_params,
84456 };
84457
84458 diff -urNp linux-2.6.39.3/sound/soc/omap/omap3beagle.c linux-2.6.39.3/sound/soc/omap/omap3beagle.c
84459 --- linux-2.6.39.3/sound/soc/omap/omap3beagle.c 2011-05-19 00:06:34.000000000 -0400
84460 +++ linux-2.6.39.3/sound/soc/omap/omap3beagle.c 2011-05-22 19:36:35.000000000 -0400
84461 @@ -82,7 +82,7 @@ static int omap3beagle_hw_params(struct
84462 return 0;
84463 }
84464
84465 -static struct snd_soc_ops omap3beagle_ops = {
84466 +static const struct snd_soc_ops omap3beagle_ops = {
84467 .hw_params = omap3beagle_hw_params,
84468 };
84469
84470 diff -urNp linux-2.6.39.3/sound/soc/omap/omap3evm.c linux-2.6.39.3/sound/soc/omap/omap3evm.c
84471 --- linux-2.6.39.3/sound/soc/omap/omap3evm.c 2011-05-19 00:06:34.000000000 -0400
84472 +++ linux-2.6.39.3/sound/soc/omap/omap3evm.c 2011-05-22 19:36:35.000000000 -0400
84473 @@ -70,7 +70,7 @@ static int omap3evm_hw_params(struct snd
84474 return 0;
84475 }
84476
84477 -static struct snd_soc_ops omap3evm_ops = {
84478 +static const struct snd_soc_ops omap3evm_ops = {
84479 .hw_params = omap3evm_hw_params,
84480 };
84481
84482 diff -urNp linux-2.6.39.3/sound/soc/omap/omap3pandora.c linux-2.6.39.3/sound/soc/omap/omap3pandora.c
84483 --- linux-2.6.39.3/sound/soc/omap/omap3pandora.c 2011-05-19 00:06:34.000000000 -0400
84484 +++ linux-2.6.39.3/sound/soc/omap/omap3pandora.c 2011-05-22 19:36:35.000000000 -0400
84485 @@ -218,7 +218,7 @@ static int omap3pandora_in_init(struct s
84486 return snd_soc_dapm_sync(dapm);
84487 }
84488
84489 -static struct snd_soc_ops omap3pandora_ops = {
84490 +static const struct snd_soc_ops omap3pandora_ops = {
84491 .hw_params = omap3pandora_hw_params,
84492 };
84493
84494 diff -urNp linux-2.6.39.3/sound/soc/omap/omap-pcm.c linux-2.6.39.3/sound/soc/omap/omap-pcm.c
84495 --- linux-2.6.39.3/sound/soc/omap/omap-pcm.c 2011-05-19 00:06:34.000000000 -0400
84496 +++ linux-2.6.39.3/sound/soc/omap/omap-pcm.c 2011-05-22 19:36:35.000000000 -0400
84497 @@ -311,7 +311,7 @@ static int omap_pcm_mmap(struct snd_pcm_
84498 runtime->dma_bytes);
84499 }
84500
84501 -static struct snd_pcm_ops omap_pcm_ops = {
84502 +static const struct snd_pcm_ops omap_pcm_ops = {
84503 .open = omap_pcm_open,
84504 .close = omap_pcm_close,
84505 .ioctl = snd_pcm_lib_ioctl,
84506 diff -urNp linux-2.6.39.3/sound/soc/omap/osk5912.c linux-2.6.39.3/sound/soc/omap/osk5912.c
84507 --- linux-2.6.39.3/sound/soc/omap/osk5912.c 2011-05-19 00:06:34.000000000 -0400
84508 +++ linux-2.6.39.3/sound/soc/omap/osk5912.c 2011-05-22 19:36:35.000000000 -0400
84509 @@ -90,7 +90,7 @@ static int osk_hw_params(struct snd_pcm_
84510 return err;
84511 }
84512
84513 -static struct snd_soc_ops osk_ops = {
84514 +static const struct snd_soc_ops osk_ops = {
84515 .startup = osk_startup,
84516 .hw_params = osk_hw_params,
84517 .shutdown = osk_shutdown,
84518 diff -urNp linux-2.6.39.3/sound/soc/omap/overo.c linux-2.6.39.3/sound/soc/omap/overo.c
84519 --- linux-2.6.39.3/sound/soc/omap/overo.c 2011-05-19 00:06:34.000000000 -0400
84520 +++ linux-2.6.39.3/sound/soc/omap/overo.c 2011-05-22 19:36:35.000000000 -0400
84521 @@ -72,7 +72,7 @@ static int overo_hw_params(struct snd_pc
84522 return 0;
84523 }
84524
84525 -static struct snd_soc_ops overo_ops = {
84526 +static const struct snd_soc_ops overo_ops = {
84527 .hw_params = overo_hw_params,
84528 };
84529
84530 diff -urNp linux-2.6.39.3/sound/soc/omap/rx51.c linux-2.6.39.3/sound/soc/omap/rx51.c
84531 --- linux-2.6.39.3/sound/soc/omap/rx51.c 2011-05-19 00:06:34.000000000 -0400
84532 +++ linux-2.6.39.3/sound/soc/omap/rx51.c 2011-05-22 19:36:35.000000000 -0400
84533 @@ -139,7 +139,7 @@ static int rx51_hw_params(struct snd_pcm
84534 SND_SOC_CLOCK_IN);
84535 }
84536
84537 -static struct snd_soc_ops rx51_ops = {
84538 +static const struct snd_soc_ops rx51_ops = {
84539 .startup = rx51_startup,
84540 .hw_params = rx51_hw_params,
84541 };
84542 diff -urNp linux-2.6.39.3/sound/soc/omap/sdp3430.c linux-2.6.39.3/sound/soc/omap/sdp3430.c
84543 --- linux-2.6.39.3/sound/soc/omap/sdp3430.c 2011-05-19 00:06:34.000000000 -0400
84544 +++ linux-2.6.39.3/sound/soc/omap/sdp3430.c 2011-05-22 19:36:35.000000000 -0400
84545 @@ -87,7 +87,7 @@ static int sdp3430_hw_params(struct snd_
84546 return 0;
84547 }
84548
84549 -static struct snd_soc_ops sdp3430_ops = {
84550 +static const struct snd_soc_ops sdp3430_ops = {
84551 .hw_params = sdp3430_hw_params,
84552 };
84553
84554 @@ -130,7 +130,7 @@ static int sdp3430_hw_voice_params(struc
84555 return 0;
84556 }
84557
84558 -static struct snd_soc_ops sdp3430_voice_ops = {
84559 +static const struct snd_soc_ops sdp3430_voice_ops = {
84560 .hw_params = sdp3430_hw_voice_params,
84561 };
84562
84563 diff -urNp linux-2.6.39.3/sound/soc/omap/sdp4430.c linux-2.6.39.3/sound/soc/omap/sdp4430.c
84564 --- linux-2.6.39.3/sound/soc/omap/sdp4430.c 2011-05-19 00:06:34.000000000 -0400
84565 +++ linux-2.6.39.3/sound/soc/omap/sdp4430.c 2011-05-22 19:36:35.000000000 -0400
84566 @@ -62,7 +62,7 @@ static int sdp4430_hw_params(struct snd_
84567 return ret;
84568 }
84569
84570 -static struct snd_soc_ops sdp4430_ops = {
84571 +static const struct snd_soc_ops sdp4430_ops = {
84572 .hw_params = sdp4430_hw_params,
84573 };
84574
84575 diff -urNp linux-2.6.39.3/sound/soc/omap/zoom2.c linux-2.6.39.3/sound/soc/omap/zoom2.c
84576 --- linux-2.6.39.3/sound/soc/omap/zoom2.c 2011-05-19 00:06:34.000000000 -0400
84577 +++ linux-2.6.39.3/sound/soc/omap/zoom2.c 2011-05-22 19:36:35.000000000 -0400
84578 @@ -78,7 +78,7 @@ static int zoom2_hw_params(struct snd_pc
84579 return 0;
84580 }
84581
84582 -static struct snd_soc_ops zoom2_ops = {
84583 +static const struct snd_soc_ops zoom2_ops = {
84584 .hw_params = zoom2_hw_params,
84585 };
84586
84587 @@ -121,7 +121,7 @@ static int zoom2_hw_voice_params(struct
84588 return 0;
84589 }
84590
84591 -static struct snd_soc_ops zoom2_voice_ops = {
84592 +static const struct snd_soc_ops zoom2_voice_ops = {
84593 .hw_params = zoom2_hw_voice_params,
84594 };
84595
84596 diff -urNp linux-2.6.39.3/sound/soc/pxa/corgi.c linux-2.6.39.3/sound/soc/pxa/corgi.c
84597 --- linux-2.6.39.3/sound/soc/pxa/corgi.c 2011-05-19 00:06:34.000000000 -0400
84598 +++ linux-2.6.39.3/sound/soc/pxa/corgi.c 2011-05-22 19:36:35.000000000 -0400
84599 @@ -169,7 +169,7 @@ static int corgi_hw_params(struct snd_pc
84600 return 0;
84601 }
84602
84603 -static struct snd_soc_ops corgi_ops = {
84604 +static const struct snd_soc_ops corgi_ops = {
84605 .startup = corgi_startup,
84606 .hw_params = corgi_hw_params,
84607 .shutdown = corgi_shutdown,
84608 diff -urNp linux-2.6.39.3/sound/soc/pxa/imote2.c linux-2.6.39.3/sound/soc/pxa/imote2.c
84609 --- linux-2.6.39.3/sound/soc/pxa/imote2.c 2011-05-19 00:06:34.000000000 -0400
84610 +++ linux-2.6.39.3/sound/soc/pxa/imote2.c 2011-05-22 19:36:35.000000000 -0400
84611 @@ -56,7 +56,7 @@ static int imote2_asoc_hw_params(struct
84612 return ret;
84613 }
84614
84615 -static struct snd_soc_ops imote2_asoc_ops = {
84616 +static const struct snd_soc_ops imote2_asoc_ops = {
84617 .hw_params = imote2_asoc_hw_params,
84618 };
84619
84620 diff -urNp linux-2.6.39.3/sound/soc/pxa/magician.c linux-2.6.39.3/sound/soc/pxa/magician.c
84621 --- linux-2.6.39.3/sound/soc/pxa/magician.c 2011-05-19 00:06:34.000000000 -0400
84622 +++ linux-2.6.39.3/sound/soc/pxa/magician.c 2011-05-22 19:36:35.000000000 -0400
84623 @@ -258,12 +258,12 @@ static int magician_capture_hw_params(st
84624 return 0;
84625 }
84626
84627 -static struct snd_soc_ops magician_capture_ops = {
84628 +static const struct snd_soc_ops magician_capture_ops = {
84629 .startup = magician_startup,
84630 .hw_params = magician_capture_hw_params,
84631 };
84632
84633 -static struct snd_soc_ops magician_playback_ops = {
84634 +static const struct snd_soc_ops magician_playback_ops = {
84635 .startup = magician_startup,
84636 .hw_params = magician_playback_hw_params,
84637 };
84638 diff -urNp linux-2.6.39.3/sound/soc/pxa/mioa701_wm9713.c linux-2.6.39.3/sound/soc/pxa/mioa701_wm9713.c
84639 --- linux-2.6.39.3/sound/soc/pxa/mioa701_wm9713.c 2011-05-19 00:06:34.000000000 -0400
84640 +++ linux-2.6.39.3/sound/soc/pxa/mioa701_wm9713.c 2011-05-22 19:36:35.000000000 -0400
84641 @@ -156,7 +156,7 @@ static int mioa701_wm9713_init(struct sn
84642 return 0;
84643 }
84644
84645 -static struct snd_soc_ops mioa701_ops;
84646 +static const struct snd_soc_ops mioa701_ops;
84647
84648 static struct snd_soc_dai_link mioa701_dai[] = {
84649 {
84650 diff -urNp linux-2.6.39.3/sound/soc/pxa/poodle.c linux-2.6.39.3/sound/soc/pxa/poodle.c
84651 --- linux-2.6.39.3/sound/soc/pxa/poodle.c 2011-05-19 00:06:34.000000000 -0400
84652 +++ linux-2.6.39.3/sound/soc/pxa/poodle.c 2011-05-22 19:36:35.000000000 -0400
84653 @@ -148,7 +148,7 @@ static int poodle_hw_params(struct snd_p
84654 return 0;
84655 }
84656
84657 -static struct snd_soc_ops poodle_ops = {
84658 +static const struct snd_soc_ops poodle_ops = {
84659 .startup = poodle_startup,
84660 .hw_params = poodle_hw_params,
84661 .shutdown = poodle_shutdown,
84662 diff -urNp linux-2.6.39.3/sound/soc/pxa/pxa2xx-ac97.c linux-2.6.39.3/sound/soc/pxa/pxa2xx-ac97.c
84663 --- linux-2.6.39.3/sound/soc/pxa/pxa2xx-ac97.c 2011-05-19 00:06:34.000000000 -0400
84664 +++ linux-2.6.39.3/sound/soc/pxa/pxa2xx-ac97.c 2011-05-22 19:36:35.000000000 -0400
84665 @@ -40,7 +40,7 @@ static void pxa2xx_ac97_cold_reset(struc
84666 pxa2xx_ac97_finish_reset(ac97);
84667 }
84668
84669 -struct snd_ac97_bus_ops soc_ac97_ops = {
84670 +const struct snd_ac97_bus_ops soc_ac97_ops = {
84671 .read = pxa2xx_ac97_read,
84672 .write = pxa2xx_ac97_write,
84673 .warm_reset = pxa2xx_ac97_warm_reset,
84674 diff -urNp linux-2.6.39.3/sound/soc/pxa/pxa2xx-ac97.h linux-2.6.39.3/sound/soc/pxa/pxa2xx-ac97.h
84675 --- linux-2.6.39.3/sound/soc/pxa/pxa2xx-ac97.h 2011-05-19 00:06:34.000000000 -0400
84676 +++ linux-2.6.39.3/sound/soc/pxa/pxa2xx-ac97.h 2011-05-22 19:36:35.000000000 -0400
84677 @@ -15,6 +15,6 @@
84678 #define PXA2XX_DAI_AC97_MIC 2
84679
84680 /* platform data */
84681 -extern struct snd_ac97_bus_ops pxa2xx_ac97_ops;
84682 +extern const struct snd_ac97_bus_ops pxa2xx_ac97_ops;
84683
84684 #endif
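Review bot: The declaration being constified names `pxa2xx_ac97_ops`, but the pxa2xx-ac97.c hunk in this same patch defines the bus-ops table as `soc_ac97_ops`, so this `extern` may refer to a symbol that is not defined anywhere. If so, the line is dead and could be removed rather than qualified. If a definition of `pxa2xx_ac97_ops` does exist outside the visible hunks, it needs the matching `const`. Either way, the declaration that matters for the read-only table is the one for `soc_ac97_ops`, which should read `extern const struct snd_ac97_bus_ops soc_ac97_ops;`.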
84685 diff -urNp linux-2.6.39.3/sound/soc/pxa/raumfeld.c linux-2.6.39.3/sound/soc/pxa/raumfeld.c
84686 --- linux-2.6.39.3/sound/soc/pxa/raumfeld.c 2011-06-03 00:04:14.000000000 -0400
84687 +++ linux-2.6.39.3/sound/soc/pxa/raumfeld.c 2011-06-03 00:32:09.000000000 -0400
84688 @@ -145,7 +145,7 @@ static int raumfeld_cs4270_hw_params(str
84689 return 0;
84690 }
84691
84692 -static struct snd_soc_ops raumfeld_cs4270_ops = {
84693 +static const struct snd_soc_ops raumfeld_cs4270_ops = {
84694 .startup = raumfeld_cs4270_startup,
84695 .shutdown = raumfeld_cs4270_shutdown,
84696 .hw_params = raumfeld_cs4270_hw_params,
84697 @@ -221,7 +221,7 @@ static int raumfeld_ak4104_hw_params(str
84698 return 0;
84699 }
84700
84701 -static struct snd_soc_ops raumfeld_ak4104_ops = {
84702 +static const struct snd_soc_ops raumfeld_ak4104_ops = {
84703 .hw_params = raumfeld_ak4104_hw_params,
84704 };
84705
84706 diff -urNp linux-2.6.39.3/sound/soc/pxa/saarb.c linux-2.6.39.3/sound/soc/pxa/saarb.c
84707 --- linux-2.6.39.3/sound/soc/pxa/saarb.c 2011-05-19 00:06:34.000000000 -0400
84708 +++ linux-2.6.39.3/sound/soc/pxa/saarb.c 2011-05-22 19:36:35.000000000 -0400
84709 @@ -106,7 +106,7 @@ static int saarb_i2s_hw_params(struct sn
84710 return ret;
84711 }
84712
84713 -static struct snd_soc_ops saarb_i2s_ops = {
84714 +static const struct snd_soc_ops saarb_i2s_ops = {
84715 .hw_params = saarb_i2s_hw_params,
84716 };
84717
84718 diff -urNp linux-2.6.39.3/sound/soc/pxa/spitz.c linux-2.6.39.3/sound/soc/pxa/spitz.c
84719 --- linux-2.6.39.3/sound/soc/pxa/spitz.c 2011-05-19 00:06:34.000000000 -0400
84720 +++ linux-2.6.39.3/sound/soc/pxa/spitz.c 2011-05-22 19:36:35.000000000 -0400
84721 @@ -169,7 +169,7 @@ static int spitz_hw_params(struct snd_pc
84722 return 0;
84723 }
84724
84725 -static struct snd_soc_ops spitz_ops = {
84726 +static const struct snd_soc_ops spitz_ops = {
84727 .startup = spitz_startup,
84728 .hw_params = spitz_hw_params,
84729 };
84730 diff -urNp linux-2.6.39.3/sound/soc/pxa/tavorevb3.c linux-2.6.39.3/sound/soc/pxa/tavorevb3.c
84731 --- linux-2.6.39.3/sound/soc/pxa/tavorevb3.c 2011-05-19 00:06:34.000000000 -0400
84732 +++ linux-2.6.39.3/sound/soc/pxa/tavorevb3.c 2011-05-22 19:36:35.000000000 -0400
84733 @@ -106,7 +106,7 @@ static int evb3_i2s_hw_params(struct snd
84734 return ret;
84735 }
84736
84737 -static struct snd_soc_ops evb3_i2s_ops = {
84738 +static const struct snd_soc_ops evb3_i2s_ops = {
84739 .hw_params = evb3_i2s_hw_params,
84740 };
84741
84742 diff -urNp linux-2.6.39.3/sound/soc/pxa/tosa.c linux-2.6.39.3/sound/soc/pxa/tosa.c
84743 --- linux-2.6.39.3/sound/soc/pxa/tosa.c 2011-05-19 00:06:34.000000000 -0400
84744 +++ linux-2.6.39.3/sound/soc/pxa/tosa.c 2011-05-22 19:36:35.000000000 -0400
84745 @@ -92,7 +92,7 @@ static int tosa_startup(struct snd_pcm_s
84746 return 0;
84747 }
84748
84749 -static struct snd_soc_ops tosa_ops = {
84750 +static const struct snd_soc_ops tosa_ops = {
84751 .startup = tosa_startup,
84752 };
84753
84754 diff -urNp linux-2.6.39.3/sound/soc/pxa/z2.c linux-2.6.39.3/sound/soc/pxa/z2.c
84755 --- linux-2.6.39.3/sound/soc/pxa/z2.c 2011-05-19 00:06:34.000000000 -0400
84756 +++ linux-2.6.39.3/sound/soc/pxa/z2.c 2011-05-22 19:36:35.000000000 -0400
84757 @@ -187,7 +187,7 @@ err:
84758 return ret;
84759 }
84760
84761 -static struct snd_soc_ops z2_ops = {
84762 +static const struct snd_soc_ops z2_ops = {
84763 .hw_params = z2_hw_params,
84764 };
84765
84766 diff -urNp linux-2.6.39.3/sound/soc/pxa/zylonite.c linux-2.6.39.3/sound/soc/pxa/zylonite.c
84767 --- linux-2.6.39.3/sound/soc/pxa/zylonite.c 2011-05-19 00:06:34.000000000 -0400
84768 +++ linux-2.6.39.3/sound/soc/pxa/zylonite.c 2011-05-22 19:36:35.000000000 -0400
84769 @@ -156,7 +156,7 @@ static int zylonite_voice_hw_params(stru
84770 return 0;
84771 }
84772
84773 -static struct snd_soc_ops zylonite_voice_ops = {
84774 +static const struct snd_soc_ops zylonite_voice_ops = {
84775 .hw_params = zylonite_voice_hw_params,
84776 };
84777
84778 diff -urNp linux-2.6.39.3/sound/soc/s6000/s6000-pcm.c linux-2.6.39.3/sound/soc/s6000/s6000-pcm.c
84779 --- linux-2.6.39.3/sound/soc/s6000/s6000-pcm.c 2011-05-19 00:06:34.000000000 -0400
84780 +++ linux-2.6.39.3/sound/soc/s6000/s6000-pcm.c 2011-05-22 19:36:35.000000000 -0400
84781 @@ -420,7 +420,7 @@ static int s6000_pcm_hw_free(struct snd_
84782 return snd_pcm_lib_free_pages(substream);
84783 }
84784
84785 -static struct snd_pcm_ops s6000_pcm_ops = {
84786 +static const struct snd_pcm_ops s6000_pcm_ops = {
84787 .open = s6000_pcm_open,
84788 .close = s6000_pcm_close,
84789 .ioctl = snd_pcm_lib_ioctl,
84790 diff -urNp linux-2.6.39.3/sound/soc/s6000/s6105-ipcam.c linux-2.6.39.3/sound/soc/s6000/s6105-ipcam.c
84791 --- linux-2.6.39.3/sound/soc/s6000/s6105-ipcam.c 2011-05-19 00:06:34.000000000 -0400
84792 +++ linux-2.6.39.3/sound/soc/s6000/s6105-ipcam.c 2011-05-22 19:36:35.000000000 -0400
84793 @@ -55,7 +55,7 @@ static int s6105_hw_params(struct snd_pc
84794 return 0;
84795 }
84796
84797 -static struct snd_soc_ops s6105_ops = {
84798 +static const struct snd_soc_ops s6105_ops = {
84799 .hw_params = s6105_hw_params,
84800 };
84801
84802 diff -urNp linux-2.6.39.3/sound/soc/samsung/goni_wm8994.c linux-2.6.39.3/sound/soc/samsung/goni_wm8994.c
84803 --- linux-2.6.39.3/sound/soc/samsung/goni_wm8994.c 2011-05-19 00:06:34.000000000 -0400
84804 +++ linux-2.6.39.3/sound/soc/samsung/goni_wm8994.c 2011-05-22 19:36:35.000000000 -0400
84805 @@ -176,7 +176,7 @@ static int goni_hifi_hw_params(struct sn
84806 return 0;
84807 }
84808
84809 -static struct snd_soc_ops goni_hifi_ops = {
84810 +static const struct snd_soc_ops goni_hifi_ops = {
84811 .hw_params = goni_hifi_hw_params,
84812 };
84813
84814 @@ -227,7 +227,7 @@ static struct snd_soc_dai_driver voice_d
84815 .formats = SNDRV_PCM_FMTBIT_S16_LE,},
84816 };
84817
84818 -static struct snd_soc_ops goni_voice_ops = {
84819 +static const struct snd_soc_ops goni_voice_ops = {
84820 .hw_params = goni_voice_hw_params,
84821 };
84822
84823 diff -urNp linux-2.6.39.3/sound/soc/samsung/h1940_uda1380.c linux-2.6.39.3/sound/soc/samsung/h1940_uda1380.c
84824 --- linux-2.6.39.3/sound/soc/samsung/h1940_uda1380.c 2011-05-19 00:06:34.000000000 -0400
84825 +++ linux-2.6.39.3/sound/soc/samsung/h1940_uda1380.c 2011-05-22 19:36:35.000000000 -0400
84826 @@ -136,7 +136,7 @@ static int h1940_hw_params(struct snd_pc
84827 return 0;
84828 }
84829
84830 -static struct snd_soc_ops h1940_ops = {
84831 +static const struct snd_soc_ops h1940_ops = {
84832 .startup = h1940_startup,
84833 .hw_params = h1940_hw_params,
84834 };
84835 diff -urNp linux-2.6.39.3/sound/soc/samsung/jive_wm8750.c linux-2.6.39.3/sound/soc/samsung/jive_wm8750.c
84836 --- linux-2.6.39.3/sound/soc/samsung/jive_wm8750.c 2011-05-19 00:06:34.000000000 -0400
84837 +++ linux-2.6.39.3/sound/soc/samsung/jive_wm8750.c 2011-05-22 19:36:35.000000000 -0400
84838 @@ -92,7 +92,7 @@ static int jive_hw_params(struct snd_pcm
84839 return 0;
84840 }
84841
84842 -static struct snd_soc_ops jive_ops = {
84843 +static const struct snd_soc_ops jive_ops = {
84844 .hw_params = jive_hw_params,
84845 };
84846
84847 diff -urNp linux-2.6.39.3/sound/soc/samsung/neo1973_wm8753.c linux-2.6.39.3/sound/soc/samsung/neo1973_wm8753.c
84848 --- linux-2.6.39.3/sound/soc/samsung/neo1973_wm8753.c 2011-05-19 00:06:34.000000000 -0400
84849 +++ linux-2.6.39.3/sound/soc/samsung/neo1973_wm8753.c 2011-05-22 19:36:35.000000000 -0400
84850 @@ -128,7 +128,7 @@ static int neo1973_hifi_hw_free(struct s
84851 /*
84852 * Neo1973 WM8753 HiFi DAI opserations.
84853 */
84854 -static struct snd_soc_ops neo1973_hifi_ops = {
84855 +static const struct snd_soc_ops neo1973_hifi_ops = {
84856 .hw_params = neo1973_hifi_hw_params,
84857 .hw_free = neo1973_hifi_hw_free,
84858 };
84859 @@ -187,7 +187,7 @@ static int neo1973_voice_hw_free(struct
84860 return snd_soc_dai_set_pll(codec_dai, WM8753_PLL2, 0, 0, 0);
84861 }
84862
84863 -static struct snd_soc_ops neo1973_voice_ops = {
84864 +static const struct snd_soc_ops neo1973_voice_ops = {
84865 .hw_params = neo1973_voice_hw_params,
84866 .hw_free = neo1973_voice_hw_free,
84867 };
84868 diff -urNp linux-2.6.39.3/sound/soc/samsung/rx1950_uda1380.c linux-2.6.39.3/sound/soc/samsung/rx1950_uda1380.c
84869 --- linux-2.6.39.3/sound/soc/samsung/rx1950_uda1380.c 2011-05-19 00:06:34.000000000 -0400
84870 +++ linux-2.6.39.3/sound/soc/samsung/rx1950_uda1380.c 2011-05-22 19:36:35.000000000 -0400
84871 @@ -70,7 +70,7 @@ static struct snd_soc_jack_gpio hp_jack_
84872 },
84873 };
84874
84875 -static struct snd_soc_ops rx1950_ops = {
84876 +static const struct snd_soc_ops rx1950_ops = {
84877 .startup = rx1950_startup,
84878 .hw_params = rx1950_hw_params,
84879 };
84880 diff -urNp linux-2.6.39.3/sound/soc/samsung/s3c24xx_simtec.c linux-2.6.39.3/sound/soc/samsung/s3c24xx_simtec.c
84881 --- linux-2.6.39.3/sound/soc/samsung/s3c24xx_simtec.c 2011-05-19 00:06:34.000000000 -0400
84882 +++ linux-2.6.39.3/sound/soc/samsung/s3c24xx_simtec.c 2011-05-22 19:36:35.000000000 -0400
84883 @@ -228,7 +228,7 @@ static int simtec_call_startup(struct s3
84884 return 0;
84885 }
84886
84887 -static struct snd_soc_ops simtec_snd_ops = {
84888 +static const struct snd_soc_ops simtec_snd_ops = {
84889 .hw_params = simtec_hw_params,
84890 };
84891
84892 diff -urNp linux-2.6.39.3/sound/soc/samsung/s3c24xx_uda134x.c linux-2.6.39.3/sound/soc/samsung/s3c24xx_uda134x.c
84893 --- linux-2.6.39.3/sound/soc/samsung/s3c24xx_uda134x.c 2011-05-19 00:06:34.000000000 -0400
84894 +++ linux-2.6.39.3/sound/soc/samsung/s3c24xx_uda134x.c 2011-05-22 19:36:35.000000000 -0400
84895 @@ -210,7 +210,7 @@ static int s3c24xx_uda134x_hw_params(str
84896 return 0;
84897 }
84898
84899 -static struct snd_soc_ops s3c24xx_uda134x_ops = {
84900 +static const struct snd_soc_ops s3c24xx_uda134x_ops = {
84901 .startup = s3c24xx_uda134x_startup,
84902 .shutdown = s3c24xx_uda134x_shutdown,
84903 .hw_params = s3c24xx_uda134x_hw_params,
84904 diff -urNp linux-2.6.39.3/sound/soc/samsung/smartq_wm8987.c linux-2.6.39.3/sound/soc/samsung/smartq_wm8987.c
84905 --- linux-2.6.39.3/sound/soc/samsung/smartq_wm8987.c 2011-05-19 00:06:34.000000000 -0400
84906 +++ linux-2.6.39.3/sound/soc/samsung/smartq_wm8987.c 2011-05-22 19:36:35.000000000 -0400
84907 @@ -92,7 +92,7 @@ static int smartq_hifi_hw_params(struct
84908 /*
84909 * SmartQ WM8987 HiFi DAI operations.
84910 */
84911 -static struct snd_soc_ops smartq_hifi_ops = {
84912 +static const struct snd_soc_ops smartq_hifi_ops = {
84913 .hw_params = smartq_hifi_hw_params,
84914 };
84915
84916 diff -urNp linux-2.6.39.3/sound/soc/samsung/smdk_spdif.c linux-2.6.39.3/sound/soc/samsung/smdk_spdif.c
84917 --- linux-2.6.39.3/sound/soc/samsung/smdk_spdif.c 2011-05-19 00:06:34.000000000 -0400
84918 +++ linux-2.6.39.3/sound/soc/samsung/smdk_spdif.c 2011-05-22 19:36:35.000000000 -0400
84919 @@ -143,7 +143,7 @@ static int smdk_hw_params(struct snd_pcm
84920 return ret;
84921 }
84922
84923 -static struct snd_soc_ops smdk_spdif_ops = {
84924 +static const struct snd_soc_ops smdk_spdif_ops = {
84925 .hw_params = smdk_hw_params,
84926 };
84927
84928 diff -urNp linux-2.6.39.3/sound/soc/samsung/smdk_wm8580.c linux-2.6.39.3/sound/soc/samsung/smdk_wm8580.c
84929 --- linux-2.6.39.3/sound/soc/samsung/smdk_wm8580.c 2011-05-19 00:06:34.000000000 -0400
84930 +++ linux-2.6.39.3/sound/soc/samsung/smdk_wm8580.c 2011-05-22 19:36:35.000000000 -0400
84931 @@ -114,7 +114,7 @@ static int smdk_hw_params(struct snd_pcm
84932 /*
84933 * SMDK WM8580 DAI operations.
84934 */
84935 -static struct snd_soc_ops smdk_ops = {
84936 +static const struct snd_soc_ops smdk_ops = {
84937 .hw_params = smdk_hw_params,
84938 };
84939
84940 diff -urNp linux-2.6.39.3/sound/soc/sh/dma-sh7760.c linux-2.6.39.3/sound/soc/sh/dma-sh7760.c
84941 --- linux-2.6.39.3/sound/soc/sh/dma-sh7760.c 2011-05-19 00:06:34.000000000 -0400
84942 +++ linux-2.6.39.3/sound/soc/sh/dma-sh7760.c 2011-05-22 19:36:35.000000000 -0400
84943 @@ -311,7 +311,7 @@ static snd_pcm_uframes_t camelot_pos(str
84944 return bytes_to_frames(runtime, pos);
84945 }
84946
84947 -static struct snd_pcm_ops camelot_pcm_ops = {
84948 +static const struct snd_pcm_ops camelot_pcm_ops = {
84949 .open = camelot_pcm_open,
84950 .close = camelot_pcm_close,
84951 .ioctl = snd_pcm_lib_ioctl,
84952 diff -urNp linux-2.6.39.3/sound/soc/sh/hac.c linux-2.6.39.3/sound/soc/sh/hac.c
84953 --- linux-2.6.39.3/sound/soc/sh/hac.c 2011-05-19 00:06:34.000000000 -0400
84954 +++ linux-2.6.39.3/sound/soc/sh/hac.c 2011-05-22 19:36:35.000000000 -0400
84955 @@ -227,7 +227,7 @@ static void hac_ac97_coldrst(struct snd_
84956 hac_ac97_warmrst(ac97);
84957 }
84958
84959 -struct snd_ac97_bus_ops soc_ac97_ops = {
84960 +const struct snd_ac97_bus_ops soc_ac97_ops = {
84961 .read = hac_ac97_read,
84962 .write = hac_ac97_write,
84963 .reset = hac_ac97_coldrst,
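Review bot: `soc_ac97_ops` has external linkage, so the `const` added to its definition must be matched by every declaration other translation units see, and none of those are in this hunk. If a header still carries the unqualified form, the definition and declaration disagree; the matching line would be `extern const struct snd_ac97_bus_ops soc_ac97_ops;`. The consumer's pointer type presumably also needs to be `const struct snd_ac97_bus_ops *`, otherwise the qualifier is discarded at the point of use and the read-only placement of the callback table is only as strong as that cast. The initializer continues past the end of the hunk.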
84964 diff -urNp linux-2.6.39.3/sound/soc/sh/migor.c linux-2.6.39.3/sound/soc/sh/migor.c
84965 --- linux-2.6.39.3/sound/soc/sh/migor.c 2011-05-19 00:06:34.000000000 -0400
84966 +++ linux-2.6.39.3/sound/soc/sh/migor.c 2011-05-22 19:36:35.000000000 -0400
84967 @@ -108,7 +108,7 @@ static int migor_hw_free(struct snd_pcm_
84968 return 0;
84969 }
84970
84971 -static struct snd_soc_ops migor_dai_ops = {
84972 +static const struct snd_soc_ops migor_dai_ops = {
84973 .hw_params = migor_hw_params,
84974 .hw_free = migor_hw_free,
84975 };
84976 diff -urNp linux-2.6.39.3/sound/soc/sh/siu_pcm.c linux-2.6.39.3/sound/soc/sh/siu_pcm.c
84977 --- linux-2.6.39.3/sound/soc/sh/siu_pcm.c 2011-05-19 00:06:34.000000000 -0400
84978 +++ linux-2.6.39.3/sound/soc/sh/siu_pcm.c 2011-05-22 19:36:35.000000000 -0400
84979 @@ -597,7 +597,7 @@ static void siu_pcm_free(struct snd_pcm
84980 dev_dbg(pcm->card->dev, "%s\n", __func__);
84981 }
84982
84983 -static struct snd_pcm_ops siu_pcm_ops = {
84984 +static const struct snd_pcm_ops siu_pcm_ops = {
84985 .open = siu_pcm_open,
84986 .close = siu_pcm_close,
84987 .ioctl = snd_pcm_lib_ioctl,
84988 diff -urNp linux-2.6.39.3/sound/soc/tegra/harmony.c linux-2.6.39.3/sound/soc/tegra/harmony.c
84989 --- linux-2.6.39.3/sound/soc/tegra/harmony.c 2011-05-19 00:06:34.000000000 -0400
84990 +++ linux-2.6.39.3/sound/soc/tegra/harmony.c 2011-05-22 19:36:35.000000000 -0400
84991 @@ -126,7 +126,7 @@ static int harmony_asoc_hw_params(struct
84992 return 0;
84993 }
84994
84995 -static struct snd_soc_ops harmony_asoc_ops = {
84996 +static const struct snd_soc_ops harmony_asoc_ops = {
84997 .hw_params = harmony_asoc_hw_params,
84998 };
84999
85000 diff -urNp linux-2.6.39.3/sound/soc/tegra/tegra_pcm.c linux-2.6.39.3/sound/soc/tegra/tegra_pcm.c
85001 --- linux-2.6.39.3/sound/soc/tegra/tegra_pcm.c 2011-05-19 00:06:34.000000000 -0400
85002 +++ linux-2.6.39.3/sound/soc/tegra/tegra_pcm.c 2011-05-22 19:36:36.000000000 -0400
85003 @@ -277,7 +277,7 @@ static int tegra_pcm_mmap(struct snd_pcm
85004 runtime->dma_bytes);
85005 }
85006
85007 -static struct snd_pcm_ops tegra_pcm_ops = {
85008 +static const struct snd_pcm_ops tegra_pcm_ops = {
85009 .open = tegra_pcm_open,
85010 .close = tegra_pcm_close,
85011 .ioctl = snd_pcm_lib_ioctl,
85012 diff -urNp linux-2.6.39.3/sound/soc/txx9/txx9aclc.c linux-2.6.39.3/sound/soc/txx9/txx9aclc.c
85013 --- linux-2.6.39.3/sound/soc/txx9/txx9aclc.c 2011-05-19 00:06:34.000000000 -0400
85014 +++ linux-2.6.39.3/sound/soc/txx9/txx9aclc.c 2011-05-22 19:36:36.000000000 -0400
85015 @@ -272,7 +272,7 @@ static int txx9aclc_pcm_close(struct snd
85016 return 0;
85017 }
85018
85019 -static struct snd_pcm_ops txx9aclc_pcm_ops = {
85020 +static const struct snd_pcm_ops txx9aclc_pcm_ops = {
85021 .open = txx9aclc_pcm_open,
85022 .close = txx9aclc_pcm_close,
85023 .ioctl = snd_pcm_lib_ioctl,
85024 diff -urNp linux-2.6.39.3/sound/sparc/amd7930.c linux-2.6.39.3/sound/sparc/amd7930.c
85025 --- linux-2.6.39.3/sound/sparc/amd7930.c 2011-05-19 00:06:34.000000000 -0400
85026 +++ linux-2.6.39.3/sound/sparc/amd7930.c 2011-05-22 19:36:36.000000000 -0400
85027 @@ -733,7 +733,7 @@ static int snd_amd7930_hw_free(struct sn
85028 return snd_pcm_lib_free_pages(substream);
85029 }
85030
85031 -static struct snd_pcm_ops snd_amd7930_playback_ops = {
85032 +static const struct snd_pcm_ops snd_amd7930_playback_ops = {
85033 .open = snd_amd7930_playback_open,
85034 .close = snd_amd7930_playback_close,
85035 .ioctl = snd_pcm_lib_ioctl,
85036 @@ -744,7 +744,7 @@ static struct snd_pcm_ops snd_amd7930_pl
85037 .pointer = snd_amd7930_playback_pointer,
85038 };
85039
85040 -static struct snd_pcm_ops snd_amd7930_capture_ops = {
85041 +static const struct snd_pcm_ops snd_amd7930_capture_ops = {
85042 .open = snd_amd7930_capture_open,
85043 .close = snd_amd7930_capture_close,
85044 .ioctl = snd_pcm_lib_ioctl,
85045 @@ -929,7 +929,7 @@ static int snd_amd7930_dev_free(struct s
85046 return snd_amd7930_free(amd);
85047 }
85048
85049 -static struct snd_device_ops snd_amd7930_dev_ops = {
85050 +static const struct snd_device_ops snd_amd7930_dev_ops = {
85051 .dev_free = snd_amd7930_dev_free,
85052 };
85053
85054 diff -urNp linux-2.6.39.3/sound/sparc/cs4231.c linux-2.6.39.3/sound/sparc/cs4231.c
85055 --- linux-2.6.39.3/sound/sparc/cs4231.c 2011-05-19 00:06:34.000000000 -0400
85056 +++ linux-2.6.39.3/sound/sparc/cs4231.c 2011-05-22 19:36:36.000000000 -0400
85057 @@ -1196,7 +1196,7 @@ static int snd_cs4231_capture_close(stru
85058 * XXX the audio AUXIO register...
85059 */
85060
85061 -static struct snd_pcm_ops snd_cs4231_playback_ops = {
85062 +static const struct snd_pcm_ops snd_cs4231_playback_ops = {
85063 .open = snd_cs4231_playback_open,
85064 .close = snd_cs4231_playback_close,
85065 .ioctl = snd_pcm_lib_ioctl,
85066 @@ -1207,7 +1207,7 @@ static struct snd_pcm_ops snd_cs4231_pla
85067 .pointer = snd_cs4231_playback_pointer,
85068 };
85069
85070 -static struct snd_pcm_ops snd_cs4231_capture_ops = {
85071 +static const struct snd_pcm_ops snd_cs4231_capture_ops = {
85072 .open = snd_cs4231_capture_open,
85073 .close = snd_cs4231_capture_close,
85074 .ioctl = snd_pcm_lib_ioctl,
85075 @@ -1789,7 +1789,7 @@ static int snd_cs4231_sbus_dev_free(stru
85076 return snd_cs4231_sbus_free(cp);
85077 }
85078
85079 -static struct snd_device_ops snd_cs4231_sbus_dev_ops = {
85080 +static const struct snd_device_ops snd_cs4231_sbus_dev_ops = {
85081 .dev_free = snd_cs4231_sbus_dev_free,
85082 };
85083
85084 @@ -1955,7 +1955,7 @@ static int snd_cs4231_ebus_dev_free(stru
85085 return snd_cs4231_ebus_free(cp);
85086 }
85087
85088 -static struct snd_device_ops snd_cs4231_ebus_dev_ops = {
85089 +static const struct snd_device_ops snd_cs4231_ebus_dev_ops = {
85090 .dev_free = snd_cs4231_ebus_dev_free,
85091 };
85092
85093 diff -urNp linux-2.6.39.3/sound/sparc/dbri.c linux-2.6.39.3/sound/sparc/dbri.c
85094 --- linux-2.6.39.3/sound/sparc/dbri.c 2011-05-19 00:06:34.000000000 -0400
85095 +++ linux-2.6.39.3/sound/sparc/dbri.c 2011-05-22 19:36:36.000000000 -0400
85096 @@ -2205,7 +2205,7 @@ static snd_pcm_uframes_t snd_dbri_pointe
85097 return ret;
85098 }
85099
85100 -static struct snd_pcm_ops snd_dbri_ops = {
85101 +static const struct snd_pcm_ops snd_dbri_ops = {
85102 .open = snd_dbri_open,
85103 .close = snd_dbri_close,
85104 .ioctl = snd_pcm_lib_ioctl,
85105 diff -urNp linux-2.6.39.3/sound/spi/at73c213.c linux-2.6.39.3/sound/spi/at73c213.c
85106 --- linux-2.6.39.3/sound/spi/at73c213.c 2011-05-19 00:06:34.000000000 -0400
85107 +++ linux-2.6.39.3/sound/spi/at73c213.c 2011-05-22 19:36:36.000000000 -0400
85108 @@ -319,7 +319,7 @@ snd_at73c213_pcm_pointer(struct snd_pcm_
85109 return pos;
85110 }
85111
85112 -static struct snd_pcm_ops at73c213_playback_ops = {
85113 +static const struct snd_pcm_ops at73c213_playback_ops = {
85114 .open = snd_at73c213_pcm_open,
85115 .close = snd_at73c213_pcm_close,
85116 .ioctl = snd_pcm_lib_ioctl,
85117 @@ -882,7 +882,7 @@ static int snd_at73c213_dev_free(struct
85118 static int __devinit snd_at73c213_dev_init(struct snd_card *card,
85119 struct spi_device *spi)
85120 {
85121 - static struct snd_device_ops ops = {
85122 + static const struct snd_device_ops ops = {
85123 .dev_free = snd_at73c213_dev_free,
85124 };
85125 struct snd_at73c213 *chip = get_chip(card);
85126 diff -urNp linux-2.6.39.3/sound/usb/6fire/midi.c linux-2.6.39.3/sound/usb/6fire/midi.c
85127 --- linux-2.6.39.3/sound/usb/6fire/midi.c 2011-05-19 00:06:34.000000000 -0400
85128 +++ linux-2.6.39.3/sound/usb/6fire/midi.c 2011-05-22 19:36:36.000000000 -0400
85129 @@ -134,14 +134,14 @@ static void usb6fire_midi_in_trigger(
85130 spin_unlock_irqrestore(&rt->in_lock, flags);
85131 }
85132
85133 -static struct snd_rawmidi_ops out_ops = {
85134 +static const struct snd_rawmidi_ops out_ops = {
85135 .open = usb6fire_midi_out_open,
85136 .close = usb6fire_midi_out_close,
85137 .trigger = usb6fire_midi_out_trigger,
85138 .drain = usb6fire_midi_out_drain
85139 };
85140
85141 -static struct snd_rawmidi_ops in_ops = {
85142 +static const struct snd_rawmidi_ops in_ops = {
85143 .open = usb6fire_midi_in_open,
85144 .close = usb6fire_midi_in_close,
85145 .trigger = usb6fire_midi_in_trigger
85146 diff -urNp linux-2.6.39.3/sound/usb/caiaq/audio.c linux-2.6.39.3/sound/usb/caiaq/audio.c
85147 --- linux-2.6.39.3/sound/usb/caiaq/audio.c 2011-05-19 00:06:34.000000000 -0400
85148 +++ linux-2.6.39.3/sound/usb/caiaq/audio.c 2011-05-22 19:36:36.000000000 -0400
85149 @@ -322,7 +322,7 @@ snd_usb_caiaq_pcm_pointer(struct snd_pcm
85150 }
85151
85152 /* operators for both playback and capture */
85153 -static struct snd_pcm_ops snd_usb_caiaq_ops = {
85154 +static const struct snd_pcm_ops snd_usb_caiaq_ops = {
85155 .open = snd_usb_caiaq_substream_open,
85156 .close = snd_usb_caiaq_substream_close,
85157 .ioctl = snd_pcm_lib_ioctl,
85158 diff -urNp linux-2.6.39.3/sound/usb/caiaq/midi.c linux-2.6.39.3/sound/usb/caiaq/midi.c
85159 --- linux-2.6.39.3/sound/usb/caiaq/midi.c 2011-05-19 00:06:34.000000000 -0400
85160 +++ linux-2.6.39.3/sound/usb/caiaq/midi.c 2011-05-22 19:36:36.000000000 -0400
85161 @@ -100,15 +100,13 @@ static void snd_usb_caiaq_midi_output_tr
85162 }
85163
85164
85165 -static struct snd_rawmidi_ops snd_usb_caiaq_midi_output =
85166 -{
85167 +static const struct snd_rawmidi_ops snd_usb_caiaq_midi_output = {
85168 .open = snd_usb_caiaq_midi_output_open,
85169 .close = snd_usb_caiaq_midi_output_close,
85170 .trigger = snd_usb_caiaq_midi_output_trigger,
85171 };
85172
85173 -static struct snd_rawmidi_ops snd_usb_caiaq_midi_input =
85174 -{
85175 +static const struct snd_rawmidi_ops snd_usb_caiaq_midi_input = {
85176 .open = snd_usb_caiaq_midi_input_open,
85177 .close = snd_usb_caiaq_midi_input_close,
85178 .trigger = snd_usb_caiaq_midi_input_trigger,
85179 diff -urNp linux-2.6.39.3/sound/usb/card.c linux-2.6.39.3/sound/usb/card.c
85180 --- linux-2.6.39.3/sound/usb/card.c 2011-05-19 00:06:34.000000000 -0400
85181 +++ linux-2.6.39.3/sound/usb/card.c 2011-05-22 19:36:36.000000000 -0400
85182 @@ -305,7 +305,7 @@ static int snd_usb_audio_create(struct u
85183 struct snd_usb_audio *chip;
85184 int err, len;
85185 char component[14];
85186 - static struct snd_device_ops ops = {
85187 + static const struct snd_device_ops ops = {
85188 .dev_free = snd_usb_audio_dev_free,
85189 };
85190
85191 diff -urNp linux-2.6.39.3/sound/usb/midi.c linux-2.6.39.3/sound/usb/midi.c
85192 --- linux-2.6.39.3/sound/usb/midi.c 2011-05-19 00:06:34.000000000 -0400
85193 +++ linux-2.6.39.3/sound/usb/midi.c 2011-05-22 19:36:36.000000000 -0400
85194 @@ -1146,14 +1146,14 @@ static void snd_usbmidi_input_trigger(st
85195 clear_bit(substream->number, &umidi->input_triggered);
85196 }
85197
85198 -static struct snd_rawmidi_ops snd_usbmidi_output_ops = {
85199 +static const struct snd_rawmidi_ops snd_usbmidi_output_ops = {
85200 .open = snd_usbmidi_output_open,
85201 .close = snd_usbmidi_output_close,
85202 .trigger = snd_usbmidi_output_trigger,
85203 .drain = snd_usbmidi_output_drain,
85204 };
85205
85206 -static struct snd_rawmidi_ops snd_usbmidi_input_ops = {
85207 +static const struct snd_rawmidi_ops snd_usbmidi_input_ops = {
85208 .open = snd_usbmidi_input_open,
85209 .close = snd_usbmidi_input_close,
85210 .trigger = snd_usbmidi_input_trigger
85211 diff -urNp linux-2.6.39.3/sound/usb/misc/ua101.c linux-2.6.39.3/sound/usb/misc/ua101.c
85212 --- linux-2.6.39.3/sound/usb/misc/ua101.c 2011-05-19 00:06:34.000000000 -0400
85213 +++ linux-2.6.39.3/sound/usb/misc/ua101.c 2011-05-22 19:36:36.000000000 -0400
85214 @@ -886,7 +886,7 @@ static snd_pcm_uframes_t playback_pcm_po
85215 return ua101_pcm_pointer(ua, &ua->playback);
85216 }
85217
85218 -static struct snd_pcm_ops capture_pcm_ops = {
85219 +static const struct snd_pcm_ops capture_pcm_ops = {
85220 .open = capture_pcm_open,
85221 .close = capture_pcm_close,
85222 .ioctl = snd_pcm_lib_ioctl,
85223 @@ -899,7 +899,7 @@ static struct snd_pcm_ops capture_pcm_op
85224 .mmap = snd_pcm_lib_mmap_vmalloc,
85225 };
85226
85227 -static struct snd_pcm_ops playback_pcm_ops = {
85228 +static const struct snd_pcm_ops playback_pcm_ops = {
85229 .open = playback_pcm_open,
85230 .close = playback_pcm_close,
85231 .ioctl = snd_pcm_lib_ioctl,
85232 diff -urNp linux-2.6.39.3/sound/usb/mixer.c linux-2.6.39.3/sound/usb/mixer.c
85233 --- linux-2.6.39.3/sound/usb/mixer.c 2011-05-19 00:06:34.000000000 -0400
85234 +++ linux-2.6.39.3/sound/usb/mixer.c 2011-05-22 19:36:36.000000000 -0400
85235 @@ -2201,7 +2201,7 @@ static int snd_usb_mixer_status_create(s
85236 int snd_usb_create_mixer(struct snd_usb_audio *chip, int ctrlif,
85237 int ignore_error)
85238 {
85239 - static struct snd_device_ops dev_ops = {
85240 + static const struct snd_device_ops dev_ops = {
85241 .dev_free = snd_usb_mixer_dev_free
85242 };
85243 struct usb_mixer_interface *mixer;
85244 diff -urNp linux-2.6.39.3/sound/usb/pcm.c linux-2.6.39.3/sound/usb/pcm.c
85245 --- linux-2.6.39.3/sound/usb/pcm.c 2011-05-19 00:06:34.000000000 -0400
85246 +++ linux-2.6.39.3/sound/usb/pcm.c 2011-05-22 19:36:36.000000000 -0400
85247 @@ -844,7 +844,7 @@ static int snd_usb_capture_close(struct
85248 return snd_usb_pcm_close(substream, SNDRV_PCM_STREAM_CAPTURE);
85249 }
85250
85251 -static struct snd_pcm_ops snd_usb_playback_ops = {
85252 +static const struct snd_pcm_ops snd_usb_playback_ops = {
85253 .open = snd_usb_playback_open,
85254 .close = snd_usb_playback_close,
85255 .ioctl = snd_pcm_lib_ioctl,
85256 @@ -857,7 +857,7 @@ static struct snd_pcm_ops snd_usb_playba
85257 .mmap = snd_pcm_lib_mmap_vmalloc,
85258 };
85259
85260 -static struct snd_pcm_ops snd_usb_capture_ops = {
85261 +static const struct snd_pcm_ops snd_usb_capture_ops = {
85262 .open = snd_usb_capture_open,
85263 .close = snd_usb_capture_close,
85264 .ioctl = snd_pcm_lib_ioctl,
85265 diff -urNp linux-2.6.39.3/sound/usb/usx2y/usbusx2yaudio.c linux-2.6.39.3/sound/usb/usx2y/usbusx2yaudio.c
85266 --- linux-2.6.39.3/sound/usb/usx2y/usbusx2yaudio.c 2011-05-19 00:06:34.000000000 -0400
85267 +++ linux-2.6.39.3/sound/usb/usx2y/usbusx2yaudio.c 2011-05-22 19:36:36.000000000 -0400
85268 @@ -919,8 +919,7 @@ static int snd_usX2Y_pcm_close(struct sn
85269 }
85270
85271
85272 -static struct snd_pcm_ops snd_usX2Y_pcm_ops =
85273 -{
85274 +static const struct snd_pcm_ops snd_usX2Y_pcm_ops = {
85275 .open = snd_usX2Y_pcm_open,
85276 .close = snd_usX2Y_pcm_close,
85277 .ioctl = snd_pcm_lib_ioctl,
85278 diff -urNp linux-2.6.39.3/tools/gcc/Makefile linux-2.6.39.3/tools/gcc/Makefile
85279 --- linux-2.6.39.3/tools/gcc/Makefile 1969-12-31 19:00:00.000000000 -0500
85280 +++ linux-2.6.39.3/tools/gcc/Makefile 2011-06-03 01:19:01.000000000 -0400
85281 @@ -0,0 +1,11 @@
85282 +#CC := gcc
85283 +#PLUGIN_SOURCE_FILES := pax_plugin.c
85284 +#PLUGIN_OBJECT_FILES := $(patsubst %.c,%.o,$(PLUGIN_SOURCE_FILES))
85285 +GCCPLUGINS_DIR := $(shell $(HOSTCC) -print-file-name=plugin)
85286 +#CFLAGS += -I$(GCCPLUGINS_DIR)/include -fPIC -O2 -Wall -W
85287 +
85288 +HOST_EXTRACFLAGS += -I$(GCCPLUGINS_DIR)/include
85289 +
85290 +hostlibs-y := pax_plugin.so
85291 +always := $(hostlibs-y)
85292 +pax_plugin-objs := pax_plugin.o
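Review bot: `GCCPLUGINS_DIR` is taken from `$(HOSTCC) -print-file-name=plugin` with no check on the result. As far as I know gcc echoes the bare name back when it has no plugin directory, so on a host compiler without plugin headers the include path would become `plugin/include` and the build would stop later on a missing `gcc-plugin.h` instead of with a clear message. A guard such as `ifeq ($(wildcard $(GCCPLUGINS_DIR)/include/gcc-plugin.h),)` around an explicit error would make that failure visible, unless the option that enables the plugin already tests for it elsewhere in the patch. The four commented-out assignments (`#CC`, `#PLUGIN_SOURCE_FILES`, `#PLUGIN_OBJECT_FILES`, `#CFLAGS`) look like leftovers from a standalone build and could be dropped.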
85293 diff -urNp linux-2.6.39.3/tools/gcc/pax_plugin.c linux-2.6.39.3/tools/gcc/pax_plugin.c
85294 --- linux-2.6.39.3/tools/gcc/pax_plugin.c 1969-12-31 19:00:00.000000000 -0500
85295 +++ linux-2.6.39.3/tools/gcc/pax_plugin.c 2011-07-06 20:00:13.000000000 -0400
85296 @@ -0,0 +1,243 @@
85297 +/*
85298 + * Copyright 2011 by the PaX Team <pageexec@freemail.hu>
85299 + * Licensed under the GPL v2
85300 + *
85301 + * Note: the choice of the license means that the compilation process is
85302 + * NOT 'eligible' as defined by gcc's library exception to the GPL v3,
85303 + * but for the kernel it doesn't matter since it doesn't link against
85304 + * any of the gcc libraries
85305 + *
85306 + * gcc plugin to help implement various PaX features
85307 + *
85308 + * - track lowest stack pointer
85309 + *
85310 + * TODO:
85311 + * - initialize all local variables
85312 + *
85313 + * BUGS:
85314 + * - cloned functions are instrumented twice
85315 + */
85316 +#include "gcc-plugin.h"
85317 +#include "plugin-version.h"
85318 +#include "config.h"
85319 +#include "system.h"
85320 +#include "coretypes.h"
85321 +#include "tm.h"
85322 +#include "toplev.h"
85323 +#include "basic-block.h"
85324 +#include "gimple.h"
85325 +//#include "expr.h" where are you...
85326 +#include "diagnostic.h"
85327 +#include "rtl.h"
85328 +#include "emit-rtl.h"
85329 +#include "function.h"
85330 +#include "tree.h"
85331 +#include "tree-pass.h"
85332 +#include "intl.h"
85333 +
85334 +int plugin_is_GPL_compatible;
85335 +
85336 +static int track_frame_size = -1;
85337 +static const char track_function[] = "pax_track_stack";
85338 +static bool init_locals;
85339 +
85340 +static struct plugin_info pax_plugin_info = {
85341 + .version = "201106030000",
85342 + .help = "track-lowest-sp=nn\ttrack sp in functions whose frame size is at least nn bytes\n"
85343 +// "initialize-locals\t\tforcibly initialize all stack frames\n"
85344 +};
85345 +
85346 +static bool gate_pax_track_stack(void);
85347 +static unsigned int execute_pax_tree_instrument(void);
85348 +static unsigned int execute_pax_final(void);
85349 +
85350 +static struct gimple_opt_pass pax_tree_instrument_pass = {
85351 + .pass = {
85352 + .type = GIMPLE_PASS,
85353 + .name = "pax_tree_instrument",
85354 + .gate = gate_pax_track_stack,
85355 + .execute = execute_pax_tree_instrument,
85356 + .sub = NULL,
85357 + .next = NULL,
85358 + .static_pass_number = 0,
85359 + .tv_id = TV_NONE,
85360 + .properties_required = PROP_gimple_leh | PROP_cfg,
85361 + .properties_provided = 0,
85362 + .properties_destroyed = 0,
85363 + .todo_flags_start = 0, //TODO_verify_ssa | TODO_verify_flow | TODO_verify_stmts,
85364 + .todo_flags_finish = TODO_verify_stmts // | TODO_dump_func
85365 + }
85366 +};
85367 +
85368 +static struct rtl_opt_pass pax_final_rtl_opt_pass = {
85369 + .pass = {
85370 + .type = RTL_PASS,
85371 + .name = "pax_final",
85372 + .gate = gate_pax_track_stack,
85373 + .execute = execute_pax_final,
85374 + .sub = NULL,
85375 + .next = NULL,
85376 + .static_pass_number = 0,
85377 + .tv_id = TV_NONE,
85378 + .properties_required = 0,
85379 + .properties_provided = 0,
85380 + .properties_destroyed = 0,
85381 + .todo_flags_start = 0,
85382 + .todo_flags_finish = 0
85383 + }
85384 +};
85385 +
85386 +static bool gate_pax_track_stack(void)
85387 +{
85388 + return track_frame_size >= 0;
85389 +}
85390 +
85391 +static void pax_add_instrumentation(gimple_stmt_iterator *gsi, bool before)
85392 +{
85393 + gimple call;
85394 + tree decl, type;
85395 +
85396 + // insert call to void pax_track_stack(void)
85397 + type = build_function_type_list(void_type_node, NULL_TREE);
85398 + decl = build_fn_decl(track_function, type);
85399 + DECL_ASSEMBLER_NAME(decl); // for LTO
85400 + call = gimple_build_call(decl, 0);
85401 + if (before)
85402 + gsi_insert_before(gsi, call, GSI_CONTINUE_LINKING);
85403 + else
85404 + gsi_insert_after(gsi, call, GSI_CONTINUE_LINKING);
85405 +}
85406 +
85407 +static unsigned int execute_pax_tree_instrument(void)
85408 +{
85409 + basic_block bb;
85410 + gimple_stmt_iterator gsi;
85411 +
85412 + // 1. loop through BBs and GIMPLE statements
85413 + FOR_EACH_BB(bb) {
85414 + for (gsi = gsi_start_bb(bb); !gsi_end_p(gsi); gsi_next(&gsi)) {
85415 + // gimple match: align 8 built-in BUILT_IN_NORMAL:BUILT_IN_ALLOCA attributes <tree_list 0xb7576450>
85416 + tree decl;
85417 + gimple stmt = gsi_stmt(gsi);
85418 +
85419 + if (!is_gimple_call(stmt))
85420 + continue;
85421 + decl = gimple_call_fndecl(stmt);
85422 + if (!decl)
85423 + continue;
85424 + if (TREE_CODE(decl) != FUNCTION_DECL)
85425 + continue;
85426 + if (!DECL_BUILT_IN(decl))
85427 + continue;
85428 + if (DECL_BUILT_IN_CLASS(decl) != BUILT_IN_NORMAL)
85429 + continue;
85430 + if (DECL_FUNCTION_CODE(decl) != BUILT_IN_ALLOCA)
85431 + continue;
85432 +
85433 + // 2. insert track call after each __builtin_alloca call
85434 + pax_add_instrumentation(&gsi, false);
85435 +// print_node(stderr, "pax", decl, 4);
85436 + }
85437 + }
85438 +
85439 + // 3. insert track call at the beginning
85440 + bb = ENTRY_BLOCK_PTR_FOR_FUNCTION(cfun)->next_bb;
85441 + gsi = gsi_start_bb(bb);
85442 + pax_add_instrumentation(&gsi, true);
85443 +
85444 + return 0;
85445 +}
85446 +
85447 +static unsigned int execute_pax_final(void)
85448 +{
85449 + rtx insn;
85450 +
85451 + if (cfun->calls_alloca)
85452 + return 0;
85453 +
85454 + // 1. find pax_track_stack calls
85455 + for (insn = get_insns(); insn; insn = NEXT_INSN(insn)) {
85456 + // rtl match: (call_insn 8 7 9 3 (call (mem (symbol_ref ("pax_track_stack") [flags 0x41] <function_decl 0xb7470e80 pax_track_stack>) [0 S1 A8]) (4)) -1 (nil) (nil))
85457 + rtx body;
85458 +
85459 + if (!CALL_P(insn))
85460 + continue;
85461 + body = PATTERN(insn);
85462 + if (GET_CODE(body) != CALL)
85463 + continue;
85464 + body = XEXP(body, 0);
85465 + if (GET_CODE(body) != MEM)
85466 + continue;
85467 + body = XEXP(body, 0);
85468 + if (GET_CODE(body) != SYMBOL_REF)
85469 + continue;
85470 + if (strcmp(XSTR(body, 0), track_function))
85471 + continue;
85472 +// warning(0, "track_frame_size: %d %ld %d", cfun->calls_alloca, get_frame_size(), track_frame_size);
85473 + // 2. delete call if function frame is not big enough
85474 + if (get_frame_size() >= track_frame_size)
85475 + continue;
85476 + delete_insn_and_edges(insn);
85477 + }
85478 +
85479 +// print_simple_rtl(stderr, get_insns());
85480 +// print_rtl(stderr, get_insns());
85481 +// warning(0, "track_frame_size: %d %ld %d", cfun->calls_alloca, get_frame_size(), track_frame_size);
85482 +
85483 + return 0;
85484 +}
85485 +
85486 +int plugin_init(struct plugin_name_args *plugin_info, struct plugin_gcc_version *version)
85487 +{
85488 + const char * const plugin_name = plugin_info->base_name;
85489 + const int argc = plugin_info->argc;
85490 + const struct plugin_argument * const argv = plugin_info->argv;
85491 + int i;
85492 + struct register_pass_info pax_tree_instrument_pass_info = {
85493 + .pass = &pax_tree_instrument_pass.pass,
85494 +// .reference_pass_name = "tree_profile",
85495 + .reference_pass_name = "optimized",
85496 + .ref_pass_instance_number = 0,
85497 + .pos_op = PASS_POS_INSERT_AFTER
85498 + };
85499 + struct register_pass_info pax_final_pass_info = {
85500 + .pass = &pax_final_rtl_opt_pass.pass,
85501 + .reference_pass_name = "final",
85502 + .ref_pass_instance_number = 0,
85503 + .pos_op = PASS_POS_INSERT_BEFORE
85504 + };
85505 +
85506 + if (!plugin_default_version_check(version, &gcc_version)) {
85507 + error(G_("incompatible gcc/plugin versions"));
85508 + return 1;
85509 + }
85510 +
85511 + register_callback(plugin_name, PLUGIN_INFO, NULL, &pax_plugin_info);
85512 +
85513 + for (i = 0; i < argc; ++i) {
85514 + if (!strcmp(argv[i].key, "track-lowest-sp")) {
85515 + if (!argv[i].value) {
85516 + error(G_("no value supplied for option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key);
85517 + continue;
85518 + }
85519 + track_frame_size = atoi(argv[i].value);
85520 + if (argv[i].value[0] < '0' || argv[i].value[0] > '9' || track_frame_size < 0)
85521 + error(G_("invalid option argument '-fplugin-arg-%s-%s=%s'"), plugin_name, argv[i].key, argv[i].value);
85522 + continue;
85523 + }
85524 + if (!strcmp(argv[i].key, "initialize-locals")) {
85525 + if (argv[i].value) {
85526 + error(G_("invalid option argument '-fplugin-arg-%s-%s=%s'"), plugin_name, argv[i].key, argv[i].value);
85527 + continue;
85528 + }
85529 + init_locals = true;
85530 + continue;
85531 + }
85532 + error(G_("unkown option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key);
85533 + }
85534 +
85535 + register_callback(plugin_name, PLUGIN_PASS_MANAGER_SETUP, NULL, &pax_tree_instrument_pass_info);
85536 + register_callback(plugin_name, PLUGIN_PASS_MANAGER_SETUP, NULL, &pax_final_pass_info);
85537 +
85538 + return 0;
85539 +}
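Review bot: In `execute_pax_final` the loop steps with `insn = NEXT_INSN(insn)` after `delete_insn_and_edges(insn)` has removed that same insn, so it relies on a deleted insn keeping a usable next link; reading the successor before the delete removes that dependency. In `plugin_init`, `track-lowest-sp` is parsed with `atoi` and only the first character is checked, so `100x` is accepted as 100, an out-of-range number goes undetected, and the rejected value stays in `track_frame_size` after the error is reported. Since this threshold decides which functions keep their `pax_track_stack` call, a strict parse that leaves the setting untouched on error is preferable. Separately, the message `unkown option` is misspelled, and `init_locals` is written but never read in this file, which is worth a comment at its declaration pointing at the TODO in the header.

```c
// execute_pax_final: fetch the successor before the current insn can be deleted
	rtx insn, next;

	// … unchanged: early return when cfun->calls_alloca …
	for (insn = get_insns(); insn; insn = next) {
		next = NEXT_INSN(insn);
		// … unchanged: match the pax_track_stack call, delete it when the frame is small …
	}

// plugin_init: strict parse of track-lowest-sp
		if (!strcmp(argv[i].key, "track-lowest-sp")) {
			char *end;
			long val;

			// … unchanged: missing-value check …
			errno = 0;
			val = strtol(argv[i].value, &end, 10);
			if (argv[i].value[0] < '0' || argv[i].value[0] > '9' ||
			    *end != '\0' || errno == ERANGE || val > INT_MAX) {
				error(G_("invalid option argument '-fplugin-arg-%s-%s=%s'"), plugin_name, argv[i].key, argv[i].value);
				continue;
			}
			track_frame_size = (int)val;
			continue;
		}
```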
85540 diff -urNp linux-2.6.39.3/tools/perf/builtin-lock.c linux-2.6.39.3/tools/perf/builtin-lock.c
85541 --- linux-2.6.39.3/tools/perf/builtin-lock.c 2011-05-19 00:06:34.000000000 -0400
85542 +++ linux-2.6.39.3/tools/perf/builtin-lock.c 2011-05-22 19:36:36.000000000 -0400
85543 @@ -635,14 +635,14 @@ end:
85544
85545 /* lock oriented handlers */
85546 /* TODO: handlers for CPU oriented, thread oriented */
85547 -static struct trace_lock_handler report_lock_ops = {
85548 +static const struct trace_lock_handler report_lock_ops = {
85549 .acquire_event = report_lock_acquire_event,
85550 .acquired_event = report_lock_acquired_event,
85551 .contended_event = report_lock_contended_event,
85552 .release_event = report_lock_release_event,
85553 };
85554
85555 -static struct trace_lock_handler *trace_handler;
85556 +static const struct trace_lock_handler *trace_handler;
85557
85558 static void
85559 process_lock_acquire_event(void *data,
85560 diff -urNp linux-2.6.39.3/tools/perf/builtin-sched.c linux-2.6.39.3/tools/perf/builtin-sched.c
85561 --- linux-2.6.39.3/tools/perf/builtin-sched.c 2011-05-19 00:06:34.000000000 -0400
85562 +++ linux-2.6.39.3/tools/perf/builtin-sched.c 2011-05-22 19:36:36.000000000 -0400
85563 @@ -845,7 +845,7 @@ replay_fork_event(struct trace_fork_even
85564 register_pid(fork_event->child_pid, fork_event->child_comm);
85565 }
85566
85567 -static struct trace_sched_handler replay_ops = {
85568 +static const struct trace_sched_handler replay_ops = {
85569 .wakeup_event = replay_wakeup_event,
85570 .switch_event = replay_switch_event,
85571 .fork_event = replay_fork_event,
85572 @@ -1183,7 +1183,7 @@ latency_migrate_task_event(struct trace_
85573 nr_unordered_timestamps++;
85574 }
85575
85576 -static struct trace_sched_handler lat_ops = {
85577 +static const struct trace_sched_handler lat_ops = {
85578 .wakeup_event = latency_wakeup_event,
85579 .switch_event = latency_switch_event,
85580 .runtime_event = latency_runtime_event,
85581 @@ -1353,7 +1353,7 @@ static void sort_lat(void)
85582 }
85583 }
85584
85585 -static struct trace_sched_handler *trace_handler;
85586 +static const struct trace_sched_handler *trace_handler;
85587
85588 static void
85589 process_sched_wakeup_event(void *data, struct perf_session *session,
85590 @@ -1719,7 +1719,7 @@ static void __cmd_lat(void)
85591
85592 }
85593
85594 -static struct trace_sched_handler map_ops = {
85595 +static const struct trace_sched_handler map_ops = {
85596 .wakeup_event = NULL,
85597 .switch_event = map_switch_event,
85598 .runtime_event = NULL,
85599 diff -urNp linux-2.6.39.3/usr/gen_init_cpio.c linux-2.6.39.3/usr/gen_init_cpio.c
85600 --- linux-2.6.39.3/usr/gen_init_cpio.c 2011-05-19 00:06:34.000000000 -0400
85601 +++ linux-2.6.39.3/usr/gen_init_cpio.c 2011-05-22 19:36:36.000000000 -0400
85602 @@ -305,7 +305,7 @@ static int cpio_mkfile(const char *name,
85603 int retval;
85604 int rc = -1;
85605 int namesize;
85606 - int i;
85607 + unsigned int i;
85608
85609 mode |= S_IFREG;
85610
85611 @@ -394,9 +394,10 @@ static char *cpio_replace_env(char *new_
85612 *env_var = *expanded = '\0';
85613 strncat(env_var, start + 2, end - start - 2);
85614 strncat(expanded, new_location, start - new_location);
85615 - strncat(expanded, getenv(env_var), PATH_MAX);
85616 - strncat(expanded, end + 1, PATH_MAX);
85617 + strncat(expanded, getenv(env_var), PATH_MAX - strlen(expanded));
85618 + strncat(expanded, end + 1, PATH_MAX - strlen(expanded));
85619 strncpy(new_location, expanded, PATH_MAX);
85620 + new_location[PATH_MAX] = 0;
85621 } else
85622 break;
85623 }
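Review bot: The result of `getenv(env_var)` is passed straight to `strncat` in the first added line, so a `${VAR}` reference to a variable that is not set hands a null pointer to `strncat`, which is undefined behaviour; the new length bound does not cover that case. Fetch the value first and substitute an empty string when it is missing: `const char *val = getenv(env_var);` followed by `strncat(expanded, val ? val : "", PATH_MAX - strlen(expanded));`. The added `new_location[PATH_MAX] = 0;` is only in bounds if the caller's buffer holds at least PATH_MAX + 1 bytes; the declarations are outside this hunk, so that should be confirmed. The two context `strncat` calls above it still take their length from the input (`end - start - 2`, `start - new_location`) rather than from the destination size. cpio_replace_env starts and ends outside the hunk.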
85624 diff -urNp linux-2.6.39.3/virt/kvm/kvm_main.c linux-2.6.39.3/virt/kvm/kvm_main.c
85625 --- linux-2.6.39.3/virt/kvm/kvm_main.c 2011-05-19 00:06:34.000000000 -0400
85626 +++ linux-2.6.39.3/virt/kvm/kvm_main.c 2011-05-22 19:36:36.000000000 -0400
85627 @@ -73,7 +73,7 @@ LIST_HEAD(vm_list);
85628
85629 static cpumask_var_t cpus_hardware_enabled;
85630 static int kvm_usage_count = 0;
85631 -static atomic_t hardware_enable_failed;
85632 +static atomic_unchecked_t hardware_enable_failed;
85633
85634 struct kmem_cache *kvm_vcpu_cache;
85635 EXPORT_SYMBOL_GPL(kvm_vcpu_cache);
85636 @@ -1594,7 +1594,7 @@ static int kvm_vcpu_release(struct inode
85637 return 0;
85638 }
85639
85640 -static struct file_operations kvm_vcpu_fops = {
85641 +static struct file_operations kvm_vcpu_fops = { /* cannot be const */
85642 .release = kvm_vcpu_release,
85643 .unlocked_ioctl = kvm_vcpu_ioctl,
85644 .compat_ioctl = kvm_vcpu_ioctl,
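Review bot: The added `/* cannot be const */` on `kvm_vcpu_fops` records the constraint but not its cause, so a later constification pass has to rediscover it. Presumably the table is written at run time (kvm_init() is the likely place, assigning `.owner`, but that code is outside this hunk); if so, say it in the comment: `/* cannot be const: .owner is assigned in kvm_init() */`. The same applies to `kvm_vm_fops` and `kvm_chardev_ops` in the next two hunks. The initializer continues past the end of the hunk.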
85645 @@ -2063,7 +2063,7 @@ static int kvm_vm_mmap(struct file *file
85646 return 0;
85647 }
85648
85649 -static struct file_operations kvm_vm_fops = {
85650 +static struct file_operations kvm_vm_fops = { /* cannot be const */
85651 .release = kvm_vm_release,
85652 .unlocked_ioctl = kvm_vm_ioctl,
85653 #ifdef CONFIG_COMPAT
85654 @@ -2161,7 +2161,7 @@ out:
85655 return r;
85656 }
85657
85658 -static struct file_operations kvm_chardev_ops = {
85659 +static struct file_operations kvm_chardev_ops = { /* cannot be const */
85660 .unlocked_ioctl = kvm_dev_ioctl,
85661 .compat_ioctl = kvm_dev_ioctl,
85662 .llseek = noop_llseek,
85663 @@ -2187,7 +2187,7 @@ static void hardware_enable_nolock(void
85664
85665 if (r) {
85666 cpumask_clear_cpu(cpu, cpus_hardware_enabled);
85667 - atomic_inc(&hardware_enable_failed);
85668 + atomic_inc_unchecked(&hardware_enable_failed);
85669 printk(KERN_INFO "kvm: enabling virtualization on "
85670 "CPU%d failed\n", cpu);
85671 }
85672 @@ -2241,10 +2241,10 @@ static int hardware_enable_all(void)
85673
85674 kvm_usage_count++;
85675 if (kvm_usage_count == 1) {
85676 - atomic_set(&hardware_enable_failed, 0);
85677 + atomic_set_unchecked(&hardware_enable_failed, 0);
85678 on_each_cpu(hardware_enable_nolock, NULL, 1);
85679
85680 - if (atomic_read(&hardware_enable_failed)) {
85681 + if (atomic_read_unchecked(&hardware_enable_failed)) {
85682 hardware_disable_all_nolock();
85683 r = -EBUSY;
85684 }
85685 @@ -2509,7 +2509,7 @@ static void kvm_sched_out(struct preempt
85686 kvm_arch_vcpu_put(vcpu);
85687 }
85688
85689 -int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align,
85690 +int kvm_init(const void *opaque, unsigned vcpu_size, unsigned vcpu_align,
85691 struct module *module)
85692 {
85693 int r;
85694 @@ -2572,7 +2572,7 @@ int kvm_init(void *opaque, unsigned vcpu
85695 if (!vcpu_align)
85696 vcpu_align = __alignof__(struct kvm_vcpu);
85697 kvm_vcpu_cache = kmem_cache_create("kvm_vcpu", vcpu_size, vcpu_align,
85698 - 0, NULL);
85699 + SLAB_USERCOPY, NULL);
85700 if (!kvm_vcpu_cache) {
85701 r = -ENOMEM;
85702 goto out_free_3;
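Review bot: `SLAB_USERCOPY` on the `kvm_vcpu` cache has no comment saying which part of the object is actually copied to or from user space. The flag is defined elsewhere in this patch; if it marks objects of the cache as allowed targets for user copies, as the name suggests, it covers the whole vcpu structure (`vcpu_size` bytes, chosen by the arch caller), including fields that should never cross that boundary. A comment naming the copy paths that need it, e.g. `/* SLAB_USERCOPY: vcpu state is copied to/from user space by the vcpu ioctls -- confirm which fields */`, would let a reviewer check whether a narrower region would do. kvm_init continues outside the hunk.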